System Configuration Standards
Description
System components within the cardholder data environment (CDE) must be configured according to industry-accepted hardening standards, such as the CIS Benchmarks and vendor security configuration guides, with vendor defaults changed before a system goes into service.
⚠️ Risk Impact
Vendor-default configurations ship with legacy services enabled, weak cipher suites, default or well-known credentials, and administrative interfaces exposed to the network. A CDE system still running vendor defaults is an immediate compliance finding and, more importantly, a ready-made foothold for any attacker who already has network reach to it.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Apply the CIS Benchmark for each platform in the CDE (operating system, database, container runtime, cloud service). Build from hardened base images (CIS-published images or vendor-hardened AMIs and Marketplace images) rather than hardening hosts after deployment. Scan configurations continuously and treat any deviation from the approved baseline as drift to be remediated, not merely logged. Keep hardening evidence (benchmark version, scan reports, documented exceptions with their justification) so it can be shown to an assessor on request.
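The continuous-scanning step above is easiest to picture with a concrete baseline check. The following is an added example, not EchelonGraph's scanner or code from this page: it parses a `mongod.conf`, evaluates it against a small CIS-style baseline (authentication enabled, no wildcard bind, TLS required; an illustrative subset of the CIS MongoDB Benchmark themes, not its text), fingerprints the effective settings so an approved configuration can be recognised later, and reports drift between the approved file and what is currently on the host. Both sample configs, the addresses and the paths are constructed for the example.

```python
"""Check a mongod.conf against a CIS-style baseline and detect drift.
Added example, not EchelonGraph code; baseline is an illustrative subset."""
import hashlib

# Constructed sample configs. The first mirrors the posture in the attack
# scenario: default port, no authentication, listening on every interface.
VENDOR_DEFAULT_CONF = """\
# mongod.conf as deployed "for internal use"
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: disabled
"""

HARDENED_CONF = """\
# mongod.conf after hardening (addresses and paths are assumptions)
net:
  port: 27017
  bindIp: 10.42.7.15
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
storage:
  dbPath: /var/lib/mongodb
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the nested 'key: value' subset of YAML that mongod.conf uses.
    Returns a flat dict of dotted paths, e.g. {"net.bindIp": "0.0.0.0"}.
    Lists, quoting and anchors are not handled (assumption: only plain
    scalar options appear, which holds for the options checked here)."""
    flat = {}
    stack = []  # (indent, key) of the mappings enclosing the current line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:   # we have left a nested mapping
            stack.pop()
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            flat[path] = value
        else:                                     # bare 'key:' opens a mapping
            stack.append((indent, key))
    return flat


def _wildcard_bind(value):
    """True when bindIp is unset or includes an all-interfaces address."""
    if value is None:
        return True
    return any(p.strip() in ("0.0.0.0", "::") for p in value.split(","))


# (dotted path, predicate on the observed value or None, finding message)
RULES = [
    ("security.authorization", lambda v: v == "enabled",
     "authentication disabled: any client that reaches the port has full access"),
    ("net.bindIp", lambda v: not _wildcard_bind(v),
     "bindIp unset or wildcard: bind explicitly to the authorised internal address"),
    ("net.bindIpAll", lambda v: v is None or v.lower() == "false",
     "bindIpAll overrides bindIp and exposes every interface"),
    ("net.tls.mode", lambda v: v == "requireTLS",
     "TLS not required: credentials and data cross the network in clear"),
]


def check(conf_text):
    """Return (path, observed_value, message) for every rule that fails."""
    flat = parse_conf(conf_text)
    return [(p, flat.get(p), msg) for p, ok, msg in RULES if not ok(flat.get(p))]


def fingerprint(conf_text):
    """Hash of the effective settings, insensitive to comments and key order."""
    flat = parse_conf(conf_text)
    canonical = "\n".join(f"{k}={flat[k]}" for k in sorted(flat))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift(approved_text, current_text):
    """Map each changed path to (approved_value, current_value); empty if none."""
    approved, current = parse_conf(approved_text), parse_conf(current_text)
    return {k: (approved.get(k), current.get(k))
            for k in sorted(set(approved) | set(current))
            if approved.get(k) != current.get(k)}


if __name__ == "__main__":
    for name, text in (("vendor default", VENDOR_DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        findings = check(text)
        print(f"== {name}: {len(findings)} finding(s), fingerprint {fingerprint(text)[:12]}")
        for path, observed, msg in findings:
            print(f"   FAIL {path}={observed!r}: {msg}")
    # Drift: auth switched off again after the hardened baseline was approved.
    regressed = HARDENED_CONF.replace("authorization: enabled", "authorization: disabled")
    print("drift vs approved baseline:", drift(HARDENED_CONF, regressed))
```

The fingerprint is what the "document hardening evidence" step should record alongside the benchmark version: if a host's current fingerprint differs from the approved one, `drift()` names the settings that changed, which is the answer an assessor expects to audit question 4 below.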
💀 Real-World Attack Scenario
A payment processor ran a MongoDB instance on the default port (27017) with authentication disabled, justified as 'for internal use'. 'Internal' turned out to mean reachable from any pod in the Kubernetes cluster, because nothing restricted traffic to the database at the network layer. When an application pod was compromised, the attacker used that internal network access to scrape the entire transaction history.
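In the scenario above, enabling authentication on the database is necessary but not sufficient; the second missing control is cluster-level segmentation so that only the pods that need the database can reach its port. The NetworkPolicy below is an added example, not configuration from the page or from EchelonGraph. It assumes the namespace `payments`, the pod labels `app=mongodb` and `app=ledger-api`, and a CNI plugin that enforces NetworkPolicy; on a CNI that does not, the object is accepted by the API server and silently has no effect.

```yaml
# Only ledger-api pods may open TCP/27017 to the MongoDB pods.
# Selecting the mongodb pods with an Ingress policy denies every other
# ingress source by default; the single rule below is the allow-list.
# Namespace and labels are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mongodb-ingress
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: mongodb
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ledger-api
      ports:
        - protocol: TCP
          port: 27017
```

Verify the policy rather than trusting it: a TCP connect to port 27017 from a pod in the namespace that lacks the `app=ledger-api` label should now time out, while the same connect from a ledger-api pod succeeds. Keep the `security.authorization: enabled` setting on the database as well, so that a compromised ledger-api pod still needs credentials and the two controls fail independently.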
💰 Cost of Non-Compliance
PCI DSS 2.2 violations: $5K-$100K per month. Average breach via default-configuration exposure: $3.2M.
📋 Audit Questions
1. Which hardening benchmarks are applied?
2. Show evidence of CIS benchmark adherence.
3. Are vendor-default credentials removed?
4. How is configuration drift detected?
⚡ Common Pitfalls
- ⛔ Vendor-default images deployed without hardening
- ⛔ CIS adherence documented but not continuously enforced
- ⛔ Internal services running with default credentials 'because they're internal'
📈 Business Value
Hardening baselines remove the vendor-default attack surface and give assessors a concrete, repeatable standard to check systems against.
⏱️ Effort Estimate
40-80 hours for the initial CIS rollout, plus a quarterly review.
EchelonGraph runs 440+ misconfig rules continuously
Automate PCI DSS 2.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.