SANS Control 5—”Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers”
The Core Principle
Let’s sum it up in three words: Secure by default.
The more systems that are secure by default, the less twiddling your IT team has to do for each deployment. Less twiddling means fewer chances to make errors that lead to security breaches.
Transcending the Control
I’ll come out and say it: configuration management and baselining is the hardest, most time-consuming responsibility of the CISO. It’s exhaustingly detail oriented, so finding people who do it well is really, really hard.
I’ve seen many failed attempts to satisfy this control by creating baseline images: you have an image for Windows 10, OS X, Windows Server 2012, Windows Server 2019, oh yeah, and then images for each flavor of *nix your company’s adopted over the years…you get the picture. Difficult but doable.
Why doesn’t this work? Well it does, for the first few months, maybe even the first year. The real challenge is keeping up with configurations post-deployment. This is because frequent patching, version changes, and one-off cases will quickly make any baseline template obsolete. Not even large, well-staffed security teams can keep up with these changes manually.
If baseline images doesn’t work, what does work?
Usually I’ll go with a combination of clearly defined “trusted sources” for each baseline: could be a reputable Docker repo for servers. Then build a simple deployment checklist for each of these that cover your basic use cases (ex. your “non-technical” checklist, your R&D checklist, your finance checklist, etc.) that defines key security things you want to configure. Don’t go crazy here. It’s really tempting when you see the CIS benchmarks to think “that’s awesome! So hardened, nothing can hack me now!” You want to be really careful: every hardened setting you turn on (or off) is a potential help desk ticket or 300 down the road. You have to ask yourself: will this really improve the security of this device? Most of the time it won’t unless your staff are CIA operatives getting targeted by both Mossad and the FSB on the daily.
So what’s the solution? You have got to automate the process of configuration management: or rather configuration validation. Define your universal axioms of configuration (for example, “No missing security updates”. “Bitlocker/Filevault are always on”, etc) and automate detection of when your systems violate this.
You may have noticed that this sounds very similar to vulnerability assessment and remediation, which is the next topic, so I won’t spoil all the interesting bits yet. Stay tuned!
The next article will talk about the sixth and final core principle: Maintenance, Monitoring and Analysis of Audit Logs