Fort Knox Got Nothing On Me ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On July 05, 2023

Steve’s Thoughts

Fort Knox is a United States Army post located in Kentucky and is famous for housing the United States Bullion Depository, which holds a significant portion of the country's gold reserves.

Fort Knox serves as a symbol of impenetrable security due to its robust physical and technological defenses. Similarly, in the digital realm, secure configuration acts as a virtual Fort Knox for enterprise assets and software, ensuring that they are protected against unauthorized access, data breaches, and other cyber threats.

It is essential to define security configuration standards for each type of asset and software. These standards should align with industry best practices and regulatory requirements specific to your organization. Considerations may include password complexity, encryption, network access controls, software patching, and user privileges. Clearly document these standards to ensure consistency across the organization.

Configuration management tools play a vital role in automating and simplifying the configuration process. These tools enable centralized control and monitoring of asset configurations, ensuring that security standards are consistently applied.
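To make the two paragraphs above concrete, here is a small baseline checker I have added as an illustration (it is not code from the original post, from CIS, or from any of the tools mentioned). It documents a configuration standard as data, compares it against what a host actually reports, and returns every deviation as a finding, which is the core loop a configuration management tool automates at scale. The baseline values, the sshd_config and login.defs excerpts, the service list and the shadow-file lines are all constructed samples, and the function and field names are my own.

```python
"""Baseline-versus-observed configuration checker (added example, not from the post).

A documented standard (Baseline) is compared against the observed state of one
host; each deviation becomes a Finding. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class Baseline:
    sshd: dict              # sshd_config key -> required value (explicit, case-insensitive)
    max_password_age: int   # upper bound for PASS_MAX_DAYS in /etc/login.defs
    allowed_services: set   # services permitted to be enabled on this asset class
    default_accounts: set   # vendor/default accounts that must be locked or removed


@dataclass
class Finding:
    control: str
    detail: str


def parse_kv(text):
    """Parse 'Key value' lines (sshd_config / login.defs style); '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def check_host(baseline, sshd_config, login_defs, enabled_services, shadow_lines):
    """Return a list of Findings where the host deviates from the baseline."""
    findings = []

    # 1. Required sshd settings: a missing key counts as a deviation because the
    #    standard requires the value to be set explicitly, not left to the daemon default.
    observed = parse_kv(sshd_config)
    for key, want in baseline.sshd.items():
        got = observed.get(key)
        if got is None or got.lower() != want.lower():
            findings.append(Finding("sshd", f"{key} is {got!r}, baseline requires {want!r}"))

    # 2. Password policy: PASS_MAX_DAYS must not exceed the documented maximum.
    defs = parse_kv(login_defs)
    max_days = int(defs.get("PASS_MAX_DAYS", "99999"))
    if max_days > baseline.max_password_age:
        findings.append(Finding("password-policy",
                                f"PASS_MAX_DAYS={max_days} exceeds {baseline.max_password_age}"))

    # 3. Unnecessary services: anything enabled that the baseline does not allow.
    for svc in sorted(set(enabled_services) - baseline.allowed_services):
        findings.append(Finding("unnecessary-service", f"{svc} is enabled but not in the baseline"))

    # 4. Default accounts: in /etc/shadow a password field starting with '!' or '*'
    #    means the account is locked; anything else is a live login path.
    for line in shadow_lines:
        name, pw = line.split(":", 2)[:2]
        if name in baseline.default_accounts and not pw.startswith(("!", "*")):
            findings.append(Finding("default-account", f"{name} is a default account and is not locked"))

    return findings


# ---- constructed sample data (not from any real system) ----
SAMPLE_BASELINE = Baseline(
    sshd={"PermitRootLogin": "no", "PasswordAuthentication": "no", "X11Forwarding": "no"},
    max_password_age=365,
    allowed_services={"sshd", "chronyd", "rsyslog"},
    default_accounts={"guest", "admin"},
)
SAMPLE_SSHD_CONFIG = "# constructed excerpt\nPermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_LEN 8\n"
SAMPLE_SERVICES = ["sshd", "chronyd", "telnet", "rsyslog"]
SAMPLE_SHADOW = [
    "root:$6$constructed$notarealhash:19500:0:99999:7:::",
    "guest:!:19500:0:99999:7:::",                          # locked: compliant
    "admin:$6$constructed$notarealhash:19500:0:99999:7:::",  # live default account
]


def run_sample():
    """Check the constructed host; expected: 5 findings across 4 control areas."""
    return check_host(SAMPLE_BASELINE, SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS,
                      SAMPLE_SERVICES, SAMPLE_SHADOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.control}] {f.detail}")
```

The point of the design is that the standard lives in one place as data, so the same Baseline can be run against every host of that type, and a change to the standard (the annual review Safeguard 4.1 calls for) is a change to one object rather than to a pile of ad hoc scripts. In practice the inputs would be collected from the host by an agent or over SSH, and the findings would feed a ticketing or remediation workflow rather than stdout.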

CIS offers its SecureSuite Membership, a reasonably priced suite of tools and content that allows you to assess, visualize, and remediate the posture of a system against the industry-standard CIS Benchmarks at scale.

Bryon’s Thoughts

What makes this control critical?

The criticality of this control is due to the fact that systems and software are primarily designed for user friendliness and easy deployment, rather than prioritizing security. It is a known fact that default configurations of systems and software often lack proper security measures, making them vulnerable to exploitation by attackers. These vulnerabilities arise from default user accounts and passwords, protocols, and other insecure settings.

To ensure robust security, it is crucial to maintain and update security settings and configurations throughout the entire lifecycle of systems and software. This includes monitoring and tracking any changes made to configurations, which is essential for compliance purposes.

It is worth noting that the CIS Controls document also highlights the significance of considering service providers in this context. Service providers may adopt more relaxed controls to accommodate their diverse customer base. Therefore, organizations must be vigilant in assessing the security measures implemented by their service providers to ensure a high level of security is maintained.

The CIS Controls document provides a comprehensive list of security configuration checklists that can be used by systems administrators and security professionals to enhance the security of their systems. These checklists, including the NIST National Checklist Program and the CIS Benchmarks Program, offer valuable guidelines and recommendations.

They include:

  • Establish and Maintain a Secure Configuration Process
  • Configure Automatic Session Locking on Enterprise Assets
  • Implement and Manage a Firewall on Servers
  • Manage Default Accounts on Enterprise Assets and Software
  • Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
  • Configure Trusted DNS Servers on Enterprise Assets
  • Enforce Automatic Device Lockout on Portable End-User Devices

Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/secure-configuration-management-for-cis-control-4

Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 4 – Secure Configuration of Enterprise Assets & Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Implementation Group 1

CIS Safeguard 4.1 - Establish and Maintain a Secure Configuration Process

Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.