How secure are the systems your customers take for granted? Every day, your customers use systems that store and process their personal data. However, breaches are still occurring – some on a very large scale. So, how secure do you think your systems are today, and do they really protect your customers’ information?
Why weren’t we prepared for this attack?
Earlier this summer, the world was hit with another ransomware attack called WannaCry. This global malware outbreak revealed that a number of large organisations had not instituted proper security safeguards on their systems. Basic security hygiene would have helped prevent the spread of the worm that contains the malicious code. Why were the critical security patches not applied to these systems?
Of course, it’s not as simple as turning on Auto-Update on all desktops and servers within a company. To apply patches and security updates, companies have to test the patches first to ensure they do not conflict with the applications and services installed on the systems.
Secondly, most security updates require a reboot, something which is not practical on a critical system. Scheduled patching and downtime need to be considered. As such, many organisations fall behind on patching their systems.
Let’s not forget that an attack occurred back in November 2008, known to the world as Conficker, that in some ways used a similar exploit. That begs the question: why haven’t organisations learned from these lessons?
How can security software solutions help with my security posture?
Knowing what is happening within your infrastructure is an important step in your security posture. Ask yourself:
- Do you know about every asset connected to your network?
- Does every system have an owner, and is it maintained and patched?
- How good is your change management process? Do all changes follow this process?
- Are your critical systems compliant with a hardening standard?
- Do you have logs enabled that are being collated in a central system?
Having visibility into what is on your network will help identify systems that have not been maintained or patched. These are ideal hunting grounds for worms and viruses that seek out vulnerable systems and use them as a host to attack other systems.
Using technology to identify changes in your environment, such as File Integrity Monitoring (FIM) solutions, can help monitor critical files, registry keys and other critical components on the endpoint in real time, and drive workflows that alert the relevant teams to those changes.
Having the solution integrate into other platforms, such as Active Directory, Databases and network devices, would further assist in identifying unauthorised changes.
How can Security Configuration Management assist?
Security, or Secure, Configuration Management (SCM) has become a ‘must-have’ solution in recent years. As attacks on our systems become more sophisticated, it’s the endpoints on the network that are our last line of defence.
A good SCM solution should enforce strong security frameworks, such as ISO 27001, the CIS Critical Security Controls and, where applicable, regulatory standards like PCI DSS. It should also help you become compliant with these policies and standards. Once compliant, through continuous monitoring, it will detect any deviation from the compliant state and enable the user to respond quickly to bring the system back into compliance.
In addition, the computer systems remain in a more compliant state during the gaps between audits, and less effort is required to get the system compliant prior to the audit.
Another area that SCM solutions focus on is File Integrity Monitoring (FIM). FIM is the process of validating the integrity of the operating system and application software files by comparing the current state of the files with their ‘known-good’ baselines. Having a FIM solution in place will help identify abnormalities in the configuration of the system.
What if a system’s OS or critical configuration has been weakened, either by accident or maliciously? How would you know? Through integration with change management solutions, the SCM solution can validate changes made on the endpoints against change requests in the service management solution, thereby helping to reduce false positives.
Providing context around a change is equally important. Some FIM solutions will only state that a file changed at a certain date and time; without context, extra effort is required to investigate the change. Invest in a solution that identifies who made the change and what changed in the configuration, compares the change with the captured baseline, and tells you the filename and the time when the change occurred.
Finally, it comes down to training the users on how to use the system so that you realise the benefits of your investment. This is often an afterthought, so consider including it when you budget for an SCM solution. Most vendors offer excellent training.
Tripwire Enterprise is an award-winning Security Configuration Management and Integrity Monitoring solution that helps IT security teams:
- Instantly assess the strength of their system and network configurations
- Harden systems to organisational security policies, standards, and guidelines
- Provide on-demand technical and executive-level reports and dashboards
- Communicate the overall security posture in ways the business understands