An effective configuration management program is a critical element in the protection of network-connected devices. Most attacks against your network are opportunistic: criminals look for soft targets whose compromise requires the lowest possible work factor. Properly configuring your applications, databases, and operating systems can raise that work factor enough that an attacker moves on to an easier victim.
Risks Associated with Poor Configuration Management
Poor, or nonexistent, configuration management practices result in network components that are easy targets. Some security risks include:
- Known security flaws in operating systems, applications, and databases that are not patched. Potential attackers know about these vulnerabilities as soon as they're announced; often before. Failure to apply vendor-supplied patches to correct these flaws is an invitation to criminals looking for vulnerable company networks.
- Unnecessary services running on workstations or servers. Every listening service is additional attack surface that must be patched, monitored, and configured; a service nobody uses is rarely any of those.
- Error messages providing too much information. With the right tools, an attacker can intentionally cause an error on a network device. If the device is running with a default configuration, the error might reveal the operating system, system patch levels, and similar details that help the attacker choose a working exploit.
- Weak default passwords assigned to applications or system services. Accounts are sometimes created as part of the installation process for an application or operating system. Often the default password is easy to guess, documented by the vendor, or blank.
- Old production files or sample files left on server or workstation drives. Unused applications or demo software may leave behind scripts, applications, data files, configuration files, or web pages that may be easily exploited. You might not even be aware of their presence.
The purpose of configuration management is to effectively address these and other configuration issues.
Building a Configuration Management Program
Building a configuration management program consists of the following steps:
- Assign responsibility for managing and overseeing configuration management activities to a team or individual
- Create secure system configuration standards and guidelines
- Create and maintain an on-going configuration management process
Assign a responsible team or individual
Without assigning responsibility for creating and maintaining strong configuration management processes, your systems will most likely remain vulnerable to attack. Network engineers and software developers are usually very busy. Worrying about patches, unneeded services, and weak default passwords tends to fall low on the list of priorities. So who should be held accountable for proper device configuration?
In larger organizations, this responsibility often lies in Information Security. Information Security defines policies, standards, guidelines, and security baselines for enterprise systems, which are then used by engineering and development teams to design and implement business solutions. Information Security provides oversight by periodically testing installed systems for compliance with those baselines.
In organizations without a dedicated Information Security team, I recommend assigning these tasks to the person or team responsible for managing the network. This separates vulnerability management from the person or team focused on implementing the organization's technology, and puts it into the hands of those individuals who perform day-to-day operational tasks. Day-to-day activities should be expanded to include not only definition of standards and guidelines, but also oversight activities.
Regardless of who's responsible, all members of your technical staff must work together to identify and remediate system weaknesses.
Create secure standards and guidelines
Probably the most important task in configuration management is the creation of a security baseline configuration. The baseline should be generic enough to apply to every workstation and server regardless of its role; in practice, many organizations need more than one, for example separate baselines for workstations, application servers, and security infrastructure such as firewalls and authentication servers. Applying the baseline to a workstation or server should accomplish the following:
- All services not required for general operation of the device are disabled
- All default accounts are disabled or controlled, and strong passwords are applied
- Logging and alerting are enabled for failed logins, successful logins, and changes to security settings
- All critical security patches are applied
Once the baseline configurations are created and tested, special purpose configurations should be created to enable secure operation of specific types of systems. These include, but are not limited to, email, database, and web servers. The application of a type-specific configuration should result in:
- Services the system's role requires, which the baseline may have disabled, are turned back on (and only those)
- Critical security patches applied to the applications running on the system
- All default application accounts using controlled, strong passwords
Upon completion of successful testing of the type-specific configurations, you're ready to deploy securely configured systems into your environment. Deployment consists of six steps.
- Build a server or workstation using standard system build documentation
- Apply your secure baseline configuration
- Confirm proper configuration and operation of the system
- Apply your type-specific configuration, if necessary
- Confirm proper configuration and operation of the system
- Move to production
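The layering described above, a generic baseline followed by a type-specific overlay, is easiest to get right when both are written down as data and checked by a script rather than by hand at each of the two confirmation steps. The following is an added example, not code from the original article: it expresses a baseline and a web-server overlay as policy objects, merges them so the overlay can re-enable services and name extra default accounts but never relax an audit requirement, and reports every deviation found on a constructed host snapshot. The policy contents, service names, account names, and the patch label are assumptions made for illustration.

```python
"""Check a host against a generic security baseline, then against the baseline
plus a type-specific overlay (illustrative; policy names and host data are constructed)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowed_services: set = field(default_factory=set)     # services that may run
    required_audit: set = field(default_factory=set)       # events that must be logged
    controlled_accounts: set = field(default_factory=set)  # default accounts to lock or re-password


def merge_policy(base: Policy, overlay: Policy) -> Policy:
    """Layer a type-specific overlay on the baseline. The overlay can permit extra
    services and name extra default accounts, but it can never drop an audit requirement."""
    return Policy(
        allowed_services=base.allowed_services | overlay.allowed_services,
        required_audit=base.required_audit | overlay.required_audit,
        controlled_accounts=base.controlled_accounts | overlay.controlled_accounts,
    )


def check_compliance(host: dict, policy: Policy) -> list:
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    for svc, enabled in sorted(host["services"].items()):
        if enabled and svc not in policy.allowed_services:
            findings.append(f"service {svc} enabled but not permitted")
    for name in sorted(policy.controlled_accounts):
        acct = host["accounts"].get(name)
        if acct is None:
            continue  # the default account was never created on this host
        if not acct["locked"] and not acct["password_changed"]:
            findings.append(f"default account {name} active with vendor default or no password")
    for event in sorted(policy.required_audit):
        if not host["audit"].get(event, False):
            findings.append(f"audit event {event} not logged")
    for patch in host["pending_critical_patches"]:
        findings.append(f"critical patch {patch} not applied")
    return findings


# Generic baseline for every workstation and server (constructed).
BASELINE = Policy(
    allowed_services={"sshd", "ntpd"},
    required_audit={"login_success", "login_failure", "security_change"},
    controlled_accounts={"root", "guest"},
)

# Type-specific overlay for web servers: the web service comes back on, and the
# web application's own default administrative account must be controlled.
WEB_OVERLAY = Policy(allowed_services={"httpd"}, controlled_accounts={"www-admin"})

# Constructed snapshot of a freshly built web server, as a build tool might export it.
EXAMPLE_HOST = {
    "services": {"sshd": True, "ntpd": True, "httpd": True, "telnet": True},
    "accounts": {
        "root": {"locked": False, "password_changed": True},
        "guest": {"locked": False, "password_changed": False},
        "www-admin": {"locked": False, "password_changed": False},
    },
    "audit": {"login_failure": True, "login_success": False, "security_change": True},
    "pending_critical_patches": ["web-app-critical-fix-1"],  # constructed label
}

if __name__ == "__main__":
    print("baseline only:")
    for finding in check_compliance(EXAMPLE_HOST, BASELINE):
        print("  -", finding)
    print("baseline + web overlay:")
    for finding in check_compliance(EXAMPLE_HOST, merge_policy(BASELINE, WEB_OVERLAY)):
        print("  -", finding)
```

Run against the baseline alone, the snapshot is flagged for httpd, which is expected on a web server and is the reason the overlay exists; run against the merged policy, httpd is accepted while telnet, the unlocked guest account, the web application's default administrator, the missing success-login audit, and the pending critical patch all remain findings. The same check, pointed at a live export instead of the constructed snapshot, is what step three and step five of the deployment sequence should execute.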
Create and maintain an on-going configuration management process
It isn't enough to simply apply secure configurations and assume your network devices will remain secure. Configuration management is a continuous process that includes:
- The creation and maintenance of a system inventory. It's impossible to develop an ongoing configuration management program unless you know, at a minimum, the operating systems and applications, with associated patch levels, that are running on your network.
- Monitoring for the latest announced vulnerabilities related to the items in your inventory. The National Vulnerability Database (http://nvd.nist.gov/) and vendor sites are good sources for this information.
- Prioritization of vulnerability remediation tasks. Not all vulnerabilities for which patches exist should be immediately patched. Managing the application of patches is a risk-based activity. A simple application of risk management principles can help determine where to apply your resources to maximize your vulnerability mitigation efforts.
- Testing of all configuration changes. Change management is an important process in any configuration management program. Failure to properly test a change, and to assess the risks associated with that change, might result in the same or greater negative business impact you would experience due to an attack.
- Update baseline configurations, standards, and guidelines. Threats and vulnerabilities change over time. It's important to maintain a set of system configurations and processes that work to defend against the changing nature of system risks.
- Continuous vulnerability scanning. There's always some drift from the optimum computing environment as defined in your security program. Vulnerability scanning, for both internal systems and of your perimeter, can help identify deviations from written policy. This prevents a false sense of security based on incorrect assumptions about the level of hardware and software compliance. It also provides a means to determine how vulnerable your systems are to newly announced threats.
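The first three items in that list, an inventory with versions, a feed of announced vulnerabilities, and a risk-based ordering of the work, fit together as one small pipeline. The following is an added example, not the article's own material: it parses a constructed inventory export, matches each asset against a constructed advisory feed by numeric version comparison, weights the advisory's severity by how exposed and how important the affected host is, and assigns a remediation deadline from the resulting score. Every host, product, version, advisory identifier, severity value, and weight in it is an assumption made for illustration; the identifiers are placeholders, not real CVE or vendor IDs.

```python
"""Build a minimal system inventory, match it against an advisory feed, and rank
remediation by risk (illustrative; every host, product, version and advisory below
is constructed for this example and is not a real identifier)."""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    business_critical: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder, not a real CVE or vendor ID
    product: str
    fixed_in: str         # versions below this are affected
    cvss: float           # base severity, 0-10
    exploited_in_wild: bool


def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically ('2.4.9' < '2.4.10')."""
    return tuple(int(part) for part in v.split("."))


def load_inventory(csv_text: str) -> list:
    """Parse the inventory export; host, product and version are the minimum needed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Asset(r["host"], r["product"], r["version"],
              r["internet_facing"] == "yes", r["business_critical"] == "yes")
        for r in rows
    ]


def affected(asset: Asset, adv: Advisory) -> bool:
    return asset.product == adv.product and parse_version(asset.version) < parse_version(adv.fixed_in)


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Severity weighted by exposure and by whether the flaw is being exploited.
    The weights are assumptions for illustration; tune them to your environment."""
    weight = 1.0
    if asset.internet_facing:
        weight *= 2.0
    if asset.business_critical:
        weight *= 1.5
    if adv.exploited_in_wild:
        weight *= 2.0
    return adv.cvss * weight


def remediation_window(score: float) -> str:
    """Map a score to a patch deadline: not every fix needs to go in immediately."""
    if score >= 40:
        return "72 hours"
    if score >= 10:
        return "30 days"
    return "next maintenance cycle"


def prioritize(inventory: list, feed: list) -> list:
    """Return (score, host, product, advisory_id, window) tuples, highest risk first."""
    work = []
    for asset in inventory:
        for adv in feed:
            if affected(asset, adv):
                score = risk_score(asset, adv)
                work.append((score, asset.host, asset.product, adv.advisory_id, remediation_window(score)))
    return sorted(work, key=lambda w: w[0], reverse=True)


# Constructed inventory export.
INVENTORY_CSV = """host,product,version,internet_facing,business_critical
web01,examplehttpd,2.4.10,yes,yes
web02,examplehttpd,2.4.12,yes,no
db01,exampledb,12.3.0,no,yes
ws-107,exampleos,10.0.1,no,no
"""

# Constructed advisory feed (a stand-in for NVD or vendor entries).
FEED = [
    Advisory("EXAMPLE-ADV-1", "examplehttpd", "2.4.12", 9.8, True),
    Advisory("EXAMPLE-ADV-2", "exampledb", "12.4.0", 7.5, False),
    Advisory("EXAMPLE-ADV-3", "exampleos", "10.0.2", 5.3, False),
]

if __name__ == "__main__":
    for score, host, product, adv_id, window in prioritize(load_inventory(INVENTORY_CSV), FEED):
        print(f"{score:6.1f}  {host:8} {product:14} {adv_id:14} patch within {window}")
```

Two details matter more than the weights. Versions are compared as tuples of integers, so "2.4.9" correctly sorts below "2.4.10", which a string comparison gets wrong; and web02, already at the fixed version, produces no work item, which is exactly the "is this still a vulnerability for us?" question the inventory exists to answer. The scores drive the schedule: the internet-facing, business-critical web server with an actively exploited flaw lands at the top with a 72-hour window, while the workstation's moderate, unexploited issue waits for the next maintenance cycle.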
Challenges to Effective Configuration Management
It isn't always easy to convince company management to commit resources to configuration management activities. Let's face it. There's no immediate positive impact on your company's bottom line. Other obstacles to effective configuration management include:
- Lack of standard system configurations for workstations and servers. The greater the number of differences among your systems, the lower the probability that you'll be able to cost effectively manage system configurations. Testing for every possible combination of workstation and server image present on your network might require a resource commitment large enough to convince management to simply accept a large number of vulnerabilities.
- Poor software quality or poor vendor response when vulnerabilities are discovered. When purchasing new solutions for your business, research the overall quality of each component. Include in your research the level of customer satisfaction with the component vendor's response to discovered security problems in their products. What is the average time between vulnerability discovery and patch release?
The proper application of risk management principles can help justify the additional effort required to select the right solutions and to manage inherent vulnerabilities over time.