Over the past few years, the idea of patching systems to correct flaws has graduated from an annoying business disruption to a high priority. With all the notorious vulnerabilities that can wreak total havoc, the time it takes to patch becomes a minor inconvenience when weighed against both the technical challenges and possible regulatory penalties of not patching.

While patching is an important part of a comprehensive security program, one area that is more difficult is configuration management. No matter how often a system is patched, it can all be undone by a misconfiguration or an overlooked configuration. This is especially true when working with security configurations. These hidden flaws in a system remain even with the most current and rigorous patching process.

Getting to Know NIST SP 800-128

Fortunately, there is some guidance for configuration management specifically targeted towards security. NIST Special Publication 800-128, titled “Guide for Security-Focused Configuration Management of Information Systems,” offers advice that works in tandem with its parent guidance, the well-known SP 800-53 (now at Revision 5) “Security and Privacy Controls for Information Systems and Organizations.”

SP 800-128 was originally published in 2011, and it now incorporates updates from 2019. The comparisons between the two documents can be found in the eight-page Errata statement at the beginning of the publication; however, most of that is a collection of updated index references for other referenced documents. The main content begins after that and continues up until the appendices, which begin at page 46. (A note about the NIST appendices: Anyone who has ever read a NIST document knows that the appendices are equally as important as the body of the document and should not be overlooked. There are some really impressive flow charts in Appendix G that add visual clarity to the text of the entire publication.)

The authors state very early in the publication how this guidance is different from general configuration management:

Security-Focused Configuration Management (SecCM) is the management and control of secure configurations for a system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes, and activities of configuration management by attention on the implementation and maintenance of the established security requirements of the organization and systems.

Some key points within the document include the phases of security-focused configuration management, controlling changes to security configurations and monitoring for changes. The phases of security configuration management resemble those of all mature security programs, working in a cycle that specifies planning, identifying, change control, monitoring and constant reevaluation of security configurations.

A significant bulk of the document is spent describing steps that need to be accomplished during the planning phase. This is usually the part that makes many of the tech-focused infosec folks roll their eyes and grunt about how it is more important to “get the work done.” However, this is also the foundation which, if overlooked, could not only cause missteps in a robust SecCM implementation but also be the playbook that a keen auditor will use to show weaknesses in a security practice. Similar weaknesses in overall security have proven costly when examined by regulatory authorities. Can penalties for security misconfigurations be far behind?

The entirety of SP 800-128 is about process, not prescriptive technical advice. The authors are well aware that there are too many possible combinations to make any specific recommendations. In fact, they clearly and eloquently restate the mantra that there is no “One Size Fits All” approach to security configuration management:

Implementing secure configurations for IT products is no simple task. There are many IT products, and each has a myriad of possible parameters that can be configured. In addition, organizations have mission and business process needs which may require that IT products be configured in a particular manner. To further complicate matters, for some products, the configuration settings of the underlying platform may need to be modified to allow for the functionality required for mission accomplishment such that they deviate from the approved common secure configurations.
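As an added illustration of the monitoring and change-control phases and of the approved deviations mentioned in the passage above, the following Python compares observed settings against an approved baseline and separates documented deviations from unauthorized changes. It is not code from SP 800-128 or from this article; the setting names, host names and change ID are constructed for the example.

```python
# Added example: baseline drift check that honours documented deviations.
# All setting names, hosts and change IDs below are constructed samples.

BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "tls.min_version": "1.2",
    "audit.enabled": "true",
}

# Deviations accepted through change control, keyed by (host, setting).
APPROVED_DEVIATIONS = {
    ("legacy-app01", "tls.min_version"): {"value": "1.0",
                                          "change_id": "CHG-EXAMPLE-1"},
}


def classify(host, observed, baseline=BASELINE, deviations=APPROVED_DEVIATIONS):
    """Map every baseline or observed setting on a host to a status."""
    findings = {}
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        approved = deviations.get((host, setting))
        if actual == expected:
            findings[setting] = "compliant"
        elif actual is None:
            findings[setting] = "missing"
        elif approved and approved["value"] == actual:
            # Differs from the baseline, but exactly as change control allowed.
            findings[setting] = "approved_deviation"
        else:
            findings[setting] = "unauthorized_change"
    # Settings found on the host that the baseline does not cover at all.
    for setting in observed.keys() - baseline.keys():
        findings[setting] = "unmanaged"
    return findings


def needs_review(host, observed):
    """Return only the findings a reviewer has to act on."""
    return {s: status for s, status in classify(host, observed).items()
            if status not in ("compliant", "approved_deviation")}


if __name__ == "__main__":
    sample = {  # constructed observation, reused for two hosts
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",
        "tls.min_version": "1.0",
        "telnet.enabled": "true",
    }
    for host in ("legacy-app01", "web01"):
        print(host, needs_review(host, sample))
```

The same observed value for `tls.min_version` is accepted on the host with a recorded deviation and flagged on the host without one, which is the distinction a baseline-only comparison cannot make.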

If you are a technical wizard who is tasked with ensuring the security of your organization’s systems, it would be wise to spend some quality time with SP 800-128. Not only will it make you better prepared, but it will also help you to interact with the project managers, auditors and security managers to keep all the important parts of SecCM in order.

To learn more about the benefits of SCM, download Tripwire’s latest eBook “Mastering Configuration Management Across the Modern Enterprise: An Explorer’s Guide to SCM.”

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.