-->

System Hardening

System hardening refers to providing various means of protection in a computer system, eliminating as many security risks as possible. This is usually done by removing all non-essential software programs and utilities from the computer. While these programs may offer useful features to the user, they might provide "back-door" access to the system and thus must be removed to improve system security.

Extended system protection should be provided at various levels and is often referred to as defense in depth. Protecting in levels means to protect at the host layer, the application layer, the operating system layer, the data layer, the physical layer and all the sub layers in between. Each one of these layers requires a unique method of security.

 

Security Content Automation Protocol

SCAP is a method for using commonly accepted standards to enable automated vulnerability management and security policy compliance metrics. It started as a collection of specifications originally created by the US government which are now an industry standard.

It was developed through the cooperation and collaboration of public and private sector organizations, including government, industry and academia, but the standard is still maintained by the the US National Institute of Standards and Technology.

 

Benefits of SCAP

Automated tools that use SCAP specifications make it easier to continuously verify the security compliance status of a wide variety of IT systems. The use of standardized, automated methods for system security management can help organizations operate more effectively in complex, interconnected environments and realize cost savings.

SCAP Components

  • CVE - Common Vulnerabilities and Exposures
    • Catalog of known security threats
  • CCE - Common Configuration Enumeration
    • List of “identifiers” and entries relating to security system configuration issues
    • Common identification enables correlation
  • CPE - Common Platform Enumeration
    • Structured naming scheme to describe systems, platforms, software
  • CVSS - Common Vulnerability Scoring System
    • Framework to describe the characteristics and impacts of IT vulnerabilities.
  • XCCDF - eXtensible Configuration Checklist Description Format
    • Security checklists, benchmarks and configuration documentation in XML format. 
  • OVAL - Open Vulnerability and Assessment Language
    • Common language for assessing the status of a vulnerability
  • OCIL – Open Checklist Interactive Language
    • Common language to express questions to be presented to a user and interpret responses
  • Asset Identification
    • This specification describes the purpose of asset identification, a data model and methods for identifying assets, and guidance on how to use asset identification.
  • ARF - Asset Reporting Format
    • Data model to express the transport format of information about assets, and the relationships between assets and reports.
  • CCSS - Common Configuration Scoring System
    • Set of measures of the severity of software security configuration issues
  • TMSAD - Trust Model for Security Automation Data
    • Common trust model that can be applied to specifications within the security automation domain.

image

Security Baselines

US Government Configuration Baseline

The purpose of USGCB initiative is to create security configuration baselines for Information Technology products widely deployed across the federal agencies.

The USGCB is a Federal government-wide initiative that provides guidance to agencies on what should be done to improve and maintain an effective configuration settings focusing primarily on security.

IT-Grundschutz

The aim of IT-Grundschutz is to achieve an appropriate security level for all types of information of an organization. IT-Grundschutz uses a holistic approach to this process.

Through proper application of well-proven technical, organizational, personnel, and infrastructural safeguards, a security level is reached that is suitable and adequate to protect business-related information having normal protection requirements. In many areas, IT-Grundschutz even provides advice for IT systems and applications requiring a high level of protection.

There are also the IT-Grundschutz Catalogues where you will find modules, threats and safeguards.

CERN Mandatory Security Baselines

The Security Baselines define a set of basic security objectives which must be met by any given service or system.

The objectives are chosen to be pragmatic and complete, and do not impose technical means.

Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate "Security Implementation Document".

Microsoft Security Baselines

A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings.

These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Cisco Network Security Baseline

Developing and deploying a security baseline can, be challenging due to the vast range of features available

The Network Security Baseline is designed to assist in this endeavor by outlining those key security elements that should be addressed in the first phase of implementing defense-in-depth.

The main focus of Network Security Baseline is to secure the network infrastructure itself: the control and management planes.

 

Security Standards

These are common industry-accepted standards that include specific weakness-correcting guidelines. The main ones are published by the following organizations:

 

Center for Internet Security

CIS Benchmarks are recommended technical settings for operating systems, middleware and software applications, and network devices. Developed in a unique consensus-based process comprised of hundreds of security professionals worldwide as de facto, best-practice configuration standards.

 

International Organization for Standardization

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).

 

National Institute of Standards and Technology

The National Checklist Program (NCP), defined by the NIST SP 800-70 Rev. 3, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications. NCP is migrating its repository of checklists to conform to the SCAP thus allowing standards based security tools to automatically perform configuration checking using NCP checklists.

 

Defense Information Systems Agency

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.

 

Bundesamt für Sicherheit in der Informationstechnik

The BSI Standards contain recommendations on methods, processes, procedures, approaches and measures relating to information security.

 

Compliance Requirements

Any organization managing payments, handling private customer data, or operate in markets controlled by security regulations, need to demonstrate security compliance to avoid penalties and meet customer expectations. These are some of the major compliance requirements:

 

Payment Card Industry Data Security Standard

The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. It was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with a focus on improving payment account security throughout the transaction process.

 

Health Insurance Portability and Accountability Act

The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, essentially defines how healthcare provider entities use individually-identifiable health information or the PHI (Personal Health Information).

 

Information Technology Infrastructure Library 

ITIL compliance guidelines include categories such as change management, security architecture and help desk systems. Companies can then find ways to accomplish ITIL compliance by using the appropriate systems and strategies.

 

Control Objectives for Information and Related Technology

COBIT is a framework created for IT governance and management. It is meant to be a supportive tool for managers and allows bridging the crucial gap between technical issues, business risks and control requirements.

 

National Institute of Standards and Technology

The NIST is responsible for developing cybersecurity standards, guidelines, tests, and metrics for the protection of federal information systems. While developed for federal agency use, these resources are voluntarily adopted by other organizations because they are effective and accepted globally.

Next post: Windows 7 Hardening (Part 1)