SANS 20 Critical IT Security Controls #3: Securely configuring hardware and Software

The default configurations of many hardware and software products aren’t designed with security in mind, although that has been steadily changing over time. If your company installs hardware or software without tightening the default configuration right away, you are exposed to the large number of automated attack programs that roam networks looking for vulnerable software.
To avoid this major vulnerability, you can ask hardware makers to ship devices with the security controls already configured. You can also put formal policies in place that automatically scan your network for hardware and software that needs security patches. You must also have a configuration management system in place, ideally one that uses configuration management software to track system and software configuration across your enterprise.

You must create system images with documented and approved security settings. You must validate these “gold” system images frequently throughout the year, to update their security configuration based on all available security patches. The standard images should contain hardened versions of the operating system as well as all applications that run on that system, such as databases. Note that you must also include the implementation of intrusion detection and intrusion prevention systems and host-based firewalls among the system hardening procedures. You must then store the “gold” images on secure servers and use integrity checking tools and change management procedures to prevent any unauthorized changes to these images.

You can employ either a commercial or a free open source configuration management tool to check server and application configuration and to track any deviations from the official “gold” configuration. You must also run file integrity checking tools round the clock to catch changes to critical system files. In addition, you must put in place system scanning tools that send alerts about open ports, patch levels and software versions.
