ControlsInsight 3.0 was released today, adding coverage of security control effectiveness for Windows servers. This extends the product's view of the attack surface to servers alongside the desktop controls it has supported since its initial release last year.
According to the 2014 Verizon Data Breach Investigations Report (http://www.verizonenterprise.com/DBIR/2014/), servers are the asset category involved in the most breaches, and the count is still rising; it far exceeds that of every other category. The graph below is from the report:
Preventing a breach is the best possible outcome of employing security controls, but concentrating on prevention alone would be short-sighted. Controls that contain a breach must also be employed: once a server is compromised, the attacker typically uses that foothold to pivot to other assets, so controls such as limited egress and service accounts with limited privileges reduce what a single compromised server can reach. The server controls now supported by ControlsInsight have been vetted by Rapid7 security experts for their effectiveness in both prevention and containment, and are aligned with industry guidance such as the ASD (Australian Signals Directorate) mitigation strategies and the SANS critical controls.
Here is a list of the new security controls for servers now supported by ControlsInsight:
- Default credentials removed
- Operating system supported and up to date
- Passwords hardened
- Code execution prevention enabled
- Service processes run as a limited user
- Limited egress
- Desktop applications not installed
- Obsolete services disabled
- Configuration management in use
- Web services use dedicated or remote database
- Single critical role installed
- UAC enabled
- IPv6 disabled if not managed
- Compilers and libraries not installed
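Most of the controls above can be spot-checked locally with a few lines of PowerShell. The script below is an added example written for this page, not Rapid7 or ControlsInsight code, and it does not reproduce ControlsInsight's own evaluation logic. It reads documented Windows settings (registry values, CIM classes, the NetSecurity firewall cmdlets on Server 2012 R2 and later) and reports pass/fail for the binary controls plus review lists for the judgement-call ones. The list of legacy services, the set of compiler binaries and the 14-character password threshold are assumptions chosen for illustration.

```powershell
# Added example (not Rapid7/ControlsInsight code): read-only spot check of
# several of the server controls listed above. Run in an elevated PowerShell
# session on the server being assessed. Service names, compiler names and the
# password-length threshold below are illustrative assumptions.

function Test-UacEnabled {
    # UAC enabled: EnableLUA = 1 under the system policies key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.EnableLUA -eq 1)
}

function Test-DepHardened {
    # Code execution prevention (DEP): support policy 1 (AlwaysOn) or 3 (OptOut).
    # 0 is AlwaysOff and 2 is OptIn, which covers only Windows binaries.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ($os.DataExecutionPrevention_SupportPolicy -in 1, 3)
}

function Get-ServicesRunningAsSystem {
    # Service processes run as a limited user: running services whose logon
    # identity is LocalSystem. Built-in services legitimately appear here, so
    # third-party entries are the candidates for a dedicated service account.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, PathName
}

function Test-EgressLimited {
    # Limited egress (host firewall portion only): every profile must block
    # outbound traffic by default so that allowed destinations are explicit rules.
    $profiles = Get-NetFirewallProfile
    return -not ($profiles | Where-Object { $_.DefaultOutboundAction -ne 'Block' })
}

function Test-IPv6Disabled {
    # IPv6 disabled if not managed: DisabledComponents = 0xFF disables all
    # IPv6 components except the loopback interface.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $p = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DisabledComponents -eq 0xFF)
}

function Get-ObsoleteServices {
    # Obsolete services disabled: assumed list of legacy services that should be
    # absent or disabled. Uses Win32_Service so StartMode works on PowerShell 3+.
    $legacy = 'TlntSvr', 'simptcp', 'SNMP', 'RemoteRegistry'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $legacy -contains $_.Name -and $_.StartMode -ne 'Disabled' } |
        Select-Object Name, State, StartMode
}

function Get-InstalledCompilers {
    # Compilers and libraries not installed: assumed set of compiler binaries
    # looked up on PATH, plus csc.exe in the .NET Framework directories, which
    # is present on every Windows install and is not on PATH by default.
    $names = 'cl.exe', 'csc.exe', 'gcc.exe', 'javac.exe'
    $found = @(Get-Command -Name $names -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path)
    $found += @(Get-ChildItem -Path "$env:windir\Microsoft.NET\Framework*\v*\csc.exe" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
    return $found
}

function Test-PasswordLength {
    param([int]$Minimum = 14)   # assumed threshold
    # Passwords hardened (one facet only): local minimum password length parsed
    # from 'net accounts'. English-locale output is assumed.
    $line = net accounts | Select-String -Pattern 'Minimum password length\s+(\d+)'
    if (-not $line) { return $false }
    return ([int]$line.Matches[0].Groups[1].Value -ge $Minimum)
}

# Summary: booleans for the pass/fail controls, counts for the review lists.
[pscustomobject]@{
    UacEnabled      = Test-UacEnabled
    DepHardened     = Test-DepHardened
    EgressLimited   = Test-EgressLimited
    IPv6Disabled    = Test-IPv6Disabled
    PasswordLength  = Test-PasswordLength
    SystemServices  = (Get-ServicesRunningAsSystem | Measure-Object).Count
    ObsoleteEnabled = (Get-ObsoleteServices | Measure-Object).Count
    Compilers       = (Get-InstalledCompilers | Measure-Object).Count
}
```

Two caveats a practitioner should keep in mind: the egress check only covers the host firewall, so a permissive network-level egress policy will not show up here, and a non-empty LocalSystem service list is a review queue rather than a failure, since Windows' own services run that way by design.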
Also of note in the 3.0 release: the code execution prevention control now recognises EMET 5.0, on servers as well as desktops.
In the coming weeks, there will be further blogs by Rapid7 engineers that detail ControlsInsight 3.0 and its new server controls. Stay tuned; there's more to come!