Reviewing Configurations and Implementations

Managing the configuration of information systems is traditionally a function of IT operations. Configuration management, however, has a direct impact on information security and compliance. As a result, security configuration management (SCM) pertains more specifically to the configuration items that are directly related to controls or settings that represent significant risk if not managed properly. This includes the controllable parameters for hardware and software. Configuration management as a program is made up of several pieces, such as the following:

  • Configuration change control board—A group of personnel responsible for governing configurations and configuration changes

  • Baseline configuration management—The plan for establishing the basic standard of system configurations and the management of configuration items

  • Configuration change control—A process for managing changes to the configuration standards defined for information systems

  • Configuration monitoring and auditing—A process for identifying current configurations and testing configurations against established baselines

The configuration includes the specifics on a system’s settings. Auditors can review the implementation of configuration items to ensure that prescriptive controls are put in place. The configuration can then be compared with standards and procedures. This task is difficult, however, in the absence of the previously mentioned components of a configuration management program. Even with a change control process in place, systems undergo unauthorized and untracked changes. These changes can directly affect the security of the systems. In addition to unauthorized changes, monitoring helps identify the following:

  • Misconfigurations—Monitoring confirms that authorized changes were put in place correctly and remain in place.

  • Vulnerabilities—These include missing system patches, together with the configuration items affected by a missing patch, so that risk can be determined and prioritized.

  • Unauthorized systems and software—These include systems not managed by a configuration monitoring solution as well as software not authorized for use on the managed system.

What makes configuration management especially useful for auditors is that most of the data about the systems is contained in a configuration management database (CMDB). The CMDB provides a central repository from which reports can be run. Thus, everything about all the systems at a particular point in time is stored in a database. Examples of configuration items include the following:

  • Operating system type

  • Service pack level

  • Security patches

  • Software installed

  • Users

  • Device drivers

  • Hardware configuration

  • Service and port status

  • Access permissions

  • Authentication controls

  • Audit settings

  • Protocols

Many configuration monitoring and auditing solutions are capable of providing predefined templates from which the configuration items can be assessed. Many of these templates are based on industry-recommended practices such as those from NIST. In addition, organizations can configure auditing templates to align with their own internal policies and standards. The following are sample templates that can be programmatically run to assess parameters specific to the template:

  • Operating system—This includes audit templates for each version of the operating system across UNIX, Linux, Mac OS, and Windows, for example.

  • Database—This includes audit templates for different types of databases that verify the database security and configuration parameters.

  • Application—This includes audit templates to assess applications for expected configurations.

  • Network device—This includes templates to verify appropriate settings across the network infrastructure, such as routers, switches, and firewalls.

  • Best practice documents—This includes templates to be run across different parts of the infrastructure to test for compliance based on recommended practices from organizations such as NIST and the Center for Internet Security (CIS).

  • Regulations and standards—This includes templates specifically targeted to assess against regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or industry standards like PCI DSS.

When systems aren’t compared against acceptable baselines, the systems could be configured inconsistently in a number of different ways. Configuration management and the use of monitoring tools ensure that systems stay configured as originally intended. This makes systems easier to troubleshoot and maintain and makes them more secure.
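As an added illustration (not part of the original text), the following Python check compares a host's recorded configuration items against a baseline template and reports the three categories of drift the chapter names: misconfigurations, missing patches, and unauthorized software. The baseline, patch identifiers, and package names are constructed sample values, not real benchmark content.

```python
"""Compare a host's configuration snapshot against a baseline template.
Constructed example data: the baseline stands in for a template such as a
CIS or NIST-derived one; the snapshot is what a CMDB might hold for a host."""
from dataclasses import dataclass


@dataclass
class Finding:
    category: str   # "misconfiguration", "vulnerability", "unauthorized_software"
    item: str
    expected: object
    actual: object


# Constructed baseline template (hypothetical keys and values)
BASELINE = {
    "settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": True,
        "password.min_length": 14,   # a floor, not an exact value
    },
    "required_patches": {"KB-0001", "KB-0002"},          # placeholder ids
    "approved_software": {"openssh-server", "auditd", "chrony"},
}

# Settings where the baseline value is a minimum rather than an exact match
MINIMUMS = {"password.min_length"}

# Constructed snapshot of one host as recorded in a CMDB
SNAPSHOT = {
    "settings": {
        "ssh.PermitRootLogin": "yes",        # unauthorized change
        "ssh.PasswordAuthentication": "no",
        "audit.enabled": True,
        "password.min_length": 8,            # below the baseline floor
    },
    "installed_patches": {"KB-0001"},        # KB-0002 missing
    "installed_software": {"openssh-server", "auditd", "chrony", "telnetd"},
}


def assess(baseline, snapshot):
    """Return the list of findings for one host; an empty list means compliant."""
    findings = []
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key)   # None if the item is absent
        if key in MINIMUMS:
            ok = actual is not None and actual >= expected
        else:
            ok = actual == expected
        if not ok:
            findings.append(Finding("misconfiguration", key, expected, actual))
    for patch in sorted(baseline["required_patches"] - snapshot["installed_patches"]):
        findings.append(Finding("vulnerability", patch, "installed", "missing"))
    for pkg in sorted(snapshot["installed_software"] - baseline["approved_software"]):
        findings.append(Finding("unauthorized_software", pkg, "not installed", "installed"))
    return findings
```

Running `assess(BASELINE, SNAPSHOT)` on the sample data yields four findings: two misconfigurations, one missing patch, and one unapproved package.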
