How important is security configuration management? Very important. Without robust security configuration management, you’ll suffer gaps in your information security system that you could drive an eighteen-wheeler through. And this means a higher risk of a data breach in all the flavors and colors. No one wants that for you. No one.
So, let’s explore the murky world of security configuration management and why grown-up businesses should take it seriously.
What’s Security Configuration Management?
Security configurations are parameters that govern how your IT ecosystem is managed in order to reduce risk. Security configuration management is the fine art of creating and deploying these security configurations. It’s a process that implements a combination of policies, controls, and settings that:
- Prevent the bad stuff like unauthorized access to files or infiltration by ransomware.
- Support the good stuff like compliance with security frameworks such as SOC 2.
The point of security configuration management is to reduce the number and bigness of attack vectors, which is fancy talk for ways that an attacker, such as a hacker or virus, can access your computer and have its wicked way with it. Your IT ecosystem is fitted with a range of attack vectors – such as ancient hardware, outdated software, and people’s lax or unknowing behavior – and is faced with ever-morphing types of cyber attacks every day, so security configuration management is important. In fact, security configuration management is so integral to information security that it even has its own ISO 27002 (ISO 27001’s friend) control: Control 8.9, take a bow.
Why Is Security Configuration Management So Important?
The consequences of poor/non-existent security configuration management (feat. security misconfiguration) can look like this:
- A misconfigured database server that gives an attacker sensitive administrator data through a simple web search.
- A lack of a strong password policy – or a policy exists but is routinely ignored. Hackers love lax password policies.
- An outdated operating system that allows a baddie to inject some malicious code into the system.
- Leaving a whole ton of unnecessary features enabled on an app that makes that app super-vulnerable.
- Leaving an unpublished URL unblocked: sometimes you don’t want random peeps visiting your just-for-staff site.
What Does Security Configuration Management Cover?
Everything, baby, everything. You’re looking at:
Security Configuration Management Policies
Good policies make everything better, and in security configuration, you’ll need a macro policy. This’ll probably be a part of your IT strategy, and it articulates your expectations and decisions about security configurations, such as:
- Identifying and categorizing all your potential attack vectors, e.g., outdated OS.
- Deciding the parameters you’ll use to minimize your attack vectors.
- Identifying what actions you’ll take to minimize the size of these attack vectors, e.g., your IT lead will enforce OS updates, you’ll enforce a default logoff period, or you’ll make sure your software is fully licensed up.
- Identifying the roles and responsibilities for robust configuration, e.g., are you assigning responsibility by asset, by device, by app, or by something else? Will the entire workforce be responsible for accepting OS updates immediately? Will your IT lead be responsible for the timely pushing of said updates?
- Identifying how you’ll document, monitor, and review security configurations across your organization.
Buckle up, because there’s more.
Security Configuration Templates
In the real world, templates save time and decision-making, and make systems consistent. Same in the information security world. Security configuration is usually approached using a collection of security configuration templates. Each template contains a collection of configurations that you consistently apply to an aspect of your IT infrastructure.
- A configuration template for user accounts might configure how you treat passwords, e.g., you’ll always change a default password issued by a software vendor.
- A configuration template for a server might include an audit log to monitor and record who’s trying to access it and when.
You can create templates that can apply across multiple areas, e.g., all your mobile devices, or templates for single areas, e.g., your domain controller. And, if you’re a pro, you’ll have a security configuration template checklist to make sure that each template covers everything it needs to cover.
IT Things That Need Configuring
All of it. But here are some examples to get you in the mood:
- Computers and network devices should be configured to remove unnecessary accounts and software, disable auto-run, change default passwords, and authenticate users.
- Domains should be configured to prevent the bad guys from grabbing pukka email addresses for a spot of whaling.
- Firewalls should be configured to block inbound unauthenticated connections and tighten up administrative access from the internet.
- Patch management should be configured to push software and OS updates ASAP, ensure licenses are updated, and remove redundant devices.
- Security software should be configured to be unblockable, prevent access to malicious websites, blacklist or whitelist sites appropriately, and scan files for yucky stuff like malware.
I’m Scared Now. How Can I Make Sure My Security Configurations Are Correct?
Calm yourself, because you don’t have to reinvent the bagel. Cast your mind back to ISO 27002 Control 8.9, because wisdom is contained therein. Security configuration management is a super-vital part of data security, and near the top of every compliance framework auditor’s Do They Got This? list. But you don’t have to worry about that, because one of our embarrassing specialties is sweeping through your IT ecosystem, possibly like a bat, to get it all configured correctly. Call us and we’ll tell you how.
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us today–chatting about IT support and cybersecurity is our favorite thing to do!