We take care of your security holes.
One of the biggest energy corporations took advantage of dozens of platforms for its applications. It faced the problem of securing them, because the audit required lots of human resources. The company addressed AEC to create individual documentation for fifteen of the most widely-used platforms.
At CSE we made standards for the security setting (so-called hardening) so they would suit the required high level of security. These methodologies helped the company manage its suppliers with the applications' adjustment. After managing the successful project, we were entrusted to prepare new standards for forty more platforms.
Due to the huge amount of administrated technologies we proposed the implementation of a tool for vulnerability management (VMS) that made automated check ups of compliance with security standards and started to supply uncluttered reporting, which saved the customer on further human resources.
The Solution's Description
Hardening is a process of securing the system's configuration in a way, which reduces the occurrence of vulnerabilities that can be used by the attacker. Currently, systems' hardening is one of the basic security measures for information and companies' information system protection.
How does the hardening process work?The process of ensuring a high level of the security of applications and operating systems is continuous. During systems' hardening, it is necessary to follow the following phases:
- Analysis – in the introductory phase systems are defined that will be the object of hardening. These systems are generally selected according to their cruciality and the importance that they have within the company's information system. The selection of a suitable tool for automated setting check can even be part of it.
- Creation of the hardening security policy - these are the technical and procedural regulations that determine the applications' and systems' configuration, including the implementation of check ups verifying the compliance with reality. During this phase we rely on pre-existing and tested standards, for example CIS, benchmarks, NIST, and others. Hardening security policies are created in this form to make it possible to evaluate them manually, not only within the internal audits, but in particular automatically, which saves on internal resources that are necessary for performing the check ups.
- Processes building – Documents and regulations for ensuring a high level of configuration are part of the hardening process, and so are processes for policies maintenance and their updates, management, monitoring, enforcement, and further development.
- Technical check up and its deployment – It is necessary to put the processes created and technical regulations into practice. The implementation of a tool that can verify the deployment of the hardening policy in the defined device and identify the non-compliances in comparison with the approved policies, is usually a part of this phase.
Which of the systems can be hardened?
Any applications, systems and platforms that are a part of the company's IT infrastructure are suitable for hardening. For example:
- Servers and their application (operation system, databases, web servers, application servers, and others)
- Hardware devices (e.g. SCADA, hardware firewalls, access points – WiFi access points).
- BYOD and MDM devices.
- Work stations and AD GPO (Group Policy), web browser setting, Java and .NET frameworks' behavior, and so on.
Which devices can be hardened or not and enforcing their check up is usually a part of the analysis phase.
Which products are suitable for automated check up?For automated hardening policy check ups it is possible to use any VMS (Vulnerability Management System) product that can check and evaluate the system setting automatically. This product generally has the following features:
- Zero-configuration“ setting option, i.e. the possibility of setting a configuration etalon for defined system.
- Performing „agent-less“ check ups.
- Modification and creation of own security policies.
- Evaluation of compliance and non-compliance, exceptions' management.
- Connecting with SIEM and ticket-based system.
- Reporting and alerting.
Our services' benefits
The implementation of hardening has the following benefits:
- Significant increase of the security level of operated systems.
- Effective tool for vulnerability management, and monitoring the compliance with policies saves internal resources.
- Policies and processes are tailor-made to the customer's environment and systems.
- Definition of the configuration standard for systems used. Compliance with the standards even by the external suppliers can be required subsequently.
- Complete overview of the individual systems' setting, including the identification of the non-compliances against policies.
- Systems are secured at a high level according to international standards, best practice, and our experience gained from longterm practical experience in the field of configuration audits and penetrations tests.
- Risks resulting from existing vulnerabilities, configurational non-compliances, and ICT operation are identified and managed.
We have lots of experience with project implementation for important companies in their branches, e.g.:
- ČEZ ICT Services, a.s.
- ING Pojišťovna a.s.