Domain 4 · 4.1 Securing Computing Resources

4.1.1 Secure Baselines

Establish, deploy, maintain.

11 min

A secure baseline is a set of minimum security standards and configurations applied to an environment to ensure a consistent, pre-validated state of security and functionality.

Establishing the Baseline Before deployment, organizations must define the required security posture based on the CIA triad. The goal is to balance functionality, security, and available resources to prevent creating a system that is secure but unusable. - Requirement Analysis: Identifying the specific security controls needed for the environment, such as DNS Security, SSH for remote access, and SRTP for secure voice communications. - Physical Integration: Establishing environmental baselines, including Temperature and Humidity Controls and Hot and Cold Aisles to maintain system availability. - Standardization: Using benchmarks (like CIS or vendor guides) to disable unnecessary services and ports by default.

Key Management and Scalability A critical component of a secure baseline is the management of cryptographic keys, which ensures data Confidentiality. - Symmetric Scaling Issues: Symmetric encryption requires K = N(N-1)/2 keys. In large organizations, manual distribution via USB sticks or email is impractical and insecure. - Asymmetric Key Exchange: Baselines often incorporate Diffie-Hellman (DH) to allow two parties to establish a symmetric key over an insecure channel. - Perfect Forward Secrecy: Utilizing DHE (Diffie-Hellman Ephemeral) ensures that temporary keys are generated, used once, and discarded, protecting past sessions if a long-term key is compromised.

Deployment and Maintenance Once established, baselines must be deployed consistently across various architectures, from local hardware to the cloud. - Deployment Models: Baselines must account for different architectures, including Public, Private, and Hybrid cloud models. - Specialized Systems: Security standards must be extended to Embedded Systems, SCADA, and Industrial Control Systems (ICS), which often require specific, long-term stability. - Continuous Monitoring: Maintaining a baseline involves Environmental Monitoring and regular audits to prevent "configuration drift," where systems slowly deviate from the secure starting point. - Redundancy and Backups: Ensuring Availability through redundant systems and business continuity planning to keep the baseline operational during failures.

Quick recall - CIA Triad: The foundation of any baseline (Confidentiality, Integrity, Availability). - Hardening: The process of implementing the baseline by removing unnecessary risks. - Ephemeral Keys: Short-lived keys used in DH to provide temporary secure sessions. - Scaling Formula: N(N-1)/2 highlights why symmetric key exchange is difficult to manage at scale. - SCADA/ICS: Specialized systems that require unique, souvent rigid, secure baselines.