It is important to understand the purpose of what a server’s function is going to be in the network and what data will be stored on the server in order to determine any threats that could pose a risk to the company. This is done by performing a risk assessment and using the results to mitigate those threats. However, in addition there are general security guidelines that can be followed to help harden a system. These guidelines include removing or disabling any unnecessary services or applications, patching the OS or any applications on the server, configuring access controls to utilize the principle of least privilege, and backing up critical information. Implementing these guidelines can help reduce the chances of a breach from occurring. Also, if a breach does occur then using the backups to restore the system if data or the operating system is damaged.
I found section 3.3 to be important. This section covers management practices for servers. Server security is vital to the upkeep of a server. Some of the management techniques are Organizational Information System Security Policy, Configuration/Change Control and Management, Risk Assessment and Management, and Security Awareness and Training. The section also covers what should be included in a system security plan. These plans should cover System identification and controls. Finally, this section laid out the guidelines for federal system security plans, which are more strict. In a federal agency, all information systems must be covered in a system security plan. Other organizations are not required to provide a system security plan for all but are encouraged to do so.
Security practices always start with management and the policies they lay down. And even their tone and example as well. I think it’s important that roles and responsibilities for server security are defined somewhere in policies. There should also be policies and procedures in place to ensure proper change management, risk assessment, BC/DR planning, and training.
One of the biggest things, I think, is accountability. Policies are nice, but if they are not enforced and no one is held accountable for them, then they do not do much. It’s up to management to designate those who monitor compliance with policies and what the penalty for non-compliance is.
The section on the human resources requirements was eye-opening for me, in particular this quote “Appropriate and sufficient human resources are the single most important aspect of effective server security.” An organization can have the most technologically advanced systems and security measures available but it will be ineffective if there are not an appropriate number of staff with the specific skillset to administer the systems. It is also important to think about staffing during the implementation phase, similarly to when security in general needs to be considered. Considerations should include the required number of staff to administer the systems, the skillset required to effectively administer the systems and an assessment of the current available resources. Another important aspect is continual assessment of current staff and training and knowledge enhancement opportunities due to the ever evolving technological landscape and new security threats and vulnerabilities arise. As threat actors become smarter, the IT security professionals have to become smart too.
From this reading, it is important to understand that many members of an organization have a role, direct or indirect, in securing the servers within their information architecture. The CIO, while by no means directly responsible for server maintenance, is responsible for maintaining the overall information security of the enterprise, and issues guidance to the rest of the organization to ensure acceptable information risk levels are maintained. The Information Systems Security Program Managers (ISSPM) are responsible for verifying that the organization’s security requirements are met and policies are adhered to, including those involving the server architecture. The Information Systems Security Officers (ISSO) guide the operations of a particular business unit, including any servers it is responsible for, in such a way that the policies are adhered to. Finally, the administrators of various IT disciplines are directly responsible for the management of the servers themselves.
One of my takeaways is to configure resource controls appropriately. Commonly used server operating systems provide the feature of specifying access rights to files, directories, devices, and other computing resources. Administrators can prevent users from making configuration changes that may reduce security. It will limit the attacker’s ability to attack servers or other hosts on the network. Careful setting of access control can deny unauthorized access by personnel. Server administrators can reduce intentional and unintentional security vulnerabilities. Sometimes, the administrator configures the operating system to provide an isolated virtual environment in which the server software will run. Users can only access the virtual environment, separate from the underlying operating system. Limit the execution privileges of most system-related tools to authorized systems.
Hi To-Yin. This a great point you bring up regarding configuring resource controls appropriately. I think that appropriately analyzing and assigning access control to individuals or at an individual level is the best way to mitigate unauthorized access in a network system. It is important to note that in most organizations the access controls are assigned at a group level and not at an individual level. This lack of detailing can make the data vulnerable to both internal and external data breach threats. If a cyber attack were to occur, an appropriate access control could limit the cyberattacker’s access to sensitive information.
A key takeaway from this reading is server security planning – arguably the most important step in server security. This server security principle includes; identifying the of server; purpose of the server; choice of OS; physical security protection; security management staff; identifying information system assets and implementing safeguards necessary to protect the CIA triad; SSP and finally human resources. These various elements of planning will ensure that server is as secure as possible and aligns with the organization policies and security best practices.
The main function of security testing is to identify threats in the system, and prevent malicious attacks from intruders; which is why security testing such as vulnerability scanning and penetration testing are essential in managing risks, prevent data theft, and making sure there is no unauthorized access. Vulnerability scanning searches and identifies vulnerabilities in networks and applications. Penetration testing methods are that of an attacker – compromising networks and exploiting weak areas to gain access. Periodic scanning using both vulnerability scanning and penetration testing is highly recommended to help prevent attacks on organization’s networks.
The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers. This document addresses common servers that use general operating systems (OS) such as Unix, Linux, and Windows. The one key point I took from this reading is the User Authenticate Configuration. Enabling authentication involves configuring parts of the OS, firmware, and applications on the server, such as the software that implements a network service. To ensure the appropriate user authentication is in place, organizations should implement authentication and encryption technologies, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect passwords during transmission and reduces the likelihood of spoofing attacks.
One of the key takeaways I had from this reading is that it identified appropriate and sufficient human resources as the single most important aspect of effective server security. I would imagine if you asked most IT management or leadership about effectively managing server security, many if not all respondents would talk about general hardening and technical controls in place to protect servers. I think it is a really important call-out that the human aspect of this was emphasized, and also that it was emphasized as a part of planning, and not an afterthought or post-implementation consideration. The reading gave some specific considerations around planning for personnel needs, including required personnel, required skills, and available personnel, and also talked about how this should be periodically reassessed as organizations and technology are constantly changing.
I thought it was helpful how this NIST document broke down server hardening into six different steps. It shows how complex security can be, but also how to make it manageable. My biggest takeaway is that after planning, an organization should already know how each step will be carried out. Security should not be an afterthought or something added on at the end of implementation.
Here are the steps:
1. Plan the installation and deployment of the OS and other components.
– This involves identifying the purpose of the server and categorizing it (in terms of security). The purpose and sensitivity should really drive how it is secured.
– Everything from how users will be authenticated to protocols used should be determined before implementation. This leads to better security.
2. Install, configure, and secure the underlying OS
– The OS should be patched and up to date
– Unnecessary services and protocols should be disabled
– Host-based firewalls, IDS should be considered
– Security testing should be performed
3. Install, configure, and secure the server software
– Apply patches and upgrades
– Remove unneeded add ons
– Configure access controls and secure files
4. Ensure content on the servers is properly secure
– Configure logs
– Select encryption
5. Employ appropriate network protection mechanisms
– Firewalls, ACLs, IDS/IPS
6. Employ secure administration and maintenance processes
– Security does not stop after implementation. It is a continuous process
An interesting perspective covered by NIST 800-123 involves advice to organizations to treat public-facing servers, such as web servers, as sensitive to the organization’s reputation. These public-facing servers could be damaged if the integrity is compromised. With that in mind, the physical security of the servers is to be considered. This involves restrictive physical access to the servers, environmental controls, redundant power sources, redundant network connections, and consideration of natural disasters.
My biggest takeaway from the reading is chapter 3. It outlines, in-depth, the implementation, planning, and administration that is necessary to develop a system security plan. It outlines best practices and responsibilities based on roles. You can’t build a house without a solid foundation. First and foremost, it is important that you have the groundwork laid out. Once you have solid ground, then you can start building up. A strong foundation is important for reasons not needing explanation, but most importantly, having a plan and accountability allows you to weather any storm and have a solution to every problem. A strong, universal document can act as a bible for a company. Whenever there is uncertainty, you should be able to find, at the very least, the next steps for your solution.
The NIST 800-123 covers 17 security-related areas that relate to protecting confidentiality, integrity, availability of federal information systems. This includes all the areas we recognize that is important to information systems such as access control, managers and users must be limited access and have role-based access. Everyone must be training and awareness of security risks on a frequent training basis. All organizations must audit records to monitor controls are effective and implemented correctly. Configuration management makes sure organizations must configure and maintain baseline inventories of everything. By following everything in this guy and all 17 security areas will definitely set most companies up for success.
The concept i found the most interesting was in Section 4. It explains that a patching procedure should be implemented. This is true and emphasized through out this program. The patching process also contributed the the Maersk case study due to an old OS. This is another reading that supports and shows the value in have a patching procedure.
I like how you compared this week’s lesson to a previous case study. You are correct in your observation. No patching can have disastrous effects on an organization and you supported your claim with great evidence.
According to The NIST 800-123 covers, a crucial factor in assessing server security that whether being in the cloud or locally is to properly test the system that the server is truly working. Without testing the server, a company or firm could spend a lot on a server that may not even work properly or efficiently. One type of test is called penetration testing which is essentially a simulation of a server being attacked by a cyber attacker. As we have learned in security architecture, humans are the greatest factor in cybersecurity. To secure the operating system of a company, the company needs to make sure that the operating system has the latest patches and updates installed. The operating system patches can protect the server greatly from data breaches and external cyber-attacks.
The section on server vulnerabilities, threats and environments particularly stood out to me. I learned that many threats against data and resources are possible because of mistakes. These could be from either bugs in operating system and server software that create exploitable vulnerabilities, or errors made by end users and administrators. As a result organizations should conduct risk assessments to identify the specific threats against their servers and determine the effectiveness of existing security controls in counteracting the threats.
It is important to understand the purpose of what a server’s function is going to be in the network and what data will be stored on the server in order to determine any threats that could pose a risk to the company. This is done by performing a risk assessment and using the results to mitigate those threats. However, in addition there are general security guidelines that can be followed to help harden a system. These guidelines include removing or disabling any unnecessary services or applications, patching the OS or any applications on the server, configuring access controls to utilize the principle of least privilege, and backing up critical information. Implementing these guidelines can help reduce the chances of a breach from occurring. Also, if a breach does occur then using the backups to restore the system if data or the operating system is damaged.
I found section 3.3 to be important. This section covers management practices for servers. Server security is vital to the upkeep of a server. Some of the management techniques are Organizational Information System Security Policy, Configuration/Change Control and Management, Risk Assessment and Management, and Security Awareness and Training. The section also covers what should be included in a system security plan. These plans should cover System identification and controls. Finally, this section laid out the guidelines for federal system security plans, which are more strict. In a federal agency, all information systems must be covered in a system security plan. Other organizations are not required to provide a system security plan for all but are encouraged to do so.
Security practices always start with management and the policies they lay down. And even their tone and example as well. I think it’s important that roles and responsibilities for server security are defined somewhere in policies. There should also be policies and procedures in place to ensure proper change management, risk assessment, BC/DR planning, and training.
One of the biggest things, I think, is accountability. Policies are nice, but if they are not enforced and no one is held accountable for them, then they do not do much. It’s up to management to designate those who monitor compliance with policies and what the penalty for non-compliance is.
The section on the human resources requirements was eye-opening for me, in particular this quote “Appropriate and sufficient human resources are the single most important aspect of effective server security.” An organization can have the most technologically advanced systems and security measures available but it will be ineffective if there are not an appropriate number of staff with the specific skillset to administer the systems. It is also important to think about staffing during the implementation phase, similarly to when security in general needs to be considered. Considerations should include the required number of staff to administer the systems, the skillset required to effectively administer the systems and an assessment of the current available resources. Another important aspect is continual assessment of current staff and training and knowledge enhancement opportunities due to the ever evolving technological landscape and new security threats and vulnerabilities arise. As threat actors become smarter, the IT security professionals have to become smart too.
From this reading, it is important to understand that many members of an organization have a role, direct or indirect, in securing the servers within their information architecture. The CIO, while by no means directly responsible for server maintenance, is responsible for maintaining the overall information security of the enterprise, and issues guidance to the rest of the organization to ensure acceptable information risk levels are maintained. The Information Systems Security Program Managers (ISSPM) are responsible for verifying that the organization’s security requirements are met and policies are adhered to, including those involving the server architecture. The Information Systems Security Officers (ISSO) guide the operations of a particular business unit, including any servers it is responsible for, in such a way that the policies are adhered to. Finally, the administrators of various IT disciplines are directly responsible for the management of the servers themselves.
One of my takeaways is to configure resource controls appropriately. Commonly used server operating systems provide the feature of specifying access rights to files, directories, devices, and other computing resources. Administrators can prevent users from making configuration changes that may reduce security. It will limit the attacker’s ability to attack servers or other hosts on the network. Careful setting of access control can deny unauthorized access by personnel. Server administrators can reduce intentional and unintentional security vulnerabilities. Sometimes, the administrator configures the operating system to provide an isolated virtual environment in which the server software will run. Users can only access the virtual environment, separate from the underlying operating system. Limit the execution privileges of most system-related tools to authorized systems.
Hi To-Yin. This a great point you bring up regarding configuring resource controls appropriately. I think that appropriately analyzing and assigning access control to individuals or at an individual level is the best way to mitigate unauthorized access in a network system. It is important to note that in most organizations the access controls are assigned at a group level and not at an individual level. This lack of detailing can make the data vulnerable to both internal and external data breach threats. If a cyber attack were to occur, an appropriate access control could limit the cyberattacker’s access to sensitive information.
A key takeaway from this reading is server security planning – arguably the most important step in server security. This server security principle includes; identifying the of server; purpose of the server; choice of OS; physical security protection; security management staff; identifying information system assets and implementing safeguards necessary to protect the CIA triad; SSP and finally human resources. These various elements of planning will ensure that server is as secure as possible and aligns with the organization policies and security best practices.
The main function of security testing is to identify threats in the system, and prevent malicious attacks from intruders; which is why security testing such as vulnerability scanning and penetration testing are essential in managing risks, prevent data theft, and making sure there is no unauthorized access. Vulnerability scanning searches and identifies vulnerabilities in networks and applications. Penetration testing methods are that of an attacker – compromising networks and exploiting weak areas to gain access. Periodic scanning using both vulnerability scanning and penetration testing is highly recommended to help prevent attacks on organization’s networks.
The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers. This document addresses common servers that use general operating systems (OS) such as Unix, Linux, and Windows. The one key point I took from this reading is the User Authenticate Configuration. Enabling authentication involves configuring parts of the OS, firmware, and applications on the server, such as the software that implements a network service. To ensure the appropriate user authentication is in place, organizations should implement authentication and encryption technologies, such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS) to protect passwords during transmission and reduces the likelihood of spoofing attacks.
One of the key takeaways I had from this reading is that it identified appropriate and sufficient human resources as the single most important aspect of effective server security. I would imagine if you asked most IT management or leadership about effectively managing server security, many if not all respondents would talk about general hardening and technical controls in place to protect servers. I think it is a really important call-out that the human aspect of this was emphasized, and also that it was emphasized as a part of planning, and not an afterthought or post-implementation consideration. The reading gave some specific considerations around planning for personnel needs, including required personnel, required skills, and available personnel, and also talked about how this should be periodically reassessed as organizations and technology are constantly changing.
I thought it was helpful how this NIST document broke down server hardening into six different steps. It shows how complex security can be, but also how to make it manageable. My biggest takeaway is that after planning, an organization should already know how each step will be carried out. Security should not be an afterthought or something added on at the end of implementation.
Here are the steps:
1. Plan the installation and deployment of the OS and other components.
– This involves identifying the purpose of the server and categorizing it (in terms of security). The purpose and sensitivity should really drive how it is secured.
– Everything from how users will be authenticated to protocols used should be determined before implementation. This leads to better security.
2. Install, configure, and secure the underlying OS
– The OS should be patched and up to date
– Unnecessary services and protocols should be disabled
– Host-based firewalls, IDS should be considered
– Security testing should be performed
3. Install, configure, and secure the server software
– Apply patches and upgrades
– Remove unneeded add ons
– Configure access controls and secure files
4. Ensure content on the servers is properly secure
– Configure logs
– Select encryption
5. Employ appropriate network protection mechanisms
– Firewalls, ACLs, IDS/IPS
6. Employ secure administration and maintenance processes
– Security does not stop after implementation. It is a continuous process
Jonathan,
You explained the points in a simple understandable format. Your comment helped emphasize the steps presented in the reading. THank you,
An interesting perspective covered by NIST 800-123 involves advice to organizations to treat public-facing servers, such as web servers, as sensitive to the organization’s reputation. These public-facing servers could be damaged if the integrity is compromised. With that in mind, the physical security of the servers is to be considered. This involves restrictive physical access to the servers, environmental controls, redundant power sources, redundant network connections, and consideration of natural disasters.
My biggest takeaway from the reading is chapter 3. It outlines, in-depth, the implementation, planning, and administration that is necessary to develop a system security plan. It outlines best practices and responsibilities based on roles. You can’t build a house without a solid foundation. First and foremost, it is important that you have the groundwork laid out. Once you have solid ground, then you can start building up. A strong foundation is important for reasons not needing explanation, but most importantly, having a plan and accountability allows you to weather any storm and have a solution to every problem. A strong, universal document can act as a bible for a company. Whenever there is uncertainty, you should be able to find, at the very least, the next steps for your solution.
The NIST 800-123 covers 17 security-related areas that relate to protecting confidentiality, integrity, availability of federal information systems. This includes all the areas we recognize that is important to information systems such as access control, managers and users must be limited access and have role-based access. Everyone must be training and awareness of security risks on a frequent training basis. All organizations must audit records to monitor controls are effective and implemented correctly. Configuration management makes sure organizations must configure and maintain baseline inventories of everything. By following everything in this guy and all 17 security areas will definitely set most companies up for success.
The concept i found the most interesting was in Section 4. It explains that a patching procedure should be implemented. This is true and emphasized through out this program. The patching process also contributed the the Maersk case study due to an old OS. This is another reading that supports and shows the value in have a patching procedure.
Hi Michael,
I like how you compared this week’s lesson to a previous case study. You are correct in your observation. No patching can have disastrous effects on an organization and you supported your claim with great evidence.
According to The NIST 800-123 covers, a crucial factor in assessing server security that whether being in the cloud or locally is to properly test the system that the server is truly working. Without testing the server, a company or firm could spend a lot on a server that may not even work properly or efficiently. One type of test is called penetration testing which is essentially a simulation of a server being attacked by a cyber attacker. As we have learned in security architecture, humans are the greatest factor in cybersecurity. To secure the operating system of a company, the company needs to make sure that the operating system has the latest patches and updates installed. The operating system patches can protect the server greatly from data breaches and external cyber-attacks.
The section on server vulnerabilities, threats and environments particularly stood out to me. I learned that many threats against data and resources are possible because of mistakes. These could be from either bugs in operating system and server software that create exploitable vulnerabilities, or errors made by end users and administrators. As a result organizations should conduct risk assessments to identify the specific threats against their servers and determine the effectiveness of existing security controls in counteracting the threats.