Control 5:   A framework for an offense-informed defense. 

As we discussed in our earlier blog posts on the 20 Critical Security Controls, they provide an offense-informs-defense framework through which an organization can effectively defend against cyberattacks.  In this installment, we’re examining Control Five.  This control is one of the ‘Basic control’ and represents the most basic “hygiene” controls. Control 5 focuses on the configuration of the Operating System and associated applications to harden and monitor their configuration against unauthorized or insecure changes. 


Critical Control #5

“As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared towards ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation of unneeded software; all can be exploitable in their default state.” 

In order to satisfy the requirements of Control 5 an organization must first understand what hardware and software are connecting to their network systems. Once this is understood, then Control 5 requires the creation of secure baseline configurations for each of these systems. These configurations should dictate the removal of insecure or outdated settings or software. Using a standards-based configuration scanner then continuously compare the configuration of network-attached systems against this/these baselines in order to monitor and correct any deviation. 

Control 5 goes further to require that once baselines for systems are established a secure repository of these images is maintained. We commonly refer to this as “checking the checkers”. Taking efforts to secure and protect the repositories where “golden images” and related configuration baseline template data are stored is a prudent effort. Numerous attacks have originated within the “golden image” of an organization. Simply planting a backdoor or vulnerable software into this image with the corresponding changes to the related configuration scanning templates can grant a patient attacker access to a very wide number of target systems. 

CIT utilizes Security Content Automation Protocol (SCAP) combined with the emerging OSCAL standard to perform systematic and automated configuration evaluation and reporting. The SCAP workbench

Critical Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Sub-control Applies to: Security Function (intention) Sub-control Title Description
5.1 Applications Protect Establish Secure Configurations Maintain documented, standard security configuration standards for all authorized operating systems and software.
5.2 Applications Protect Maintain Secure Images Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Applications Protect Securely Store Master Images Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Applications Protect Deploy System Configuration Management Tools Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Applications Detect Implement Automated Configuration Monitoring Systems Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.


Critical Control 5 provides what is commonly referred to as “hardening” of devices against attack. This control is provides a baseline configuration which is known as good (and secure) for all computing assets within an organization’s control. This control is inclusive of Laptops, Desktops, Servers, and Mobile Devices. In an era of Bring Your Own Device (BYOD), we’re commonly asked how can this control extend onto personally owned devices. In these instances, the use of Mobile Device Management and Mobile Application Management (MDM / MAM) would come into play. These technologies provide information containers and very limited interaction between the information assets of a company and the underlying device.  Control 5 extends from the device through the organization and into the cloud. As organizations outsource compute resources into cloud-based datacenters, Control 5 remains equally important. It’s incumbent on each tenant within a cloud hosting model to provide the required Operating System and Application hardening. Such activity is rarely provided by the cloud provider. Going back to what we outlined earlier; the default configuration being geared toward ease-of-use rather than security. Applying Control 5 in a meaningful and continuous way provides a level of assurance that the very configuration of an organization’s computing resources are not a risk or detriment themselves. 

Missed previous 20 CSC Controls, check out CIT’s blog page.


Who is Corporate Information Technology (CIT)::

Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including Critical Control centric Managed and Co-Managed technology services, information security policy creation & assessment, cybersecurity services, penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations maximize and optimize their technology systems while identifying and mitigating cybersecurity risks presented by those very systems. 

Contact us to learn more and let us show you how good I.T. can be!


All references to tools or other products in this document are provided for informational purposes only, and do not represent the endorsement by CIT of any particular company, product, or technology.
This material has been compiled using material licensed for public use under the Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License. The link to the license terms can be found at Creative Commons

Comments are closed

Learn More
error: Alert: This Content is protected!