Page 14 - Cyber Defense eMagazine - July 2018
There are many different potential answers to these questions. Configurations can change
due to users modifying them, settings being misconfigured initially, or machines being
turned off when group policies are entered. When configuration changes go unnoticed,
organizations are left facing easily exploitable vulnerabilities. This is why security
frameworks recommend that security teams use some form of configuration management
automation that provides consistent security metrics, rather than a manual process.
SETTING A STANDARD
Most of today’s security frameworks include configuration management requirements.
Frameworks such as NIST 800-53 implemented specific guidelines for configuration
management following the results of Operation Eligible Receiver 97. These guidelines
suggest practices such as setting a configuration baseline and limiting systems to only provide
essential capabilities in a control known as “least functionality.” NIST 800-53 and other
frameworks are great outlines for general requirements but do not provide details on how
configurations should be set.
For specifics of how configurations should be set, security teams utilize validated standards
such as Security Technical Implementation Guides (STIGs) from the Defense Information
Systems Agency (DISA). STIGs are required configuration standards for all Department of
Defense devices and systems. These standards have provided a guideline to secure areas of
networks at risk since 1998 [2]. Following an established standard such as STIGs provides
security teams with clear direction in their configuration management process while
ensuring compliance with frameworks and improving the security posture of their
organization.
MONITORING CONFIGURATION DRIFT
Even when organizations follow a configuration guideline such as STIGs, there is still a risk
of configuration drift without a proper monitoring solution. Drift occurs as devices,
software, or users are added to a network and can be almost impossible to track manually. An
example of drift affecting an organization’s security posture can be seen when looking at user
rights assignments, specifically the ability to debug a program. Debug rights are typically
[2] Security Technical Implementation Guides (STIGs). Retrieved from: https://iase.disa.mil/stigs/Pages/index.aspx
Copyright © 2018, Cyber Defense Magazine, All rights reserved worldwide.
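The drift check described under MONITORING CONFIGURATION DRIFT, as an added example that is not part of the original article: it compares the user rights assignments in a current export against a baseline and reports every right whose holders changed, including the debug right. It assumes the `[Privilege Rights]` INF layout written by `secedit /export`, where `SeDebugPrivilege` is the constant for "Debug programs"; both exports, the SIDs in them, and the function names are constructed for illustration.

```python
# Added example: user-rights drift between a baseline and a current export.
# Input format assumed: the [Privilege Rights] section of a "secedit /export"
# INF file (real exports are UTF-16; decode before passing the text in).
# Both samples below are constructed, not taken from any real system.

BASELINE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
"""

CURRENT_INF = """\
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-545
"""

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        name, _, value = line.partition("=")
        # Normalise "*SID" and account names so ordering and case do not matter.
        rights[name.strip()] = {p.strip().lstrip("*").upper()
                                for p in value.split(",") if p.strip()}
    return rights

def find_drift(baseline, current):
    """List (right, added, removed) for every right whose holders changed."""
    drift = []
    for right in sorted(set(baseline) | set(current)):
        want, have = baseline.get(right, set()), current.get(right, set())
        if want != have:
            drift.append((right, sorted(have - want), sorted(want - have)))
    return drift

def report(baseline_text=BASELINE_INF, current_text=CURRENT_INF):
    return find_drift(parse_privilege_rights(baseline_text),
                      parse_privilege_rights(current_text))
```

A right that is missing from the current export is reported as removed for every baseline holder, so a silently dropped assignment shows up alongside an added one.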