Security Compliance

Meet federal, state, and industry
information security regulations instantly

Since security breaches can cause serious damage, the relationship between information security and the economic growth of businesses has been subject of many research studies. [1] [2] 3 [4]

The corresponding economic model, proposed by Lawrence A. Gordon and Martin P. Loeb in 2002, implies that:

If data were perfectly invulnerable, then no investment in information security would be made,
At some sufficiently larger level of vulnerability, it would be optimal to make a positive investment in information security measures in order to reduce the probability of data loss, and therefore the expected monetary loss.

Optimal information security policy should incorporate both possible approaches:

A reactive one — having a well-defined vulnerability assessment strategy,
And a proactive one — application of currently available computer protection mechanisms, or countermeasures, in order to prevent, eliminate, or minimize the impact of security flaws.

Though security vulnerabilities are difficult or even impossible to predict, many of them require multiple conditions to be met at once in order to be successfully exploited:

For example, attackers tend to mask their presence on the target system while exploiting a security flaw. For this reason, they often target rarely used user accounts to perform — or attempt to perform — the attack under,
Brute-force password guessing attacks have higher probability of success when shorter and dictionary-based passwords are used to secure some of the user accounts on the particular system,
Some protocols, though reliable, have been designed to operate with information in plaintext (unencrypted) form. These typically provided sufficient security at the time they have been implemented, but are not sufficient any more.

All three of the provided conditions can be avoided using the same strategy — through application and enforcement of a security policy which fulfills the following criteria:

Prevent retired user accounts from being reused,
Define and enforce strong passwords based on multiple criteria such as length and character variety, insert a delay between unsuccessful login attempts, and track these attempts,
And finally, forbid the use of protocols which are no longer considered secure.

In order to minimize the threat of an attack on computer infrastructure, or even completely prevent it, many institutions in both the private and public sectors have adopted the concept of enforcing a security policy or a security benchmark. These policies define security requirements which all systems used by the institution must meet. It applies not only to systems physically located within the organizations, but often to any third party environments have access to the organizations’ computer infrastructures. In some cases, these policies are defined by government regulations, but many businesses adopt their own security policies even if they are not specifically required to do so by law.

The specific requirements for security policy differ depending on the area of activity of a particular organization. For example, a solely private sector based cloud solutions provider will have different security norms, and will be required to fulfill different information security requirements by law, than a United States federal agency.

Despite the variety of the possible requirements, there are many common steps and procedures that any institution or business wishing to protect itself should perform. These include, but are not limited to:

Determine the specific security baseline which the underlying computer infrastructure must comply with

Obtain a security checklist for the requirement(s) in a format suitable for machine processing

Quickly identify the current state of the computer infrastructure against the requirement(s)

React promptly — perform corrective operations for requirements the system did not meet at a specific point in time

Prefer an automated approach — perform compliance analysis and corrective operations (remedial actions) in a machine-controlled, unattended way on a regular basis, regardless of the infrastructure’s complexity

Utilize proper software tools to carry out these tasks with minimal effort, and at the same time, attempt to reduce any required outage periods related to these tasks to a minimum.

The term security compliance (of a computer system against a particular security baseline) is used in the field of information security to denote the fact that, after performing a qualified analysis of necessary features of the system, the system in question has been recognized to be configured in a way that is in line with all of the requirements as demanded by the particular security policy.

Compliance assessment usually involves both steps — the compliance analysis of the system as well as the subsequent remedial action (performing corrective operations where the original inspection detected non-compliance).

In many countries, information security is recognized as having an important role in the effort to protect economic growth and security interests. With cyberspace vulnerable to a wide range of attacks, many countries have adopted an approach where strengthening the security and resilience of computer infrastructure must be performed at any level, be it public or private sector. Many government agencies are mandated by law to establish and manage their computer infrastructure in a specific way to protect sensitive information and prevent attacks. In the private sector, businesses handling credit cards from major card schemes are obligated to follow the Payment Card Industry Data Security Standard (PCI DSS) in order to ensure controls around cardholder data to reduce credit card fraud via its exposure.

Depending on its area of business, there may be numerous standards a particular organization must meet simultaneously in order to be compliant with all applicable laws and contractual obligations. This makes software tools like the OpenSCAP family, which can perform compliance assessments and corrective operations in an automated and continuous fashion, the perfect candidates for any organization trying to find a way to establish a proper and sustainable security compliance management policy.

How the OpenSCAP Ecosystem Can Help

Obtain a list of security requirements in a format suitable for machine processing

In order to be able to perform security compliance analysis of a computer infrastructure in an automated way, the corresponding security benchmark (the compliance requirements) need to be expressed in a specific, unambiguous format. Many security benchmarks provided by various security compliance authorities are supplied in the form of plaintext files. While this form is universal enough to be applicable to any computer infrastructure regardless of the underlying operating system, it is not appropriate for direct application. Therefore, a substantial effort is currently being invested into conversion of these security guidance baselines and associated validation mechanisms into the form of various specifications as defined by the Security Content Automation Protocol (SCAP). The SCAP Security Guide project provides these baselines as practical security guidance, and also links them to compliance requirements in order to ease deployment activities such as certification and accreditation. This way it is possible to overcome the gap between generalized policy requirements (as produced by official compliance authorities) and specific implementation guidance (in SCAP format) applicable to a specific computer environment or software product.

Quickly identify the current state of the computer infrastructure against the requirements

Ensuring security compliance of a system is a continuous process, and the ability to quickly compare the current state of a system to the requirements at any time is crucial. Additionally, both software and the underlying infrastracture tends to change over time and any changes require reevaluation to ensure continued compliance. Tools in the OpenSCAP family can be easily used to perform a security compliance analysis at any time, even as part of a deployment process, which allows you to identify any potential issues before you deploy your updates to production without the risk associated with temporary use of non-compliant infrastructure.

Perform instant corrective operations on any non-compliant systems

As we already mentioned in the previous section:

The term security compliance denotes a process, rather than state,
Software updates are necessary to keep systems secure,
Existing infrastructure often requires enhancements or even deployment of completely new software.

These factors can all cause the initial compliance scan to report one or more areas where your system doesn’t conform to the selected security policy. In that case it is vital to take steps to perform corrective operations as soon as possible. The SCAP-formatted security baselines, which are provided by the SCAP Security Guide from the OpenSCAP ecosystem, allow you to immediately remedy any non-compliance. Provided corrective scripts (also called “remediation scripts“) can automatically perform configuration changes to your system. It is even possible to combine both steps — the original compliance analysis and subsequent remediation can be done at the same time using OpenSCAP tools.

Execute security compliance analysis and necessary corrective operations in automated, unattended way on regular basis

Another key concept to success when managing the diversity of security compliance requirements is the possibility to automate the necessary tasks as much as possible.

Having the automation available it is easy to schedule the compliance scans as often as desired in both of the ways:

Either on regular basis (to cover the case of routine inspection of the infrastructure to identify if the infrastructure used did not digress from mandated requirements for security compliance),
Or to schedule an out-of-order scan (to properly handle the situation when new software product needs to be included into the existing solutions).

Minimize required effort and outage periods

Many system administrators and experts prefer scheduled maintenance and outage periods when upgrading and updating their systems, with these periods often being scheduled on a particular day of the week or month. At the same time, updates and enhancements deployed during these maintenance periods must be checked to ensure their security compliance – as we said before, security compliance enforcement is a continuous process. The OpenSCAP project provides tools that allow you to test your upgrades beforehand and to quickly and accurately verify updates. This keeps required downtime and outage periods down to a minimum, and allows you to employ management tools such as Cockpit to automate most relevant tasks and reduce required effort.

Practical Examples

The examples below demonstrate how various tools from the OpenSCAP family can be used to assist you in establishing and maintaining a sustainable security compliance process. See the Tools page for a more detailed description of each tool and additional examples.

Performing security compliance analysis of a freshly installed Red Hat Enterprise Linux 6.7 system using the United States Government Configuration Baseline (USGCB) profile from the security benchmark for Red Hat Enterprise Linux 6 Server system, provided by the scap-security-guide RPM package:

Performing both security compliance analysis and corrective operations (remedial action) against the United States Government Configuration Baseline (USGCB) profile from security benchmark for Red Hat Enterprise Linux 6 Server provided by the scap-security-guide RPM package using the oscap command line tool:

# oscap xccdf eval −−remediate −−profile usgcb-rhel6-server \
−−results /tmp/usgcb-rhel6-server-results.xml \
−−report /tmp/usgcb-rhel6-server-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

rhel6_7_usgcb_remediation

Meet federal, state, and industry information security regulations instantly