System hardening refers to providing various means of protection in a computer system, eliminating as many security risks as possible. This is usually done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, they might provide "back-door" access to the system and thus must be removed to improve system security.
Extended system protection should be provided at various levels, an approach often referred to as defense in depth. Protecting in levels means protecting the host layer, the application layer, the operating system layer, the data layer, the physical layer and all the sub-layers in between. Each of these layers requires its own method of security.
Security Content Automation Protocol
SCAP is a method for using commonly accepted standards to enable automated vulnerability management and security policy compliance metrics. It started as a collection of specifications originally created by the US government which are now an industry standard.
It was developed through the cooperation and collaboration of public and private sector organizations, including government, industry and academia, but the standard is still maintained by the US National Institute of Standards and Technology.
Benefits of SCAP
Automated tools that use SCAP specifications make it easier to continuously verify the security compliance status of a wide variety of IT systems. The use of standardized, automated methods for system security management can help organizations operate more effectively in complex, interconnected environments and realize cost savings.
- CVE - Common Vulnerabilities and Exposures
  - Catalog of known security threats
- CCE - Common Configuration Enumeration
  - List of "identifiers" and entries relating to security system configuration issues
  - Common identification enables correlation
- CPE - Common Platform Enumeration
  - Structured naming scheme to describe systems, platforms and software
- CVSS - Common Vulnerability Scoring System
  - Framework to describe the characteristics and impacts of IT vulnerabilities
- XCCDF - eXtensible Configuration Checklist Description Format
  - Security checklists, benchmarks and configuration documentation in XML format
- OVAL - Open Vulnerability and Assessment Language
  - Common language for assessing the status of a vulnerability
- OCIL - Open Checklist Interactive Language
  - Common language to express questions to be presented to a user and interpret responses
- Asset Identification
  - Specification describing the purpose of asset identification, a data model and methods for identifying assets, and guidance on how to use asset identification
- ARF - Asset Reporting Format
  - Data model to express the transport format of information about assets, and the relationships between assets and reports
- CCSS - Common Configuration Scoring System
  - Set of measures of the severity of software security configuration issues
- TMSAD - Trust Model for Security Automation Data
  - Common trust model that can be applied to specifications within the security automation domain
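As an added example (not from the original post) of how the XCCDF and CCE pieces above fit together in practice, this Python script parses a constructed XCCDF 1.2 TestResult of the kind a SCAP scanner emits, correlates each rule result to its CCE identifier, and computes a weighted pass percentage in the spirit of XCCDF's default scoring model. The rule ids, CCE values and weights are placeholders; the namespace and the CCE `ident` system URI follow XCCDF 1.2 and common scanner output, and a standalone TestResult element is assumed.

```python
"""Summarise an XCCDF 1.2 TestResult, the rule-level output a SCAP scanner emits."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "https://nvd.nist.gov/cce/index.cfm"  # ident system used for CCE ids
# Results the XCCDF default scoring model leaves out of the score.
NOT_SCORED = {"notapplicable", "notchecked", "notselected", "informational"}

# Constructed sample (not real scanner output): placeholder rule and CCE ids.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_demo_testresult">
  <rule-result idref="xccdf_demo_rule_ssh_root_login" severity="high" weight="10.0">
    <result>fail</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-PLACEHOLDER-1</ident>
  </rule-result>
  <rule-result idref="xccdf_demo_rule_password_minlen" severity="medium" weight="1.0">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-PLACEHOLDER-2</ident>
  </rule-result>
  <rule-result idref="xccdf_demo_rule_bluetooth_off" severity="low" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_demo_rule_auditd_enabled" severity="high" weight="5.0">
    <result>pass</result>
    <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-PLACEHOLDER-3</ident>
  </rule-result>
</TestResult>"""

def parse_rule_results(xml_text):
    """One dict per rule-result: rule id, result, severity, weight and CCE id (or None)."""
    rows = []
    for rr in ET.fromstring(xml_text).iterfind("x:rule-result", XCCDF_NS):
        # The CCE id lets this finding be correlated with other tools' output.
        cce = next((i.text for i in rr.iterfind("x:ident", XCCDF_NS)
                    if i.get("system") == CCE_SYSTEM), None)
        rows.append({"rule": rr.get("idref"),
                     "result": rr.findtext("x:result", namespaces=XCCDF_NS),
                     "severity": rr.get("severity", "unknown"),
                     "weight": float(rr.get("weight", "1.0")), "cce": cce})
    return rows

def weighted_score(rows):
    """Weighted pass percentage over scored rules; only pass/fixed earn credit."""
    scored = [r for r in rows if r["result"] not in NOT_SCORED]
    total = sum(r["weight"] for r in scored)
    earned = sum(r["weight"] for r in scored if r["result"] in ("pass", "fixed"))
    return 100.0 * earned / total if total else 0.0

def failing_rules(rows):
    """Rules to remediate, most severe first, each with its CCE id for correlation."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((r for r in rows if r["result"] in ("fail", "error", "unknown")),
                  key=lambda r: rank.get(r["severity"], 3))
```

Calling `parse_rule_results(SAMPLE_RESULTS)` and feeding the rows to `weighted_score` and `failing_rules` yields a 37.5% score (6 of 16 weight points, the notapplicable rule excluded) and a single high-severity failure to remediate.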
Beyond the SCAP specifications, there are common, industry-accepted standards that include specific weakness-correcting guidelines. The main ones are published by the following organizations:
Center for Internet Security
CIS Benchmarks are recommended technical settings for operating systems, middleware and software applications, and network devices. They are developed in a consensus-based process involving hundreds of security professionals worldwide and serve as de facto best-practice configuration standards.
International Organization for Standardization
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
National Institute of Standards and Technology
The National Checklist Program (NCP), defined by NIST SP 800-70 Rev. 3, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to SCAP, thus allowing standards-based security tools to automatically perform configuration checking using NCP checklists.
Defense Information Systems Agency
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.
Bundesamt für Sicherheit in der Informationstechnik
The BSI Standards contain recommendations on methods, processes, procedures, approaches and measures relating to information security.
Any organization managing payments, handling private customer data, or operating in markets governed by security regulations needs to demonstrate security compliance to avoid penalties and meet customer expectations. These are some of the major compliance requirements:
Payment Card Industry Data Security Standard
The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.
Health Insurance Portability and Accountability Act
The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, essentially defines how healthcare provider entities use individually-identifiable health information or the PHI (Personal Health Information).
Information Technology Infrastructure Library
ITIL compliance guidelines include categories such as change management, security architecture and help desk systems. Companies can then find ways to accomplish ITIL compliance by using the appropriate systems and strategies.
Control Objectives for Information and Related Technology
COBIT is a framework created for IT governance and management. It is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.
National Institute of Standards and Technology
The NIST is responsible for developing cybersecurity standards, guidelines, tests, and metrics for the protection of federal information systems. While developed for federal agency use, these resources are voluntarily adopted by other organizations because they are effective and accepted globally.