CIS Control 4: Secure Configuration of Enterprise Assets and Software

4 years ago Matthew Jerzewski

Key Takeaways for Control 4

Fresh installs of operating systems and applications ship with default settings chosen for ease of deployment rather than security, and they are rarely configured with security in mind. Use the work already done in frameworks such as the CIS Benchmarks or the NIST National Checklist Program (NCP) to decide whether your organization needs to augment or adjust its baselines to align with the policies it is trying to adhere to.

Throughout the CIS Controls, many Controls build on one another, and some need data from earlier Controls before you can tell what is secure and what is not. Control 4 is an example: it deals with the secure configuration of the enterprise assets and software identified by Controls 1 and 2, so an incomplete inventory means assets that never get hardened.

Remember to go with a layered approach to cybersecurity. Implementing and managing firewalls is a cornerstone of cybersecurity, but putting all your eggs in one basket and hoping you can catch or stop every threat is not realistic. Having multiple layers of security can improve your effectiveness at slowing, delaying, or hindering a threat until it can be completely neutralized.

Safeguards for Control 4

4.1) Establish and Maintain a Secure Configuration Process

Description: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. This safeguard can be implemented by leveraging other benchmarks and checklists such as CIS Benchmarks or NIST NCP (National Checklist Program). With CIS benchmarks and NIST NCP, you can augment or adjust the baselines that satisfy your enterprise security policy.
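A secure configuration process is only as good as the drift checks that run against it. The following is an added example, not code from the Tripwire post or from CIS: a POSIX shell drift check of a host's sshd_config against a small baseline. The baseline values are modelled on common CIS Linux benchmark items for SSH (and touch on Safeguard 4.6, since SSH is the management protocol being hardened), but treat them as assumptions and take the real values from the benchmark your enterprise has adopted. The sample config file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Tripwire post: check an sshd_config against a
# small baseline, the kind of drift check a secure configuration process runs
# on every managed asset. Baseline values are modelled on common CIS Linux
# benchmark items for SSH; they are assumptions, take the real values from
# the benchmark your enterprise has adopted.

# Baseline, one "Keyword expected_value" per line.
BASELINE='PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes'

# Effective value of a keyword. sshd honours the FIRST occurrence of a keyword,
# matches keywords case-insensitively and ignores commented lines, so a check
# that merely greps for "PermitRootLogin no" anywhere in the file gets this wrong.
sshd_effective() {   # $1 = config file, $2 = keyword
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# One line per baseline item: "OK key value", "DRIFT key expected=.. actual=.."
# or "MISSING key expected=.." (keyword absent, so sshd's built-in default applies).
check_baseline() {   # $1 = config file
    printf '%s\n' "$BASELINE" | while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(sshd_effective "$1" "$key")
        if [ -z "$actual" ]; then
            printf 'MISSING %s expected=%s\n' "$key" "$expected"
        elif [ "$actual" != "$expected" ]; then
            printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$expected" "$actual"
        else
            printf 'OK %s %s\n' "$key" "$actual"
        fi
    done
}

# Number of items that are not OK; 0 means the file matches the baseline.
baseline_failures() {   # $1 = config file
    check_baseline "$1" | grep -cv '^OK ' || true
}

# Constructed sshd_config fragment for the demonstration (not a real host's file).
# Note the duplicated PermitRootLogin: the first, permissive line is the one sshd uses.
make_sample_config() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# Constructed sample
Port 22
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
X11Forwarding yes
MaxAuthTries 6
IgnoreRhosts yes
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_config)
check_baseline "$sample"
echo "failures: $(baseline_failures "$sample")"
rm -f "$sample"
```

On a live host, run the check over the output of `sshd -T` (the effective configuration with Include files and Match blocks resolved, printed with lowercase keywords) rather than over the raw file; the lowercase handling above is there for exactly that. Run it from configuration management or a scheduled job so drift is reported, not just fixed once.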

4.2) Establish and Maintain a Secure Configuration Process for Network Infrastructure

Description: Establish and maintain a secure configuration process for network devices. Review and update documentation annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. As with safeguard 4.1, network devices are also in need of hardening. The benchmarks and tools mentioned earlier can be augmented and adjusted to fit this field, as well.

4.3) Configure Automatic Session Locking on Enterprise Assets

Description: Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.

Notes: The security function associated with this safeguard is Protect. Automatic session locking helps prevent unauthorized access to an unattended device. I reiterate this because many default installs leave this policy disabled or undefined.

4.4) Implement and Manage a Firewall on Servers

Description: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.

Notes: The security function associated with this safeguard is Protect. Firewalls are a cybersecurity foundation for many enterprises. With that said, it is never a good idea to put all your eggs in one basket when dealing with cybersecurity. A good analogy is how you defend a castle: a moat, high walls, and an inner wall. These are layers. Good cybersecurity practice is to layer your security, so that if one layer is breached you have several others to fall back on.

4.5) Implement and Manage a Firewall on End-User Devices

Description: Implement and manage a host-based firewall or port-filtering tool on end-user devices with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Notes: The security function associated with this safeguard is Protect. As stated in Safeguard 4.4, a firewall can be the first line of defense against network-borne attacks, but it is also good practice to layer other defenses on top of an end-user device's firewall.
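Safeguards 4.4 and 4.5 both come down to one setting: the default policy. What follows is an added example, not part of the Tripwire post: a default-deny nftables ruleset for a Linux server, the permissive ruleset a fresh install often carries beside it, and a static check that tells them apart. The allowed services (SSH from a 10.10.0.0/24 management subnet, HTTPS from anywhere) are assumptions for the example; adjust them to the host's role.

```shell
#!/bin/sh
# Added example, not part of the Tripwire post: a default-deny nftables
# ruleset for a Linux server plus a static check that a ruleset file actually
# denies by default. The allowed ports and the 10.10.0.0/24 management subnet
# are assumptions for the example.

# Hardened ruleset: input defaults to drop, only explicit services are allowed.
write_hardened_ruleset() {   # $1 = destination file
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 ip saddr 10.10.0.0/24 accept   # SSH from the management subnet (assumed)
        tcp dport 443 accept                         # the one service this host exposes (assumed)
        limit rate 5/second log prefix "nft-drop: "  # rate-limited log of what the policy drops
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# The weak shape: allow by default and block a few things by exception.
write_weak_ruleset() {   # $1 = destination file
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop
    }
}
EOF
}

# Static check of a ruleset file. The input hook chain must carry "policy drop",
# and there must be an established/related accept rule, otherwise replies to the
# host's own outbound connections are dropped too. Prints PASS/FAIL lines and
# returns 0 only when both checks pass.
check_default_deny() {   # $1 = ruleset file
    rc=0
    if awk '/hook input/ && /policy drop/ { found = 1 } END { exit !found }' "$1"; then
        echo "PASS input chain policy is drop"
    else
        echo "FAIL input chain does not default to drop"; rc=1
    fi
    if grep -Eq 'ct state (established,related|related,established) accept' "$1"; then
        echo "PASS established/related traffic accepted"
    else
        echo "FAIL no established/related accept rule (lockout risk)"; rc=1
    fi
    return $rc
}

h=$(mktemp); w=$(mktemp)
write_hardened_ruleset "$h"; write_weak_ruleset "$w"
echo "hardened ruleset:"; check_default_deny "$h"
echo "weak ruleset:";     check_default_deny "$w" || echo "-> not acceptable as a baseline"
rm -f "$h" "$w"
```

Apply the hardened file with `nft -f` from a console session (or with a timed rollback queued) so a mistake in the SSH rule cannot lock you out, and compare the file against `nft list ruleset` on the live host; the check above only reads the file, it does not prove the kernel is running it.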

4.6) Securely Manage Enterprise Assets and Software

Description: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols such as Telnet (Teletype Network) and HTTP unless operationally essential.

Notes: The security function associated with this safeguard is Protect. Use secure, encrypted protocols when managing assets and software; a cleartext Telnet or HTTP management session hands credentials to anyone on the path. Keep software patched as well: it does not matter how secure you think an endpoint's configuration is if the software on it is outdated, because known vulnerabilities leave the door open for attacks.

4.7) Manage Default Accounts on Enterprise Assets and Software

Description: Manage default accounts on enterprise assets and software such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.

Notes: The security function associated with this safeguard is Protect. A built-in administrator or root account does not need to remain active for day-to-day use; keep it for recovery. These accounts are highly privileged, and an attacker who gains access to one can create further users and persist. This is why they should be deactivated or, where they must remain, protected with a strong, unique password per asset rather than a shared vendor default.
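The point of 4.7 is to find the pre-configured accounts before an attacker does. As an added example that is not part of the Tripwire post, the following POSIX shell audit reads passwd and shadow records, flags a second uid-0 account, empty password fields and default-named accounts that are still usable, and prints (without running) the commands that would lock them. The list of default account names and the sample records are constructed for the example; on a real host the inputs are /etc/passwd and /etc/shadow, the latter readable only by root.

```shell
#!/bin/sh
# Added example, not part of the Tripwire post: audit passwd/shadow records for
# default or vendor accounts that are still usable and print the commands that
# would lock them. The account-name list and the sample records are constructed
# for this example; on a real host use /etc/passwd and /etc/shadow.

# Names that vendors, images and appliances commonly pre-create (assumed list).
DEFAULT_ACCOUNTS="admin guest support ubnt pi vagrant"

# One finding per line, "<reason> <user>":
#   UID0            a second uid-0 account besides root (full root equivalent)
#   NOPASSWD        empty shadow password field, so no password is required
#   DEFAULT_USABLE  a default-named account with a login shell and a usable,
#                   unlocked hash (locked hashes start with "!" or "*")
audit_default_accounts() {   # $1 = passwd file, $2 = shadow file
    awk -F: -v defaults=" $DEFAULT_ACCOUNTS " '
        NR == FNR { hash[$1] = $2; next }                 # first file: shadow
        $3 == 0 && $1 != "root"        { print "UID0 " $1 }
        ($1 in hash) && hash[$1] == "" { print "NOPASSWD " $1 }
        index(defaults, " " $1 " ") && $7 !~ /(nologin|false)$/ &&
            ($1 in hash) && hash[$1] != "" && hash[$1] !~ /^[!*]/ {
            print "DEFAULT_USABLE " $1
        }
    ' "$2" "$1"
}

# Remediation as text, not executed. "passwd -l" prefixes the hash with "!";
# the shell change also stops interactive use via an SSH key, since locking the
# password does not remove authorized keys. A second uid-0 account is an
# incident until proven otherwise, so it gets a comment rather than a command.
remediation_commands() {   # $1 = passwd file, $2 = shadow file
    audit_default_accounts "$1" "$2" | while read -r reason user; do
        case "$reason" in
            UID0)           echo "# $user has uid 0: investigate before touching; then usermod -L $user" ;;
            NOPASSWD)       echo "passwd -l $user" ;;
            DEFAULT_USABLE) echo "passwd -l $user && usermod -s /usr/sbin/nologin $user" ;;
        esac
    done
}

# Constructed records (hashes are placeholders, not real). Prints "<passwd> <shadow>".
make_sample_files() {
    p=$(mktemp) || exit 1
    s=$(mktemp) || exit 1
    cat > "$p" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
admin:x:1001:1001:vendor admin:/home/admin:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/bash
alice:x:1003:1003:alice:/home/alice:/bin/bash
support:x:1004:1004:vendor support:/home/support:/usr/sbin/nologin
EOF
    cat > "$s" <<'EOF'
root:$6$c0nstructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$c0nstructed$notarealhash:19000:0:99999:7:::
admin:$6$c0nstructed$notarealhash:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$c0nstructed$notarealhash:19000:0:99999:7:::
support:!$6$c0nstructed$notarealhash:19000:0:99999:7:::
EOF
    printf '%s %s\n' "$p" "$s"
}

files=$(make_sample_files); p=${files%% *}; s=${files#* }
echo "findings:";    audit_default_accounts "$p" "$s"
echo "remediation:"; remediation_commands "$p" "$s"
rm -f "$p" "$s"
```

Note what the sample does not flag: `alice` is a normal user and `support` is already locked with a nologin shell. The audit is deliberately narrow so that its output is actionable; widen DEFAULT_ACCOUNTS with the names your appliances and images actually ship.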

4.8) Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Description: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.

Notes: The security function associated with this safeguard is Protect. Not every system component or service is needed for the asset to do its job, and each one left running is attack surface. Remote Desktop Protocol (RDP) is a common example: in its default configuration it has been linked to many vulnerabilities and is a frequent target. It can be hardened (for example by requiring Network Level Authentication and restricting which source addresses may reach it), but if the asset does not need it, the simplest fix is to disable the service.

4.9) Configure Trusted DNS Servers on Enterprise Assets

Description: Configure trusted DNS servers on enterprise assets. Example implementations include configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. 

Notes: The security function associated with this safeguard is Protect. DNS is a key component of the internet and of every enterprise network, and it should be secured accordingly. Several frameworks address this; the SANS Institute guidance on DNS defense, for example, recommends:

  1. Patches and Latest Builds
  2. Split internal and External DNS
  3. Disable Recursion
  4. Single-Purpose DNS Server
  5. Diverse Location of DNS Servers
  6. Restrict Zone Transfers
  7. Authenticate Zone Transfers
  8. Restrict Dynamic Updates
  9. Restrict Access
  10. Restrict external access to the DNS servers, limiting which queries are answered for clients on public IP addresses.
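The SANS list is about hardening the DNS servers; Safeguard 4.9 itself is about the assets, which must be pointed at resolvers the enterprise trusts. As an added example that is not part of the Tripwire post, the following POSIX shell check compares an asset's resolv.conf against an allowlist of trusted resolvers. The allowlist (two private addresses) and the sample resolv.conf are constructed for the example; a reputable external resolver is "trusted" only if your policy puts it on the list.

```shell
#!/bin/sh
# Added example, not part of the Tripwire post: verify that an asset resolves
# names only through resolvers the enterprise trusts. The allowlist and the
# sample resolv.conf are constructed for this example.

# Resolvers the enterprise controls (assumed addresses). Add reputable external
# resolvers here only if policy explicitly allows them.
TRUSTED_DNS="10.10.0.53 10.10.1.53"

# One line per nameserver entry: "TRUSTED ip", "UNTRUSTED ip", or "STUB ip" for
# the systemd-resolved loopback stub. The stub is neither trusted nor untrusted
# by itself: the real upstreams live in resolved's configuration and must be
# checked there (resolvectl status), which is a common blind spot in audits.
check_resolvers() {   # $1 = resolv.conf-style file
    awk -v trusted=" $TRUSTED_DNS " '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "nameserver" {
            if ($2 == "127.0.0.53")              print "STUB " $2
            else if (index(trusted, " " $2 " ")) print "TRUSTED " $2
            else                                 print "UNTRUSTED " $2
        }
    ' "$1"
}

# Number of untrusted resolvers (0 is the compliant state).
untrusted_count() {   # $1 = resolv.conf-style file
    check_resolvers "$1" | grep -c '^UNTRUSTED ' || true
}

# Constructed resolv.conf: one enterprise resolver, one public resolver that
# policy has not approved, and the resolved stub.
make_sample_resolv() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
# Constructed sample
nameserver 10.10.0.53
nameserver 8.8.8.8
nameserver 127.0.0.53
search corp.example
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_resolv)
check_resolvers "$sample"
echo "untrusted: $(untrusted_count "$sample")"
rm -f "$sample"
```

Treat a STUB result as "look further, not done": on a systemd-resolved host the upstream servers come from DHCP, the network manager or /etc/systemd/resolved.conf, and any of those can point at a resolver outside the allowlist while /etc/resolv.conf looks clean.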

4.10) Enforce Automatic Device Lockout on Portable End-User Devices

Description: Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts. For tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.

Notes: The security function associated with this safeguard is Respond. Similar to Safeguard 4.3, a threshold on local authentication attempts is important in helping to prevent unauthorized access, because it stops an attacker with physical possession of the device from simply guessing the PIN or password indefinitely.

4.11) Enforce Remote Wipe Capability on Portable End-User Devices

Description: Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices or when an individual no longer supports the enterprise.

Notes: The security function associated with this safeguard is Protect. I feel this safeguard has become more prominent as of late. Remote wiping of end-user devices has been around for a long time, but with the shift to remote work, company devices leave the office far more often. The capability to remotely wipe a device that is lost or stolen keeps your company's data more secure.

4.12) Separate Enterprise Workspaces on Mobile End-User Devices

Description: Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.

Notes: The security function associated with this safeguard is Protect. Keeping the personal and enterprise workspaces separate on a device is important because it lowers the risk that an attacker can leverage personal usage (a malicious app or a phishing link opened outside work) to reach enterprise data or the enterprise network.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

The post "CIS Control 4: Secure Configuration of Enterprise Assets and Software" appeared first on TripWire.

Source:TripWire – Matthew Jerzewski

