What is System Hardening?

Most digital assets come in an unconfigured state. By default, everything is enabled—all services are turned on, all ports are open, etc. This is useful from a usability perspective but terrible for security. 

Often, assets aren't fully up-to-date, either. They may require several software and firmware updates before they are ready to use. This is where system hardening comes in. 

System Hardening is the process of reducing an asset's vulnerability to cyber threats by configuring it in line with security best practices.

System Hardening includes:

  • Installing all the latest software and firmware patches.

  • Disabling unnecessary services, user accounts, and ports.

  • Changing default credentials and account information.

  • Maintaining configuration settings in line with a best practice framework.

By making (and enforcing) these changes to every asset, an organization can dramatically reduce the risk of serious security incidents and breaches.

What is the Purpose of System Hardening?

The purpose of system hardening is simple: to reduce each asset's attack surface.


NIST defines attack surface as:

"The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from."


An asset's attack surface amounts to the sum of vulnerabilities, entry points, and methods an attacker could use to compromise it. An organization's attack surface is the sum of those same vectors across all its assets and IT infrastructure. 

The smaller an asset's attack surface—the fewer entry points it has—the harder it is to compromise.


Benefits of System Hardening

System hardening is an essential part of any cybersecurity program.

Enforcing secure configuration management across an IT environment is a fundamental first step in protecting IT and information assets—without it, no amount of spending on fancy tools will meaningfully reduce cyber risk. 

Organizations Use System Hardening to...

  • Build and maintain a best practice security profile.

  • Eliminate insecure configuration settings.

  • Protect the organization from known threats.

  • Offload unnecessary cyber risk by narrowing the attack surface.

System hardening is mandated by all major compliance frameworks.

For example, PCI-DSS requirement 2.2 requires organizations to:

"[...] develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with security accepted system hardening standards."

Accepted system hardening standards include CIS Benchmarks and DISA STIGs, which we'll cover in more detail shortly.

All major compliance frameworks, including PCI-DSS, HIPAA, and FedRAMP, point to these frameworks as accepted best practices for system hardening. If your organization needs to be compliant with one or more frameworks, adhering to one of them is essential.

System Hardening Standards (NIST, CIS, and DISA)

Trying to manually determine the most secure configuration for every asset is a highway to nowhere. 

Operating systems and other IT assets are often highly customizable, with thousands of ports, services, and settings to configure. If organizations had to determine the ideal configuration for every individual asset, it would take years to build a secure environment. That's why most organizations opt to follow system hardening best practices in the form of a recognized standard.


To help you identify and maintain the configuration settings needed for a hardened attack surface, several organizations provide system hardening standards. These include:

NIST also maintains Special Publication 800-70, its checklist program for IT products.

These standards provide best practice security configuration guides for a wide range of common IT assets, including operating systems, cloud environments, network devices, servers, and more. 


While useful, the NIST publication and checklists have a slightly different purpose and audience. For most organizations, choosing a system hardening standard comes down to CIS Benchmarks vs. DISA STIGs. To help you choose between them, the next section provides a breakdown of the two standards, how they're structured, and who they are intended for.

What are CIS Benchmarks?

Published by the Center for Internet Security (CIS), CIS Benchmarks are best-practice security configuration guides developed in collaboration with government organizations, businesses, academic institutions, and security industry experts.

The Benchmarks are designed to help organizations ‘harden’ digital assets. Over 100 benchmarks are available across 14 technology groups, including assets produced by Microsoft, Cisco, AWS, and IBM.

Although not a regulatory requirement, most major compliance frameworks—including PCI-DSS and HIPAA—have configuration management requirements that map closely to CIS Benchmarks.

Combined with regular updates and inputs from a range of industry stakeholders, this makes CIS Benchmarks an ideal system hardening framework for any organization.

Who are CIS Benchmarks For?

Organizations across all industries and geographies use CIS benchmarks to help them achieve security and compliance objectives. The CIS benchmarks are the only best-practice security configuration guides that are both developed and accepted by government, business, industry, and academic institutions. They are also globally recognized, unlike DISA STIGs, which are developed exclusively for the US.

CIS Benchmarks are very popular in heavily regulated industries such as healthcare, financial services, and government.

Aside from their security and compliance benefits, Benchmarks are freely available. Any organization can get started by downloading the relevant content from the CIS website.

CIS Benchmark Level 1 vs Level 2

Each CIS Benchmark is split into two 'tiers' to accommodate different security and compliance needs.

CIS Benchmark Level 1

An entry-level set of requirements that helps an organization rapidly minimize its attack surface while prioritizing business functionality. Achieving level 1 compliance across all assets is the minimum level of security an organization should aim to meet.

CIS Benchmark Level 2

More robust requirements that promote ‘defense in depth’. Level 2 is essential for organizations with high security and compliance needs, such as those in heavily regulated industries. Level 2 compliance is more complex and resource intensive to maintain.

All CIS Benchmarks can be downloaded for free in PDF format via the CIS website. Each document is extremely thorough, with some running as long as 800+ pages. Ensuring compliance with CIS Benchmarks across all assets can be a complex undertaking—particularly when relying on manual audits and interventions.
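The following is an added example, not code from Cimcor or CIS, showing what a profile-levelled benchmark check looks like in practice: a small rule set where each rule carries a Level 1 or Level 2 tag, applied to a constructed sshd_config sample. The rule identifiers (X-1 to X-4) and the rule set itself are hypothetical and are not taken from any CIS Benchmark; the "first occurrence wins" parsing mirrors how sshd actually reads its configuration.

```python
"""Audit an sshd_config-style file against a small, profile-levelled rule set.

Added, illustrative example, not code from Cimcor or CIS. The rules below are
constructed to show the Level 1 / Level 2 idea and are not taken from a CIS
Benchmark; rule identifiers (X-1 ...) are hypothetical.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical identifier, not a CIS recommendation number
    key: str       # configuration directive to check
    expected: str  # value the benchmark profile requires
    level: int     # 1 = Level 1 profile, 2 = Level 2 profile (includes Level 1)
    title: str


# Constructed rule set (illustrative only).
RULES = [
    Rule("X-1", "PermitRootLogin", "no", 1, "Disable direct root login"),
    Rule("X-2", "X11Forwarding", "no", 1, "Disable X11 forwarding"),
    Rule("X-3", "PasswordAuthentication", "no", 2, "Require key-based authentication"),
    Rule("X-4", "MaxAuthTries", "4", 2, "Limit authentication attempts per connection"),
]


def parse_config(text):
    """Parse 'Keyword value' lines into {keyword_lower: value}.

    sshd applies the first occurrence of a keyword, so a later duplicate does
    not override an earlier one; the parser keeps the first value as well.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(settings, rules, level):
    """Return (rule_id, level, status, actual) for every rule in the profile.

    status is PASS, FAIL, or MISSING (directive absent, so the daemon default
    applies and has to be verified separately).
    """
    findings = []
    for rule in rules:
        if rule.level > level:
            continue
        actual = settings.get(rule.key.lower())
        if actual is None:
            status = "MISSING"
        elif actual.lower() == rule.expected.lower():
            status = "PASS"
        else:
            status = "FAIL"
        findings.append((rule.rule_id, rule.level, status, actual))
    return findings


def summarize(findings):
    """Count findings by status, e.g. {'PASS': 1, 'FAIL': 1}."""
    return dict(Counter(status for _, _, status, _ in findings))


# Constructed sshd_config sample; a real audit would read the file from disk.
SAMPLE_CONFIG = """\
# constructed sample, not a real host configuration
PermitRootLogin yes
X11Forwarding no
PasswordAuthentication yes
# this later duplicate is ignored by sshd (first occurrence wins)
PermitRootLogin no
"""

if __name__ == "__main__":
    settings = parse_config(SAMPLE_CONFIG)
    for level in (1, 2):
        print(f"Level {level}: {summarize(audit(settings, RULES, level))}")
        for finding in audit(settings, RULES, level):
            if finding[2] != "PASS":
                print("   ", finding)
```

Running the sample at Level 1 reports one failure (root login) and one pass; Level 2 adds a second failure and a MISSING directive. The MISSING status is the one worth keeping distinct in a real audit: an absent directive means the daemon default is in force, and whether that default is acceptable has to be checked against the benchmark rather than silently counted as a pass.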

CIS Hardened Images are Virtual Machine (VM) images that have been configured to secure standards based on the relevant CIS Benchmark. Currently, they are available through AWS, GCP, Microsoft Azure, and Oracle Cloud marketplaces and come with a report that details the image's compliance, including any exceptions made to enable the image to run on the cloud.

Benefits of CIS Hardened Images

  • Protect: images are certified in line with CIS Benchmarks.

  • Remediate: far less resource-intensive than manual hardening.

Note, however, that using CIS Hardened Images doesn’t completely solve the problem of system hardening. While these images start from a position of compliance with CIS benchmarks, there is no guarantee they will stay that way.

To ensure they remain compliant, regular assessments must be completed to ensure that any configuration or file changes made have not caused a VM to drop below benchmark standards.

A full list of Hardened Images is available on the CIS website.

Maintain Continuous Compliance with CIS Benchmarks

Trying to maintain a hardened attack surface is practically impossible—even with CIS Hardened Images.

A Next-Gen FIM tool can help your organization enforce best practice configuration across its entire IT environment. To see how this can help you reduce risk and prevent costly data breaches, download our free guide.

What are DISA STIGs?

The Defense Information Systems Agency’s (DISA) Security Technical Implementation Guides (STIGs) are a set of best practice rules for installing and supporting IT systems. 

Each STIG relates to a specific asset—e.g., an operating system, application, or piece of network hardware—and lays out the configuration and maintenance practices needed to ensure it is set up and managed securely.

The application of STIGs for system hardening ensures federal government information is stored and accessed by IT assets that have been configured in line with a best practice standard.

Who are DISA STIGs For?

Developed by DISA on behalf of the Department of Defense, STIGs are the accepted standards used by federal government organizations and contractors to ensure the security of government information. For these organizations, using DISA STIGs is a regulatory requirement.

DISA STIG Library

There are over 500 STIGs in the DISA STIG library, containing more than 20,000 controls. STIGs are updated every 90 days, making them a relevant and up-to-date source of configuration guidance.

Because each STIG is so comprehensive, ensuring your organization complies with all relevant STIGs can be complex. However, once you have the systems and processes in place to achieve and maintain compliance, you will see a significant reduction in cyber risk.

DISA STIG Viewer

One of the easiest ways to view, download, and work with STIGs is via the DISA STIG Viewer tools available through the DoD Cyber Exchange. These tools allow the user to view the XCCDF associated with each STIG, create a checklist of requirements, and assess assets for compliance.
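To show what "the XCCDF associated with each STIG" actually contains, here is an added example (not a DISA or Cimcor tool) that reads a minimal, constructed XCCDF 1.1 document, lists its rules with their severity, and narrows them to the groups a Profile selects, which is the starting point of the checklist the STIG Viewer builds. The group and rule ids (V-EX-*, SV-EX-*) and the profile name are made up; the mapping of severity to CAT I/II/III is the DISA convention.

```python
"""Read the rules in an XCCDF benchmark and tally them by DISA category.

Added example, not a DISA or Cimcor tool. The XML below is a constructed,
minimal XCCDF 1.1 document with made-up ids (V-EX-*, SV-EX-*); a real STIG is
far larger but uses the same Benchmark / Profile / Group / Rule structure.
"""
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA convention: high = CAT I, medium = CAT II, low = CAT III.
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample document, not a real STIG.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_STIG">
  <title>Constructed example benchmark (not a real STIG)</title>
  <Profile id="EXAMPLE_PROFILE">
    <title>Example profile</title>
    <select idref="V-EX-1" selected="true"/>
    <select idref="V-EX-2" selected="true"/>
    <select idref="V-EX-3" selected="false"/>
  </Profile>
  <Group id="V-EX-1">
    <title>SRG-EX-000001</title>
    <Rule id="SV-EX-1r1_rule" severity="high">
      <title>The system must not permit direct root logins over SSH.</title>
      <fixtext>Set PermitRootLogin to no in /etc/ssh/sshd_config.</fixtext>
    </Rule>
  </Group>
  <Group id="V-EX-2">
    <title>SRG-EX-000002</title>
    <Rule id="SV-EX-2r1_rule" severity="medium">
      <title>Unneeded services must be disabled.</title>
    </Rule>
  </Group>
  <Group id="V-EX-3">
    <title>SRG-EX-000003</title>
    <Rule id="SV-EX-3r1_rule" severity="low">
      <title>A login banner must be displayed.</title>
    </Rule>
  </Group>
</Benchmark>
"""


def load_rules(xml_text):
    """Return one dict per Rule: group, rule, severity, category, title.

    STIGs place each Rule directly inside a Group under the Benchmark; a
    benchmark with nested Groups would need root.iter() instead of findall().
    """
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            sev = rule.get("severity", "unknown")
            rules.append({
                "group": group.get("id"),
                "rule": rule.get("id"),
                "severity": sev,
                "category": CATEGORY.get(sev, "unknown"),
                "title": rule.findtext("x:title", default="", namespaces=NS),
            })
    return rules


def selected_groups(xml_text, profile_id):
    """Group ids a Profile selects via <select idref=... selected="true"/>."""
    root = ET.fromstring(xml_text)
    for profile in root.findall("x:Profile", NS):
        if profile.get("id") == profile_id:
            return {s.get("idref") for s in profile.findall("x:select", NS)
                    if s.get("selected") == "true"}
    raise KeyError(profile_id)


def checklist(xml_text, profile_id):
    """Rules in scope for a profile plus a tally by category."""
    wanted = selected_groups(xml_text, profile_id)
    in_scope = [r for r in load_rules(xml_text) if r["group"] in wanted]
    tally = {}
    for r in in_scope:
        tally[r["category"]] = tally.get(r["category"], 0) + 1
    return in_scope, tally


if __name__ == "__main__":
    rules, tally = checklist(SAMPLE_XCCDF, "EXAMPLE_PROFILE")
    for r in rules:
        print(f"{r['category']:7} {r['rule']:16} {r['title']}")
    print(tally)
```

The point of separating `load_rules` from `checklist` is that a STIG's rules are not all in scope for every deployment: the Profile decides which groups apply, and the category tally that results (how many CAT I findings are open) is what drives remediation priority.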

CIS Benchmarks vs. DISA STIGs...

For day-to-day system hardening, most organizations choose between CIS Benchmarks and DISA STIGs. For most organizations, we recommend using CIS Benchmarks. This is for several reasons:
  • They cover all commonly used IT assets

  • They are developed in collaboration with government organizations, businesses, academic institutions, and security industry experts

  • They are directly tied to regulatory and compliance frameworks such as ISO 27001, NIST CSF, HIPAA, PCI-DSS, and many more.


How to Implement System Hardening

One of the most important steps in system hardening is establishing a baseline. This requires an initial assessment of system ‘hardness’ against an established best practice framework—either CIS Benchmarks or DISA STIGs.

Identifying a baseline requires a manual or solution-assisted assessment of IT systems and assets to see how closely they align with best practices. This initial assessment—along with clear documentation of any areas where configuration differs from a benchmark by necessity—becomes the baseline.

From there, two steps are required:

1. Configuration shortcomings should be addressed.

2. Regular assessments should be completed to ensure assets remain compliant over time.

Follow-up assessments should be completed as frequently as possible. If a configuration or file change causes an asset to fall out of compliance, it may become vulnerable to attack. The longer the asset remains non-compliant, the greater the risk it poses to the organization.

For this reason, many organizations use automated solutions to continually monitor files and system configuration to identify and resolve non-compliance issues as quickly as possible.

The Role of Change Management in System Hardening

How do you know when an asset falls out of compliance with the relevant CIS Benchmark or DISA STIG?

Change Management

Everything that happens in an IT environment starts with change. A file, configuration setting, or device is altered, deleted, added to, or read by a user or service. Every security incident begins with change, but so does every necessary action. The challenge is determining the difference between good and bad.

The Change Management Process

1. Determine what changed in the environment.

2. Check if the change is authorized under the baseline.

3. Allow, block, or roll back the change as appropriate.

4. Update the baseline with newly allowed changes.

When one of these changes causes an asset to become insecure, that's a system hardening issue.

Change management is about monitoring changes against a trusted baseline—in this case, the relevant CIS Benchmark or DISA STIG. Organizations need a simple way to detect these insecure changes and either prevent or roll them back automatically.
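As an added example (not CimTrak's or any vendor's code), the loop described in this section and in "How to Implement System Hardening" above, carried through end to end: take a baseline of a monitored file set, detect what changed, check each change against an authorized-change list, roll back what is not authorized, and fold what is authorized into the baseline. It runs on an in-memory mapping of path to content so it works offline; the file contents and the change-ticket id (CHG-0001) are constructed, and a real monitor would read the filesystem and a real change-control record.

```python
"""Baseline, detect, reconcile: the change-management loop on a file set.

Added example, not Cimcor's or CimTrak's code. It works on an in-memory
mapping of path -> bytes (constructed sample files) so it runs offline; a
real monitor would read the filesystem. Change-ticket ids are hypothetical.
"""
import hashlib


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """Trusted baseline: the hash and a pristine copy of every monitored file."""
    return {path: (digest(data), data) for path, data in files.items()}


def detect_changes(baseline, files):
    """Step 1: list (kind, path, old_hash, new_hash) for added/modified/deleted files."""
    changes = []
    for path in sorted(set(baseline) | set(files)):
        old = baseline[path][0] if path in baseline else None
        new = digest(files[path]) if path in files else None
        if old is None:
            changes.append(("added", path, None, new))
        elif new is None:
            changes.append(("deleted", path, old, None))
        elif old != new:
            changes.append(("modified", path, old, new))
    return changes


def reconcile(baseline, files, authorized):
    """Steps 2-4: classify each change, roll back the unauthorized ones and
    fold the authorized ones into the baseline. Returns the actions taken.

    authorized maps (path, new_hash) -> change-ticket id; a deletion is
    authorized with new_hash None. baseline and files are updated in place.
    """
    actions = []
    for kind, path, old, new in detect_changes(baseline, files):
        ticket = authorized.get((path, new))
        if ticket is not None:
            actions.append(("allow", kind, path, ticket))
            if new is None:
                del baseline[path]                  # authorized removal
            else:
                baseline[path] = (new, files[path])  # new trusted state
        else:
            actions.append(("rollback", kind, path, None))
            if old is None:
                del files[path]                      # unauthorized addition: remove it
            else:
                files[path] = baseline[path][1]      # restore pristine content
    return actions


def run_scenario():
    """Constructed scenario: one authorized addition, one unauthorized edit."""
    files = {
        "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    }
    baseline = build_baseline(files)

    # Drift after the baseline was taken.
    files["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\n"  # weakens hardening, no ticket
    files["/etc/motd"] = b"Authorized users only.\n"           # approved under a ticket

    authorized = {
        ("/etc/motd", digest(b"Authorized users only.\n")): "CHG-0001",  # hypothetical ticket
    }
    actions = reconcile(baseline, files, authorized)
    return actions, files, baseline


if __name__ == "__main__":
    for action in run_scenario()[0]:
        print(action)
```

Two design points carry over to real deployments: the baseline stores a pristine copy, not just a hash, because rollback needs content to restore; and authorization is keyed on the exact resulting hash, so a ticket that approves one edit cannot be reused to wave through a different change to the same file.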

Why is Automated Enforcement Important?

We've noted that manually configuring every asset is more than unrealistic—it's unfathomable. The same is true of maintaining secure configuration over time. The only realistic way to ensure assets remain in line with their CIS Benchmark or DISA STIG over time is to have an automated change detection and configuration enforcement program in place.

Automate System Hardening with CimTrak

CimTrak is the industry’s only genuine Next-Gen File Integrity Monitoring tool. It provides a complete IT integrity, security, and compliance toolset that automates the system hardening process, identifying non-compliance issues in real time and preventing or rolling back changes that would lead to insecure configuration.

CimTrak continually scans your environment and assesses current asset configuration against CIS benchmarks or DISA STIGs. When it identifies a misconfiguration, CimTrak either blocks or rolls back the change automatically or raises an alert and provides clear guidance on how to re-establish compliance.

This makes it easy for organizations to:

  • Assess the current hardness of systems and assets: continuous scanning provides a real-time snapshot of configuration vs. best practice.

  • Instantly identify misconfigurations and non-compliance: ensures continuous compliance and removes the need for manual assessments.

  • Ensure systems remain 'hard' at all times: by identifying and rolling back non-compliance issues, CimTrak continuously minimizes your organization's attack surface.

CimTrak customers include banks, global technology companies, critical infrastructure providers, and other organizations that absolutely must have a hardened attack surface at all times.

See Automated System Hardening in Action

Watch Cimcor founder Robert E. Johnson, III run through a 10-minute instant preview of CimTrak to see how it can improve your security posture and prevent costly data breaches.

No sign up required.