Security hygiene

Good information systems security hygiene is a foundational security concept, and is defined as keeping systems in good repair to reduce the risk of preventable compromise.  This is accomplished by maintaining software - ensuring versions are supported and fully patched - and by hardening common operating systems and applications to eliminate dangerous default configuration settings.

To assist Simon Fraser University with these tasks, the Information Security and Compliance (ISC) group within IT Services runs regular vulnerability scans to detect software vulnerabilities and provides guidance on system and application hardening through the tools and instructions provided by the nonprofit Center for Internet Security (CIS)

As we are members of the CIS SecureSuite, all SFU community members may create an account and gain access to the resources there.

What is System Hardening?

System hardening is the process of eliminating dangerous default configuration within common operating systems and applications.  Although each application and operating system has unique configuration guidelines, these requirements fall into several common categories:

  • Ensure software is supported and patched.
  • Change or remove default accounts and passwords.
  • Disable unused or broken encryption algorithms and keys.
  • Uninstall or disable unnecessary or unused filesystems, software, and services.
  • Restrict remote access to administrator accounts and audit privileged use.
  • Configure local security controls such as a web application firewall (WAF) and system firewall to control system access at the application layer.
  • Ensure prudent file permissions are set on system configuration files, sensitive applications, and data.
  • Ensure network time synchronization and logging of important events is enabled and monitored.
  • Harden the network stack against protocol anomalies and abuses, and disable unnecessary protocols.

Note: this list does not replace the detailed hardening guides at the Center for Internet Security, but rather gives an idea of the types of things that hardening resolves.

What is Software Maintenance?

Keeping software up-to-date and replacing unsupported software can greatly reduce the risk of compromise.  The National Institute for Standards and Technology (NIST) maintains a list of common application vulnerabilities and rates them using the Common Vulnerability Scoring System (CVSS) for how easily they can be exploited and how severe the impact would be to the system on a scale of one to ten.  This rating is used to help organizations identify and prioritize security risks and ensure resources are allocated efficiently.

Simon Fraser University (SFU) maintains a vulnerability management program that helps system administrators identify system vulnerabilities and address them in a timely fashion.  Regular system scanning and email notifications are used to communicate these risks.

Scanning is also performed by well-meaning external entities and malicious sources like attackers and botnets.  Vulnerabilities that are easy to exploit and/or have high impact (CVSS high/critical vulns) are built into malicious software to enable compromise at scale for botnet controllers and other criminals.  SFU has developed a standard to set expectations around the level of effort and timing that should be dedicated to eradicating these types of issues.