By Jeff Elliott
We have entered the era of multiple security frameworks. Sometimes mandatory, often voluntary, security frameworks are created to provide federal and commercial organizations with an effective roadmap for securing information technology (IT) systems. The goal is to reduce risk levels and prevent or mitigate cyberattacks.
To accomplish this task, security frameworks typically provide a series of documented, agreed upon, and understood policies, procedures, and processes necessary to secure the confidentiality, integrity, and availability of information systems and data.
In the United States, the overarching framework is the National Institute of Standards and Technology (NIST) Cyber Security Framework. As part of the Department of Commerce, NIST is responsible for developing technical standards and guidelines for information security, among other things. NIST standards apply to U.S. federal agencies and critical infrastructure, but are also widely used throughout the private sector.
Read more on security on SAE.org (choose from more than 15,000 resources) and the Cybersecurity Knowledge Hub on SAE MOBILUS.
Specialized frameworks are less comprehensive and address specific aspects of information compliance. HIPAA, for example, provides security requirements to protect patient privacy; PCI in the retail sector addresses credit card processing; FedRAMP covers Federal cloud standards; and the energy sector relies on the NERC Critical Infrastructure Plan. The list is long, and today even individual states are adopting their own cybersecurity frameworks (e.g., NYDFS).
If a drawback to security frameworks exists, however, it is that most provide a “30,000-foot view” of information security. Most identify potential risks as well as how to protect, detect, respond, and even recover from cyberattacks. Specific implementation steps, on the other hand, are rarely addressed.
One critical exception exists. At the core of most, if not all, the frameworks are a set of security-related controls that affect the security posture and/or functionality of the system.
Now, with established, recognized standards to accomplish this network security “hardening,” along with new automation solutions, IT personnel have an effective starting point and foundation for implementing security frameworks.
Critical security controls and configuration settings
Critical security controls provide specific safeguards for any and all systems connected to the network, including mainframe computers, servers, endpoints, attached devices, network appliances, operating systems, middleware, and applications.
The controls impact areas such as access control, audit and accountability, identification and authentication, contingency planning, incident response, configuration and change management, and physical and environmental security. By changing configuration settings in hardware, software, or firmware, companies can improve their security posture.
Of all the available frameworks, NIST SP 800-53 provides the most comprehensive baseline for security controls in its latest published revision, which are prioritized and categorized by level of risk. Yet, it is still up to the individual organization to establish company-specific configuration settings and changes to registry settings, account, file directory permission settings, and settings for functions, ports, protocols, services, and remote connections.
This task often falls to information security and IT staff, many of whom lack the background and training in the area. It introduces the potential that systems will be under-protected and/or left with exploitable security gaps.
As a result, many organizations – even those that apply security frameworks voluntarily – are moving away from proprietary security hardening efforts in favor of recognized and established best practices. This simplifies deployment and configuration, enhances change control, and automates auditing – reducing risk.
NIST and other security frameworks point to one of two publicly available configuration standards: Security Technical Implementation Guides (STIGs) or CIS Benchmarks.
STIGs and CIS
STIGs, published by the Defense Information Systems Agency, a support agency for the Department of Defense (DoD), outline hundreds of pages of detailed rules that must be followed to secure or “harden” the DoD computing infrastructure properly. STIGs are mandatory for DoD agencies, but any civilian agency and even commercial companies are welcome to use STIGs.
For most commercial organizations, however, CIS is the security standard of choice. The Center for Internet Security (CIS) is a non-profit organization originally formed in 2000 with a mission to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense.”
CIS employs a closed crowdsourcing model to identify and refine effective security measures, with individuals developing recommendations that are shared with the community for evaluation through a consensus decision-making process.
“Most organizations need a starting point that works today and that they can explain in simple language to their board on what needs to be done, and that is really where the CIS Benchmarks and CIS Critical Security Controls provide is that starting point,” says Curtis W. Dukes, executive vice president and general manager of the best practices and automation group at CIS.
Although minor differences exist between STIGs and CIS Benchmarks, the two overlap and are pretty much interchangeable, says Brian Hajost of SteelCloud, focused on automated security control compliance, in Ashburn, Virginia.
Implementation of either STIG or CIS Benchmarks can be a challenge, however, if the process isn’t automated in some manner, due to the disparate requirements and configurations of networks.
Changes to security settings can also have unintended consequences. When the configuration settings of an application are re-configured, it can cause the installed application to “break,” such that it won’t install and/or run properly.
“If the same security policies and configurations could be implemented on all systems, compliance would be a rather easy exercise,” Hajost explains. “All applications respond to security policies differently. Because configuration settings have the potential to ‘break’ applications, the settings for each system, therefore, have to be uniquely adapted or tuned to each application in the operational environment.”
For example, if some of the configuration settings of a Windows or Linux operating system on which an application operates are reconfigured, the application will break. If an application requires specific settings to operate and those settings are prohibited or blocked, the application will fail to load or operate.
Often, server policies must be manually adjusted on an application-by-application, server-by-server basis – a painstaking task that can take many weeks and often falls to system administrators, application administrators, or information assurance staff.
“There are thousands of IT staff that are tasked with addressing compliance manually, but many are not experienced or trained in it,” Hajost adds. “So, they muddle through, but the initial effort can take weeks or even months.”
Automation can come into play here. Software tools can automate implementation of a security benchmark, even across complex and disparate environments with varying security policies. (Read more under "About ConfigOS" below.) Automated software also simplifies ongoing compliance, which in IT is a constantly evolving process.
“New security updates are introduced periodically to account for newly discovered vulnerabilities as well as changes and updates by the vendors supplying the major operating environment components,” Hajost describes.
Limiting risk and liability
Automating configuration security settings can be of immense value, but it is not intended to provide a complete cybersecurity framework. Still, the automation and associated documentation provided can play a critical role in reducing legal liability and attaining cyber insurance.
Legislation enacted recently in Ohio and in 2017 in California establishes legal protections for organizations that have implemented an established security framework, such as CIS Critical Security Controls, should the organization suffer a data breach.
“If a data breach gets litigated or adjudicated in a court of law, you want to be able to demonstrate to a judge or jury that you had reasonably implemented and followed a security best practice framework,” Dukes says.
Although many of the security frameworks are still voluntary in the commercial sector, Dukes has seen increased adoption from forward-thinking organizations in the retail, IT consulting, and academia sectors.
“In the near future, more security frameworks are going to move from being voluntary to mandated,” Dukes predicts. “Organizations should spend time getting educated and starting the process toward more effective cyber defense now, and not wait until it is mandated. There is too much at stake.”
About the author
Jeff Elliott is a Torrance, Calif.-based technical writer. He has researched and written about industrial technologies and issues for the past 20 years.
ConfigOS from SteelCloud currently supports more than 6,000 standard CIS and STIG configuration settings. The software produces a domain-independent comprehensive policy “signature” including user-defined documentation and policy waivers. In this step, weeks or months of manual work can be completed in an hour.
The signature and documentation are included in a secure, encrypted signature container used to scan endpoints (laptops, desktops, physical/cloud servers) without being installed on any of them. The time it takes to implement hundreds of configuration security settings on each endpoint is typically under 90 seconds and ConfigOS can handle multiple implementations at a time.
Automating the process reduces initial hardening time by 90 percent, Hajost estimates, while reducing system security policy maintenance expenses by roughly 70 percent. More information on ConfigOS from SteelCloud is available at www.steelcloud.com.
Bookmark http://www.sae.org/news to keep pace with the latest aerospace technology news & information.
Learn about AeroPaks to access 8,000+ SAE aerospace standards, specifications, recommended practices, and resource documents available in SAE MOBILUS.
Subscribe to SAE MOBILUS for access to more than 200,000 resources, including aerospace standards, technical papers, eBooks, magazines, and video.
Visit SAE International's Knowledge Hubs -- access points to the best industry resources, training, and current news -- designed to provide everything you need to know about emerging mobility technologies.