Happy 2018, everyone!
With the start of a new year, everyone makes resolutions that they may or may not be able to keep. One of the most common New Year’s resolutions (and arguably the most difficult to keep) is to exercise, get healthy, and/or lose weight.
This is a common thread in businesses, as well, as we see many organizations make the resolution to trim the fat, cut budgets, and do more with less. Well, this year, this is something we can actually do. The best way to do this is not to reinvent the wheel.
Rather, let’s look at an industry best practice that can provide great return on our investment!
The Center for Internet Security maintains their Top 20 Critical Security Controls. You likely have heard me (and many others) talk about these controls. They are a great way to organize a security team’s time and budget in the most effective way with the most amount of return.
The top four focus on asset discovery, vulnerability management, and configuration management. The key areas I want to focus on in this blog are CSC#5 - Secure Configurations for Hardware and Software and CSC#11 – Secure Configurations for Network Devices. These two controls say that an organization should focus on configuring securely and maintain those configurations on their applications, servers, workstations, and network devices.
Why are secure configurations so important?
Imagine wanting to secretly enter a building without using the front door. What would you do?
If you saw some of the holiday spy movies, one of the first things on your list would be to get the blueprints of the building. Having the blueprints gives you the opportunity to find the weakest points of entry into the building as well as how to get from that point of entry to any specific room in that building.
A key difference between a physical building and a network is that once a building a built, there isn’t much you can do to move rooms around. The best thing one can do is put the organization's secrets in the most fortified room, get the best security guards and cameras money can buy, and hope for the best.
In a network, routes can be modified, server settings can be changed, and ACLs can be implemented along with a vast variety of other security techniques. Monitoring is a key part of information security. Most organizations I have seen deploy a wealth of IDS systems, SIEMs, EDR, etc. But very few organizations actually look at how to best fortify the rooms.
When a new system is deployed, they get configured to a hardened state, but unlike a physical building, those configurations can be changed very easily. (Detecting that change is a separate story. Click here for more details.) The longer a system is deployed, the more likely those systems are going to be upgraded, changed, and eventually modified to (knowingly or unknowingly) decrease the security of the system.
Most commonly, businesses invest in the minimal amount of security required to be compliant with a standard.
For the purposes of this example, we’ll use the Payment Card Industry (PCI) standard. Among the requirements of PCI is to ensure that systems are configured to a hardened state. So some organizations will try to reduce the scope of their PCI assets to the fewest possible systems so they only need to secure those few systems. Many of these organizations will still deploy assets with the same secure configurations regardless of if they are in the PCI zone or not; they will maintain the configurations only of the assets in that compliance zone because those are the ones that they will be audited against.
A key challenge when maintaining these configurations is configuration drift (see diagram below). Change is inevitable and could result in a system becoming vulnerable to attack.
Now the key question is this: as configuration drift occurs, what if one of those systems outside the PCI zone gets compromised? Should we care?
Speaking with a variety of penetration testers, one of the common threads they see is that organizations who focus heavily on securing their compliance zone almost always forget to maintain the security posture of their assets outside that zone. This allows the penetration testers to easily leverage information from those non-compliance systems to attack and compromise systems within the compliance zone.
I get it, security monitoring can be expensive and tedious. So how can we maximize our return on investment?
“About 80 to 85 percent of the incidents we respond to would be mitigated if these controls were implemented as well as monitored on a regular basis.” - Ann Barron-DiCamillo, the Director of US-CERT.
Now pardon my math here, but if I have a limited security budget and limited resources, I would want to spend my time and money on an area that gives me the most return.
Ensuring that my systems are hardened securely and maintaining that secure state would be something I want to focus on. So even if I cannot afford the best security guards and cameras in the world, I can be sure that the doors, windows, ventilation systems, loading docks, and others are consistently configured securely.
You can learn more about how Tripwire can help configure and harden your systems here.