Steve’s Thoughts
Fort Knox is a United States Army post located in Kentucky and is famous for housing the United States Bullion Depository, which holds a significant portion of the country's gold reserves.
Fort Knox serves as a symbol of impenetrable security due to its robust physical and technological defenses. Similarly, in the digital realm, secure configuration acts as a virtual Fort Knox for enterprise assets and software, ensuring that they are protected against unauthorized access, data breaches, and other cyber threats.
It is essential to define security configuration standards for each type of asset and software. These standards should align with industry best practices and regulatory requirements specific to your organization. Considerations may include password complexity, encryption, network access controls, software patching, and user privileges. Clearly document these standards to ensure consistency across the organization.
Configuration management tools play a vital role in automating and simplifying the configuration process. These tools enable centralized control and monitoring of asset configurations, ensuring that security standards are consistently applied.
CIS offers its SecureSuite Membership, a reasonably priced suite of tools and content that allows you to assess, visualize, and remediate the posture of a system against the industry-standard CIS Benchmarks at scale.
Bryon’s Thoughts
What makes this control critical?
The criticality of this control is due to the fact that systems and software are primarily designed for user friendliness and easy deployment, rather than prioritizing security. It is a known fact that default configurations of systems and software often lack proper security measures, making them vulnerable to exploitation by attackers. These vulnerabilities arise from default user accounts and passwords, protocols, and other insecure settings.
To ensure robust security, it is crucial to maintain and update security settings and configurations throughout the entire lifecycle of systems and software. This includes monitoring and tracking any changes made to configurations, which is essential for compliance purposes.
It is worth noting that the CIS Controls document also highlights the significance of considering service providers in this context. Service providers may adopt more relaxed controls to accommodate their diverse customer base. Therefore, organizations must be vigilant in assessing the security measures implemented by their service providers to ensure a high level of security is maintained.
The CIS Controls document provides a comprehensive list of security configuration checklists that can be used by systems administrators and security professionals to enhance the security of their systems. These checklists, including the NIST National Checklist Program and the CIS Benchmarks Program, offer valuable guidelines and recommendations.
They include:
- Establish and Maintain a Secure Configuration Process
- Configure Automatic Session Locking on Enterprise Assets
- Implement and Manage a Firewall on Servers
- Manage Default Accounts on Enterprise Assets and Software
- Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
- Configure Trusted DNS Servers on Enterprise Assets
- Enforce Automatic Device Lockout on Portable End-User Devices
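As an added example (not code from this post, from CIS, or from any CIS Benchmark), here is a small Python audit that checks a host configuration snapshot against a documented secure-configuration baseline built from the safeguards listed above, and records which settings changed between two snapshots for the change tracking mentioned earlier. The baseline thresholds, the forbidden-service and trusted-resolver lists, and both host snapshots are constructed assumptions for illustration only.

```python
from typing import Any, Callable

# Constructed assumptions for the baseline: services the standard forbids and
# the only resolvers it permits (RFC 5737 documentation addresses).
UNNECESSARY_SERVICES = {"telnet", "ftp", "rsh"}
TRUSTED_DNS = {"192.0.2.53", "192.0.2.54"}

# Documented secure-configuration baseline: setting -> (predicate over the
# observed value, expectation in words, safeguard from the list above).
Rule = tuple[Callable[[Any], bool], str, str]
BASELINE: dict[str, Rule] = {
    "session_lock_timeout_min": (lambda v: 0 < v <= 15, "<= 15 min", "Automatic Session Locking"),
    "host_firewall_enabled": (lambda v: v is True, "enabled", "Firewall on Servers"),
    "default_accounts_enabled": (lambda v: v == [], "none enabled", "Manage Default Accounts"),
    "running_services": (lambda v: not set(v) & UNNECESSARY_SERVICES, "no unnecessary services", "Uninstall or Disable Unnecessary Services"),
    "dns_servers": (lambda v: bool(v) and set(v) <= TRUSTED_DNS, "trusted resolvers only", "Trusted DNS Servers"),
    "device_lockout_attempts": (lambda v: 0 < v <= 10, "lockout after <= 10 failures", "Automatic Device Lockout"),
}

def audit(snapshot: dict[str, Any], baseline: dict[str, Rule] = BASELINE) -> list[tuple]:
    """One finding (setting, expected, observed, safeguard) per rule the host fails or lacks."""
    findings = []
    for setting, (ok, expected, safeguard) in baseline.items():
        if setting not in snapshot:
            findings.append((setting, expected, "<missing>", safeguard))
        elif not ok(snapshot[setting]):
            findings.append((setting, expected, snapshot[setting], safeguard))
    return findings

def drift(previous: dict[str, Any], current: dict[str, Any]) -> dict[str, tuple]:
    """Settings whose value changed between two snapshots: the change record kept for compliance."""
    keys = previous.keys() | current.keys()
    return {k: (previous.get(k), current.get(k)) for k in keys if previous.get(k) != current.get(k)}

# Constructed snapshots: a default install, then the same host after hardening.
DEFAULT_HOST = {
    "session_lock_timeout_min": 0, "host_firewall_enabled": False,
    "default_accounts_enabled": ["admin"], "running_services": ["sshd", "telnet"],
    "dns_servers": ["192.0.2.53", "198.51.100.1"], "device_lockout_attempts": 0,
}
HARDENED_HOST = {
    **DEFAULT_HOST, "session_lock_timeout_min": 10, "host_firewall_enabled": True,
    "default_accounts_enabled": [], "running_services": ["sshd"],
    "dns_servers": ["192.0.2.53"], "device_lockout_attempts": 6,
}

if __name__ == "__main__":
    for setting, expected, observed, safeguard in audit(DEFAULT_HOST):
        print(f"FAIL {setting}: expected {expected}, observed {observed!r} [{safeguard}]")
    print("changed settings:", sorted(drift(DEFAULT_HOST, HARDENED_HOST)))
```

Run against real hosts, the snapshot would come from the configuration management tool's inventory rather than a literal, and the findings list is what you would feed into remediation and the compliance record.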
Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/secure-configuration-management-for-cis-control-4
Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 4 – Secure Configuration of Enterprise Assets & Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Implementation Group 1
CIS Safeguard 4.1 - Establish and Maintain a Secure Configuration Process
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.