This week, we’re discussing secure configurations, and why they matter. Our friends at the Center for Internet Security (CIS) listed “Secure Configurations” as the No. 5 most important security control on this year’s Top 20 hit list. When I first read this, I thought: Duh! Of course, I need to securely configure my devices. That goes without saying. However, that’s only the tip of the security control iceberg.
Standardizing Secure Device Configurations
This security control allows the use of best practices during set-up, unifies configurations, and monitors for changes. We know default configurations are intentionally less secure — to make life easier during deployment. Imagine a simple, quiet deployment, quickly ruined by the sudden screams of your boss asking why you let your organization get “hacked”!
We must define standard configuration templates to protect our organizations. We use templates for network devices, workstations, laptops, and servers so that all of our devices match our security templates. At my previous employers, we used server build sheets that outlined all steps to complete during a new server build. This included installing operating system updates, NTP servers, DNS servers, static IPs, audit log options, anti-virus, etc. Using these build sheets, we held every server to a security standard, which we’re going to learn about here.
Network Device Configurations
For network devices, we should consider using RADIUS/TACACS+ for authentication purposes, not a shared user account. We need to disable silly protocols, such as “finger.” We should approach traffic filtering from a whitelisting perspective: don’t begin with “permit all” and then block a few protocols here and there. Do take advantage of security features like “DHCP snooping” and “auto secure.”
Last, let’s remember to back up our network device configurations and monitor for changes. Ansible can help automate the backup, and you can learn more in this month’s how-to video that covers using Ansible to back up a Cisco ASA firewall. Don’t stop with the backup, though — we still need to monitor for changes. Use scripting to create a hash of each night’s backup, compare after each consecutive backup, and alert when the hashes don’t match. You can also use a commercial product such as Kiwi CatTools to automate the job.
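The nightly hash-and-compare check described above, written out as an added Python example (not code from the original post or the how-to video). It goes one step beyond a bare hash mismatch and prints the changed lines, so the alert shows which statements drifted; the two backups embedded below are constructed sample text, not real device output.

```python
import hashlib
import difflib
from typing import List, Optional

# Constructed sample: two nightly backups of the same firewall's running config.
BACKUP_NIGHT1 = """\
hostname edge-fw01
aaa authentication ssh console TACACS+ LOCAL
access-list OUTSIDE_IN extended deny ip any any
no service finger
"""

BACKUP_NIGHT2 = """\
hostname edge-fw01
aaa authentication ssh console LOCAL
access-list OUTSIDE_IN extended permit tcp any any eq 23
access-list OUTSIDE_IN extended deny ip any any
no service finger
"""

def config_hash(config_text: str) -> str:
    """SHA-256 of a saved configuration; any single-line change alters the digest."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()

def detect_drift(previous: str, current: str) -> Optional[List[str]]:
    """Return None when the hashes match, otherwise the unified-diff lines
    so the alert shows exactly which configuration statements changed."""
    if config_hash(previous) == config_hash(current):
        return None
    diff = difflib.unified_diff(
        previous.splitlines(keepends=True),
        current.splitlines(keepends=True),
        fromfile="previous-backup",
        tofile="current-backup",
        n=0,  # no context lines; only the changed statements
    )
    return [line.rstrip("\n") for line in diff]

def alert_on_drift(previous: str, current: str) -> bool:
    """Print an alert and return True when the backup differs from the last one."""
    diff = detect_drift(previous, current)
    if diff is None:
        print("OK: configuration hash unchanged")
        return False
    print("ALERT: configuration hash changed; review the following lines")
    print("\n".join(diff))
    return True

if __name__ == "__main__":
    alert_on_drift(BACKUP_NIGHT1, BACKUP_NIGHT2)
```

In a real deployment the two inputs would be read from the previous and current backup files that the Ansible job writes.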
Standardized Templates and Images
For workstations and servers, we need a standard build sheet to document each step in the process. Remember, we want to standardize the process to keep every system in our environment secure. I understand not everyone “builds” workstations and servers, as many organizations use imaging and virtual templates. However, we need to build those “golden images” and “templates” to a standard and continuously maintain them. As soon as an image or template is out of date, we deploy insecure operating systems, which is exactly what this security control is meant to prevent.
Monitoring Changes to Identify Attackers or Rogue Employees
Once we’ve created guidelines and templates for deploying secure devices and operating systems, we’re finished, right? Not quite. Once we’ve deployed these devices, we need to monitor for unauthorized changes that could indicate an attack. How do we do this kind of monitoring? As mentioned, network device changes can be found by comparing nightly backups or using a commercial tool.
When it comes to workstations, we can use RMM (remote monitoring and management) tools. These tools provide reporting on changes to the operating system — but come with a price tag. We can also use some other IT-centric software packages, like Spiceworks, a free helpdesk ticketing system with some monitoring capabilities.
For servers, a SIEM is considered the best way to monitor activities: new services being created, software being installed, user and group changes, etc. However, if you don’t have a SIEM, some of the workstation options will work.
Security Control Automation Protocol (SCAP)
Another tool for checking security configurations is SCAP (security control automation protocol). SCAP is a protocol used to scan for security configurations on systems. The idea is, you set up a SCAP system, define what security settings should be on your systems, then scan the systems and review a report identifying systems without those pre-defined settings. Red Hat offers OpenSCAP, which can be used to scan Linux hosts for compliance but doesn’t scan Windows hosts. For Windows environments, you can use the DISA’s (Defense Information Systems Agency) SCAP tools. Here at Linux Academy, we even have labs that teach scanning with OpenSCAP in our DevSecOps Essentials course and our upcoming Red Hat Certified Specialist in Security course.
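Added example, not from Linux Academy or the OpenSCAP project: a small Python parser for the XCCDF results file that `oscap xccdf eval --results` writes, producing the kind of report described above (which rules a host failed, and at what severity). The namespace is the standard XCCDF 1.2 one; the hostname and rule ids in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# XCCDF 1.2 namespace used in OpenSCAP result files
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample (hostname and rule ids are made up) in the shape of the
# TestResult element that oscap writes with --results.
SAMPLE_RESULTS = """\
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <target>web01.example.internal</target>
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_service_enabled" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ntp_configured" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_bootloader_password" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

def parse_results(xml_text: str) -> Dict[str, object]:
    """Return the scanned target, the number of rules checked, and the failed rules."""
    root = ET.fromstring(xml_text)
    # The file may be the TestResult itself or a Benchmark wrapping it.
    test_result = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", XCCDF_NS)
    target_el = test_result.find("x:target", XCCDF_NS)
    failed: List[Dict[str, str]] = []
    checked = 0
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        checked += 1
        if rr.findtext("x:result", default="", namespaces=XCCDF_NS) == "fail":
            failed.append({"rule": rr.get("idref", ""), "severity": rr.get("severity", "unknown")})
    return {"target": target_el.text if target_el is not None else "", "checked": checked, "failed": failed}

def is_compliant(xml_text: str) -> bool:
    """A host is compliant with the profile only when no rule reports fail."""
    return not parse_results(xml_text)["failed"]

if __name__ == "__main__":
    summary = parse_results(SAMPLE_RESULTS)
    print(f"{summary['target']}: {len(summary['failed'])} of {summary['checked']} rules failed")
    for f in summary["failed"]:
        print(f"  [{f['severity']}] {f['rule']}")
```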
Now you’re prepared to standardize secure configurations and have ways to monitor those devices for changes that may indicate a compromise. Secure configurations are an important player in our attempt to fight the cyber evils of the world! Go out there and win!
As you’re securing your infrastructure, make sure you have an incident response plan. Use vulnerability scanning, and keep in mind the importance of data backups, as well as passwords and policies such as using MFA and proactively identifying compromised passwords. Lastly, there are several reasons to restrict outbound communications; here’s why.