Effective monitoring, system hardening and more: Security Configuration Management makes it possible to build and keep "secure environments". The following points should be considered and implemented.
What does Security Configuration Management mean?
Security Configuration Management (SCM for short; not to be confused with source code management, which shares the abbreviation) is an integrated approach that looks at configuration management from an information security perspective. Loosely paraphrased from NIST (National Institute of Standards and Technology) Special Publication 800-128, the rationale for SCM is this:
"An IT infrastructure is composed of many components that can be interconnected in a variety of arrangements to meet a variety of business and information security requirements. The way these system components are networked, configured, and managed is critical to ensuring adequate IT security and supporting an organization's risk management process."
Why do IT configuration discrepancies occur in the first place?
Whether intentional or unintentional, changes are commonplace in IT infrastructures. Administrators deploy software updates, end users or administrators change configuration settings on purpose or by accident, projects introduce new applications and systems at a brisk pace, and so on.
When such changes are made in haste, security considerations are often left out of the equation. Implementations are pushed through quickly, bypassing the change and release process, in order to meet deadlines and schedules.
Even if IT systems start out with defined settings at initial installation, deviations accumulate over time. The big question soon becomes: where exactly has the configuration drifted, and on which systems?
How can deviations be prevented?
Standard measures such as the widely used Group Policy enforce settings, but they do not by themselves show where, when and why the effective configuration of a system has diverged from what was intended. Keeping track of the changes behind a deviation is therefore difficult with these tools alone.
A management tool that provides a comprehensive and transparent overview becomes necessary. It allows the IT department to monitor the situation effectively and to take appropriate action when needed.
The best way to deal with configuration deviations is a disciplined configuration management process. In addition to this organizational measure, the actually implemented configuration must be verified technically: the target state on paper and the real state on the system are two different things. This is what professional security configuration management provides.
Regular, effective monitoring at both the technical and the process level keeps the IT infrastructure under control and builds security awareness along the way. A further benefit is that evidence for internal and external audits is produced almost as a side effect.
How does an SCM process work?
The best way to detect and, ideally, prevent configuration deviations on IT systems is a multi-stage process. It can look like this, for example:
Define the target configuration
The target configuration must be defined unambiguously. Compliance departments and information security officers usually know the applicable internal and external security requirements. Industry standards (for example the CIS Benchmarks) and vendor hardening recommendations also help in the evaluation.
Evaluate, develop and adapt
Are the existing IT systems configured in line with the internal and external recommendations and requirements? What differences exist? Which systems deviate from the specifications, and do some of them do so repeatedly?
On the basis of consistent reporting, a standardized, organization-specific hardening configuration can be developed and rolled out.
Monitor continuously
Over the lifetime of an IT system, which can span several years, continuous and ideally automated monitoring is necessary so that configuration deviations are detected rather than discovered by an attacker or an auditor.
Questions to ask at this stage include:
- Are all IT systems monitored after they go into production, not only at rollout?
- Are configuration deviations visualized transparently so that a rapid response is possible?
- Is automated self-healing (re-applying the target setting) used, and for which settings is it appropriate?
Respond to deviations
When deviations are detected, appropriate measures must be taken as quickly as possible. In small companies this usually works on demand; larger companies with a strict separation of responsibilities need established and tested processes!
For example, the following points need to be clarified:
- How is a configuration deviation detected and classified (unauthorized change, approved exception, or a value that could not be collected)?
- How quickly must a deviation be corrected?
- Who is notified of deviations?
- What do the regular reports look like?
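The four stages above (define a baseline, evaluate, monitor, respond) can be reduced to a small drift check. The following Python script is an added example, not code from the original article or from the AuditTAP project: the baseline, the setting names, the host snapshots and the self-healing policy are all constructed for illustration. It fails closed, treating a setting that could not be collected as a deviation, and it escalates rather than auto-fixes settings where a change may be an approved exception.

```python
"""Configuration drift check for a hardening baseline.

Added example, not code from the original article or from AuditTAP.
Baseline, host snapshots, setting names and remediation policy are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# Hypothetical hardening baseline: setting name -> required value.
# Names are modelled on typical Windows hardening items but are made up.
BASELINE: Dict[str, Any] = {
    "SMBv1.Enabled": False,
    "LSA.RunAsPPL": 1,
    "RDP.NLA.Required": True,
    "Firewall.Domain.Enabled": True,
    "Guest.Account.Enabled": False,
    "Audit.LogonEvents": "Success and Failure",
}

# Settings an agent may reset on its own ("automated self-healing").
# Everything else is escalated to a person, because the change may be an
# approved exception that must be reviewed rather than silently reverted.
AUTO_REMEDIATE = {"SMBv1.Enabled", "RDP.NLA.Required", "Guest.Account.Enabled"}

# Constructed snapshots, as a collector would report them.
SNAPSHOTS: Dict[str, Dict[str, Any]] = {
    "srv01": {
        "SMBv1.Enabled": False,
        "LSA.RunAsPPL": 1,
        "RDP.NLA.Required": True,
        "Firewall.Domain.Enabled": True,
        "Guest.Account.Enabled": False,
        "Audit.LogonEvents": "Success and Failure",
    },
    "srv02": {
        "SMBv1.Enabled": True,        # re-enabled "temporarily" for a legacy device
        "LSA.RunAsPPL": 1,
        "RDP.NLA.Required": False,    # weakened by a local administrator
        "Firewall.Domain.Enabled": True,
        "Guest.Account.Enabled": False,
        # "Audit.LogonEvents" is absent: the collector could not read it
    },
}


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    expected: Any
    actual: Any          # None means the value was not collected
    auto_fixable: bool


def find_deviations(baseline: Dict[str, Any], snapshot: Dict[str, Any],
                    host: str) -> List[Deviation]:
    """Compare one host's snapshot against the baseline.

    Fails closed: a setting that was not collected is a deviation, and a
    value of the wrong type (registry DWORD 1 vs. boolean True) is not
    accepted as compliant even though Python considers 1 == True.
    """
    found = []
    for setting, expected in baseline.items():
        actual = snapshot.get(setting)
        compliant = (actual is not None
                     and type(actual) is type(expected)
                     and actual == expected)
        if not compliant:
            found.append(Deviation(host, setting, expected, actual,
                                   setting in AUTO_REMEDIATE))
    return found


def plan_response(deviations: List[Deviation]) -> Tuple[List[Deviation], List[Deviation]]:
    """Split deviations into self-healable ones and ones to escalate."""
    auto = [d for d in deviations if d.auto_fixable]
    escalate = [d for d in deviations if not d.auto_fixable]
    return auto, escalate


def apply_self_healing(snapshot: Dict[str, Any],
                       deviations: List[Deviation]) -> Dict[str, Any]:
    """Simulated self-healing: return the snapshot with auto-fixable settings
    reset to the baseline value. A real agent would write the setting and
    then re-collect it instead of trusting its own write."""
    healed = dict(snapshot)
    for d in deviations:
        if d.auto_fixable:
            healed[d.setting] = d.expected
    return healed


def compliance_report(baseline: Dict[str, Any],
                      snapshots: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per-host summary suitable for a regular report or an audit trail."""
    report = {}
    for host, snapshot in snapshots.items():
        devs = find_deviations(baseline, snapshot, host)
        report[host] = {"checked": len(baseline),
                        "compliant": len(baseline) - len(devs),
                        "deviations": devs}
    return report


if __name__ == "__main__":
    for host, entry in compliance_report(BASELINE, SNAPSHOTS).items():
        print(f"{host}: {entry['compliant']}/{entry['checked']} settings compliant")
        auto, escalate = plan_response(entry["deviations"])
        for d in auto:
            print(f"  self-heal  {d.setting}: {d.actual!r} -> {d.expected!r}")
        for d in escalate:
            print(f"  ESCALATE   {d.setting}: expected {d.expected!r}, got {d.actual!r}")
```

Running the script reports srv01 as fully compliant and srv02 with two self-healable deviations (SMBv1 re-enabled, NLA disabled) plus one escalation for the audit setting that could not be read. The strict type comparison and the "missing value is a failure" rule are deliberate: a monitoring tool that reports unknown or loosely matching values as compliant produces green dashboards without reducing risk.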
From Security Configuration Management to System Hardening
SCM is not an end in itself but an important IT measure: it ensures that a consistent, standardized hardening of IT systems is carried out and kept under control.
System hardening means configuring operating systems, applications, cloud services and other components so that they are better protected. Data theft, ransomware and other cyber attacks can be averted this way or, ideally, fail outright because the typical attack surface has been reduced.
To carry out system hardening efficiently, a check is required first to determine the current hardening status. The free AuditTAP can be used for this purpose. Among other things, it checks a range of browsers, office applications, Windows and, more recently, Linux systems.
If you have questions about using AuditTAP or about implementing a system hardening strategy, feel free to contact us. Our experts will be happy to assist you.
Image Sources: Freepik, TUM