whitelist. To test solutions that implement a blacklist, the organization can define a specific benign executable as not being allowed, such as a simple word processor contained in a single EXE file. It can then attempt to run the program and test whether execution is blocked and whether an alert is generated. For whitelist solutions, the organization can attempt to run a similar benign executable that is not on the whitelist, again checking for blocked execution and alerts.
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers.
How do attackers exploit the lack of this control?
On both the Internet and internal networks that attackers have already compromised, automated computer attack programs constantly search target networks looking for systems that were configured with vulnerable software installed the way it was delivered from manufacturers and resellers, and that are therefore immediately vulnerable to exploitation. Attackers attempt to exploit both network-accessible services and browsing client software using such techniques. The two possible defenses against these automated exploits are to ask every computer user to reconfigure systems to be more securely configured, or to buy and install computer and network components with the secure configurations already implemented and to update these configurations on a regular basis. Although a majority of agencies still use the former approach, only the latter approach (i.e., updating configurations on a regular basis) is effective. Establishing and monitoring secure configurations provides the motivation for the agency to ensure systems are purchased with secure configurations baked in.
How can this control be implemented, automated, and its effectiveness measured?
QW: System images must have documented security settings, be approved by an agency change control board, and be registered with a central image library for the agency or multiple agencies. Government agencies should negotiate contracts to buy systems configured securely out of the box using these images, which should be devised to avoid extraneous software that would increase their attack surface and susceptibility to vulnerabilities. These images should be
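The quick win above asks for documented settings, a registered image, and no extraneous software; the following added example (not part of the original control text) shows how an agency could automate that check against an inventory snapshot of a deployed system. The image library, image id, setting names and software names are constructed for illustration, not taken from any real baseline.

```python
"""Added example: check a deployed system against a documented, registered
image baseline (image hash, security settings, approved software).

Assumptions (constructed): the central image library is a dict keyed by
image id; the observed snapshot comes from whatever inventory tool the
agency runs on the endpoint."""
import hashlib

# Constructed central image library holding one board-approved image.
IMAGE_LIBRARY = {
    "ws-std-2.1": {
        "approved_by": "change-control-board",
        "sha256": hashlib.sha256(b"constructed-image-ws-std-2.1").hexdigest(),
        "settings": {"firewall": "on", "autorun": "off", "smbv1": "disabled",
                     "screen_lock_minutes": 15},
        "approved_software": {"os-core", "browser", "word-processor"},
    }
}


def check_system(image_id, image_sha256, observed_settings, installed_software,
                 library=IMAGE_LIBRARY):
    """Return a list of findings; an empty list means the system matches its
    registered image. Checks: image is registered and unaltered, every
    documented setting is present with its approved value, and nothing is
    installed beyond the software the image documents."""
    image = library.get(image_id)
    if image is None:
        return [f"image {image_id!r} is not registered in the image library"]
    findings = []
    if image_sha256 != image["sha256"]:
        findings.append("image hash does not match the approved image")
    for key, wanted in image["settings"].items():
        got = observed_settings.get(key)
        if got is None:
            findings.append(f"setting {key!r} missing (expected {wanted!r})")
        elif got != wanted:
            findings.append(f"setting {key!r} is {got!r}, expected {wanted!r}")
    for pkg in sorted(set(installed_software) - image["approved_software"]):
        findings.append(f"extraneous software installed: {pkg!r}")
    return findings


if __name__ == "__main__":
    # Constructed snapshot of a workstation that has drifted from its image.
    snapshot = {"firewall": "on", "autorun": "on", "smbv1": "disabled"}
    for f in check_system("ws-std-2.1", IMAGE_LIBRARY["ws-std-2.1"]["sha256"],
                          snapshot, ["os-core", "browser", "ftp-server"]):
        print("FINDING:", f)
```

Running the same function on a schedule and forwarding non-empty findings to the alerting pipeline gives the continuous monitoring the control calls for; a non-empty result is a measurable deviation from the approved image.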