Why do you need a build review?
The goal of hardening a system is to remove any unnecessary functionality and to configure what remains in a secure manner. This should happen whenever a system is deployed into a production environment, because every unnecessary application, service, driver, feature and setting can introduce security vulnerabilities.
Once a system has been hardened and deployed into an environment, it is critical to maintain its level of security by proactively updating or patching it to mitigate vulnerabilities and weaknesses that are discovered later.
For both internal build reviews and cloud build reviews, system builds can then be benchmarked against hardening standards such as CIS, ISO, SANS or NIST.
Servers are the main focus of attention for an attacker as this is where the most sensitive information traditionally resides. The following introduces the assessment process ProCheckUp would take when looking at server build reviews, but it could also translate to the process of auditing other devices.
In addition to the server/workstation build review offerings by ProCheckUp, a configuration review of network devices (e.g. switches, routers, load balancers) is offered as a separate service; this is covered in more detail in the ‘Firewall Rule and Configuration’ section.
Prerequisites and Overview
In order to assess the security of your server build, an account with local administrator privileges will be needed for the system. In addition to this account, a management login channel will also be needed; the exact nature of this can be agreed based on the specific types of systems being reviewed.
Using a combination of host-based audit tools built into the Nessus Vulnerability Scan application, bespoke information gathering scripts and manual checking, ProCheckUp will be able to assess the security posture of the desired systems. ProCheckUp will approach this review using the top three layers of the defence in depth model. These are:
- Host Layer
- Application Layer
- Data Layer
By using this approach, ProCheckUp can help you ensure that every element of your build standard has been assessed and hardened.
Defence in Depth: Host
This phase, the lowest level of a build review, focuses primarily on the operating system and core services. Its objective is to identify vectors which may enable, or increase the chances of, an attacker gaining control of a system via the hosting infrastructure.
Typical checks within this phase would include, but are not limited to:
- Operating System and application patch levels
- Antivirus and firewall configuration
- User rights management
- Operating System hardening
- File permissions
- Network footprint and running services
Defence in Depth: Application
Moving up the Defence in Depth model, the second area of focus is on the application layer. The term application can broadly include any software or service that facilitates the server’s primary role. This could include web servers, database software or even something as broad as Active Directory.
Application-level auditing examines the configuration of the installed software. This can include, but is not limited to:
- Default accounts and passwords
- Default or sample data
- Application specific settings
- Network communication channels
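The host-layer and application-layer check lists above describe a benchmark of a system build against a baseline. The following is an added example of how such a comparison can be expressed in code; it is not ProCheckUp's own tooling or a Nessus audit file. The host snapshot (patch date, listening sockets, administrators, file modes, application accounts) and the baseline values are constructed for the example, and the check names and risk ratings are assumptions, not any published standard.

```python
"""Benchmark a host snapshot against a hardening baseline.

Added illustration, not ProCheckUp's own scripts or Nessus audit files: the
snapshot, the baseline and every check name are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    layer: str    # Defence in Depth tier: "Host" or "Application"
    check: str
    detail: str
    risk: str     # "Critical", "High", "Medium" or "Low"


RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed snapshot of the facts an information-gathering script would collect.
SNAPSHOT = {
    "collected": date(2024, 6, 1),
    "last_patch": date(2024, 1, 15),
    "listening": [("tcp", 22, "sshd"), ("tcp", 80, "nginx"),
                  ("tcp", 23, "telnetd"), ("udp", 161, "snmpd")],
    "admins": ["root", "deploy", "bob"],
    "files": {"/etc/shadow": 0o640, "/etc/ssh/sshd_config": 0o666,
              "/var/www/html": 0o755},
    "av_running": False,
    "firewall_enabled": True,
    # (application, account, password as recovered from config; None = unknown)
    "app_accounts": [("mysql", "root", ""), ("nginx", "www-data", None),
                     ("tomcat", "admin", "admin")],
    "sample_content": ["/var/www/html/phpinfo.php"],
}

# Constructed baseline standing in for a CIS-style or bespoke build standard.
BASELINE = {
    "max_patch_age_days": 30,
    "allowed_listeners": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "approved_admins": {"root", "deploy"},
    "max_file_mode": {"/etc/shadow": 0o640, "/etc/ssh/sshd_config": 0o644},
    "require_av": True,
    "require_firewall": True,
    "forbidden_sample_paths": {"phpinfo.php", "/samples/", "/examples/"},
}


def check_patch_level(snap, base):
    age = (snap["collected"] - snap["last_patch"]).days
    if age > base["max_patch_age_days"]:
        return [Finding("Host", "patch-level",
                        f"last patched {age} days ago (limit {base['max_patch_age_days']})",
                        "High")]
    return []


def check_listeners(snap, base):
    # Network footprint: anything listening that the baseline does not allow.
    return [Finding("Host", "network-footprint", f"unexpected {proto}/{port} ({proc})", "Medium")
            for proto, port, proc in snap["listening"]
            if (proto, port) not in base["allowed_listeners"]]


def check_admins(snap, base):
    extra = sorted(set(snap["admins"]) - base["approved_admins"])
    return [Finding("Host", "user-rights", f"unapproved administrator {u}", "Medium")
            for u in extra]


def check_file_modes(snap, base):
    out = []
    for path, limit in base["max_file_mode"].items():
        actual = snap["files"].get(path)
        if actual is None:
            continue                       # file absent from snapshot: nothing to compare
        extra = actual & ~limit & 0o777    # permission bits set beyond the limit
        if extra:
            risk = "High" if extra & 0o002 else "Medium"   # world-writable is worse
            out.append(Finding("Host", "file-permissions",
                               f"{path} is {actual:o}, limit {limit:o}", risk))
    return out


def check_protective_controls(snap, base):
    out = []
    if base["require_av"] and not snap["av_running"]:
        out.append(Finding("Host", "antivirus", "no antivirus agent running", "Medium"))
    if base["require_firewall"] and not snap["firewall_enabled"]:
        out.append(Finding("Host", "firewall", "host firewall disabled", "Medium"))
    return out


def check_default_accounts(snap, base):
    out = []
    for app, user, pw in snap["app_accounts"]:
        if pw is None:
            continue                       # password not recoverable; cannot assess
        if pw == "" or pw.lower() == user.lower():
            out.append(Finding("Application", "default-credentials",
                               f"{app} account {user} has an empty or default password",
                               "Critical"))
    return out


def check_sample_data(snap, base):
    return [Finding("Application", "sample-content", f"sample content present: {p}", "Low")
            for p in snap["sample_content"]
            if any(marker in p for marker in base["forbidden_sample_paths"])]


CHECKS = (check_patch_level, check_listeners, check_admins, check_file_modes,
          check_protective_controls, check_default_accounts, check_sample_data)


def review(snap, base):
    """Run every check and return findings ordered by risk, highest first."""
    findings = [f for check in CHECKS for f in check(snap, base)]
    return sorted(findings, key=lambda f: (RISK_ORDER[f.risk], f.layer, f.check))


def summarise(findings):
    """Count findings per risk rating, as an executive summary would present them."""
    counts = {r: 0 for r in RISK_ORDER}
    for f in findings:
        counts[f.risk] += 1
    return counts


if __name__ == "__main__":
    for f in review(SNAPSHOT, BASELINE):
        print(f"[{f.risk:8}] {f.layer}/{f.check}: {f.detail}")
    print(summarise(review(SNAPSHOT, BASELINE)))
```

Each check is a pure function of the snapshot and the baseline, so swapping the baseline for a bespoke standard changes the findings without touching the checks, and the ordered output mirrors the report structure described on this page: a technical list of every issue, with the highest-rated ones surfacing first for the summary.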
Defence in Depth: Data
The final phase of the standard build review is the highest tier of Defence in Depth: Data. This phase combines the information from the previous two phases to ensure that any data stored on the audited system remains protected. It also seeks to confirm that the data stored on the system is appropriate for the level of protection offered by its hardening and configuration.
Hardening Guidelines and Good Practice
Hardening guides and good practice guidelines exist for a wide variety of systems and are published by multiple entities. ProCheckUp will typically use one or a combination of the following standard publishing bodies:
- Software publisher (e.g. Microsoft)
- CESG (where applicable for HMG customers)
ProCheckUp recognise that every organisation is different, with different needs. To further complicate this, different environments within an organisation may require different security standards. For these reasons, ProCheckUp can also perform a standard build review against a completely bespoke standard that has been defined to meet the business needs.
At the end of any ProCheckUp assessment the final deliverable is a technical report which includes full details of all issues identified (along with recommended remediation steps) as well as an executive summary (management) section which gives a high-level description of the higher-risk security issues identified. Both a CVSS score and a ProCheckUp risk rating are provided for each issue so that its impact and severity can be easily understood. It should be noted that immediate notification of any serious security vulnerabilities (i.e. those rated as high or critical risk) will be made to designated client point(s) of contact throughout the engagement to ensure a close working relationship between ProCheckUp and their clients.
Please contact us for more information on how Build Review Services can help you.