Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (CIS Control 5)
CIS Control 5 is one that a lot of companies fall short on, because it is hard to stay on top of. It is also the control that forces you to decide just how mature you want your company's security to be.
This control differs from the ones we have discussed so far: for a larger corporation, implementing it is essential, and for a smaller business it is just as important to know what these security checkpoints are, even if you do not have an entire team dedicated to monitoring them.
In the simplest terms, CIS Control 5 means that every configuration you deploy has been validated and is kept in a known-good store (a backup or repository you control). Formally, it is establishing, implementing and actively managing (tracking, reporting on, correcting) the security configuration of mobile devices, laptops, servers and workstations using a rigorous configuration management and change control process, in order to prevent attackers from exploiting vulnerable services and settings.
Recently, the area where companies have been hurt most by failing at CIS Control 5 is the software supply chain. Several recent, large attacks have delivered malicious code through the update channel itself: the victim downloads what it believes is a legitimate update, and the update does the damage.
SCAP (Security Content Automation Protocol) is another piece of the Control 5 puzzle. SCAP itself is a set of NIST specifications for describing configuration checks in a machine-readable form; what Control 5 calls for is a SCAP-compliant configuration monitoring system that verifies all security configuration elements, catalogs approved exceptions, and alerts when unauthorized changes occur. Whenever you make a software configuration change, the monitor checks the result against the approved baseline; if a setting drifts out of that configuration, it alerts, so a team can recognize the out-of-range config and fix it. One of the big players here is BigFix, an IBM product. It is expensive, but a lot of larger companies use it because they do care about this, and a misconfiguration that leads to a breach has a large financial impact for them.
CIS Control 5 can be broken down into two pieces: hardware and software.
The hardware portion includes things such as:
- Firewalls (Firmware)
- Firewall Configurations
- PLC Configurations
Before you do anything with a firewall, back up its configuration. If you later replace the hardware, having the backup simplifies the process: you load that configuration onto the replacement. The configuration is a text document with very specific formatting. CIS Control 5 encourages backing up ALL configurations. Many people who do not back up end up hunting for a pre-built configuration or driver somewhere else, which leads to the next point.
You never want to download a configuration from the internet; it is simply not something you do. Always download drivers from known-good sources, such as the manufacturer's website. Never download drivers from a third party: many of them come with secondary malicious payloads or contain rootkits.
A test environment lets you identify impacts to productivity before a new configuration or driver is deployed to production. Continual monitoring of configurations should happen not only in testing but in production. This part of CIS Control 5 is why a lot of people end up taking harmful shortcuts or simply ignoring the control: secured configurations include drivers, which someone has to test and monitor, and a department that continually tests this does not always look cost effective, so it typically gets overlooked.
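To make the SCAP-style monitoring described above concrete (verify every configuration element, catalog approved exceptions, alert on unauthorized change), and to show what a backed-up firewall configuration is good for once it exists, here is a small drift monitor. It is an added example written for this page, not BigFix, not a SCAP tool, and not code from The IT Company. The "key ... value" line format of the configs, the exception catalog, the benchmark rules and both sample configurations are constructed assumptions for the example.

```python
"""Configuration drift monitor, added as an example (not a SCAP tool).
Compares a running config against the backed-up baseline, honours a catalog
of approved exceptions, alerts on everything else, and checks both against a
hardening benchmark. The line format, catalog and rules are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the approved firewall config as it was backed up.
BASELINE = """\
hostname edge-fw-01
logging host 10.0.0.5
ntp server 10.0.0.6
ssh version 2
telnet enabled false
snmp community public
password-policy min-length 14
"""

# Constructed sample: the running config pulled from the device later.
RUNNING = """\
hostname edge-fw-01
logging host 10.0.0.5
ntp server 10.0.0.7
ssh version 2
telnet enabled true
snmp community public
password-policy min-length 14
admin-user backdoor privilege 15
"""

# Approved-exception catalog (assumed format): setting -> (approved value, change ticket).
EXCEPTIONS = {"ntp server": ("10.0.0.7", "CHG-1042")}

# Hardening benchmark (assumed rules): setting -> predicate the value must satisfy.
BENCHMARK = {
    "telnet enabled": lambda v: v == "false",
    "ssh version": lambda v: v == "2",
    "snmp community": lambda v: v not in ("public", "private"),
    "password-policy min-length": lambda v: v.isdigit() and int(v) >= 14,
}

@dataclass(frozen=True)
class Finding:
    kind: str                 # "changed", "added", "removed" or "approved"
    key: str
    expected: Optional[str]
    actual: Optional[str]
    ticket: Optional[str] = None

def parse(config_text):
    """One setting per line: the last token is the value, the rest is the key.
    Lines starting with '!' or '#' are comments (assumed config syntax)."""
    settings = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0][0] in "!#":
            continue
        settings[" ".join(tokens[:-1])] = tokens[-1]
    return settings

def fingerprint(config_text):
    """SHA-256 of the whitespace-normalized config; store it beside the backup
    so a tampered or stale baseline file is noticed before it is trusted."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def audit(baseline_text, running_text, exceptions):
    """Diff running vs baseline; a difference matching a cataloged exception
    is 'approved', anything else is unauthorized drift."""
    base, run = parse(baseline_text), parse(running_text)
    findings = []
    for key, expected in base.items():
        actual = run.get(key)
        if actual is None:
            findings.append(Finding("removed", key, expected, None))
        elif actual != expected:
            approved = exceptions.get(key)
            if approved and approved[0] == actual:
                findings.append(Finding("approved", key, expected, actual, approved[1]))
            else:
                findings.append(Finding("changed", key, expected, actual))
    for key, actual in run.items():
        if key not in base:
            findings.append(Finding("added", key, None, actual))
    return findings

def alerts(findings):
    """Everything that is not a cataloged exception should page someone."""
    return [f for f in findings if f.kind != "approved"]

def benchmark_failures(settings, rules=BENCHMARK):
    """Settings that are missing or fail their benchmark predicate."""
    return [k for k, ok in rules.items() if k not in settings or not ok(settings[k])]

if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE))
    for f in audit(BASELINE, RUNNING, EXCEPTIONS):
        print(f"{f.kind:8} {f.key}: {f.expected} -> {f.actual} {f.ticket or ''}")
    print("baseline benchmark failures:", benchmark_failures(parse(BASELINE)))
    print("running benchmark failures:", benchmark_failures(parse(RUNNING)))
```

On the sample data the NTP change is recorded as approved under its ticket, while the re-enabled telnet service and the new privileged account are alerted as unauthorized drift. The benchmark pass is the part people skip: it shows that the baseline itself still carries a default SNMP community, so a backup that restores cleanly is not the same thing as a secure configuration.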
If you have PLCs, you probably have a bank of configurations lying around. Make sure those configs are stored securely, not only because whatever you load onto a PLC must not break something, but because if attackers get hold of those configs they will know the ins and outs of your setup. That is why this control is so important.
The software piece includes imaging, updates and installers.
Imaging is used as a security measure by a lot of people who follow Control 5, and they typically bring in a team to manage it as well. At The IT Company we have an imaging server, and imaging is one of the things we do, though not always from a security standpoint; we mostly use it for ease of deployment. The benefits of imaging are nonetheless vast: every machine starts from the same known, validated baseline instead of whatever configuration it happened to accumulate.
Updates are the same: they are not always done for security, but there are security benefits in doing them properly. Often a WSUS server is used: updates are downloaded to the server, approved there, and pushed out to the clients.
Windows 10 added a new update feature, Delivery Optimization, which lets a computer fetch updates from another computer already on the network instead of reaching out to Microsoft. At The IT Company, we believe this feature can and should be disabled; it is controlled by the Delivery Optimization "Download Mode" setting in Group Policy.
Installers are where a lot of people make the mistake of downloading from invalid sites. People go to a site like Softpedia, or some other site that is not a valid source for installers; it happens all the time. They download what they think is a legitimate video game, but really they are infecting the system. That is what ends up catching end users who have no controls in place to stop them installing software: they say, "Hey, I wanted to install this one application, why do I have these six other programs installed too?"
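The rule in both the driver paragraph above and this one is the same: take drivers and installers only from the manufacturer, and check that what arrived is what the manufacturer published. The following download gate is an added example for this page (not a tool The IT Company uses and not part of CIS Control 5 itself): it accepts a file only when it was fetched over HTTPS from an allowlisted vendor host and its SHA-256 matches the vendor's published checksum list. The vendor hosts, file names, file contents and the checksum list are all constructed for the example.

```python
"""Download gate for drivers and installers, added as an example.
A file is accepted only if it came over HTTPS from an allowlisted manufacturer
host and its SHA-256 matches the entry in the vendor's published checksum
list. Hosts, file names and file contents below are constructed."""
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed allowlist: only the manufacturer's own download hosts, exact match.
TRUSTED_HOSTS = {"downloads.example-vendor.com", "support.example-vendor.com"}

# Constructed stand-in for the installer the vendor actually ships.
GENUINE = b"MZ\x90\x00" + b"example-vendor NIC driver 3.1.7 installer"
# Constructed "repackaged" copy from a third-party mirror: same file plus a bundled extra.
REPACKAGED = GENUINE + b"\n[bundle] toolbar-offer.exe"

# Constructed vendor checksum list in the usual 'SHA256SUMS' layout: "<hex>  <filename>".
SHA256SUMS = (
    hashlib.sha256(GENUINE).hexdigest() + "  nic-driver-3.1.7.exe\n"
    + hashlib.sha256(b"release notes").hexdigest() + "  release-notes.txt\n"
)

def parse_sha256sums(text):
    """'<hex>  <filename>' per line -> {filename: hex}. Ignores blank and
    '#' comment lines and the leading '*' some tools put before binary names."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.startswith("#"):
            continue
        digest, name = parts
        table[name.strip().lstrip("*")] = digest.lower()
    return table

def source_is_trusted(url, trusted=TRUSTED_HOSTS):
    """HTTPS only, and the host must equal an allowlisted host exactly, so a
    lookalike such as downloads.example-vendor.com.evil.net is rejected."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in trusted

def verify_download(url, filename, data, sums_text):
    """Return (accepted, reason). Source is checked first, then integrity."""
    if not source_is_trusted(url):
        return False, "untrusted source"
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False, "no published checksum for this file"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "checksum mismatch"
    return True, "ok"

if __name__ == "__main__":
    vendor = "https://downloads.example-vendor.com/drivers/nic-driver-3.1.7.exe"
    mirror = "https://mirror.free-downloads.example.net/nic-driver-3.1.7.exe"
    print("vendor, genuine:   ", verify_download(vendor, "nic-driver-3.1.7.exe", GENUINE, SHA256SUMS))
    print("vendor, repackaged:", verify_download(vendor, "nic-driver-3.1.7.exe", REPACKAGED, SHA256SUMS))
    print("mirror, genuine:   ", verify_download(mirror, "nic-driver-3.1.7.exe", GENUINE, SHA256SUMS))
```

The bundled copy fails on the checksum even though it came with the real installer inside it, which is exactly the "six other programs" case. A matching checksum only proves the file is the one the vendor published, not that the vendor's file is safe (the supply-chain attacks mentioned earlier pass this check), so on Windows the signed-code check (Get-AuthenticodeSignature on the file) belongs in the same gate.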
With Control 5 it really becomes a cost-benefit analysis. How secure do you want to be? How much are you willing to spend? If you are a large corporation, these are the questions you need to start asking, and then begin implementing CIS Control 5.
For The IT Company customers: CIS Control 5 may seem inapplicable to you because of the small size of your business, but don't be fooled. The IT Company wants you to be aware of the elements of CIS Control 5 so that you remain secure and have the capability to grow. Knowledge is key, but beyond being aware of the steps of CIS Control 5, be sure you are getting any applications you download from validated sources.