Budgetless CIS Top 20: Control 5: Secure Configuration for Hardware and Software on Mobile Device, Laptops, Workstations and Servers

Summary: Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

The first part of this is just using security technical implementation guides (STIGs) instead of the default vendor recommendations. That is a heavy sounding sentence. You don’t have to come up with these yourself, and you are probably already doing a lot of this. But basically, be mindful of these CIS controls, the NIST framework, etc. as you are setting up systems. Also, check out this site to view STIGs for lots of different software. For example, when I came across this site, I reviewed a lot of the settings for Airwatch. Obviously, I had it configured with a signed certificate and in a DMZ, etc., but there were a bunch of non-default settings about connections that help make it much more secure, and I was able to implement them pretty easily.

The next 2 subcontrols here are to maintain a golden image for each device type on your network (which you are likely doing anyway) and then secure those images, either offline or with encryption, and run a hash against them to ensure they have not been modified without your knowledge. WinMD5 is a good free tool for checking MD5 hashes. If you aren’t using some kind of imaging software, check out FOG; it is free and open source.

You should also make sure when you patch your workstations that you patch your golden images.

That’s about all you can do in this control without spending some cash. The last 2 subcontrols involve deploying tools that scan systems periodically, redeploy any security settings or system files that were changed, and alert when changes are made. Essentially, you want to establish a baseline, scan against the baseline, force systems back into compliance, and alert on changes. Both of those subcontrols, as far as I can find, can’t be done cheaply. If someone knows of something, I’d love to hear about it. And that’s it for Control 5. See you next week for Control 6, the last of the ‘Basic’ controls.
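As an added example (not from the original post, and not a replacement for WinMD5 or FOG), here is a minimal Python baseline-and-compare script for the hashing and "alert on changes" parts of this control: it records a SHA-256 hash for every file under an image directory, stores that baseline as JSON (which you would keep offline or on a signed share, not on the system being checked), and on a later run reports files that were added, removed, or modified. SHA-256 is used instead of MD5 because MD5 collisions are practical to produce, so a matching MD5 no longer proves a file is unmodified. The "force back into compliance" part is not covered; that still needs a redeploy step. All file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    # Hash in chunks so a multi-gigabyte image file never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    # Map of relative POSIX-style path -> SHA-256 for every regular file under root.
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline, current):
    # Anything in these three lists is a change that should raise an alert.
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    # Constructed sample: a tiny two-file "image", baselined, then tampered with.
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "image"
        (image / "bin").mkdir(parents=True)
        (image / "config.ini").write_text("allow_anonymous=0\n")
        (image / "bin" / "agent.exe").write_bytes(b"MZ original")
        baseline_file = Path(tmp) / "baseline.json"  # in practice: offline or signed storage
        baseline_file.write_text(json.dumps(build_baseline(image)))
        # Simulated tampering: a setting weakened, a binary swapped, an extra file dropped in.
        (image / "config.ini").write_text("allow_anonymous=1\n")
        (image / "bin" / "agent.exe").write_bytes(b"MZ replaced")
        (image / "bin" / "extra.dll").write_bytes(b"MZ new")
        stored = json.loads(baseline_file.read_text())
        return compare_baseline(stored, build_baseline(image))
```

Point `build_baseline` at a mounted golden image (or a live system's program and config directories) and schedule the compare on whatever cadence you would have paid a tool to run it.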
