CIS Control 5: Secure Configuration for Hardware and Software on Devices


By Bill Minahan   |   February 5, 2021   |   0 Comments


What is CIS Control 5?

The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 critical controls in total, and they prioritize the most essential actions your organization can take in order to achieve the highest-payoff results.

CIS Control 5 focuses on secure configuration for hardware and software on mobile devices, laptops, workstations, and servers.

Specifically, this control focuses on establishing, implementing, and then actively managing the security configuration of devices, using rigorous configuration management and change control processes, in order to prevent attackers from exploiting vulnerable services and settings.

Why is this CIS Control Critical?

The CIS Controls are built from actionable guidance derived from today's most significant threats, formed by the consensus of the world's leading experts across a variety of sectors.

CIS Control 5 is critical because the default configurations of operating systems and applications are mostly geared towards ease of use rather than security. As a result, basic controls, open services and ports, default accounts or passwords, older protocols, and pre-installed but unnecessary software are easy to exploit in their default state.

Therefore, it is important to develop configuration settings with strong security properties. However, this can be a complex task beyond the ability of individual users: it can require analysis of hundreds or thousands of options in order to make the right choices.

Even once a strong initial configuration has been developed and installed, it must be continuously managed in order to avoid security degradation as software is updated or patched, new security vulnerabilities are reported, and configurations are tweaked. In most cases, configurations are tweaked to allow the installation of new software or to support new operational requirements.

If the configuration is not actively managed in this way, attackers will find opportunities to exploit both network-accessible services and client software.

As a result, it is critical to develop and implement a secure configuration of your devices.

How to Implement CIS Control 5


Sub-Control | Security Function | Control Title | Control Description

5.1 | Protect | Establish Secure Configurations | Maintain documented security configuration standards for all authorized operating systems and software.

5.2 | Protect | Maintain Secure Images | Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

5.3 | Protect | Securely Store Master Images | Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

5.4 | Protect | Deploy System Configuration Management Tools | Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

5.5 | Detect | Implement Automated Configuration Monitoring Systems | Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
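The following is an added illustration of what sub-controls 5.3 and 5.5 amount to in practice; it is example code written for this page, not code from the original post or from aNetworks, and it is not a SCAP tool. It assumes a documented configuration standard expressed as setting/value pairs, an exception catalog keyed by host and setting, and a master-image manifest of SHA-256 digests; the setting names, host names, file contents and the ticket reference are all constructed for the example. It shows the two behaviours the table describes: verifying observed settings against the standard while honouring catalogued exceptions (so only unauthorized deviations raise an alert), and detecting any modification, removal or addition of files in a stored master image.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed sample standard (the documented baseline of sub-control 5.1):
# setting name -> required value. Names are illustrative, not a real schema.
STANDARD = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "telnet.enabled": "false",
    "guest_account.enabled": "false",
}

# Constructed exception catalog: (host, setting) -> change record.
# The ticket id is a placeholder, not a real identifier.
APPROVED_EXCEPTIONS = {
    ("db01", "sshd.PasswordAuthentication"): "CHG-PLACEHOLDER",
}

# Constructed observed settings, as a monitoring agent might report them.
OBSERVED = {
    "web01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
              "telnet.enabled": "false", "guest_account.enabled": "false"},
    "db01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
             "telnet.enabled": "true"},  # guest_account.enabled not reported
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: str
    status: str  # "violation" or "approved-exception"


def check_host(host: str, observed: dict[str, str]) -> list[Finding]:
    """Compare one host's observed settings against STANDARD.

    A setting absent from the report is treated as a deviation ("<missing>"):
    silence from the agent is not evidence of compliance.
    """
    findings: list[Finding] = []
    for setting, expected in STANDARD.items():
        actual = observed.get(setting, "<missing>")
        if actual == expected:
            continue
        status = ("approved-exception" if (host, setting) in APPROVED_EXCEPTIONS
                  else "violation")
        findings.append(Finding(host, setting, expected, actual, status))
    return findings


def alerts(findings: list[Finding]) -> list[Finding]:
    """Only unapproved deviations should raise an alert (sub-control 5.5)."""
    return [f for f in findings if f.status == "violation"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record a digest for every file in the master image (sub-control 5.3)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_image(manifest: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Return paths whose content differs from the manifest, plus missing and extra files."""
    changed = [name for name, digest in manifest.items()
               if name not in files or sha256_hex(files[name]) != digest]
    changed += [name for name in files if name not in manifest]
    return sorted(changed)


# Constructed master-image contents and a tampered copy of the same image.
GOLDEN_IMAGE = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/motd": b"Authorized use only\n",
}
TAMPERED_IMAGE = dict(GOLDEN_IMAGE)
TAMPERED_IMAGE["etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
TAMPERED_IMAGE["opt/extra.bin"] = b"\x00\x01"


if __name__ == "__main__":
    for host, observed in OBSERVED.items():
        for f in check_host(host, observed):
            print(f"{f.host}: {f.setting} expected={f.expected} "
                  f"actual={f.actual} [{f.status}]")
    manifest = build_manifest(GOLDEN_IMAGE)
    print("image drift:", verify_image(manifest, TAMPERED_IMAGE))
```

Two design points carry over to real tooling: a setting the agent did not report is a finding rather than a pass, and the exception catalog is consulted per host and per setting, so an exception granted to one server never silences the same deviation elsewhere. In this run, web01 produces one violation (root login enabled), db01 produces one catalogued exception plus two violations, and the image check names the modified sshd_config and the unexpected extra file.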


Implementing CIS Controls

If your team is struggling to implement CIS Control 5 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.

If you are interested in learning more about CIS Controls, view our comprehensive list here.

If you are interested, then please contact us below.


If you are looking for more resources, then please check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.


Category: Cyber Security