Today, I will be going over Control 5 from version 7 of the CIS top 20 Critical Security Controls – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. I will go through the five requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 5

  • More than just vendor guidelines. Some vendors have recommended configuration guidelines in terms of performance and/or security. Most software and operating systems are configured in an open and insecure state, and external sources such as CIS hardening guides and DISA STIGs can provide additional guidance. Windows will have a roughly 65% pass rate for CIS hardening benchmarks. Know that these are available and can reduce your attack surface tremendously.
  • FIM as a key driver. File Integrity Monitoring is something Tripwire has been doing for over two decades. I firmly believe that FIM is a key component of every aspect of control 5. FIM will alert to changes in key files such as master images. FIM can monitor configuration files to report when they are changed in real time. FIM can do much more than people realize.
  • Bring in data from earlier controls. You’re going to need insight from controls one and two in order to know what to secure. After all, you can’t protect that which you do now know about.
  • Prepare for incidents. Control 5 will be tightly coupled with Control 19. A configuration change can lead to a configuration vulnerability, which can lead to a breach. Make sure SCM resources can be available in the Incident Response program when you get to Control 19.

Requirement Listing for Control 5

1. Establish Secure Configurations

Description: Maintain documented, standard security configuration standards for all authorized operating systems and software.

Notes: To me, I read this (Read more...)