Critical Security Controls – Control 5 – Configuration of the Operating System
Critical Security Control 5 requires the creation of secure baseline configurations for each of these systems. These configurations should dictate the removal of insecure or outdated settings or software. Using a standards-based configuration scanner then continuously comparing the configuration of network-attached systems against this/these baselines allows one to monitor and correct any deviation.
Control 5 goes further to require that once baselines for systems are established, a secure repository of these images is maintained. Take the time to protect the repositories where “golden images” and related configuration baseline template data are stored. Many attacks have originated within this image. Attackers plant backdoor/software into the image with the corresponding changes which grants access to a wide number of target systems.
This control provides a baseline configuration which is known as good for all computing assets within an organizations control. This is inclusive of laptops, desktops, servers, and mobile devices. The use of Mobile Device Management and Mobile Application Management would come into play when an organization operates under bring your own device. This control extends from the device through the organization into the cloud. Applying this control in a meaningful and continuous way to provide a level of assurance that the very configuration of an organization’s computing resources is not a risk or detriment themselves.
For a deeper understanding of CSC Control 5, check out CIT’s CSC Controls 5 blog.