Hardening Baselines for reducing attack surface

Linkedin 12-01-2022 a

Most new digital assets, such as servers and operating systems, are unconfigured by default. When an asset is installed, all options are activated. While most new assets require several software and firmware updates, most aren't fully updated. System hardening helps here.

System hardening involves customizing an asset to limit its vulnerability to cyber threats. Disabling superfluous services, user accounts, and ports reduces the asset's attack surface. System hardening has one goal. In general, the smaller an asset's attack surface, the harder it is for an attacker to acquire unauthorized access.

Setting a Hardening Baseline
Setting a baseline is a critical step in system hardening. This involves a preliminary system 'hardness' assessment against a best practice framework. We recently addressed the CIS benchmarks and their purpose. Experts in the field of cybersecurity established the CIS benchmarks as a set of best practice configuration standards. CIS benchmarks are the worldwide recognized standard for secure setup, with over 100 accessible for key corporate technologies. So they're perfect for system hardening.

A manual or solution-assisted examination of systems and assets is required to identify a baseline. In the absence of a benchmark, this initial assessment becomes the baseline.

Then comes two steps:

  • Configuration flaws should be corrected.
  • Additional assessments should be done on a timetable to bring in-scope assets into compliance with CIS benchmarks and keep them compliant.
Follow-up assessments should be done often. A configuration or file update that violates a CIS benchmark exposes an asset to attack. The longer a asset is non-compliant, the greater the danger. To swiftly identify and handle non-compliance issues, many firms utilize automated systems to continuously monitor files and system settings.


Hardening a Network
Hardening a network means removing vulnerabilities before an attacker can exploit them. Three functions are required:

Configuration Control
Any secure network must be properly configured. correctly means 'as per CIS benchmarks.' As previously noted, there are two degrees of CIS benchmarks: minimal coverage and 'defence in depth'. Which is best for your network depends on your risk tolerance and threat landscape.

Management of Vulnerabilities
Network security is a never-ending job. Every day, new flaws are discovered, and vendors patch their products. Network hardening requires a rigorous scanning and remediation process.

Secure Development (SDLC)
A rigorous procedure for utilizing and reviewing secure development methods is also required for internal apps and services. A lack of it leaves the network open to cyber attacks.

Using these three hardening functions builds a solid cybersecurity programme. It eliminates unwanted access points that an attacker could exploit and protects the network from typical attacks. Even powerful security technology won't defend a network from cyber threats unless these actions are taken first.

CIS hardened Images
Organizations employ virtual machines (VMs) for several purposes, including providing computer access to users. VMs allow a server to act as several physical computers while allowing remote access via a user's own device or a thin client.

VMs are usually constructed using a pre-made image provided by the OS vendor. Not only does this save time, but it also poses a problem. Supplier images are unconfigured; thus, hardening a newly formed VM can be resource expensive. CIS Hardened Images are VM images that have been configured to CIS security criteria. This report includes any exceptions applied to allow the image to run in the cloud. They are also currently available through Extreme Compute.

Benefits of CIS Hardened Images:
  • The images are certified to CIS standards.
  • Manually hardening a base image takes significantly more resources.
Notably, adopting CIS Hardened Images does not totally fix the system hardening issue. While these images start out compliant with CIS standards, that doesn't mean they will stay that way. Regular assessments are required to guarantee that no configuration or file modifications have resulted in a VM falling below benchmark norms.

Why is System Hardening crucial?
System hardening is critical for security and compliance. System hardening is a prerequisite for security solutions like firewalls and EDRs. No matter how much money is spent on cybersecurity, a system that isn't properly set up and maintained won't be secure. 

Moreover, all major compliance frameworks require system hardening. For example, PCI-DSS 2.2 requires:

"[...] establish system component configuration standards. Check that they handle all known security issues and are in line with industry-accepted system hardening requirements."

What constitutes a system hardening standard? CIS benchmarks. As a matter of fact, all major compliance frameworks link to CIS benchmarks as the established best practice. As a result, if your company must comply with one or more frameworks, CIS benchmarks must be followed.

Hardening Systems Automation with Extreme Compute
In order to analyze system hardness, detect flaws and provide remedy recommendations, EC cloud automates the process. Extreme Compute continuously scans your surroundings and compares them to CIS benchmarks. When a misconfiguration is found, Extreme Compute notifies the user and gives clear instructions for restoring compliance. This feature allows organizations to:

Evaluate current system and asset hardness: Continuous scanning compares system setup to CIS benchmarks.

See errors and non-compliance in real-time: Manual examinations are time-consuming and only provide a snapshot of system compliance. Extreme Compute automates compliance and eliminates manual assessments.

Ensure systems are always 'hard': Extreme Compute reduces the attack surface of systems and assets by alerting and guiding non-compliance issues.

Know more about how Extreme Compute can help your firm reach security and compliance goals.