IT-SECURITY „MUST HAVE“:
HARDENING AS PART OF A HOLISTIC
SECURITY STRATEGY
11 October 2023
Who is talking to you?
Introduction
2 TEAL Technology Consulting GmbH
Fabian Böhm
CEO & Founder @ TEAL
https://www.teal-consulting.de/
Florian Bröder
CEO & Founder @ FB Pro GmbH
https://www.fb-pro.com/
AGENDA
§ Hardening – the why
§ Hardening – the what
§ Hardening – tool based
§ Hardening – how to rollout
§ Hardening – how can we help you
§ Q&A
HARDENING – THE WHY
Real life examples – fresh on the table!
JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF (defense.gov)
Unrühmliche Hitparade: NSA und CISA teilen Top-Sicherheits-Fehlkonfigurationen | heise online
Cyberangriffe in Deutschland 2023: Diese Unternehmen hat's schon erwischt - CSO (csoonline.com)
Daten von "Motel-One"-Hotelgästen im Darknet veröffentlicht | tagesschau.de
Keine Mails, keine Internetseite: Hackeralarm an der Uniklinik Frankfurt | hessenschau.de | Panorama
Real life examples
Karlsruhe: Hacker greifen Stadtwerke an und spähen Daten aus - DER SPIEGEL
Stadtwerke Pirna - Cyberangriff bei den Stadtwerken Pirna (stadtwerke-pirna.de)
Potsdam: Stadtwerke nach möglichem Cyber-Angriff online nicht mehr erreichbar | rbb24
https://netzpolitik.org/2023/staatstrojaner-predator-vietnam-wollte-offenbar-deutsche-us-botschafterin-hacken/#netzpolitik-pw
Medibank hack: Email reveals staff details compromised by data breach | news.com.au — Australia’s leading news site
Top 5 AWS Misconfigurations That Led to Data Leaks in 2021 | Spiceworks It Security
Clear statement
§ 99% of cloud breaches are “misconfiguration”
§ Missing secure configuration
§ Missing “hardening”
§ No control
§ No process / no checks
Questions
What do you think about these samples?
§ How are administrative permissions assigned?
§ Is the print spooler running?
§ Account segregation activated?
§ etc.
“Measures in detection and response area need
to be enriched as they are no longer sufficient
to ensure adequate information security!"
“Shifting responsibility of IT security and protection
of assets to backoffice, accounting and non IT
people seems to be a very strange approach.”
HARDENING – THE WHAT
Definition
In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions.
Hardening
…considers information security as well as data protection
…is one of several technical measures organizations may adopt
Legal requirements are in place
§ …GDPR enforces “state of technology” (Art. 32 “security of processing”)
§ “State of the art” is defined (see Teletrust e.V.)
§ Several industry-specific requirements enforce more detailed configuration (e.g. VAIT for insurances, IT-Sicherheitsgesetz for KRITIS-relevant organizations, ISO 27001:2022 and many more…)
It is necessary
Product law in America
Designed to make “everything” work to avoid legal impacts
§ “Dry the guinea in a microwave oven”
§ …other stories
Vendors recommend hardening
Microsoft: “We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.”
Security baselines guide - Windows security | Microsoft Docs
How critical is secure configuration?
§ A running print spooler service was considered uncritical until PrintNightmare at the end of 2021.
§ Using SMBv1 was uncritical until the WannaCry ransomware used the EternalBlue exploit in 2017.
§ Using Kerberos tickets based on RC4 encryption has been outdated since 2015 – why is it still activated?
§ A “non-configured” Office installation is again the target of an attack – so is “non-configuration” of Office uncritical?
…an open door in your house is uncritical until somebody walks in who is not allowed to do so?
It is necessary
The NIST Cyber Security Framework covers five critical functions, of which the marked ones are most relevant for securing (known) endpoints.
PROTECT
DETECT
RESPOND
RECOVER
IDENTIFY
Technology PROTECT DETECT RESPOND
Anti-Malware solutions X X
Threat-Intel solutions X X
EDR/XDR solutions X X
MDR solutions X X
Vulnerability scanner X
SIEM solutions X
X
(SOC, IM
process)
Compromise Assessment X X
Hardening X
Enforce Administrator X X IM process
What makes more sense: having a 24/7 team monitoring the door, or just closing the door and locking it?
Frameworks and legal: System hardening is widely mentioned (some examples)
https://www.cisecurity.org/controls/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2020.pdf?__blob=publicationFile&v=6
https://www.teletrust.de/publikationen/broschueren/stand-der-technik/?tx_reintdownloadmanager_reintdlm%5Bdownloaduid%5D=10505&cHash=f39d74868a8b38e98e6cc09b0ab16f6f
Frameworks and legal
Extract from SWIFT questionnaire (end 2021)
BAFIN for banking and insurance sector (03/2022)
Cyber risk insurance questionnaire (2022)
Questions for companies starting with 50.000.000 € revenue up to 150.000.000 €. “Hardening” is the first question in sector “basic”.
Frameworks and legal: System hardening (“secure configuration”) in ISO 27001(2):2022
ISO 27001:2022 is updated and published!
System hardening - strategical part
NIST defines it as…
“The management and control of configurations for an information system to enable security and facilitate the management of risk.”
Security Configuration Management (SecCM) - Glossary | CSRC (nist.gov)
NIST also published a…
Guide for Security-Focused Configuration Management of Information Systems | NIST
Guide for Security-Focused Configuration Management of Information Systems (nist.gov)
SecCM consists of four phases:
§ Planning
§ Identifying and Implementing Configurations
§ Controlling Configuration Changes
§ Monitoring
Figure 2-1 – Security-focused Configuration Management Phases
HARDENING – TOOL BASED
Hardening is not only “scripting” and technology
There are different approaches to “harden” systems
Several technological approaches exist in the wild:
§ Several computer newspapers deliver “security tools” | Who wants to use this in a professional area?
§ GitHub repositories with thousands of lines of code | Who wants to take the risk to deploy it to an SME company?
§ Consulting providers deliver “hardening” on a time & material basis | What happens if the provider leaves, but something is not working as expected?
Your advantages of a tool-based approach
§ Automated optimization of your system configuration
§ Continuous monitoring of your security
§ Comprehensive and up-to-date system curing packages
§ Reduced operating costs through auto-optimization
§ Professional operation via “Managed services”
Technology based approach
Integrated approach
Just search for “hardening tools” in your favorite search engine
Enforce Administrator Architecture
Why not via “Group Policy objects”?
1) How quickly are several hundred hardening settings implemented? We are ready to use after installation.
2) How is it controlled that all settings arrive on the target systems?
3) How is a "restore" of settings performed when an application is no longer functional due to hardening configurations?
4) How is the IT team notified if IT systems are suddenly no longer "compliant" with the specified settings?
5) How does meaningful process integration (incident management, ConfigMgmt) take place?
System hardening – the benefits
Security Configuration Management
§ Raise efficiency and save (internal) resources
§ Raise protection level
§ Be compliant and transparent
§ Security of investment
A new insight?
Mistakes detected and fixed early in a chain reduce overhead and save money in the end.
Conclusion: Hardening is cost effective!
HARDENING – HOW TO ROLLOUT
Common “pitfalls” in hardening projects
Hardening projects really support creating better cyber hygiene! Attack vectors that could be exploited are deactivated.
Some things can be automated, some things need to be tested/evaluated. So, in most cases hardening projects help you get to know your own infrastructure better than before:
§ Which services are activated but never used?
§ Which server (or business-critical application) is still running on an old operating system?
§ Are administrators still using one account / one machine for internet surfing and administering?
§ Are “built-in accounts” still active and/or, even more critical, still in use?
§ And many more…
So, the most common pitfalls are, amongst others, the following:
§ Missing knowledge of own infrastructure
§ Missing documentation and overview of systems
§ Missing documentation and overview of applications
§ Missing knowledge of how, for example, administrators maintain systems
§ “Old fashioned” (aka insecure) ways to maintain/administer IT systems
Useful approaches
Option 1 – layered hardening
Hardening as part of a security project. Classify systems as T0/T1/T2 and start to harden T0 as much as possible. Other layers are done after T0 is done.
Option 2 – rapid hardening
Roll out a base hardening set to realize results quickly. Increase the security level iteratively afterwards.
Option 3 – lifecycle hardening
Roll out the hardening set during a lifecycle project (e.g. Windows 11 rollout).
Option 1 – layered hardening
§ Classify systems in Tier0/1/2
§ Harden T0 services with a strict benchmark (e.g. CIS level II) to achieve a high security level.
§ Harden T1 and T2 services with a solid benchmark (e.g. CIS level I) to achieve a good security level.
§ Ensure that every new system, or system which will be reinstalled, complies with the respective benchmark.
§ Other security controls such as tiering, account separation, processes etc. are implemented in parallel.
When to use:
§ After a security breach.
§ When focus is on high security.
Pro:
§ Critical systems are identified and handled more securely than other services.
§ Critical systems are secured first, and the security level is very strict. The focus is on as little attack surface as possible.
§ Afterwards the environment will be cleaned up, as every single system was under investigation to clean up misconfigurations.
§ New systems will be hardened from start.
§ As part of a broader project scope other security controls will improve the environment as well – not “just” hardening.
Con:
§ Slow process as the focus is on reducing the attack surface.
§ Complex to roll out as every old misconfiguration / uncertainty will come up.
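An added example (not from the presentation and not Enforce Administrator code) of the layered approach above: a per-tier baseline is evaluated against collected host settings, using the three settings the deck names earlier (print spooler, SMBv1, RC4 Kerberos tickets). The baselines, host names and inventory values are constructed for illustration and are not CIS benchmark content; a host that reports no value for a setting is flagged rather than assumed compliant.

```python
from dataclasses import dataclass
from typing import Callable

# Kerberos encryption-type bit flags as used by the Windows
# "SupportedEncryptionTypes" policy value.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 0x1, 0x2, 0x4
AES128, AES256 = 0x8, 0x10
WEAK_ETYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC


@dataclass(frozen=True)
class Rule:
    rule_id: str
    setting: str                        # key expected in the host inventory
    is_compliant: Callable[[object], bool]


SMB1_OFF = Rule("SMB1_OFF", "smb1_enabled", lambda v: v is False)
KRB_NO_RC4 = Rule(
    "KRB_NO_RC4", "kerberos_etypes",
    # No DES/RC4 bit set, and at least one AES type allowed.
    lambda m: (m & WEAK_ETYPES) == 0 and (m & (AES128 | AES256)) != 0,
)
SPOOLER_OFF = Rule("SPOOLER_OFF", "spooler_start_type", lambda v: v == "Disabled")

# Constructed baselines (assumption): Tier 0 is stricter than Tier 1/2.
BASELINES = {
    0: [SMB1_OFF, KRB_NO_RC4, SPOOLER_OFF],
    1: [SMB1_OFF, KRB_NO_RC4],
    2: [SMB1_OFF, KRB_NO_RC4],
}

# Constructed inventory, as a collection agent might report it.
INVENTORY = [
    {"host": "dc01", "tier": 0, "smb1_enabled": False,
     "kerberos_etypes": 0x18, "spooler_start_type": "Disabled"},
    {"host": "dc02", "tier": 0, "smb1_enabled": False,
     "kerberos_etypes": 0x1C, "spooler_start_type": "Automatic"},
    {"host": "file01", "tier": 1, "smb1_enabled": True,
     "kerberos_etypes": 0x18, "spooler_start_type": "Automatic"},
    # ws042 reports no Kerberos policy value at all.
    {"host": "ws042", "tier": 2, "smb1_enabled": False,
     "spooler_start_type": "Automatic"},
]


def evaluate(host):
    """Return (rule_id, status) for every rule the host does not provably meet."""
    findings = []
    for rule in BASELINES[host["tier"]]:
        value = host.get(rule.setting)
        if value is None:
            # The setting never arrived or was never collected: not a pass.
            findings.append((rule.rule_id, "UNKNOWN"))
        elif not rule.is_compliant(value):
            findings.append((rule.rule_id, "FAIL"))
    return findings


def audit(inventory):
    """Map each host name to its list of findings (empty list = compliant)."""
    return {h["host"]: evaluate(h) for h in inventory}


def new_drift(previous, current):
    """Findings present now but absent in the previous run (what to alert on)."""
    drift = {}
    for host, findings in current.items():
        fresh = [f for f in findings if f not in previous.get(host, [])]
        if fresh:
            drift[host] = fresh
    return drift


if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(name, result or "compliant")
```
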
Option 2 – rapid hardening
§ Create a base benchmark that is good enough (e.g. CIS level I, minus critical settings or MS benchmarks)
§ Roll out the benchmark to systems. The rollout approach depends on the customer's infrastructure and could be controlled via several dimensions, for example: Role oriented - Technology oriented (operating system, etc.) - Location oriented - Rollout approach targeting newly deployed systems
§ After the initial rollout, increase the security level based on the system criticality.
When to use:
§ To comply with audit – Tisax / ISO / Insurance.
§ To start hardening activities and build trust into a solution.
Pro:
§ Fast rollout as less testing is required due to minimal hardening set.
§ Good to report progress and comply with audits.
§ New systems will be hardened from start.
Con:
§ Attack surface is not as reduced as it could be with more effort.
§ Compliant on paper, but not in reality.
§ Systems must be tested more often as benchmarks will be improved iteratively.
§ Critical systems are “just” as well secured as less critical systems.
Option 3 – lifecycle hardening
§ Combine hardening activities with a lifecycle project. For example, Windows 11 or Server 2022 rollout.
§ Create a solid benchmark (e.g. CIS level II)
§ Roll out the benchmark to systems when they are initially deployed. The rollout approach depends on the customer's infrastructure and could be controlled via several dimensions, for example: Role oriented - Technology oriented (operating system, etc.) - Location oriented - Rollout approach targeting newly deployed systems
When to use:
§ To reduce effort related to hardening activities.
Pro:
§ Within a lifecycle project the application landscape will be assessed and tested with the new image. Hardening settings can be tested without additional effort.
§ New systems will be hardened from start.
§ Overall, the effort is not related to the hardening project as rollout efforts exist anyway.
Con:
§ A lifecycle project must be in place and willing to include hardening activities.
§ Critical systems are “just” as well secured as less critical systems.
Useful approaches
[Figure: Options 1 to 3 (layered, rapid, lifecycle hardening), each rated on Security level, Complexity, Effort and Duration; legend: Excellent, Good, Satisfactory, Poor, Very poor]
Reference
“Enforce Administrator helped us secure our server landscape and our workstations in line with the state of the art. The collaboration with the specialists at FB Pro GmbH was goal-oriented, efficient and professional,” says Florian Brugger, Head of IT & Process Management at STADTWERK AM SEE.
STADTWERK AM SEE, an energy and transport company, has significantly improved its IT infrastructure to safeguard critical infrastructure and to prevent attacks on the electricity, water and heating networks. This was implemented because of legal requirements such as the GDPR and the IT-Sicherheitsgesetz. The implemented solution consists of Enforce Administrator, which enables automated system hardening according to industry standards and provides real-time reports on the status of the IT systems. The implementation was carried out in phases in cooperation with FB Pro. The results are increased information security and the ability to easily produce regulatory evidence of system hardening measures.
HOW CAN WE HELP YOU
Regulatory: Roll out hardening settings in the short term to pass an audit. Generate reports that serve as evidence to an auditor.
Insurance: We help you to comply with insurance requirements.
Consulting: Our consulting services help you to increase your security level within your organization. AD Tiering, BloodHound – Attack Path Management, PAW, Cloud Security etc.
PoC: Try Enforce Administrator and harden your systems with us in a Proof of Concept.
Projects: We help you deliver complex projects such as OS upgrades, hardening rollouts, security projects.
Services: Do you have time to manage your hardening service? If not, we will do it for you. Other services, e.g. Tier0 administration, can also be done by us.
Contact us for more information, FB Pro and TEAL
INFO PAGE
https://aktionen.teal-consulting.de/systemhaertung-fuer-energieversorger/
CONTACT US
E-Mail: info@teal-consulting.de
Phone: 0211/93675225
…in case you want to reduce your attack surface and protect yourself against ransomware attacks.
…in case you have to remediate already found and known vulnerabilities.
…in case you want to reduce your cyber insurance rate.
…in case you need to prepare for an external audit.
…in case you have regulatory requirements to implement “secure configuration”.
…in case you want to reduce risk of liability.
…in case you need to ensure business continuity.
THANK YOU!

Scanning the Internet for External Cloud Exposures via SSL Certs
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Presentation: How energy suppliers can secure their IT systems through system hardening

  • 1. IT-SECURITY „MUST HAVE“: HARDENING AS PART OF A HOLISTIC SECURITY STRATEGY 11 October 2023
  • 2. Who is talking to you? Introduction 2 TEAL Technology Consulting GmbH Fabian Böhm CEO & Founder @ TEAL Florian Bröder CEO & Founder @ FB Pro GmbH https://www.fb-pro.com/ LinkedIn https://www.teal-consulting.de/ LinkedIn
  • 3. § Hardening – the why § Hardening – the what § Hardening – tool based § Hardening – how to rollout § Hardening – how can we help you § Q&A AGENDA 3
  • 4. 4 TEAL Technology Consulting GmbH HARDENING – THE WHY
  • 5. Real life examples – fresh on the table! HARDENING – THE WHY 5 TEAL Technology Consulting GmbH JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF (defense.gov) Unrühmliche Hitparade: NSA und CISA teilen Top-Sicherheits-Fehlkonfigurationen | heise online
  • 6. Real life examples – fresh on the table! HARDENING – THE WHY 6 TEAL Technology Consulting GmbH Cyberangriffe in Deutschland 2023: Diese Unternehmen hat's schon erwischt - CSO (csoonline.com) Daten von "Motel-One"-Hotelgästen im Darknet veröffentlicht | tagesschau.de Keine Mails, keine Internetseite: Hackeralarm an der Uniklinik Frankfurt | hessenschau.de | Panorama
  • 7. Real life examples HARDENING – THE WHY 7 TEAL Technology Consulting GmbH Karlsruhe: Hacker greifen Stadtwerke an und spähen Daten aus - DER SPIEGEL Stadtwerke Pirna - Cyberangriff bei den Stadtwerken Pirna (stadtwerke-pirna.de) Potsdam: Stadtwerke nach möglichem Cyber-Angriff online nicht mehr erreichbar | rbb24
  • 8. Real life examples HARDENING – THE WHY 8 TEAL Technology Consulting GmbH https://netzpolitik.org/2023/staatstrojaner-predator-vietnam-wollte-offenbar-deutsche-us-botschafterin-hacken/#netzpolitik-pw Medibank hack: Email reveals staff details compromised by data breach | news.com.au — Australia’s leading news site
  • 9. Real life examples HARDENING – THE WHY 9 TEAL Technology Consulting GmbH Top 5 AWS Misconfigurations That Led to Data Leaks in 2021 | Spiceworks It Security Clear statement § 99% of cloud breaches are “misconfiguration” § Missing secure configuration § Missing “hardening” § No control § No process / no checks
  • 10. 10 How are administrative permissions assigned? What do you think about these samples? Is the print spooler running? Account segregation activated? etc. Questions HARDENING – THE WHY
  • 11. 11 TEAL Technology Consulting GmbH “Measures in detection and response area need to be enriched as they are no longer sufficient to ensure adequate information security!" “Shifting responsibility of IT security and protection of assets to backoffice, accounting and non IT people seems to be a very strange approach.”
  • 12. 12 TEAL Technology Consulting GmbH HARDENING – THE WHAT
  • 13. Definition HARDENING – THE WHAT 13 TEAL Technology Consulting GmbH In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions. Hardening …considers information security as well as data protection …is one of several technical measures organizations may adopt Legal requirements are in place § …GDPR enforces “state of technology” (Art. 32 “security of processing”) § “State of the art” is defined (see Teletrust e.V.) § Several industry specific requirements enforce more detailed configuration (e.g. VAIT for insurances, IT-Sicherheitsgesetz for KRITIS relevant organizations, ISO 27001:2022 and many more…)
  • 14. It is necessary HARDENING – THE WHAT 14 TEAL Technology Consulting GmbH Product law in America Designed to make “everything” work to avoid legal impacts § “Dry the guinea in a microwave oven” § …other stories Vendors recommend hardening Microsoft: “We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.” How critical is secure configuration? § A running print spooler service was considered uncritical until PrintNightmare at the end of 2021. § Using SMBv1 was uncritical until the WannaCry ransomware used the EternalBlue exploit in 2017. § Using Kerberos tickets based on RC4 encryption has been outdated since 2015 – why is it still activated? § A “non configured” Office installation is again the target of an attack - so is “non configuration” of Office uncritical? …an open door in your house is uncritical until somebody walks in who is not allowed to do so? Security baselines guide - Windows security | Microsoft Docs
  • 15. It is necessary HARDENING – THE WHAT 15 TEAL Technology Consulting GmbH The NIST Cyber Security Framework covers five critical functions where the marked ones are most relevant for securing (known) endpoints. PROTECT DETECT RESPOND RECOVER IDENTIFY Technology PROTECT DETECT RESPOND Anti-Malware solutions X X Threat-Intel solutions X X EDR/XDR solutions X X MDR solutions X X Vulnerability scanner X SIEM solutions X X (SOC, IM process) Compromise Assessment X X Hardening X Enforce Administrator X X IM process What makes more sense? Have a 24/7 team monitoring the door or just close the door and lock it?
  • 16. Frameworks and legal: System hardening is widely mentioned (some examples) HARDENING – THE WHAT 16 TEAL Technology Consulting GmbH https://www.cisecurity.org/controls/ https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/IT_Grundschutz_Kompendium_Edition2020.pdf?__blob=publicationFile&v=6 https://www.teletrust.de/publikationen/broschueren/stand-der-technik/?tx_reintdownloadmanager_reintdlm%5Bdownloaduid%5D=10505&cHash=f39d74868a8b38e98e6cc09b0ab16f6f
  • 17. Frameworks and legal HARDENING – THE WHAT 17 TEAL Technology Consulting GmbH Extract from SWIFT questionnaire (end 2021) BAFIN for banking and insurance sector (03/2022) Cyber risk insurance questionnaire (2022) Questions for companies starting with 50.000.000 € revenue up to 150.000.000 €. “Hardening” is the first question in sector “basic”.
  • 18. HARDENING – THE WHAT 18 TEAL Technology Consulting GmbH Frameworks and legal: System hardening (“secure configuration”) in ISO 27001(2):2022 ISO 27001:2022 is updated and published!
  • 19. System hardening - strategical part HARDENING – THE WHAT 19 TEAL Technology Consulting GmbH NIST defines it as… “The management and control of configurations for an information system to enable security and facilitate the management of risk.” NIST also published a… Guide for Security-Focused Configuration Management of Information Systems | NIST SecCM consists of four phases: Security Configuration Management (SecCM) - Glossary | CSRC (nist.gov) Guide for Security-Focused Configuration Management of Information Systems (nist.gov) Planning Identifying and Implementing Configurations Controlling Configuration Changes Monitoring Figure 2-1 – Security-focused Configuration Management Phases
  • 20. 20 TEAL Technology Consulting GmbH TOOL BASED
  • 21. HARDENING – TOOL BASED 21 TEAL Technology Consulting GmbH Hardening is not only „scripting“ and technology There are different approaches to “harden” systems Several technological approaches exist in the wild: § Several computer newspapers deliver “security tools” | Who wants to use this in a professional area? § GitHub repositories with thousands of lines of code | Who wants to take the risk to deploy it to an SME company? § Consulting providers deliver “hardening” on a time & material basis | What happens if the provider leaves, but something is not working as expected? Your advantages of a tool based approach § Automated optimization of your system configuration § Continuous monitoring of your security § Comprehensive and up-to-date system curing packages § Reduced operating costs through auto-optimization § Professional operation via “Managed services” Technology based approach Integrated approach Just search for „hardening tools“ in your favorite search engine
  • 22. Enforce Administrator Architecture 22 TEAL Technology Consulting GmbH HARDENING – TOOL BASED
  • 23. Why not via “Group Policy objects”? 23 TEAL Technology Consulting GmbH 1) How quickly are several hundred hardening settings implemented? We are ready to use after installation. 2) How is it controlled that all settings arrive on the target systems? 3) How is a "restore" of settings performed when an application is no longer functional due to hardening configurations? 4) How is the IT team notified if IT systems are suddenly no longer "compliant" with the specified settings? 5) How does meaningful process integration (incident management, ConfigMgmt) take place? HARDENING – TOOL BASED
  • 24. 24 TEAL Technology Consulting GmbH System hardening – the benefits Security Configuration Management Raise efficiency and save (internal) resources Raise protection level Be compliant and transparent Security of investment A new insight? Detected mistakes fixed early in a chain reduce overhead and save money in the end. Conclusion: Hardening is cost effective! HARDENING – TOOL BASED
  • 25. 25 TEAL Technology Consulting GmbH HOW TO ROLLOUT
  • 26. Common “pitfalls” in hardening projects 26 TEAL Technology Consulting GmbH Hardening projects really support in creating a better cyber hygiene! Possibly exploited attack vectors are deactivated. Some things can be automated, some things need to be tested/evaluated. So, in most cases hardening projects support in getting to know one's own infrastructure better than before: § Which services are activated but never used § Which server (or business critical application) is still running on an old operating system § Are administrators still using one account / one machine for internet surfing and administering? § Are “built in accounts” still active and/or even more critical still in use? § And many more… HARDENING – HOW TO ROLLOUT So, the most common pitfalls are amongst others the following ones: § Missing knowledge of own infrastructure § Missing documentation and overview of systems § Missing documentation and overview of applications § Missing knowledge of how for example administrators maintain systems § “Old fashioned” (aka insecure) ways to maintain/administer IT systems
  • 27. Useful approaches 27 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT Option 1 – layered hardening Hardening as part of a security project. Classify systems as T0/T1/T2 and start to harden T0 as much as possible. Other layers are done after T0 is done. Option 2 – rapid hardening Roll out a base hardening set to realize results quickly. Increase security level iteratively afterwards. Option 3 – lifecycle hardening Roll out hardening set during a lifecycle project (e.g. Windows 11 rollout).
  • 28. Pro: § Critical systems are identified and handled more securely than other services. § Critical systems are secured first, and security level is very strict. Focus is on as little attack surface as possible. § Afterwards the environment will be cleaned up as every single system was under investigation to clean up misconfigurations. § New systems will be hardened from start. § As part of a broader project scope other security controls will improve the environment as well – not “just” hardening. Option 1 – layered hardening 28 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT § Classify systems in Tier0/1/2 § Harden T0 services with a strict benchmark (e.g. CIS level II) to achieve a high security level. § Harden T1 and T2 services with a solid benchmark (e.g. CIS level I) to achieve a good security level. § Ensure that every new system or system which will be reinstalled will comply with the respective benchmark. § Other security controls such as tiering, account separation, processes etc. are implemented in parallel. When to use: § After a security breach. § When focus is on high security. Con: § Slow process as the focus is on reducing the attack surface. § Complex to roll out as every old misconfiguration / uncertainty will come up.
  • 29. Pro: § Fast rollout as less testing is required due to minimal hardening set. § Good to report progress and comply with audits. § New systems will be hardened from start. Option 2 – rapid hardening 29 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT § Create a base benchmark that is good enough (e.g. CIS level I, minus critical settings or MS benchmarks) § Roll out benchmark to systems. Rollout approach depends on the customer's infrastructure and could be controlled via several dimensions, for example: Role oriented - Technology oriented (operating system, etc.) - Location oriented - Rollout approach targeting newly deployed systems § After initial rollout, increase the security level based on the system criticality. When to use: § To comply with audit – TISAX / ISO / Insurance. § To start hardening activities and build trust in a solution. Con: § Attack surface is not as reduced as it could be with more effort. § Compliant on paper, but not in reality. § Systems must be tested more often as benchmarks will be improved iteratively. § Critical systems are “just” as well secured as less critical systems.
  • 30. Pro: § Within a lifecycle project the application landscape will be assessed and tested with the new image. Hardening settings can be tested without additional effort. § New systems will be hardened from start. § Overall, the effort is not related to the hardening project as rollout efforts exist anyway. Option 3 – lifecycle hardening 30 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT § Combine hardening activities with a lifecycle project. For example, Windows 11 or Server 2022 rollout. § Create a solid benchmark (e.g. CIS level II) § Roll out benchmark to systems when they are initially deployed. Rollout approach depends on the customer's infrastructure and could be controlled via several dimensions, for example: Role oriented - Technology oriented (operating system, etc.) - Location oriented - Rollout approach targeting newly deployed systems When to use: § To reduce effort related to hardening activities. Con: § A lifecycle project must be in place and willing to include hardening activities. § Critical systems are “just” as well secured as less critical systems.
  • 31. Useful approaches 31 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT Option 1 – layered hardening Hardening as part of a security project. Classify systems as T0/T1/T2 and start to harden T0 as much as possible. Other layers are done after T0 is done. Option 2 – rapid hardening Roll out a base hardening set to realize results quickly. Increase security level iteratively afterwards. Option 3 – lifecycle hardening Roll out hardening set during a lifecycle project (e.g. Windows 11 rollout). [Chart: security level, complexity, effort and duration rated per option on the scale excellent / good / satisfactory / poor / very poor]
  • 32. Reference 32 TEAL Technology Consulting GmbH HARDENING – HOW TO ROLLOUT “Enforce Administrator helped us secure our server landscape and our workstations in line with the state of the art. The collaboration with the specialists at FB Pro GmbH was purposeful, efficient and professional,” says Florian Brugger, Head of IT & Process Management at STADTWERK AM SEE. STADTWERK AM SEE, an energy and transport company, has significantly improved its IT infrastructure to secure its critical infrastructure and prevent attacks on the electricity, water and heating networks. This was implemented because of legal requirements such as the GDPR and the IT-Sicherheitsgesetz. The implemented solution consists of Enforce Administrator, which enables automated system hardening according to industry standards and provides real-time reports on the status of the IT systems. The implementation was carried out in phases in cooperation with FB Pro. The results are increased information security and the ability to easily produce regulatory evidence of system hardening measures.
  • 33. 33 TEAL Technology Consulting GmbH HOW CAN WE HELP YOU
  • 34. 34 TEAL Technology Consulting GmbH Regulatory Insurance Services Projects PoC Consulting Roll out hardening settings in the short term to pass an audit. Generate reports that serve as evidence to an auditor. We help you to comply with insurance requirements. Our consulting services help you to increase your security level within your organization. AD Tiering, BloodHound – Attack Path Management, PAW, Cloud Security etc. Try Enforce Administrator and harden your systems with us in a Proof of Concept. We help you deliver complex projects such as OS upgrades, hardening rollouts, security projects. Do you have time to manage your hardening service? If not, we will do it for you. But also, other services e.g. Tier0 administration can be done by us.
  • 35. Contact us for more information, FB Pro and TEAL 35 TEAL Technology Consulting GmbH INFO PAGE https://aktionen.teal-consulting.de/systemhaertung-fuer-energieversorger/ CONTACT US E-Mail: info@teal-consulting.de Phone: 0211/93675225 …in case you want to reduce your attack surface and protect yourself against ransomware attacks. …in case you have to remediate already found and known vulnerabilities. …in case you want to reduce your cyber insurance rate. …in case you need to prepare for an external audit. …in case you have regulatory requirements to implement “secure configuration”. …in case you want to reduce risk of liability. …in case you need to ensure business continuity.
  • 36. 36 TEAL Technology Consulting GmbH THANK YOU!
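
The configuration questions raised on slides 10, 14 and 23 (is the print spooler running, is SMBv1 still offered, is RC4 still allowed for Kerberos, and do the settings actually arrive on the target system) can be answered per host with a read-only check. The script below is an added example, not part of the presentation and not code from Enforce Administrator; the helper name `Test-HardeningSetting` and the desired values are assumptions to be replaced by your own baseline.

```powershell
# Added example: read-only audit of three settings named in the slides.
# Run as a script in an elevated Windows PowerShell 5.1+ session; nothing is modified.
# The desired values are assumptions; take the real ones from your baseline.

function Test-HardeningSetting {
    # Hypothetical helper: probes one setting and compares it to the desired state.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Probe,       # returns the observed value
        [Parameter(Mandatory)][scriptblock]$IsCompliant  # param($v) -> $true / $false
    )
    $observed = $null; $ok = $false; $note = ''
    try {
        $observed = & $Probe
        $ok = [bool](& $IsCompliant $observed)
    } catch {
        # A probe that cannot run is reported as non-compliant, never silently skipped.
        $note = $_.Exception.Message
    }
    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Setting = $Name
        Observed = $observed; Compliant = $ok; Note = $note
    }
}

# Policy location written by "Network security: Configure encryption types allowed for Kerberos".
$kerberosKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$RC4_HMAC = 0x4   # bit for RC4_HMAC_MD5 in SupportedEncryptionTypes

$results = @(
    # Slides 10/14: is the print spooler running? Assumes the host is not a print server.
    Test-HardeningSetting -Name 'Print Spooler disabled' -Probe {
        $svc = Get-Service -Name Spooler -ErrorAction Stop
        '{0}/{1}' -f $svc.Status, $svc.StartType
    } -IsCompliant { param($v) $v -eq 'Stopped/Disabled' }

    # Slide 14: SMBv1 must not be offered by the SMB server.
    Test-HardeningSetting -Name 'SMBv1 server disabled' -Probe {
        (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } -IsCompliant { param($v) $v -eq $false }

    # Slide 14: RC4 must be excluded from the allowed Kerberos encryption types.
    # If the policy value is absent the OS default applies, so that is flagged too.
    Test-HardeningSetting -Name 'Kerberos RC4 not allowed' -Probe {
        $p = Get-ItemProperty -Path $kerberosKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
        if ($null -eq $p) { 'NotConfigured' } else { $p.SupportedEncryptionTypes }
    } -IsCompliant { param($v) ($v -isnot [string]) -and (([int64]$v -band $RC4_HMAC) -eq 0) }
)

$results | Format-Table -AutoSize

# Slide 23, question 4: a non-zero exit code lets a scheduler or monitoring
# agent raise an alert when a host drifts from the baseline.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run on a schedule, the per-host result objects can be exported (for example with `Export-Csv`) to serve as the audit evidence the rollout slides refer to.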