Risk Management Minimum Security Baselines 02-07-2013

  • 8/10/2019 Risk Management Minimum Security Baselines 02-07-2013

    Essentials

    A Minimum Security Baseline (MSB) is a minimum information security configuration standard, sometimes referred to as an organization's internal best practices. MSBs can be applied to many areas within an organization, such as a router, switch, firewall, server or site. These configuration standards detail many important items, such as security patch minimums, disabling unnecessary services, or determining the number of required physical locks and surveillance cameras.

    Benefits

    Unfortunately, many believe that throwing additional security technology at an area is the best preventative security medicine. However, applying standard information security configurations to hardware and software, as well as adding physical security measures, is fundamental in building a comprehensive and sustainable information security program. MSBs can also be integrated into the Internal Vulnerability Scan process. Many times, vulnerability scanners report vulnerabilities that the organization has already determined to be an acceptable risk. MSBs can be used to quickly eliminate these vulnerabilities from the list of findings in the scanner's reports. This process may save the person in charge of the Internal Vulnerability Management process a significant amount of time.
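
One way to apply the scanner integration described above, as an added Python example that is not SecureState's tooling or part of the original datasheet: a finding is set aside only when the device's own MSB functional group records it as an accepted risk. The finding IDs, hosts, group names and justifications are constructed for illustration.

```python
"""Triage scanner findings against accepted-risk entries recorded in MSBs."""

# Constructed sample data: accepted-risk entries per MSB functional group.
# Finding IDs, groups and hosts are hypothetical, not from any real scanner.
MSB_ACCEPTED = {
    "file-server": {"SMB-SIGNING-OPTIONAL": "legacy clients; compensating VLAN ACL"},
    "core-switch": {"SNMP-V2C-ENABLED": "monitoring tool lacks SNMPv3 support"},
}

# Which MSB functional group each device belongs to (constructed).
DEVICE_GROUP = {
    "fs01": "file-server",
    "sw-core-1": "core-switch",
    "web01": "web-server",
}

# Constructed scanner output: (host, finding_id).
FINDINGS = [
    ("fs01", "SMB-SIGNING-OPTIONAL"),
    ("fs01", "MISSING-PATCH-EXAMPLE"),
    ("sw-core-1", "SNMP-V2C-ENABLED"),
    ("web01", "SMB-SIGNING-OPTIONAL"),  # accepted only for file servers
    ("lab-pc7", "SNMP-V2C-ENABLED"),    # device has no MSB group
]


def triage(findings, device_group, msb_accepted):
    """Split findings into actionable ones and ones the MSB already accepts.

    A finding is set aside only when the device's own functional group lists
    it. Devices with no group, and findings accepted for a different group,
    stay actionable so they are never silently dropped.
    """
    actionable, accepted = [], []
    for host, finding_id in findings:
        group = device_group.get(host)
        reason = msb_accepted.get(group, {}).get(finding_id)
        if reason is None:
            actionable.append((host, finding_id))
        else:
            accepted.append((host, finding_id, group, reason))
    return actionable, accepted


if __name__ == "__main__":
    todo, known = triage(FINDINGS, DEVICE_GROUP, MSB_ACCEPTED)
    for host, fid, group, reason in known:
        print(f"accepted  {host:10} {fid:22} [{group}] {reason}")
    for host, fid in todo:
        print(f"ACTION    {host:10} {fid}")
```

Keeping the justification next to each accepted entry means the scan report still shows why a finding was set aside, which helps when the MSB is next reviewed.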

    Creating an MSB document is just one step in the process needed to gain the value and security advantages that MSBs have to offer.

    Expertise

    SecureState has experts in all facets of security, with many combined years of experience implementing and configuring hardware and software in a secure manner. We not only help many organizations build MSB templates, but have also automated the process of integrating MSBs into the organization.

    Minimum Security Baselines (MSBs)

    MSBs should be created for operating systems, applications, databases and network devices deployed in your environment.

    There are a number of free MSB templates available online. A common misconception is that you can simply download one of these MSB templates and apply it to your systems to secure them. In reality, this will most likely make the system unusable and break the applications that run on the systems.

    Approach

    SecureState uses a cycle outline for the MSB Service:

    1. ASSESS: Understand business requirements and IT environment through interviews, documentation review, and system interrogation.

    2. DEVELOP: Develop customized MSB based on device's function and categorize MSBs into functional groups.

    3. LEVERAGE: Leverage technology to push GPO; document if 100% of MSB settings were/could not be implemented on a particular device, with explanation why.

    4. MONITOR: Monitor MSBs for changes by scanning devices quarterly.

    5. UPDATE: Update MSBs as needed to address latest security threats.

    SecureState takes a multiphase approach to developing and implementing MSBs. First, SecureState reviews existing MSBs or creates an initial draft, if it is a new MSB. Next, SecureState collaborates with IT to create a final version of the MSB. Once a final version is created, the client's IT organization implements the MSB into production; this also includes base images used to create new systems. Once the MSBs are in production, it is critical to test and validate that the MSBs have in fact been applied correctly. Based on the testing, emerging threats and changes in the environment, the MSB will be improved. These improvements will then be funneled back into the existing MSB and the cycle outline will be repeated. It is critical to repeat these steps on a regular basis to ensure MSBs stay current and relevant.

    MSBs should be reviewed annually to ensure they are current against new attacks.

    Expertise

    SecureState's pool of diversified backgrounds provides deep technical and strategic insight. SecureState has experts in every area of enterprise information security. MSBs are designed by experts in system hardening. MSBs are reviewed by our penetration testing team.

    MSBs need to be customized to your systems to ensure they do not break your systems or applications.