CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

More documents

Recommendations

Info

Unfortunately, once an application environment is hardened to the STIG specifications, it can cause installed application to “break,” meaning it won’t install and/or run properly. This impacts both new and legacy applications installed on the system. Why do applications break? Because they are rarely designed or tested to operate in STIG environments. For example, if the STIGs require altering some of the controls of the Windows or Linux operating system the application is built on, the application will break. If an application requires specific capabilities to operate and the STIGs prohibit or blocks those capabilities, the application will fail to load or operate. And so on. Unfortunately, there are no generic set of STIG “rules” that can be applied to all applications. Instead, server policies must be manually adjusted on an application by application, server by server basis - which can take many weeks and cost in excess of $10,000 annually, per server instance. “If the same policies and configurations could be implemented on all systems, STIG compliance would be a rather easy exercise,” explains Brian Hajost of Steel Cloud and an expert on automated STIG compliance. “Commercial and government applications respond to security policies differently. The controls for each system, therefore, have to be uniquely adapted or tuned to each application environment.” This painstaking task often falls to system administrators, application administrators or information assurance staff. “There are thousands of IT people across government that are asked to address the STIG compliance manually, but many times are not experienced or trained to do so,” says Hajost. “So, they muddle through, but the initial hardening effort can take weeks or even months.” Fortunately, new automated tools are available that automate STIG compliance. Products such as ConfigOS from Steel Cloud harden existing government networks automatically, even across complex and disparate infrastructures with varying security levels. ConfigOS identifies and hardens all controls considered a potential security risk. As outlined in the STIGs, risks are categorized into three levels (1/2/3) with Category 1 being the most severe and having the highest priority. The software then produces a domain-independent comprehensive policy “signature” including user-defined documentation and STIG policy waivers. In this step alone, weeks, or months of manual work can be completed in an hour. The signature and documentation are included in a secure, encrypted signature container that is used to scan endpoints (laptops, desktops, physical/cloud servers) without being installed on any of them. The time it takes to remediate hundreds of STIG controls on each endpoint is typically under 90 seconds and ConfigOS executes multiple remediations at a time. “The government publishes the [STIG] book and we are just automating the tedious work to get the job done,” says Hajost.
ConfigOS supports over 6,000 standard STIG controls in a wide range of tested content. However, the software is also designed to allow users to tailor controls to respond to an application’s requirements. “We could enforce the STIGs to the letter, but that doesn’t work if it means the application will not run,” explains Hajost. “So ConfigOS creates an operational policy that is as close to the published STIGs as possible, but still allows the application to function as designed,” explains Hajost. The signature containers can then be transported across large and small networks, classified environments, labs, disconnected networks, and tactical environments with connected and disconnected endpoints. No other changes are required to the network, security and no software is installed on any endpoints. To date, ConfigOS has been licensed by just about every branch of the Department of Defense, as well as parts of DHS, HHS, and Department of Energy. The product is also used by large defense contractors and in programs for all branches of the military. Hajost adds that automation is even more important given that STIG compliance is an ongoing process with new security updates introduced periodically The STIGs, for example, are updated every 90 days to account for newly discovered vulnerabilities as well as changes and updates to by the vendors supplying the major operating environment components. With ConfigOS that means that within two business days after DISA publishes a new version of the STIGs, new tested production content is made available to customers. “When it is a manual task, security updates to existing applications and operating systems are typically delayed by months,” says Hajost. The software can also speed implementation of new network applications, servers and appliances by evaluating and hardening each prior to installation. Hajost estimates automating the process reduces initial hardening time by 90%, while reducing system security policy maintenance expenses by about 70%. Given the potential cost savings of automating STIG policy compliance exceeds hundreds of millions of dollars annually, IT personnel struggling to secure government networks manually may find this one task they are happy to automate. About the Author Jeff Elliott is a Torrance, Calif.-based technical writer. He has researched and written about industrial technologies and issues for the past 20 years. For more information about ConfigOS from SteelCloud call (703) 674-5500; or visit www.steelcloud.com.
Page 1 and 2:
Data Breaches: Beyond Exposing Iden
Page 3 and 4:
CONTENTS (cont') Prioritizing Secur
Page 5:
@CYBERDEFENSEMAG CYBER DEFENSE eMAG
Page 22 and 23:
Data Breaches: Beyond Exposing Iden
Page 24 and 25:
About the Author Kem Gay is an Inte
Page 26 and 27:
Rip Off the Band-Aid This leaves us
Page 28 and 29:
Why Biometric Data Use Poses Unique
Page 30 and 31:
• DNA Kits: If you purchased or u
Page 32 and 33:
How to be Workforce Ready and Stand
Page 34 and 35:
Maximiliano Gigli, a third-year cyb
Page 36 and 37:
Interestingly, the two groups diffe
Page 38 and 39:
Cross-site Scripting Is an Underrat
Page 40 and 41:
Stealing HTML5 web storage data: HT
Page 42 and 43:
Cybersecurity in New York City, the
Page 44 and 45:
A boom in cybersecurity startups se
Page 46 and 47:
illion risks and threats among its
Page 48 and 49:
Some Important Developments in the
Page 50 and 51:
About the Author Sharmistha Sarkar
Page 52 and 53:
employees to contractors and sub-co
Page 54 and 55: The Internet of Things Engineering
Page 56 and 57: About The Author Milica D. Djekic i
Page 58 and 59: kind. Many of them require some kin
Page 60 and 61: 2019 Risks in Focus: Cyber Incident
Page 62 and 63: However, the past year has also wit
Page 64 and 65: Why Insider Threats Are One of the
Page 66 and 67: Unlike with outside security threat
Page 68 and 69: Organizations will also frequently
Page 70 and 71: The US Must Catch Up to Other Promi
Page 72 and 73: The fact is, the wider internationa
Page 74 and 75: Integrate Compliance and Regulation
Page 76 and 77: Security have and have-nots How org
Page 78 and 79: 1. People Having the right people c
Page 80 and 81: sources (such as syslog’s, Net Fl
Page 82 and 83: Limitations of Current Endpoint Sec
Page 84 and 85: For effective detection, most EDR s
Page 86 and 87: Why Wi-Fi Hacking Will Persist Desp
Page 88 and 89: About the Author Ryan Orsi is Direc
Page 90 and 91: questions such as, “Who added a w
Page 92 and 93: About the Author Josh Paape is an O
Page 94 and 95: for well-known, repeatable needs fi
Page 96 and 97: Overcoming Software Security Issues
Page 98 and 99: Implementing Security Checks at Str
Page 100 and 101: Phishing in the Dark: Employee Secu
Page 102 and 103: phishing threats. Furthermore, almo
Page 106 and 107: Software Should Come with a “Nutr
Page 108 and 109: vulnerabilities. If they find vulne
Page 110 and 111: I can't get no satisfaction, I can'
Page 112 and 113: How Organizations Should Choose a L
Page 114 and 115: load balancers capable of integrati
Page 116 and 117: SaaS DNS Security: Are you Protecte
Page 118 and 119: associated with any security event
Page 120 and 121: 120
Page 122 and 123: 122
Page 124 and 125: 124
Page 126 and 127: 126
Page 128 and 129: 128
Page 130 and 131: 130
Page 132 and 133: 132
Page 134 and 135: 134
Page 136 and 137: 136
Page 138 and 139: 138
Page 140 and 141: 140
Page 142 and 143: 142
Page 144 and 145: 144
Page 146 and 147: 146
Page 148 and 149: 148
Page 150 and 151: We’ve launched http://www.CyberDe
Page 152 and 153: Marketing and Partnership Opportuni
Page 154 and 155:
Regent University’s Institute for
Page 156 and 157:
156
show all

CDM-CYBER-DEFENSE-eMAGAZINE-March-2019

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?