Page 311
Asset Management
A holistic approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operational security, and there are specific controls that can greatly help system security throughout the system’s lifecycle.
Configuration Management
One of the most important components of any systems security work is the development of a consistent system security configuration that can be leveraged throughout the organization. The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization. One of the best ways to protect an environment against future zero-day attacks (attacks against vulnerabilities with no patch or fix) is to have a hardened system that only provides the functionality strictly required by the organization.
Development of a security-oriented baseline configuration is a time-consuming process due to the significant amount of research and testing involved. However, once an organizational security baseline is adopted, the benefits of having a known, hardened, consistent configuration will greatly increase system security for an extended period of time. Further, organizations do not need to start from scratch with their security baseline development, as different entities provide guidance on baseline security. These predefined baseline security configurations might come from the vendor who created the device or software, from government agencies, or from the non-profit Center for Internet Security (see https://www.cisecurity.org/). Basic configuration management practices associated with system security will involve tasks such as disabling unnecessary services, removing extraneous programs, enabling security capabilities like firewalls, antivirus, and intrusion detection or prevention systems, and configuring security and audit logs.
Baselining
Standardizing on a security configuration is certainly important, but there is an additional consideration with respect to security baselines. Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means of capturing the current system security configuration can be extremely helpful in responding to a potential security incident. Assuming that the system or device in question was built from a standardized security baseline, and also that strong change control measures are adhered to, there would be little need to capture the current security configuration. However, in the real world, unauthorized changes can and will occur in even the most strictly controlled environment, which necessitates monitoring a system’s security configuration over time. Further, even authorized system modifications that adhere to the change management procedures need to be understood and easily captured. Another reason to emphasize continual baselining is that there may be systems that were not originally built to an initial security baseline. A common mistake that organizations make regarding system security is focusing on establishing a strong system security configuration, but failing to quickly and easily appreciate the changes to a system’s security configuration over time.
Automation
Secure configuration management seeks to ensure that organizational baselines for hardware and software represent what the organization deems an acceptably secure and vetted configuration. Historically, the primary focus of security configuration management has been the provisioning or deployment of an asset. Periodic comparisons to the initial baseline, perhaps annually, might also have been employed. Unfortunately, unless assets are locked down and controlled with tremendous vigilance, much can and will change on them between provisioning and reassessment. Automating the reassessment can decrease the time to detect security-relevant configuration changes. Even better, though, would be employing automation to proactively address any deviation from the approved configuration baseline.
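The configuration management, baselining, and automation sections above describe the same loop from three angles: define a hardened baseline, capture the host's security-relevant state at a point in time, compare it to the approved baseline, and act on any deviation. The following Python script is an added example written for this page; it is not code from the book, from the Center for Internet Security, or from any vendor tool. The approved baseline, the observed host state, the service names, the sysctl keys and the file contents are all constructed for illustration, and a real deployment would replace the constructed inputs with output collected from the host (service manager, sysctl, and file reads).

```python
"""Point-in-time security baseline capture, drift detection and remediation planning.

Added example, not code from the book. All host data below is constructed.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# (category, key, kind, expected, observed); kind is "added", "removed" or "changed"
Finding = Tuple[str, str, str, Optional[str], Optional[str]]


def capture_snapshot(services: Dict[str, str], sysctl: Dict[str, object],
                     file_contents: Dict[str, bytes]) -> dict:
    """Build a point-in-time snapshot of the security-relevant state.

    Files are stored as SHA-256 digests so the snapshot can be retained and
    compared later without keeping the file contents themselves.
    """
    return {
        "services": dict(services),                       # name -> "enabled"/"disabled"
        "sysctl": {k: str(v) for k, v in sysctl.items()},  # kernel parameter -> value
        "files": {path: hashlib.sha256(data).hexdigest()
                  for path, data in file_contents.items()},
    }


def snapshot_fingerprint(snapshot: dict) -> str:
    """Stable digest of a whole snapshot: a cheap "has anything changed?" check
    that an automated job can run far more often than a full comparison."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(baseline: dict, current: dict) -> List[Finding]:
    """Report every key that was added, removed or changed relative to the baseline."""
    findings: List[Finding] = []
    for category in ("services", "sysctl", "files"):
        base = baseline.get(category, {})
        cur = current.get(category, {})
        for key in sorted(set(base) | set(cur)):
            if key not in cur:
                findings.append((category, key, "removed", base[key], None))
            elif key not in base:
                findings.append((category, key, "added", None, cur[key]))
            elif base[key] != cur[key]:
                findings.append((category, key, "changed", base[key], cur[key]))
    return findings


def remediation_plan(findings: List[Finding]) -> List[str]:
    """Turn drift findings into actions.

    Service states and sysctl values are reverted to the baseline. A changed
    file is escalated for investigation rather than silently restored, because
    overwriting it would destroy evidence of how and why it changed.
    """
    actions: List[str] = []
    for category, key, kind, expected, observed in findings:
        if category == "services":
            if kind == "added":
                actions.append(f"disable unapproved service {key}")
            else:
                actions.append(f"set service {key} to {expected}")
        elif category == "sysctl":
            if expected is None:
                actions.append(f"review unapproved sysctl {key}={observed}")
            else:
                actions.append(f"sysctl -w {key}={expected}")
        else:
            actions.append(f"INVESTIGATE {key}: content {kind}")
    return actions


# --- Constructed sample data (hypothetical host; not from any real system) ---

# Approved hardened baseline: only required services enabled, kernel settings
# locked down, and a known-good SSH daemon configuration.
APPROVED_BASELINE = capture_snapshot(
    services={"sshd": "enabled", "telnet": "disabled", "cups": "disabled"},
    sysctl={"net.ipv4.ip_forward": 0, "kernel.randomize_va_space": 2},
    file_contents={"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n"},
)

# The same host observed later: telnet re-enabled, an unapproved VNC service
# added, IP forwarding turned on, and root SSH login permitted.
OBSERVED_NOW = capture_snapshot(
    services={"sshd": "enabled", "telnet": "enabled", "cups": "disabled", "vncserver": "enabled"},
    sysctl={"net.ipv4.ip_forward": 1, "kernel.randomize_va_space": 2},
    file_contents={"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n"},
)


def assess_host(baseline: dict, current: dict) -> dict:
    """One automated reassessment run: fast fingerprint check, then full diff and plan."""
    unchanged = snapshot_fingerprint(baseline) == snapshot_fingerprint(current)
    findings = [] if unchanged else diff_snapshots(baseline, current)
    return {"unchanged": unchanged, "findings": findings, "plan": remediation_plan(findings)}


if __name__ == "__main__":
    result = assess_host(APPROVED_BASELINE, OBSERVED_NOW)
    print("baseline intact:", result["unchanged"])
    for f in result["findings"]:
        print("drift:", f)
    for action in result["plan"]:
        print("action:", action)
```

The fingerprint comparison is what an automated job would run frequently; the full diff and remediation plan run only when the fingerprint differs, which keeps the cost of continual baselining low while shortening the time to detect security-relevant change.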