Securing the Human

We know that organisations with strong security processes minimise the impact of a security incident. Those with a mature security posture conduct regular vulnerability scans and asset discovery to ensure that backend systems are not susceptible to the latest software vulnerability. But all organisations face a common enemy. No matter how secure your systems are or how tightly those controls are implemented, there is always the “insider threat”: the employee who may be disgruntled and who has privileged access to customer record management, as well as to systems that contain personally identifiable information.

It doesn’t necessarily have to be a disgruntled employee that causes an incident. What about the employee who is responsible for implementing an approved change request on the firewall? What if they didn’t have enough coffee the night before and made a change to the firewall that inadvertently left the environment insecure? It does happen.

One technology that can help organisations in that case is a good security configuration management (SCM) solution that detects changes in the environment. Within that SCM solution there should be a File Integrity Monitoring (FIM) component that detects changes in key files. FIM is the process of validating the integrity of operating system (OS) and application software files by comparing the current state of the files with their “known-good” baselines. In addition to files, SCM should be able to monitor changes to directory services, such as Active Directory, to spot accounts being added to restricted groups; monitor changes in databases by looking at permissions, ACLs and content changes; monitor changes on network devices, such as firewalls, routers and switches; and show the differences in a file before and after the change.
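The baseline comparison described above, as an added example (not code from the original post or from any particular SCM product): it snapshots the hash, permission bits and size of every file under a directory, reports what was added, removed or modified against the known-good baseline, and produces the before/after diff of a changed file. The demo uses a throwaway temporary directory and a constructed firewall rules file to simulate the accidental change the post describes.

```python
import difflib
import hashlib
import os
import tempfile

def fingerprint(path):
    """Hash the content and record the metadata a FIM baseline usually keeps."""
    st = os.lstat(path)
    digest = hashlib.sha256(open(path, "rb").read()).hexdigest()
    return {"sha256": digest, "mode": st.st_mode & 0o777, "size": st.st_size}

def baseline(root):
    """Snapshot every regular file under root, keyed by path relative to root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap

def compare(known_good, current):
    """Report files added, removed or changed since the baseline and which attributes moved."""
    changed = {rel: [k for k in known_good[rel] if known_good[rel][k] != current[rel][k]]
               for rel in set(known_good) & set(current)}
    return {"added": sorted(set(current) - set(known_good)),
            "removed": sorted(set(known_good) - set(current)),
            "modified": {rel: attrs for rel, attrs in changed.items() if attrs}}

def content_diff(before, after, name):
    """Unified diff of the file before and after the change, to include in the alert."""
    return "".join(difflib.unified_diff(before.splitlines(True), after.splitlines(True),
                                        "baseline/" + name, "current/" + name))

def demo():
    """Constructed scenario: baseline a throwaway directory, then simulate a bad firewall change."""
    before, after = "allow tcp 443\ndeny all\n", "allow tcp 443\n"
    with tempfile.TemporaryDirectory() as root:
        rules = os.path.join(root, "firewall.rules")
        with open(rules, "w") as fh:
            fh.write(before)
        os.chmod(rules, 0o600)
        known_good = baseline(root)
        # The mistaken change: default-deny line dropped, file left world-writable, stray script added
        with open(rules, "w") as fh:
            fh.write(after)
        os.chmod(rules, 0o666)
        open(os.path.join(root, "unexpected.sh"), "w").close()
        report = compare(known_good, baseline(root))
        report["diff"] = content_diff(before, after, "firewall.rules")
        return report
```

A real deployment would persist the baseline somewhere the monitored host cannot rewrite it, and re-baseline only after an approved change is verified.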
According to the 2015 Verizon Data Breach Investigation Report (DBIR), in 60 percent of cases attackers were able to compromise an organisation within minutes. Verizon also states that one of the primary challenges in the security industry is the growing “detection deficit” between attackers and defenders. Having a good SCM solution in place that encompasses FIM can help detect deviations from the baseline and identify abnormalities in the configuration of the system in question. FIM is an important component of SCM. What if a system’s OS or critical configuration has already been weakened, either by accident or maliciously? How would you know? SCM helps prevent attacks by creating a known and trusted state for your endpoints, or ‘nodes’. FIM will automatically detect changes to this state and alert you to a potential threat. Furthermore, a good SCM solution will allow you to import a number of policies and create your own based on those policies. Each policy will have the following four components:
- Tests – a check into the state of a specific configuration setting
- Scores – a measurement of the overall conformance of a system or device
- Weights – indicating the relative importance of a test
- Thresholds – setting the colour and score ranges, from lowest to highest, that separate low-severity failures from critical ones.