Closing the Security Gaps: Baseline Configuration Management WHITEPAPER

Introduction

Baseline configuration management is a way to reduce or eliminate security gaps resulting from cyber assets that are not properly configured. These gaps occur when baseline changes are not documented, when required changes (such as security patches) are not implemented, and when configuration change mandates are not implemented on one or more cyber assets. The security gaps are clearly cyber security vulnerabilities that can be exploited. This paper discusses different approaches to this challenge and how best practices can be employed to eliminate this security gap.

What is Baseline Configuration Management?

Each cyber asset stores electronic configuration files and/or records. This configuration information includes:

- Functional settings that determine how the asset operates
- Versions of software currently installed (includes BIOS, firmware, operating system, applications, etc.)
- Patches (including security patches) that are installed
- Ports that are active and how they are configured
- Services that are enabled

While configuration information is not limited to this list, these are the primary information categories because they are an important part of determining the security of each asset.

Baseline configuration is a snapshot of the configuration at a specific time. For example, if we retrieved the configuration for a server or router, that information is a snapshot of how the device was configured at the time we retrieved it. This is what is meant by baseline configuration. Producing an actual baseline requires that the configuration information come from the asset itself, as this is the only definitive source of this information.

Baseline configuration management involves periodically retrieving the configuration of the asset and comparing it to the baseline. If no changes have occurred, no action is required.
If one or more changes have occurred, the change(s) must be assessed, verified, and documented or rolled back to the baseline configuration.

2011 TDi Technologies, Inc. www.tditechnologies.com

Practical Application of Baseline Configuration Management

The practical application of baseline configuration management involves a process to systematically control assets to a defined configuration state known to be the most secure configuration. The overriding purpose is to maintain cyber asset configurations at a known state that has the highest level of security. Any configuration elements that can impact or impose a security issue should be included in the overall practice.

The process behind baseline configuration management has these elements:

1) Establish a known secure baseline for each asset
2) Periodically collect the current configuration and compare it to the baseline
3) If available, verify that the volatile and permanent configurations are the same
4) Identify any changes between the two configurations
5) Create a change request for any changes that are not rolled back
6) Assess cyber security controls that could potentially be impacted by the change
7) Review and authorize the change (Change Advisory Board)
8) Update the baseline configuration per authorized changes

Baseline Configuration Management External Triggers

The following diagram provides an overview of the process for controlling assets to a defined, most secure configuration. The process depicted here deals with triggers that will require a change to be made in configuration of one or more IT assets.

In this process, potential changes are identified and then reviewed prior to being implemented. An important point is the need to determine the list of assets affected by the change. For example, in the case of a security patch, the list of assets is likely to be all assets of a certain brand, model number or product family.

Assessing the security impact of a proposed change is an entire sub-process, performed to ensure there are no knock-on security impacts (on any application or other asset that depends on the device, operating system, or application being patched). This could result in additional configuration changes, which must also go through the baseline management process. Conflicting security patches or changes must all be considered in this assessment.

This process assumes that all changes, and their impact to the overall IT Infrastructure, will be assessed and approved before they are implemented. However, one of the most important capabilities of baseline configuration management is identifying when changes occur that have NOT gone through the above process, or that have not been implemented as planned. This requires a different process to be followed.

Baseline Configuration Management Issue Detection

Changes should always be authorized and documented prior to actually changing the configuration of a cyber asset. Any changes not properly authorized and documented should be detected and alerted on. This makes sense because those unauthorized and undocumented changes remove an asset from the known most secure state, introducing vulnerabilities that can be exploited by malicious attackers.

In essence, any unauthorized or undocumented configuration change is considered an IT Infrastructure cyber security modification. This includes authorized changes that are not implemented and those implemented but that fail to successfully complete.
For example, a security patch could be installed on an asset that fails to properly complete its installation. This would leave the asset in a compromised state.

The following diagram provides an overview of the process for detecting and resolving unauthorized changes and for validating authorized changes:

This process requires the comparison of the current configuration of an asset to its approved baseline in order to determine if any unauthorized changes have been made or any authorized changes have not been made (or completed successfully).

When the configuration comparison does not match, the difference(s) must be evaluated by the change review and approval process (just like in the external triggers process). If the changes are valid, we accept the configuration and it becomes the new baseline configuration. If the changes are not valid, we know what has changed so that we can take the actions necessary to configure the asset properly by rolling the device back to the approved baseline configuration.

It is also important to understand who changed the asset outside the approved configuration management process. Identifying the privileged actor that made a change outside of the approved process provides the opportunity for training to ensure the process is followed in the future or to take corrective actions if such is deemed necessary and appropriate.
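
The comparison step described above, as an added example (not code from the original whitepaper or from TDi Technologies): it diffs a collected snapshot against the approved baseline and sorts each difference into authorized, approved but not implemented, or unauthorized. The data layout, the status names and the PATCH-/CR- identifiers are assumptions made for the illustration.

```python
# Added example. Asset data and change-request IDs are constructed for illustration.
BASELINE = {
    "settings": {"ssh_root_login": "no"},
    "software": {"os": "12.4", "firmware": "3.1.0"},
    "patches": {"PATCH-001", "PATCH-002"},
    "ports": {22, 443},
    "services": {"sshd", "ntpd"},
}
CURRENT = {
    "settings": {"ssh_root_login": "yes"},            # changed outside the process
    "software": {"os": "12.4", "firmware": "3.2.0"},  # approved upgrade, applied
    "patches": {"PATCH-001", "PATCH-002"},            # PATCH-003 never landed
    "ports": {22, 443, 23},
    "services": {"sshd", "ntpd", "telnetd"},
}
APPROVED = [  # approved change requests: the value each item should end up with
    {"id": "CR-100", "category": "patches", "item": "PATCH-003", "value": "present"},
    {"id": "CR-101", "category": "software", "item": "firmware", "value": "3.2.0"},
]
ABSENT = "absent"

def flatten(config):
    flat = {}  # {(category, item): value}; set members get the value "present"
    for category, items in config.items():
        pairs = items.items() if isinstance(items, dict) else ((i, "present") for i in items)
        for item, value in pairs:
            flat[(category, str(item))] = str(value)
    return flat

def compare(baseline, current, approved):
    """Return (key, status, change_request_id) for every element needing action."""
    base, cur = flatten(baseline), flatten(current)
    wanted = {(c["category"], str(c["item"])): (c["id"], str(c["value"])) for c in approved}
    findings = []
    for key in sorted(base.keys() | cur.keys() | wanted.keys()):
        was, now = base.get(key, ABSENT), cur.get(key, ABSENT)
        cr_id, want = wanted.get(key, (None, was))  # no request: baseline value stands
        if now == want:
            if now != was:
                findings.append((key, "authorized", cr_id))   # accept into new baseline
        elif now == was:
            findings.append((key, "not_implemented", cr_id))  # approved, never applied
        else:
            findings.append((key, "unauthorized", cr_id))     # alert, review, roll back
    return findings

if __name__ == "__main__":
    for key, status, cr_id in compare(BASELINE, CURRENT, APPROVED):
        print(f"{status:16} {key[0]}/{key[1]} change_request={cr_id}")
```

An "unauthorized" finding that still carries a change-request ID marks an item that matches neither the baseline nor the approved value, which is how a change that failed to complete shows up.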

Severity of the Cyber Security Threat

The best way to understand the cyber security threat imposed by not managing the baseline configuration of cyber assets is to recognize that any cyber asset that does not have the proper configuration has a security vulnerability that can be exploited. Considering that security patches are a primary trigger for updating a baseline, this becomes even more onerous, as information about security patches typically resides in the public domain, making them a prime area for exploit.

Risk

The risk that baseline configuration management addresses is characterized by opportunity and impact. The impact is severe due to the fact that a cyber asset could be compromised, with significant probability that doing so would provide an exploit path into many areas of the IT Infrastructure. This is easy to understand.

What is often missed in assessing this risk is the opportunity for exploit represented by this issue. That is influenced by two factors:

1) The number of assets (i.e. all cyber assets)
2) The length of the risk window

Obviously the first factor, the number of cyber assets, cannot be controlled. Whatever cyber assets are in place determines this portion of the risk opportunity. What we can control is the risk window.

The risk window is the elapsed time from the point where a cyber asset does not have the proper configuration until such time as it once again does have the proper configuration. In simpler terms, the risk window is the length of time the asset is at risk. This can vary quite dramatically.

For example, let's compare an annual baseline configuration management practice to a monthly practice. In this example we assume (for simplicity) that one (1) unauthorized change occurs each month.

[Figure: Risk Exposure: Baseline Frequency, Annual vs Monthly. Unsecure Assets by Month (FEB through DEC), comparing Total Unsecure Assets (annual baseline) with Total Unsecure Assets (monthly baseline). Example based on one unauthorized change per month.]

This example demonstrates how risk exposure is affected by the baseline frequency. The gap between baseline cycles is where risk occurs. In the gap, risk accumulates to include all unauthorized changes until the next baseline cycle is run. For an annual cycle, the length of the risk window is one year. For a monthly cycle, it is one month. For a daily cycle, it is 24 hours.

The important point is that the risk to the IT Infrastructure can be controlled, and it is controlled by the frequency with which we perform baseline configuration management.

Best Practice Guidance

The best practice guidance for baseline configuration management is that the security vulnerabilities should be proactively managed through technology with direct support for the two processes outlined in this paper. Without supporting technology, these processes are manpower intensive and subject to human error.

The best practice for effectively controlling the risk window definitely requires automation. Manually collecting, recording, and assessing all of the configuration data on cyber assets is very expensive. In most cases, running a monthly or weekly baseline would be prohibitively expensive. With automation, the baseline frequency can easily be supported on a monthly, weekly, or even daily basis without incurring large manpower expenses.

The other best practice recommendations are:

1) Capture, document and secure baseline data programmatically (eliminate human error)
2) Perform comparisons programmatically and determine where differences exist (eliminate human error)
3) Provide a change control portal for implementing configuration changes, logging who, what and how an asset was patched: a complete change session log
4) Generate alerts when mismatches are found and review with the privileged actor that made the change (process improvement)
5) Document the approval process
6) Run comparisons frequently, even daily (shut down the window of opportunity)
7) Force rerun immediately after approved changes are made (validation)
8) Produce reports that detail all changes (and their dispositions)
9) Review reports for patterns that can improve the practice

A valuable reference on Baseline Configuration Management is the Guide for Security-Focused Configuration Management of Information Systems from the National Institute of Standards and Technology (NIST Special Publication 800-128):

http://csrc.nist.gov/publications/nistpubs/800-128/sp800-128.pdf

Various hardware and software solutions exist that can help meet these challenges. These solutions should be evaluated against organizational context and specific requirements for the different asset types in place in order to cover the broadest asset footprint possible, keeping in mind exceptions will require manual baseline configuration management.

About This Whitepaper

This whitepaper was written to help address a security vulnerability that is often overlooked and misunderstood. The recommendations provided are believed to be accurate in their applicability and support for this issue.

Full Disclosure

This whitepaper was written and produced by TDi Technologies, a software vendor that provides IT Infrastructure software solutions.
The information presented here represents our best understanding of the security issues associated with configuration ports, which is a problem area our company focuses on. The whitepaper is intended to provide useful and educational content that can assist companies in maintaining a secure and reliable IT Infrastructure.