TCS Corporate Office2350 Corporate Park Drive, Suite 500

Herndon, VA 20171866.230.1307

TCS Trusted Operating Systems Lab2021 S. First Street, Suite 207

Champaign, IL 61820217.384.0028

TCS Texas Office10010 San Pedro, Suite 220

San Antonio, TX 78216210.340.3151

Security Blanket is a trademark of Trusted Computer Solutions, Inc. Linux is a registered trademark of Linus Torvalds. All other trademarks and registered trademarks are the property of their respective owners. **Security Blanket is compliant with Section 508 of the Rehabilitation Act of 1998.

100253.0609

About Trusted Computer SolutionsFounded in 1994, Trusted Computer Solutions (TCS) is an industry leader in cross domain and cyber security solutions and services that facilitate compliance with security requirements that support business objectives. The company’s flagship cross domain solutions enable government to securely share information, striking the right balance between information protection and information sharing, a vital component to national security. Known as the SecureOffice® Suite, these products adhere to stringent security standards set by U.S. Government and are installed and accredited in operational systems around the world. TCS’s cyber security solutions automate, accelerate and simplify the application of high levels of security. Security Blanket™ is an award-winning tool that automatically locks down enterprise-wide operating system server deployments, according to security best practices. CounterStorm™ uses behaviorial, statistical, and content-based anomaly detection to identify non-signature, targeted and zero day attacks, with unprecedented speed and accuracy. TCS is headquartered in Herndon, VA, with offices in Champaign, IL, and San Antonio, TX. www.TrustedCS.com

Enterprise Security Management

2

1.866.230.1317

Increased IT Complexity, Reduced ResourcesIT is challenged by increased complexity, accelerated software changes, growing compliance requirements, and pressure to reduce resources. It is now more difficult to assess the security state of the enterprise and consistently remediate security failures to ensure rapid compliance.

How can you configure your enterprise-wide server operating systems to meet security policy while maintaining the flexibility to repurpose systems and reverse changes that impact productivity?

Security Blanket – Automated Configuration to Meet Policy

Security Blanket™, from Trusted Computer Solutions, is the only enterprise platform that automatically locks down your operating systems to meet industry standard security guidelines. It is a cost-effective way to consistently and predictably secure your enterprise-wide systems in a fraction of the time it takes to lock them down manually.

It is critical that your servers are secured, but they must also provide the uptime and stability needed for applications and users.

Until now, system administrators have used a variety of costly, time-consuming, and inadequate options to secure their operating systems, if they secure them at all.

A case study of a global manufacturing

company shows that one server, left

unsecured, can bring down an entire data

center.

18% of organizations don’t lock down their

critical servers and 26% don’t lock down their

internet-facing servers.

Security officers average 32 hours per

month reacting to security problems.

www.TrustedCS.com/SecurityBlanket

3

Scriptsare available, but

they don’t conform to aspecific policy.

I know thatconsultants are an option,

but they’re expensive.What happens when I need to

make changes afterthey leave?

I’ll readsome books on OS

lock down and hope I don’t make any mistakes.

I don’thave time to takeclasses on this

stuff.

I’m experienced with Windows. How am I

going to secure all of these Linux and Solaris

servers?

Guidelines for SecurityCommercial and government organizations refer to a number of published guidelines and standards for operating system (OS) security. In cases where standards are not mandated, organizations need the flexibility to establish their own standards and implement them automatically.

Security Blanket includes predefined security Profiles from some of the most respected security industry leaders in the world. Customized Profiles can be easily created by using an industry standard Profile as a template, or building your own Profile by selecting individual guidelines.

Governing Organization Standard

Defense Information Systems Agency (DISA)

UNIX Security Implementation Technical

Guide (STIG)

The Center for Internet Security (CIS)

CIS RHEL 4 and 5, and Solaris 10 Benchmarks

Payment Card Industry Security Standards Council

Payment Card Industry (PCI) Data Security Standard

(DSS)

Department of Defense (DoD)

Joint Air Force Army Navy (JAFAN) 6/3

North American Electric Reliability Corporation (NERC), formed by the

Federal Energy Regulatory Commission (FERC)

Critical Infrastructure Protection (CIP)

Director of Central Intelligence Directive (DCID) DCID 6/3

SANS Institute

Top 20 Security Risks as related to Linux, Apache, MySQL, and PHP (LAMP)

and Solaris, Apache, MySQL, and PHP (SAMP)

National Security Council (NSC)

National Industrial Security Program Operating Manual

(NISPOM)

4

1.866.230.1317

Security Profiles and Modules Security Profiles are a compilation of individual security guidelines that are recommended for locking down operating systems. The individual lock down guidelines are referred to as Modules. Security Blanket has incorporated predefined industry

Security Management Across the EnterpriseNot only do organizations need the ability to automatically assess and configure the security of their OS against defined standards, they also need to be able to manage their servers at the enterprise level. Whether your IT department has five servers or five hundred, Security Blanket is your solution.

The Standalone version of Security Blanket provides a low-cost solution for managing a small number of servers. An agent is installed on each server and an easy-to-use interface is provided to guide you through quick, automated assessment and lock down.

Organizations with larger numbers of servers need the ability to centrally manage security across the enterprise. Security Blanket Enterprise Edition includes an Administration Console from which system administrators can manage any number of servers.

Security Blanket Enterprise Edition allows system administrators to congregate servers requiring the

guidelines from various security governing organizations. If your company doesn’t follow a specific industry guideline, Security Blanket offers security Profiles based on security criteria, such as Reliability/Availability, Integrity, and Confidentiality.

same security settings and associate industry standard or user-defined lock down Profiles to the server Group. The solution takes into consideration the fact that organizations may have different security policies for production servers than they do for test servers, for example.

Operating System Version

Red Hat Enterprise Linux (RHEL) 4 and 5

Oracle Enterprise Linux (OEL) 4 and 5

Novell SUSE Linux and openSUSE Linux 11

Fedora 10

CentOS 4 and 5

Solaris 10

WEB SERVERS EMAIL SERVERS

HR ADMIN SERVERS

ADMINISTRATION CONSOLE

Manage Profiles, Clients and Groups

Baseline, Scan, Apply, Report, Undo

www.TrustedCS.com/SecurityBlanket

5

Assessing Enterprise Compliance A Scan assesses the security level of a Group of servers against a selected security Profile. Assessment Reports provide conformance information for each server within the group and a “Pass,” “Fail,” or “Not Applicable” indication for each Module. For convenience, the system administrator has the option of viewing only Modules that have failed.

Enterprise-Wide OS Configuration An Apply initiates changes to the OS configuration to match the security Module specifications outlined in the Profile selected, creating a state of lock down or compliance. The OS of each server in a group is automatically configured to bring any failed Modules into compliance with the Profile selected. As an example, if a Scan identified that the “Maximum Time Between Password Changes” Module had failed, an Apply would automatically configure the OS to the required value in the Profile. This process is also known as “hardening” the OS.

Automatic Configuration Undo We all know that things can, and will, go wrong. When that happens, Security Blanket ensures that your operations continue with no downtime. If a Group is configured to meet compliancy guidelines and the system administrator discovers that the lock down adversely affects an application on the OS, the Undo function in Security Blanket automatically reverses the lock down configuration and restores the OS to the prior system configuration. An Undo can be activated for an entire Profile or at an individual Module level. Additionally, if only one server in a Group is negatively affected, an Undo can be used to reverse the lock down for just that server. This unprecedented flexibility is key to preserving the uptime of the enterprise.

Flexible SchedulingBest practices advise verifying the security posture of the enterprise on a regular basis to ensure that compliance has not been compromised. Security Blanket provides the ability to schedule routine Scan, Apply, and Undo actions, or reports, for whatever time frames work for you.

Productivity Enhanced (Not Hampered)Security Blanket is designed for easy use. System administrators can administer and manage OS security without having expertise in a particular operating system. Your Windows system administrators, for example, can now be proficient in securing Linux or Solaris servers, allowing you to maximize resources and maintain productivity. Little or no training is necessary to use Security Blanket. Users can directly link to the Enterprise Administration Guide and the Security Blanket Modules Guide from the user interface. Online Help is provided with thorough, easy-to-understand guidance. There are clear, concise descriptions and tips provided for every security Module, as well as a cross-reference between Modules and the guidelines they satisfy. This cross-reference can be invaluable for a system administrator preparing for an industry guideline audit.

Comprehensive Technical SupportIf Security Blanket’s online Help, robust documentation, Module cross-references, and automatic Undo capabilities can’t solve the problem, our top-caliber support group can. Security Blanket engineers are always available to assist with whatever the customers need.

Low Impact On Network and Personnel Resources Security Blanket is designed for minimal operational and hardware intrusion, and is sensitive to an administrator’s needs when deploying new OS distributions.

» Use of the Apache web server for authentication and delivery of static content provides flexibility, reliability, and performance.

» Supports 32- and 64-bit architectures.

» Supports IPv4 and IPv6 networks simultaneously.

» Console-to-Client communications are encrypted and authenticated using Public Key Infrastructure (PKI) in conjunction with Transport Layer Security (TLS). This protects Clients from “denial-of-service” (DoS) attacks, unauthorized Scans, disclosure of Assessment Reports, and access to Client information.

6

1.866.230.1317

Reporting That Ensures Audit Compliance Reporting is particularly important in today’s environment, with numerous security breaches occurring on a daily, if not hourly, basis. It’s not enough to perform the necessary processes to secure your operating systems. You also need the reports to confirm that systems are successfully locked down and remain secure.

All Security Blanket reports are generated in XML, allowing system administrators to create customized reports by deploying their own XSLT template files.

Assessment Reports

A Security Blanket Assessment Report displays the results of a Scan and can be run against individual servers or Groups. The report shows which Modules passed and which ones failed for every server in the Group as well as the severity level of the Module’s impact on the security state of the system. Like all Security Blanket reports, Assessment Reports can be archived for viewing at a later time.

Baselines and Baseline Comparison Reports

A Baseline can be run, typically after a Scan and Apply, to capture a “snapshot” of the system configuration of a Client or Group. The Baseline Comparison Report compares the current system state to a prior state and identifies changes in hardware, files, software, and network access configurations. A system administrator may run a Scan on a previously locked down server to find that it is no longer in compliance. By initiating a Baseline and then running a Baseline Comparison Report, the system administrator can easily identify changes in the system that occurred between the two Baselines and determine why the compliance state changed.

Detailed Logging Reports

Security Blanket provides detailed logging of each Security Blanket action. This information gives administrators insight as to exactly how the OS is being configured. As an example, the logging will identify previous file permissions and the permissions Security Blanket set when lock down actions were applied.

Implementation Flexibility

Enterprise or Standalone

Security Blanket’s flexibility allows it to serve as a solution for small, medium, and large enterprises. Smaller organizations with fewer servers may elect to run the Standalone version, which runs on individual servers. Each server can be managed via an easy-to-navigate user interface or the command line.

Organizations with larger numbers of servers will want the ability to centrally manage servers across the enterprise using Security Blanket Enterprise Edition. From the Administration Console, administrators can organize servers into Groups, assign lock down Profiles, run Scans, lock down Groups of servers and generate reports. As with the Standalone version, the Enterprise Edition can be managed via the user interface or the command line.

Operational Management

Security Blanket incorporates Role Based Access Control (RBAC) to ensure that users perform operations that are appropriate for their specific roles. As an example, system administrators with responsibility for lock down and policy assurance may have a higher level of functional authority than security officers who may only need access to Assessment and Baseline Reports.

Integration for Enhanced Functionality

Security Blanket supports the ability to communicate with external third-party applications through a variety of protocols. Its comprehensive Baseline Report contains key system information valuable to applications such as patch management, configuration management, and inventory management. Security Blanket utilizes a plug-in architecture to allow easy addition of new protocols and interfaces to communicate with applications. For example, an email plug-in supports the generation of emails after key Security Blanket events.

Platform Options

Security Blanket supports various platforms, including Solaris x86 and SPARC, ESX clients, and RHEL 5.2 or higher on IBM System z.

“Best Security Product”

www.TrustedCS.com/SecurityBlanket

7

What Security Blanket Clients Are Saying

“With Security Blanket, I can lock down a Linux or Solaris system to DISA STIG

compliance in under a minute. The ability to reverse the security implementation one

security module at a time is a great feature in order to ensure that the system is in

a usable state and still sustain the highest level of security possible. Before Security

Blanket, I would have to maintain scripts and ‘hand jam’ changes. The task of locking

down a system was a long and drawn-out process that could take days. Even then my

systems were not as secure as they are with Security Blanket. Security Blanket can turn

even the most novice Linux/Solaris administrators into system security professionals.”

Senior Engineer, Intelligence Community

“I have been buttoning down secure UNIX OSs for over a decade. I always considered it a

black art and a major pain. No more. It is all over. I am not joking when I say that Security

Blanket demystified the whole process. It is easy to use, extremely flexible, and should

be used by anyone who really is interested in securing their machine and keeping it that

way. The other key point is its ability to automatically, on a scheduled basis, check to see

that all is still in order. I am amazed it could be this simple. Thank you.”

Engineer, Department of Defense

“Thanks to Security Blanket, I was able to lock down all 18 of my classified servers in one

day. Prior to using Security Blanket, locking down one server would have taken an entire

week. It was so easy to create a custom profile by modifying the default DISA STIG profile

for our specific site needs. Now I have a custom security profile that I can use for all of

my servers. Having the ability to automatically run weekly Baseline Reports is also a big

time-saver! Now that I am using Security Blanket, I have more time to focus on mission-

critical tasks and projects.”

Principal Field Support Engineer, National Test Range

“After downloading the free trial version of Security Blanket and successfully locking

down one of my Linux servers, I was compelled to purchase Security Blanket Enterprise

for all of my Linux and Solaris servers. Being able to group my servers by their

function and lock the groups down using different guidelines has saved me days of

implementation time. I can get new servers into production much faster now. What a

time-saver!”

Production Control Manager, Fortune 1000 Wholesale Distributor

Security Blanket performs the DISA STIG profile scan 88% faster

than running a DISA SRR scan.

99% of Security Blanket’s security

modules complete their configuration in less

than 1 second.

A new Red Hat 5.2 installation includes ~150 files with “excessive file permissions” (based on

DISA UNIX STIG v5, R1.17).