Software is notorious for shipping with default credentials (e.g., username: admin, password: admin) upon installation. These default credentials are publicly documented and can be found with a simple Google search. While vendors are slowly moving away from default credentials (requiring the organization to define the credentials at install time instead), many organizations are not following their own password policy and set them to weak passwords that are no better than the defaults the software would have provided.
Hardening standards are used to prevent these default or weak credentials from being deployed into the environment. With the recent news coming out of the Equifax breach, which disclosed that admin:admin was used to protect the portal used to manage credit disputes, the importance of hardening standards is becoming more apparent.
What is a Security Hardening Standard?
A hardening standard sets a baseline of requirements for each system. As each new system is introduced to the environment, it must abide by the hardening standard. Several industry standards provide benchmarks for various operating systems and applications, such as the CIS Benchmarks. Each hardening standard may include requirements related to, but not limited to:
- Physical security – setting environment controls around secure and controlled locations
- Operating systems – ensuring patches are deployed and access to firmware is locked
- Applications – establishing rules on installing software and default configurations
- Security appliances – ensuring anti-virus is deployed and any end-point protections are reporting in appropriately
- Networks and services – removing any unnecessary services (e.g., telnet, ftp) and enabling secure protocols (e.g., ssh, sftp)
- System auditing and monitoring – enabling traceability and monitoring of events
- Access control – ensuring default accounts are renamed or disabled
- Data encryption – which algorithms and ciphers are approved (e.g., AES-256 for encryption, SHA-256 for hashing and integrity checks; SHA-256 is a hash, not an encryption cipher) and which are prohibited
- Patching and updates – ensuring patches and updates are successfully being deployed
- System backup – ensuring backups are properly configured
Why are Hardening Standards important?
Having consistently secure configurations across all systems keeps the risk to those systems at a minimum. Keeping each system's risk at its lowest in turn keeps the likelihood of a breach low. Any deviation from the hardening standard can be the foothold for a breach, and it's not uncommon to see during our engagements. It's almost always one system that was just brought online or a legacy system that is missing the hardening and is used as our way to pivot. Attackers that are on your network are waiting for these opportunities, so it's best to harden a system prior to deploying it on the network.
Staying Compliant with your Hardening Standard
To stay compliant with your hardening standard you'll need to regularly test your systems for missing security configurations or patches. The best way to do that is with a regularly scheduled compliance scan using your vulnerability scanner. The scanner logs into each system it can (an authenticated scan, so the scan account itself needs credentials managed to the same standard) and checks it for security issues; a system the scanner cannot log into is itself a finding worth chasing, since it is exactly the kind of outlier that goes unhardened. Doing so will identify any outlier systems that have not been receiving updates and also surface new issues that you can add to your hardening standard. By continuously checking your systems for issues, you reduce the time a system spends out of compliance.
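To make the two ideas above concrete (a hardening standard expressed as a checkable baseline, and a compliance scan that compares a host against it), here is an added example that is not part of the original post and not any vendor's scanner. It assumes a hypothetical baseline covering three of the categories listed earlier (network services, access control, and SSH configuration) and uses constructed sample artefacts for a freshly built host that missed hardening; a real scanner collects these same artefacts over SSH or WinRM and applies a full CIS-style benchmark.

```python
"""Minimal hardening-baseline compliance check.

Added example, not from the original post. The baseline below is hypothetical
and deliberately small; the sshd_config, service list, passwd and shadow
contents are constructed inline so the check runs offline.
"""
from dataclasses import dataclass

# Hypothetical baseline, modelled on a few categories from the post.
BASELINE = {
    # sshd directive -> required value (directives compared case-insensitively)
    "sshd": {
        "PermitRootLogin": "no",
        "PasswordAuthentication": "no",
        "MaxAuthTries": "4",
        "X11Forwarding": "no",
    },
    # services that must not be enabled (cleartext / legacy protocols)
    "forbidden_services": {"telnet", "vsftpd", "rsh"},
    # well-known default account names that must be removed or locked
    "default_accounts": {"admin", "guest", "test"},
}


@dataclass
class Finding:
    category: str
    detail: str


def parse_sshd_config(text):
    """Return {directive_lowercased: value} for non-comment lines.

    sshd uses the first occurrence of a directive, so later duplicates are ignored.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in cfg:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def check_sshd(text, baseline=BASELINE):
    cfg = parse_sshd_config(text)
    findings = []
    for key, required in baseline["sshd"].items():
        actual = cfg.get(key.lower())
        if actual is None:
            # Unset means the compiled-in default applies, which may not match the baseline.
            findings.append(Finding("sshd", f"{key} not set explicitly; baseline requires '{required}'"))
        elif actual.lower() != required.lower():
            findings.append(Finding("sshd", f"{key} is '{actual}', baseline requires '{required}'"))
    return findings


def check_services(enabled_services, baseline=BASELINE):
    bad = set(enabled_services) & baseline["forbidden_services"]
    return [Finding("services", f"unnecessary service enabled: {s}") for s in sorted(bad)]


def check_accounts(passwd_text, shadow_text, baseline=BASELINE):
    """Flag default account names that still exist and are not locked.

    In /etc/shadow a password field starting with '!' or '*' means the account
    cannot authenticate with a password, which we treat as 'disabled'.
    """
    locked = set()
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1].startswith(("!", "*")):
            locked.add(fields[0])
    findings = []
    for line in passwd_text.splitlines():
        name = line.split(":")[0]
        if name in baseline["default_accounts"] and name not in locked:
            findings.append(Finding("access control", f"default account '{name}' present and not locked"))
    return findings


def run_compliance_scan(host):
    """host: dict of artefacts collected from the target. Returns all deviations."""
    return (check_sshd(host["sshd_config"])
            + check_services(host["services"])
            + check_accounts(host["passwd"], host["shadow"]))


# Constructed sample artefacts for a host that was brought online without hardening.
SAMPLE_HOST = {
    "sshd_config": "# constructed sample\nPort 22\nPermitRootLogin yes\n"
                   "PasswordAuthentication yes\nMaxAuthTries 6\nX11Forwarding no\n",
    "services": ["sshd", "telnet", "cron"],
    "passwd": "root:x:0:0:root:/root:/bin/bash\n"
              "admin:x:1000:1000::/home/admin:/bin/bash\n"
              "guest:x:1001:1001::/home/guest:/bin/bash\n",
    "shadow": "root:$6$abc:19000:0:99999:7:::\n"
              "admin:$6$def:19000:0:99999:7:::\n"
              "guest:!:19000:0:99999:7:::\n",
}

if __name__ == "__main__":
    for f in run_compliance_scan(SAMPLE_HOST):
        print(f"[{f.category}] {f.detail}")
```

Running it against the sample host reports the root login and password authentication being enabled, the MaxAuthTries deviation, the telnet service, and the live admin account; the locked guest account is not flagged. The point of expressing the baseline as data is that a new benchmark item (say, a directive learned from the last scan) becomes one more entry rather than a code change, which is how the standard grows as the post describes.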