Configuration Management to Reduce Computer Vulnerabilities
How NIST 800 Standards Can Keep Your Computer Safe
Recently the government passed a requirement: small businesses supplying contractors to the Federal Government must ensure that they protect Controlled Unclassified Information (CUI). This information includes financial and medical information about their employees, financial records about contracts, patents and trademarks, and other information. If revealed to competitors or hackers, CUI could harm the company or its employees. These companies need to audit their cyber security processes, people, and technologies to ensure that adequate protections are in place to keep this information secure.
The National Institute of Standards and Technology (NIST) developed a checklist of controls and practices that facilitate the audit process: NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication consists of 14 control families that help provide a defense to protect the confidentiality, integrity, and availability of the information stored, processed, or transmitted.
But what about the individual at home? NIST SP 800 can educate the home user on procedures and tools that will make home systems more secure. These recommendations include the use of inexpensive or open source tools, external devices, and procedures that you can easily incorporate into your daily routine to protect your information. These lessons do not tell the reader how to implement these controls or practices – you can find these instructions on YouTube. Instead, these lessons provide a roadmap of ideas to make your system more resilient to hackers. These lessons follow the NIST control guidelines. The first lesson of this series covered access controls, and the second covers cyber awareness and training. Today we will discuss the third family of controls: configuration management controls.
What is Configuration Management?
Configuration management is the process of establishing and maintaining the integrity of your operating environment and applications. It consists of determining and documenting the appropriate settings for a system and managing changes to them so that you always know what the settings are.
Four main areas need configuration management, i.e. additional settings that make your system or information harder to compromise:
- Operating System
Browser Security Basics
Protect Your Browser Against Malware
Tech Support Alert provides an excellent checklist of settings to harden your Internet browser against malware and privacy concerns.
The key is staying in control of how the browser operates while you are on the Internet. Most browsers have a security, privacy, or advanced features section to implement these recommendations. Thus, regardless of the browser type, you should do the following:
- Disallow cookies without your permission (e.g. do not track request)
- Disallow application downloads without your permission
- Only connect to sites that support TLS 1.2 or higher
- Only connect to sites that support HTTPS
- Turn on ad blocker (you can turn this off for specific sites that require it)
- If you purchase a third party malware detection/security protection application: use the blacklist function to warn you when you attempt to log into a potentially malicious site
- Keep your browser up to date. Fortunately, the big three (Edge/IE, Chrome, Safari) make this easy. Simply type in the browser of choice on the search line and the latest version for download often comes up as the first search result.
How To Search Anonymously
Did you know that search engines such as Google, Bing, and Yahoo record your search information and IP address? Why not use a search engine that does not record your searches or your address? Instead, use one of these 12 search engines that do not track your search requests.
Finally, for real protection, consider connecting to the Internet via an anonymous IP address. There are two ways to do this:
Protect Your Operating System (OS)
Regardless of your operating system, take these actions to protect your information:
- Turn off all unnecessary services. A booted operating system activates many background services or applications. Applications like Java or Flash have a history of vulnerabilities that allow hackers to compromise systems.
- Set rarely-used services to activate on demand. In Windows, use MSCONFIG in the command line, then click on the startup tab. Uncheck any application that you don’t need or want running during normal computer use. For the Mac, remove unnecessary items from the folder MacHD/Library/Startup Items/.
- Remove auto-installed “bloatware” utilities, such as auto-loaded foreign languages.
- Remove all utilities that allow remote access to your computer, such as Telnet and RDP. This prevents you from remotely logging into your computer – but most people use cloud services when they are not at home, and these are available from their phone or tablet.
- Install the latest service packs and updates. These provide protection against the operating system’s known vulnerabilities. Most systems have an auto-update feature. In Windows, it is available via the control panel option; in Macs, this feature is enabled by default.
Application and Software Security
Unused Applications Increase Vulnerabilities
Remove unused applications. All applications have exploitable vulnerabilities. Removing seldom-used applications frees up space and reduces your vulnerability footprint.
On Windows, click the Start button, then Control Panel, and then select Programs and Features. This lists all installed applications. Remove old programs. Often you will see patches installed by Microsoft – do not remove these.
On a Mac, from the OS X Finder, press Command+Shift+A to jump to the /Applications folder. Pull down the View menu and choose “List” to scroll through an easy-to-read list of all apps in the Applications folder. Also, check to ensure that the latest version of the application is running; install needed updates.
Common secure configurations (also known as security configuration checklists) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology platforms and products. Once implemented, checklists verify that changes to the system have been reviewed from a security point-of-view. A common audit examines the system’s configuration to see if major changes (such as connecting to the Internet) have occurred that have not yet been analyzed.
The NIST checklist repository, maintained as part of the National Vulnerability Database (NVD), provides multiple checklists which can be used to check compliance with the secure configuration specified in the system security plan. Examples of configuration management controls include: baseline configuration, configuration change control, security impact analysis, least functionality, and software usage restrictions.
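As an added illustration (not taken from NIST or from any checklist in the repository), the Python sketch below shows what baseline configuration and change control look like in practice: a documented baseline is compared with a later snapshot, and every difference is reported for review. The setting names and both snapshots are constructed for this example.

```python
# Constructed baseline: the documented, approved settings for one home PC.
# All setting names here are hypothetical, chosen to mirror the advice above.
BASELINE = {
    "auto_update": True,
    "firewall_level": "medium",
    "remote_access": {"telnet": False, "rdp": False},
    "startup_items": ["antivirus", "cloud-sync"],
    "installed_apps": ["browser", "office-suite", "antivirus"],
}

# Constructed snapshot of the same PC taken some weeks later.
CURRENT = {
    "auto_update": False,
    "firewall_level": "medium",
    "remote_access": {"telnet": False, "rdp": True},
    "startup_items": ["antivirus", "cloud-sync", "toolbar-helper"],
    "installed_apps": ["browser", "antivirus", "media-player"],
}

def flatten(cfg, prefix=""):
    """Turn nested settings into {'a.b': value}; lists become sorted tuples."""
    flat = {}
    for key, value in cfg.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        elif isinstance(value, list):
            flat[path] = tuple(sorted(value))
        else:
            flat[path] = value
    return flat

def drift(baseline, current):
    """Return (setting, kind, detail) for every difference from the baseline."""
    base, cur = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(base) | set(cur)):
        old, new = base.get(path), cur.get(path)
        if old == new:
            continue
        if isinstance(old, tuple) and isinstance(new, tuple):
            # List-valued settings: report each added or removed entry separately.
            findings += [(path, "added", i) for i in sorted(set(new) - set(old))]
            findings += [(path, "removed", i) for i in sorted(set(old) - set(new))]
        else:
            findings.append((path, "changed", f"{old!r} -> {new!r}"))
    return findings

if __name__ == "__main__":
    for finding in drift(BASELINE, CURRENT):
        print(*finding, sep=" | ")
```

Each finding is a change that should either be reverted or reviewed and written back into the baseline, which is the change-control step.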
Updates and Antivirus Software
Keep your operating systems up to date. All operating systems have vulnerabilities. Even Mac users now should be aware that their operating systems can be compromised. Turn on “auto-update” and you won’t have to remember to do this.
Install an antivirus program. Many antivirus programs also perform system health checks. They also will adjust your firewall setting to minimize the active ports and services that can be used to exploit your information.
Make Your Wi-Fi Router Secure
Change the Default Router Password
All routers and firewalls come with a default login setting that allows the initial installer to configure the device. Refer to the awareness and training post for reasons to change the default password and login credentials.
Also, change the Wi-Fi password. Most devices have a complex password printed on the device. While this may be a strong password, the fact that it is constantly displayed presents a major vulnerability. Change the password to a complex password (such as a mix of random upper and lowercase letters, numbers, and symbols), and then keep this password secure.
Limit Router Signal Range
Check your signal range. Take your tablet or laptop and see how far the signal can reach outside the perimeter of your house. Change the setting so that the signal is barely detectable beyond your property line.
Customize Firewall Security Settings
Tighten the firewall security setting. Most routers have firewall settings ranging from low to high. Set the firewall to “medium” to provide protection against the most common type of malware; this is usually the default setting. Set your firewall to “high” if you have financial or personal information on your workstation. However, this may require you to take additional steps when you log into certain sites. A high setting usually restricts outbound access to known standard protocols. If you are not familiar with communication protocols, you may find your gaming console or other similar device has been blocked. In this case, you need to create a specific access policy. If this sounds complicated, then keep the default medium setting and encrypt your personal and financial information.
Practice Safe Computing Habits
Now that you have taken some steps to make your systems more secure, examine your computing habits. Remember you are the CEO of yourself, so ultimately you have the responsibility to be as safe as possible when you are online – both at home and on the go.
- Never connect to open Wi-Fi accounts; your information is not protected.
- Refuse to connect to any site deemed unsafe by your antivirus application.
- Avoid opening e-mails or clicking on hyperlinks from an unknown address.
- Do not discuss anything that you use to verify your identity.
- Hover over the address or hyperlink to determine where the link is really going. If it is not going to the name or address being displayed, then it is probably malicious.
- Do not post travel plans on your social network. This creates a green light to burglars that your home is vulnerable.