Cuyamaca College Security Technical Implementation Guides Discussion
Security Technical Implementation Guides (STIGs) and Their Use in Systems Analysis and Design
ASSIGNMENT
Follow the provided instructions to download STIG Viewer and load a STIG that applies to a system
you own and have permission to modify. Style points if you use the VM set up in Assignment #2.
Then assess 15 items against your system and take a screenshot of your STIG Viewer window
showing your Open / Not Reviewed / Not a Finding / Not Applicable pie chart (example provided below)
and some of the STIG items you completed. Once finished, upload a standard Word document
containing this screenshot, along with answers to the questions below, to Canvas.
1) What STIG did you choose, and why?
1 sentence expected
2) How might STIGs be useful for Systems Analysis and Design? (Think about how this applies to
security requirements and to hardening/securing application servers, endpoints, and hosts.)
2-5 sentences expected
3) How might STIGs be useful for new/junior level IT professionals in learning their way around
different systems and technologies? 2-5 sentences expected
Required
STIG Viewer requires Java to run. Java may be downloaded at:
https://www.java.com/en/download/manual.jsp
STIG Viewer may be downloaded at:
https://public.cyber.mil/stigs/srg-stig-tools/
STIGs for various Operating Systems and Applications may be downloaded by clicking the associated
entry on the following list:
https://public.cyber.mil/stigs/downloads/
A detailed user guide for STIG Viewer may be downloaded at the same location as the STIG Viewer,
https://public.cyber.mil/stigs/srg-stig-tools/
GOOD NEWS WINDOWS USERS! Java is not needed, as there is now an .msi installer for STIG Viewer. It
works a lot better and crashes less. You can find it at the same STIG Viewer link above; just select the
x64 MSI version and install it like a normal program.
What is a STIG? The Security Technical Implementation Guides (STIGs) are the configuration standards
for DOD IA (Department of Defense, Information Assurance) and IA-enabled devices/systems. The STIGs
contain technical guidance to harden or "lock down" information systems/software that might
otherwise be vulnerable to a malicious computer attack. Each STIG is a list of items, each relating to a
specific configuration or setting. Each item contains several kinds of information, but most importantly it
tells you what the issue is (the Discussion), how to check whether the issue is present on your system
(the Check Text), how to fix it (the Fix Text), and how severe it is (CAT I, CAT II, or CAT III, from most
to least severe).
What is System Hardening?
Systems hardening refers to the tools, techniques, and best practices that aim to reduce vulnerabilities
in technology applications, systems, infrastructure, and other areas. The goal of systems hardening is to
reduce security risk by eliminating potential attack vectors and reducing the system’s attack surface.
This commonly includes removing extraneous programs, closing/disabling unneeded
ports/protocols/services, restricting account permissions, and applying secure configurations.
Following a STIG is also a great way to start creating a golden image (also known as a master image)
for configuration management: it establishes a minimum security baseline that systems must adhere
to and can be imaged from. See Intel's writeup for more info:
https://www.intel.com/content/www/us/en/business/enterprise-computers/os-imagedeployment.html
Why does it matter to Information Systems Design? Imagine you’re working for a firm that is building a
system for a client. The system uses multiple Windows servers, SQL Server databases, in addition to an
application that is deployed on mobile devices for remote/travelling employees. The client of course
wants the servers hardened, the mobile devices secured, and for the application/data to be secure. How
do you code securely? How do you harden a server? How do you protect data on a mobile device? STIGs
provide a comprehensive (though not exhaustive) checklist on how to securely configure these devices,
and even a guide on developing secure software. It doesn’t make it 100% secure, but it’s an excellent
starting point.
If you're dealing with protected or sensitive data (Personally Identifiable Information {PII}, Protected
Health Information {PHI}, payment card information, Controlled Unclassified Information {CUI}, etc.),
there are often regulatory requirements for protecting that information. STIGs are not usually named
as the security baseline in those requirements, but they are built on NIST security controls (each STIG
rule is mapped, through CCIs, to NIST SP 800-53 controls), which are frequently the root of security
guidance. Again, they are a great starting point.
Instructions:
1) Download the user guide from https://public.cyber.mil/stigs/srg-stig-tools/ and go to page 4
for how to install and run STIG Viewer. As of 18 Jan 2022, version 2.15 is the latest version of
STIG Viewer, and the latest User Guide is dated 18 Nov 2021.
**Note: the screenshots of the download website in this user guide are outdated.**
2) Download a STIG for the operating system or application you chose from the
https://public.cyber.mil/stigs/downloads/ website. Apple iOS, Google Chrome, Mozilla Firefox, and
Microsoft Windows 10 are good places to start if any of those apply to your devices. Please don't choose
a STIG for a program/device you don't own: you cannot assess a STIG without the actual
program/application in front of you.
3) Load the STIG you downloaded into STIG Viewer. Go to page 6 of the user guide, and follow the
instructions through page 9.
Skip step 3.1 / Leave as No Profile
4) Click any items on the list that interest you. Read the "Discussion" field and the "Check Text"
to see what you need to examine to determine whether your device has that vulnerability.
5) If your device does not have the vulnerability, document what you examined and what you observed
in the "Finding Details" textbox, and mark the item "Not a Finding" in the Status drop-down in the
upper right.
6) If your device does have the vulnerability, document the evidence in the "Finding Details"
textbox, and mark the item "Open" in the Status drop-down in the upper right.
OR
View the "Fix Text" and consider implementing the fix to remediate the vulnerability. If you
choose this option, document what you changed in the Finding Details or Comments textbox,
re-run the Check Text to confirm the fix took effect, and then mark the item "Not a Finding".
Be cautious when implementing a "Fix Text", as you don't want to accidentally break your
system. This is especially true for Microsoft Windows registry changes: take a VM snapshot or
export the affected registry key before editing so you can roll back.
Please note that many items will not apply to your system. Many Windows 10 STIG items assume the
Enterprise edition, and the corresponding registry values or settings simply do not exist on other
editions; those items are "Not Applicable" rather than "Open". Likewise, mobile devices without the
required MDM enrollment will not expose many of the settings the STIG checks.
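As an added illustration, not part of the original assignment or of DISA's tooling, of what the steps above amount to once scripted: a STIG benchmark is distributed as an XCCDF XML file, and the fields you read in STIG Viewer (V-number, severity, title, Check Text, Fix Text) are elements of that file. The Python below parses a constructed XCCDF fragment with placeholder ids, applies hand-coded checks (written from the Check Text, as a reviewer would) against a constructed host record, assigns each item one of the four statuses the pie chart counts, and tallies them. The rule ids, registry paths, values, and host details are all assumptions made up for the example; on a real Windows host the registry reads would come from winreg or Get-ItemProperty, and the status spellings used are the ones STIG Viewer writes into its .ckl checklist file.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}  # severity -> STIG category

# Constructed XCCDF fragment in the shape of a DISA STIG benchmark file. Every id,
# title, registry path and value here is a placeholder, not a real STIG item.
SAMPLE_XCCDF = r"""<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_Benchmark">
  <title>Example benchmark (constructed for illustration)</title>
  <Group id="V-EXAMPLE-1"><title>Example group 1</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="high"><title>SettingA must be enabled.</title>
      <check><check-content>Verify HKLM\SOFTWARE\Policies\Example\SettingA is 1.</check-content></check>
      <fixtext>Set SettingA to 1 with the policy editor.</fixtext></Rule></Group>
  <Group id="V-EXAMPLE-2"><title>Example group 2</title>
    <Rule id="SV-EXAMPLE-2_rule" severity="medium"><title>SettingB must be disabled.</title>
      <check><check-content>Verify HKLM\SOFTWARE\Policies\Example\SettingB is 0.</check-content></check>
      <fixtext>Set SettingB to 0 with the policy editor.</fixtext></Rule></Group>
  <Group id="V-EXAMPLE-3"><title>Example group 3</title>
    <Rule id="SV-EXAMPLE-3_rule" severity="low"><title>Enterprise-only feature must be configured.</title>
      <check><check-content>Only applies to Enterprise editions; otherwise mark NA.</check-content></check>
      <fixtext>Configure the feature.</fixtext></Rule></Group>
  <Group id="V-EXAMPLE-4"><title>Example group 4</title>
    <Rule id="SV-EXAMPLE-4_rule" severity="medium"><title>SettingC must be reviewed manually.</title>
      <check><check-content>Interview the administrator.</check-content></check>
      <fixtext>Document the process.</fixtext></Rule></Group>
</Benchmark>
"""


def load_rules(xccdf_text):
    """Pull the fields a reviewer reads in STIG Viewer out of each Group/Rule pair."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for group in root.findall("x:Group", XCCDF_NS):
        rule = group.find("x:Rule", XCCDF_NS)
        rules.append({
            "vuln_id": group.get("id"),          # V-number shown in the item list
            "rule_id": rule.get("id"),           # SV-number of the rule
            "severity": rule.get("severity"),    # high/medium/low -> CAT I/II/III
            "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS).strip(),
            "check": rule.findtext("x:check/x:check-content", default="", namespaces=XCCDF_NS).strip(),
            "fix": rule.findtext("x:fixtext", default="", namespaces=XCCDF_NS).strip(),
        })
    return rules


# Checks hand-coded from each item's Check Text. Each returns (outcome, finding details):
# True = compliant, False = vulnerable, None = item does not apply to this host.
def check_setting_a(host):
    value = host["registry"].get(r"HKLM\SOFTWARE\Policies\Example\SettingA")
    return value == 1, f"Observed SettingA = {value!r}; expected 1."


def check_setting_b(host):
    value = host["registry"].get(r"HKLM\SOFTWARE\Policies\Example\SettingB")
    return value == 0, f"Observed SettingB = {value!r}; expected 0."


def check_enterprise_feature(host):
    if "Enterprise" not in host["edition"]:
        return None, f"Item requires an Enterprise edition; host is {host['edition']}."
    return True, "Feature configured as required."


# Constructed stand-in for the host under assessment (assumed values); on a real
# Windows box these would come from winreg / Get-ItemProperty and winver.
HOST = {
    "edition": "Windows 10 Pro",
    "registry": {r"HKLM\SOFTWARE\Policies\Example\SettingA": 1},  # SettingB never configured
}
CHECKS = {"V-EXAMPLE-1": check_setting_a, "V-EXAMPLE-2": check_setting_b,
          "V-EXAMPLE-3": check_enterprise_feature}  # V-EXAMPLE-4 has no check yet


def assess(rules, host, checks):
    """Run each available check and record the STIG Viewer status for the item."""
    results = []
    for rule in rules:
        check = checks.get(rule["vuln_id"])
        if check is None:
            status, details = "Not_Reviewed", "No check performed yet."
        else:
            outcome, details = check(host)
            status = "Not_Applicable" if outcome is None else ("NotAFinding" if outcome else "Open")
        results.append({**rule, "status": status, "finding_details": details})
    return results


def summary(results):
    """Counts per status: the numbers behind the STIG Viewer pie chart."""
    return Counter(r["status"] for r in results)


if __name__ == "__main__":
    results = assess(load_rules(SAMPLE_XCCDF), HOST, CHECKS)
    for r in results:
        print(f"{r['vuln_id']:13} {CAT[r['severity']]:8} {r['status']:15} {r['title']}")
    print(dict(summary(results)))
```

The split between load_rules and the CHECKS table mirrors how the work divides in practice: the benchmark file tells you what to look at, but the Check Text is prose, so every automated check is something a reviewer writes and is responsible for. Items with no check stay Not_Reviewed rather than silently passing, and an edition or enrollment mismatch is recorded as Not_Applicable with the reason in the finding details, which is exactly what the grader wants to see in the screenshot.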