In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses system hardening best practices - and how to get started. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Hey, Robert, welcome back. Great to be speaking with you.
A: Great to be back on your show, Hillarie.
Q: For this episode of the Data Security Podcast, we're going to continue our system hardening conversation and go over some system hardening best practices. And I know we've talked about system hardening a few times, but even though we keep talking about it, people aren't doing it. So I guess, you know, why aren't people doing it? That's my first question for you, Robert. And is it because it's such a manual task just to harden a system? Is that perhaps why they're not doing it?
A: Good question, you know. I wonder the same sometimes. Well, I think that many diligent security professionals actually are implementing system hardening. And in fact, I believe that they're really reaping the rewards of having a strong security posture as a result. However, I get your point, and I agree that not enough people have truly embraced system hardening. And I think there are probably two issues. The first: the process of hardening a system can involve modifying up to 300 different configuration settings in a system to ensure it's configured in that secure manner, according to consensus-based best practices. This can be a daunting task because many people don't know exactly how to do this, nor what exact steps are necessary to configure their systems into this hardened state. So, they really don't understand where to start. And then, on top of that, once your systems are configured in this hardened state, how do you ensure that they actually stay that way? Because, you know, once you install software, or say you perform updates, your system will slowly drift away from that strong and hardened state. So, of those 300 settings, which ones have been modified due to a security patch? Or which ones are no longer set correctly? This is a daunting question, as is the thought of manually checking 300 settings to ensure that they're somehow all in the right state. And just imagine doing that for hundreds of systems. In fact, just imagine doing that for one system. That's just absolutely overwhelming.
Q: My next question that I'm thinking about is, you know, is there a way that people can automate this process? We're hearing more and more about automation in every aspect of cybersecurity, and I'm just curious if, perhaps, this could extend to system hardening in some way as well.
A: Right. Well, there are a couple of tools that can actually help accelerate the process. There are some tools available that can provide security professionals with the details, the exact steps, and the exact commands necessary to configure those systems into a hardened state. And then, second, there is also a category of tools that can be used to assess the systems in your infrastructure, to ensure that they're configured in that hardened manner.
Q: What are some, I guess, best practices for those looking to continue or begin hardening their systems?
A: Well, I believe the first step is to identify which set of hardening standards you would prefer to implement within your organization. For instance, if you are a federal agency, you will likely find that DISA STIGs are the best set of hardening standards for your organization. And if you are a commercial enterprise or some other type of organization, you'll likely find that CIS Benchmarks are the best choice. You know, we find that CIS Benchmarks are amazing because they cover a wide range of operating systems and devices. In fact, CIS has benchmarks for over 140 different types of devices and operating systems. This is enough to ensure that you can configure almost all of the important assets in your infrastructure in a secure manner.
Another best practice is to use a tool to help automate all of it, just like you asked in a previous question. Such as our tool, the CimTrak Integrity Suite, which can be used to monitor your assets continuously, so that you can ensure that all of your critical assets are always configured in a hardened state. This provides you with insight into exactly what has deviated from a secure configuration. For instance, if you have a hundred systems, it can let you know that these three systems have deviated from the expected secure configuration and provide you with exact step-by-step instructions on how to configure those systems in a manner that complies with those benchmarks. This not only saves you time and money, but it can dramatically help you improve your security posture, and, most of all, you can prove it to your auditors.
So, you've been a great friend of Cimcor, Hillarie, and in return, we're willing to provide free trial licenses to anyone in your audience. Have them visit our website at www.cimcor.com. That's C as in cat, I, M, C, O, R.com. They can sign up for a free demo. Hardening systems and monitoring them continuously - it doesn't have to be difficult. I think that CimTrak is the easiest way to achieve a strong security posture, whether your infrastructure is on-prem or in the cloud.
Q: Thank you for offering that to folks, and just thank you for always joining me and having such a great time together, Robert. I'm looking forward to our next conversation together.
A: I appreciate it. Thank you so much for inviting me back to your show.
February 28, 2023