Page 44 - CDM Cyber Warnings February 2014

how to secure or harden an out-of-the-box operating system or application instance. Some examples:

● The hardening guide for Oracle Solaris v11 has 55 of these critical configuration items (my house has just 30 doors and windows by comparison)

● The VMware guide for vSphere 5 highlights 60 critical security items that must be checked

● For Windows 2008, the Microsoft guide for minimal system hardening includes 158 settings that need to be immediately secured out of the box (it's a big house)

This still falls short of the number of settings that need to be managed in prescriptive guides for information security. Prescriptive guidance comes from sources like the Center for Internet Security's (CIS) "Benchmarks", the Defense Information Systems Agency's "Security Technical Implementation Guides" (DISA STIGs), or NIST 800-53, the National Institute of Standards and Technology's "Recommended Security Controls for Federal Information Systems and Organizations."

The degree of "prescriptiveness" in these standards refers to the level of specific guidance they provide: a non-prescriptive guide like SOX might say "Passwords should be complex." Prescriptive guidelines like the ones above, by contrast, provide specific values that must be attained for each control. Compared to the simple SOX standard for passwords, CIS requires passwords that:

● Are at least 8 characters in length for standard enterprise servers

● Are at least 11 characters for critical systems

● Are changed every 90 days, but not more often than once a day

● Are different from the previous 24 passwords created by the user

● Contain characters from multiple classes: alphabetic, numeric, special characters, etc.

● Are not saved or stored in any form of reversible encryption

Because of this level of control, prescriptive standards like CIS tend to be more complex than vendor hardening guidelines. Some standards, like DISA or NIST, actually break these down into more granular requirements depending on Hi/Med/Lo risk ratings for the systems being monitored.

It's worth mentioning, too, that there are dozens more – a veritable alphabet soup of acronyms and abbreviations – that provide guidance across industry segments and areas of interest. "NERC CIP" requirements provide standards for critical infrastructure protection in the energy space. HIPAA requirements govern systems that store or transmit patient health records. The list is long, and covers virtually every industry and nearly every region or country.

In any industry or setting, the discipline of security configuration management seeks to find a balance between security and usability. That ongoing balance rests somewhere between "server passwords are allowed to be blank" and a ridiculous, work-stopping requirement like "the system needs to have a new, never-used, complex 30-character password that's changed every 48 hours".

Application and Version Hardening

If configuration hardening settings are "conditional," meaning they must find and keep that balance between security and productivity, hardening against known vulnerabilities in applications and versions is much more black-and-white. If an exploit path has been found in an operating system or application, the vendor rushes to create a patch or upgrade that removes the vulnerability. "Hardening" in this sense means "make sure the holes are known and that the most current security patches are deployed."

To go back to our "secure house" analogy for a moment, imagine that the house I'm protecting has three external doors and that they all use Secure-A-Door Model 800 high-strength locks. But a tester at the Secure-A-Door factory (or, worse, a professional burglar) has just discovered
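As an added example (not code from the article or from CIS), the checker below evaluates a password policy against the CIS password values listed above, for both the standard and the critical tier. The KEY/value layout mimics /etc/login.defs, but the key names, the sample values and the reading of "multiple classes" as at least two are assumptions.

```python
# Added example, not from the article: check a login.defs-style password
# policy against the CIS values quoted in the text. Key names are assumed.

# Constructed sample policy for a "standard" enterprise server.
SAMPLE_POLICY = """
PASS_MIN_LEN     8
PASS_MAX_DAYS    180     # CIS: changed every 90 days
PASS_MIN_DAYS    0       # CIS: not more often than once a day
PASS_REMEMBER    24      # previous passwords that may not be reused
PASS_CLASSES     3       # distinct character classes present
PASS_REVERSIBLE  no      # stored with reversible encryption?
"""

# Minimum length depends on the system tier named in the article.
CIS_MIN_LEN = {"standard": 8, "critical": 11}
MIN_CLASSES = 2  # "multiple classes" read as at least two (assumption)

def parse_policy(text):
    """Parse KEY value lines, dropping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def check_cis(settings, tier="standard"):
    """Return findings as (control, expected, actual); empty list = compliant."""
    def num(key):  # missing or non-numeric values count as 0, i.e. unset
        try:
            return int(settings.get(key, ""))
        except ValueError:
            return 0
    rules = [
        ("PASS_MIN_LEN", lambda v: v >= CIS_MIN_LEN[tier], ">= %d (%s)" % (CIS_MIN_LEN[tier], tier)),
        ("PASS_MAX_DAYS", lambda v: 0 < v <= 90, "<= 90 days"),
        ("PASS_MIN_DAYS", lambda v: v >= 1, ">= 1 day between changes"),
        ("PASS_REMEMBER", lambda v: v >= 24, ">= 24 previous passwords"),
        ("PASS_CLASSES", lambda v: v >= MIN_CLASSES, ">= %d classes" % MIN_CLASSES),
    ]
    findings = [(k, exp, num(k)) for k, ok, exp in rules if not ok(num(k))]
    if settings.get("PASS_REVERSIBLE", "no").lower() != "no":
        findings.append(("PASS_REVERSIBLE", "no", settings["PASS_REVERSIBLE"]))
    return findings

if __name__ == "__main__":
    for tier in CIS_MIN_LEN:
        print(tier, check_cis(parse_policy(SAMPLE_POLICY), tier))
```

The same sample policy passes the length check as a standard server but fails it as a critical system, which is the tiering the article describes.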

CYBER DEFENSE MAGAZINE - ANNUAL EDITION 44