CertiGuide to Security+  9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)

Reporting Incidents to Third Parties 1 2 3.5.1  OS/NOS Hardening

Security Baselines are standards that specify a minimum (that is, “baseline”) set of security controls that are suitable for most organizations under normal circumstances. They typically address both technical issues (such as software configuration) and operational issues (such as keeping applications up to date with vendor patches). The idea of security baselines is that for any particular platform (hardware, OS, network, application), there is a minimum set of security recommendations which, if followed, will significantly decrease its vulnerability to security threats, and that it shouldn’t take an expensive consultant doing an extensive risk analysis of your environment to determine a reasonable set of security controls for you to implement. In this way, even a small mom-and-pop business without access to a major IT consulting firm can have some assurance that they are taking at least some worthwhile steps to computer security.

There are multiple schools of thought on the use of security baselines. Some think adopting a common set of security baselines across the industry is the way to go – a kind of set it and forget it approach that ignores the risk analysis step. Others think that baselines are just a starting point for the bare minimum acceptable level of security and those organizations that can, should expand upon them to further increase the security of their system as time, knowledge and budget permits and their particular risk situation requires.

When establishing Security Baselines, you may consider:

• Any existing security baseline documents for the hardware and software you use
  
  
• Any “best practices” guides that exist for hardening the hardware/software you use, which may exceed the recommendations in any proposed baselines for that hardware/software
  
  
• Specific issues you may have run into the past which deserve extra attention (suppose your web server has historically been a favorite target of hackers)
  
  
• What other administrators are saying and doing (do you really want to run the easiest FTP server for “Warez” folks to take over, on the whole Internet? If not, take the same step other administrators customarily take to secure their servers)
  
  
• Unique characteristics of your environment (in terms of security risks faced, how much collaboration takes place, management’s views on the security requirements vs. ease of use tradeoff, etc.)

Reporting Incidents to Third Parties 1 2 3.5.1  OS/NOS Hardening