Security standards may contain hundreds or even thousands of individual settings that experts recommend to improve system security. Most organizations simply don’t have the resources or expertise to develop their own standards. In this video, you’ll learn how vendors and third-party security organizations develop and create industry standards that may serve as the starting point for enterprise security efforts.
- [Instructor] Security configuration standards may contain hundreds or even thousands of individual settings that experts recommend to improve system security. While each of these settings is important, most organizations simply don't have the resources or expertise to develop their own standards. Fortunately, vendors and third-party security organizations develop and create industry standards that may serve as an effective starting point for enterprise security efforts.
One of the most common sources of security standards is the vendors who create devices, applications, and operating systems. After all, they know their products better than anyone else, and they have a vested interest in helping you operate them securely. If you have a security breach, it not only jeopardizes your organization but also reflects poorly upon the products that you use for security. Here's an example of the security standards offered by Microsoft. The Microsoft Security Compliance Manager is a tool that assists with system configuration and management.
As you can see here, the Compliance Manager includes a large number of built-in security configuration baselines for various versions of the Windows Server and Windows Desktop operating systems, Internet Explorer, Exchange Server, and Microsoft Office. Organizations can use these baseline templates as the starting point for their own security efforts. Some people simply don't trust that vendors will provide objective security advice, so they turn to other sources of expertise when developing security standards.
The U.S. Government spends quite a bit of time and energy developing security standards and the National Institute of Standards and Technology, or NIST, is an excellent source of security guidance. Here's one NIST standard. This document, a draft of NIST Special Publication 800-179, provides security guidance for users of Apple's Macintosh OS X 10.10, more commonly known as Yosemite. This 126-page document goes into deep detail on Yosemite's security settings.
We can scroll down here; I'm just going to show you a few pages of this. Beginning with the Table of Contents, you can see that the scope of this document is really broad. It covers how the guide was developed, the components of OS X, the installation, backup, and patching procedures, how to manage the security configuration, and then specific NIST guidelines covering everything from system hardware and firmware to auditing and network services. And it goes on and on. I'm just going to scroll down to somewhere in the middle of the document to give you a flavor of what it includes.
If we look here at section 6.3, this section goes into all sorts of detail on login. It covers whether automatic login should be enabled, what should be included in the login window, and whether the restart, sleep, and shut down buttons should be shown there. It talks about whether password hints should be used. You can see here that there's some really great guidance for system administrators as they go through and try to configure the security settings of the Mac operating system. There are documents like this available for all sorts of different operating systems and platforms.
Finally, some organizations want an even more objective source than the government and seek out third-party organizations that exist solely to provide security advice. One of these, the Center for Internet Security, publishes a series of security benchmarks that represent the consensus opinions of a large number of subject matter experts. Here's a list of the benchmarks currently available from the Center for Internet Security. You can see they've been very recently updated, and they cover everything from Cisco network devices to Oracle databases, different versions of the Linux operating system, the Apache web server, and Microsoft Windows products. As you scroll through, you see operating systems, applications, database servers, the Docker containerization software, still more versions of operating systems, the VMware platform, how to do MIT Kerberos authentication securely, and Apple iOS for mobile devices. The way the Center for Internet Security decides which benchmarks they're going to develop is based upon input from the community.
If there's sufficient community interest in a new baseline, they'll go ahead and work with a series of subject matter experts from the security community to develop that benchmark. These industry security benchmarks provide organizations with a great starting point for their own system configuration efforts. Beginning with a solid foundation can save countless hours of work and provide a secure starting point for an organization's customized security standards.
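The transcript describes two ideas that are easy to automate once a standard is in hand: the industry baseline is a starting point that the organization customizes, and the resulting control list is then checked against what a system actually reports. The script below is an added example written for this page; it is not code from the course, from Microsoft, NIST, or the Center for Internet Security. The setting names (`login.automatic_login_enabled`, `login.show_password_hints`, and so on) and the sample system snapshot are constructed for illustration and mirror the login-window topics the NIST macOS guide covers; they are not the guide's actual control identifiers or the operating system's real preference keys.

```python
"""Evaluate a system configuration against a customized security baseline.

Added example, not from the course or any vendor/NIST/CIS tool. Every
setting name and sample value here is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    setting: str       # constructed identifier for one configuration item
    expected: object   # value the baseline requires
    severity: str      # "high" or "medium"
    rationale: str     # why the baseline wants this value


# Industry baseline (constructed): what the published standard recommends
# for the login window, in the spirit of NIST SP 800-179 section 6.3.
INDUSTRY_BASELINE = [
    Control("login.automatic_login_enabled", False, "high",
            "no unauthenticated console session"),
    Control("login.show_password_hints", False, "medium",
            "hints leak information about credentials"),
    Control("login.show_power_buttons", False, "medium",
            "prevents restart/sleep/shut down before authentication"),
    Control("login.show_user_list", False, "medium",
            "hides valid account names from the login window"),
]


def customize(baseline, overrides):
    """Apply organization-specific deviations to the industry baseline.

    The baseline is the starting point; each override replaces the expected
    value of an existing control and keeps the original rationale so the
    deviation stays documented. Unknown setting names are rejected.
    """
    by_name = {c.setting: c for c in baseline}
    for name, value in overrides.items():
        if name not in by_name:
            raise ValueError(f"override for unknown control: {name}")
        base = by_name[name]
        by_name[name] = Control(name, value, base.severity,
                                base.rationale + " (org override)")
    return list(by_name.values())


def evaluate(baseline, system_config):
    """Return findings as (setting, severity, detail) tuples.

    A control that the system snapshot does not report at all is reported as
    "not set" rather than silently treated as compliant.
    """
    findings = []
    for control in baseline:
        if control.setting not in system_config:
            findings.append((control.setting, control.severity, "not set"))
        elif system_config[control.setting] != control.expected:
            actual = system_config[control.setting]
            findings.append((control.setting, control.severity,
                             f"is {actual!r}, expected {control.expected!r}"))
    return findings


# Constructed snapshot of one workstation's login-window settings.
SAMPLE_SYSTEM = {
    "login.automatic_login_enabled": True,
    "login.show_password_hints": False,
    "login.show_power_buttons": True,
}


if __name__ == "__main__":
    # The organization accepts power buttons on shared kiosks, so it
    # documents that deviation instead of editing the industry list in place.
    org_baseline = customize(INDUSTRY_BASELINE, {"login.show_power_buttons": True})
    for setting, severity, detail in evaluate(org_baseline, SAMPLE_SYSTEM):
        print(f"[{severity}] {setting}: {detail}")
```

Run against the constructed snapshot, the unmodified industry baseline produces three findings, while the organization's customized baseline produces two: automatic login is still enabled (high) and the user-list control was never set on the machine. Keeping the override's rationale attached to the control is what lets a later reviewer tell a deliberate deviation from an overlooked one.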
Members who take all eight courses in the series will be prepared to take and pass the CISSP exam. Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.