The Need for Configuration Standards


Configuration management is an often-overlooked aspect of protecting IT infrastructure, especially by smaller businesses. That does not mean it is unimportant. For example, by now most people have heard of, if not set up, multifactor authentication for at least one personal account. Quite often the same can be done for one or more corporate systems, and usually this is a configuration setting. Sometimes it can be set globally; other times it is set by role or by other factors. For most people, the value of multifactor authentication is obvious. But, depending on the technology and the configuration standard, there can be hundreds of configuration settings required to ensure that your systems are secure. For those familiar with the vulnerability management space, some configurations are literally vulnerabilities (tracked as Common Vulnerabilities and Exposures entries) in the same way a programming defect is a vulnerability. These vulnerabilities are remediated by changing a setting within a system, in other words, a configuration. In many cases, these configurations can be the difference between a system being compromised and not being compromised. In fact, many cloud compromises are the result of a configuration defect.

Some organizations want to do a minimal amount of configuration work because there is other, seemingly more important, work to be done. Configuration security, and getting systems configured properly, is hard work. Some organizations believe that configuration changes should be driven solely by the vulnerabilities identified by a vulnerability management tool and nothing more. This approach can leave organizations highly vulnerable to many kinds of attacks, because a scanner only reports the settings it knows to check.

What organizations should do is start with a standard configuration framework. For example, the Center for Internet Security (CIS) publishes configuration baselines (the CIS Benchmarks). Some CIS baselines have more than one level, but they are a great start towards properly securing systems from a configuration perspective. Some compliance frameworks even call out CIS baselines specifically as the way to harden systems, which shows how much impact the CIS baselines have had on the IT and security industry. Of course, they are not appropriate for every organization; other standards are a better fit for other environments.

As good as the CIS baselines are, they are often not enough for many organizations. CIS does not cover every piece of software on the planet. No organization could, and it is not reasonable to expect perfect coverage. Instead, the more mature organizations take the lessons learned from implementing the CIS baselines (or whatever standard they choose) and apply them to the systems that have no published baseline. They get creative about the approach, reviewing those systems case by case and creating their own applicable standards.

Often compliance requirements or best practices are stronger than what is in the baseline. Because compliance frameworks tend to change more slowly than the threat landscape, organizations sometimes need to adapt more quickly than those frameworks to protect themselves. Password length is a good example. Some compliance frameworks still advocate 8-character passwords, while the industry is saying that password length should be 12 to 16 characters – with some technologies seeking to do away with passwords altogether in favor of stronger controls. While this is only one example, and there are many others, it does show that dated compliance frameworks can create additional challenges for configuration requirements.

While this is far from a definitive guide to configuration management, it does show that a mature configuration management program built on a secure configuration framework is important not only for passing compliance, but also for keeping systems secure. If your organization wants to confirm that configuration oversight is being performed, or that your systems are up to speed, Cybergence can help you build a configuration management program that makes sense for your organization.
~Matthew Webster