Part 4 of CampusGuard’s series covering each of the critical controls from NIST SP 800-171 rev.1
“Consumer Data Breach Due to Misconfigured Server” “Incorrectly Configured Device Leads to Possible Exposure of Data” We have all read about these breaches and seen these headlines in the news. Failing to properly configure servers, computers, or network devices, will often lead to potential security compromises.
The fourth family of controls within the NIST SP 800-171, Configuration Management, defines how appropriate levels of security are to be maintained as various system changes are made. Wikipedia defines configuration management as “a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life.”
Networks and servers have to be continuously reconfigured to accommodate new business and operational tasks. Employees might change a firewall setting to open a port for one new application and inadvertently allow traffic in that should have otherwise been blocked. Incorrect file permissions that are granted following one user request might now expose data to dozens of other unauthorized users. Changes, updates, and patches in hardware and software almost always result in some adjustment to system configurations. Rather than hoping that updates are improving security and not damaging it, mature IT professionals ensure that adjustments are not introducing new risks by having a defined configuration management process. Implementing an effective configuration management process or tool will help you ensure that the new configuration is acceptable and that you can easily revert to a back-up configuration if needed.
The recent Cisco vulnerability which was attacked in the wild the day after it was discovered is a reminder that as part of your configuration management processes, you should verify no management interfaces are facing the internet (cisco, weblogic, rdp, juniper, etc.). An exposure like this can create a high risk for your institution as it opens the device’s configuration to untrusted and malicious parties, and attackers can obtain internal network configuration information, VPN or IPsec secrets, as well as password hashes for the router’s user accounts. Once they have access to this data, they can log into the router’s web interface and further compromise the device itself or gain access to attached networks.
Requirement 3.4.1 states that organizations must “establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.” Requirement 3.4.2 goes on to include the need to “establish and enforce security configuration settings for information technology products employed in organizational systems.”
The derived security requirements from 3.4 include steps for organizations to:
- 3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
- 3.4.4 Analyze the security impact of changes prior to implementation.
- 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- 3.4.9 Control and monitor user-installed software.
Efficient change management, knowing your baseline configuration while effectively tracking changes to all systems, helps organizations reduce the risk of unplanned outages and security breaches. In the event of a disruption, you will be able to more rapidly detect and correct improper configurations, limit the downtime, and minimize impact on your response team which will lead to overall reduced costs.
The standard, baseline configuration should allow only essential capabilities, and any additional functionality allowed on a system must be fully documented. Rather than just relying on individual IT staff members to keep track of and remember how systems are configured, a mature configuration management process will require that staff analyze the potential impact a change might have prior to implementation and then document all system changes as they are put in. A robust change management process allows you to quickly identify recent changes in the event there is an issue with the application or system following an update, determine the potential cause, and roll back to a known and stable configuration.
Another benefit of a configuration management process is the ability to quickly configure and deploy new servers. Using the standard build definition, a configuration management tool can efficiently run the necessary installation for the new server – more accurately and more quickly than any human could. Automated configuration management tools will also help to avoid situations where individual servers become non-standard. Manually applying patches and/or hot-fixes takes time and can cause you to have servers of varying configurations over time. Using a tool with the standard configuration setup allows you to rollout the updates is a consistent and timely manner.
Some additional guidance from the CampusGuard Offensive Security team:
[Sullivan]: Having a solid baseline of what is running on your network gives you the first step toward creating a viable configuration management program. Knowing what ports, services, and protocols you have running on your systems, and where those services are accessible from, helps even more to determine where you need to focus your monitoring and defensive efforts.
A good change management program helps to mitigate any unknown changes to the attack surface of your organization, ultimately leading to quicker response times. However, even a good configuration management program should be coupled with regular testing, monitoring, and scanning to ensure that no unauthorized changes have occurred.
