Ruslan Rakhmetov, Security Visio
It is no secret that in today's cyberspace one of the causes of destructive incidents is vulnerabilities that are researched, identified and then exploited by attackers. In a previous post, we looked at NIST SP 800-40, which deals with Patch Management, the process of managing software updates to address vulnerabilities. However, installing updates is also part of a more general process of making changes to the configuration of information systems, the so-called Configuration Management (hereinafter CM), i.e. the management of changes to the configuration of systems. It should also be noted that vulnerabilities in software or hardware components can be of different natures; in particular, configuration errors or uncoordinated changes to the state of information systems can lead to a successful cyberattack. The subject of this article is NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, which provides a structured approach to IT configuration management with a focus on security and monitoring to mitigate cyber risks and ensure the required level of service functionality.
NIST Publication SP 800-128 focuses on the security of CM processes and uses the term Security-focused Configuration Management (SecCM), which refers to the management and control of information system configurations for cybersecurity and cyber risk management. The use of the SecCM methodology enables deep control over IT assets, which increases the quality of IT/IS process management, improves response to cyber incidents, helps in software development and implementation, automates IT/IS processes, and ensures transparency of compliance procedures. Classical Configuration Management (CM) consists of a set of activities focused on implementing and maintaining the process of verifying the integrity and functionality of products and systems by controlling the initialisation, modification and monitoring of their configurations. A Configuration Item (CI) is a specific part of a system (e.g. a piece of software or hardware, documentation, firmware) that is the target of the configuration control process. A Baseline Configuration is a set of system specifications or Configuration Items (CIs) that have been tested and approved as of a specific date; changes to this Baseline Configuration can only be made through the configuration change control process, and the Baseline Configuration itself is used as the basis for subsequent builds, releases and/or changes.
NIST SP 800-128 also uses the concept of a Configuration Management Plan (CM Plan), which details the roles, responsibilities, policies and procedures used in managing product and system configurations. The Configuration Management Plan includes the following elements:
1. Configuration Control Board (CCB): an approved and empowered group of qualified individuals responsible for the process of controlling and approving changes throughout product and system lifecycles.
2. Configuration Item Identification: a methodology for selecting and defining the configuration items used in the configuration management process.
3. Configuration Change Control: the process of managing updates to the baseline configuration of configuration items.
4. Configuration Monitoring: the process of assessing or testing how well configuration items conform to the established baseline configurations, including the use of configuration status reporting mechanisms.
Configuration management in accordance with the SecCM approach includes processes such as:
1. identifying and documenting configurations that affect the cybersecurity posture of information systems and the organisation as a whole;
2. considering cyber risks when approving configurations;
3. analysing the cybersecurity implications of changes to system configurations;
4. documenting approved and implemented changes.
The implementation of the SecCM methodology can be broken down into the following phases:
1. Planning
1.1 Planning at the organisational level
1.1.1 Develop and implement a company-wide SecCM programme, with the appointment of a SecCM programme manager (from among the company's senior management).
1.1.2 Develop a SecCM policy that includes objectives, boundaries, roles, responsibilities, actions to be taken, commonly used secure configurations, and requirements for documenting changes made to system configurations.
1.1.3 Develop SecCM procedures, including document templates (for completion by system owners), a description of component inventory rules, a description of the rules for creating baseline system configurations, a description of standardised secure configurations, a description of the patch management process and its integration into SecCM procedures, a description of the procedures for accepting change requests from technical support and users, a description of the procedures for monitoring and reporting on system security to identify inconsistent changes, and a description of change control procedures.
1.1.4 Develop a SecCM monitoring strategy to verify the ongoing effectiveness of SecCM processes in supporting the organisation's security posture, compliance with baseline configurations, and compliance with SecCM policies; verification may be performed on a pre-agreed schedule and may include reporting of the verification results.
1.1.5 Identify types of changes that do not require configuration change control: pre-approved changes may include installation of anti-virus database updates, installation of official security updates from vendors, and replacement of certain hardware components. In addition, some types of changes may not fall within the scope of SecCM procedures at all, e.g. updating database content, creating accounts, or creating user files.
1.1.6 Develop training sessions on SecCM procedures for the responsible employees.
1.1.7 Define a list of agreed-upon IT products (software and hardware) that can be purchased and used without additional approvals.
1.1.8 Use automation tools for configuration management and for inventorying the system and product components in use, their configurations and settings, and for identifying inconsistencies with the corporate configuration management policy.
1.1.9 Create a test environment to validate new products and planned changes.
1.2 Planning at the level of information systems
1.2.1 Create a SecCM plan for each information system, including a system description, a list of inventoried system components, a list of configuration items, the level of criticality for managing changes to configuration items, a list of roles and responsibilities, a description of configuration change control procedures, the controls implemented for configuration changes made, the SecCM tools used, a description of the generally accepted applicable secure configurations and a list of acceptable deviations from them, and the criteria for approving baseline configurations.
1.2.2 Create or update the system component inventory list, which consists of a set of discrete, identifiable IT assets. When using IT asset inventory tools, it is recommended to use solutions that support SCAP (Security Content Automation Protocol) and CPE (Common Platform Enumeration, a common method of naming software components) notation.
1.2.3 Identify the configuration items that make up the information system.
1.2.4 Establish the relationship between the information system, its configuration items and its software components.
1.2.5 Establish an information system configuration control group whose responsibilities include evaluating and approving configuration changes to the information system.
2. Define and implement configurations
2.1 Develop secure configurations for the information system and its configuration items. Secure configurations may include setting secure values (OS and application parameters, services, protocols, security measures, accounts, audit parameters, cryptographic parameters), applying security updates, using agreed-upon secure software, implementing information security features, applying network security measures, locating the component at a secure point on the network, and maintaining and updating documentation.
2.2 Implement secure configurations, including steps such as:
2.2.1 Prioritising configurations so that security settings are applied first to high-priority systems, taking into account the level of system criticality, risk assessment, vulnerability scanning results, and the level of integration of a particular system/programme into the organisation's infrastructure.
2.2.2 Testing configurations in a dedicated environment to identify the mutual influence of security settings on the functioning of the target system.
2.2.3 Resolving the problems identified during testing and documenting the resulting deviations.
2.2.4 Documenting and approving the baseline configuration, including the secure configurations of all constituent configuration items, for subsequent control of all deviations from it.
2.2.5 Implementing the baseline configuration, centrally and, where possible, using automation tools.
3. Control of configuration changes
3.1 Restrict access for making changes: define the types of configuration changes (at the network, operating system and application levels), create the list of employees with privileged rights to make changes, and implement technical protection measures (access rights to directories/files, a role-based access model, etc.) so that only authorised employees can make changes.
3.2 Implement a configuration change control process that includes a change request, documenting the request, determining whether configuration control is required for the change, analysing the proposed change to assess its potential impact on system security, testing the change, approving the change, implementing the change in the configuration, verifying that the change is correct, and closing the change request.
3.3 Conduct Security Impact Analysis at the various phases, including the change initiation phase, the development/acquisition and implementation/evaluation phases, and the post-change operation and support phases. The cybersecurity impact analysis process consists of the following steps: analysing the proposed change, identifying vulnerabilities, assessing risks, assessing the impact on existing protective measures, and planning protective measures and countermeasures.
3.4 Document the changes made, update the relevant documentation, and archive old versions of documents.
4. SecCM monitoring
4.1 Evaluate and report on the status of SecCM, including scanning the IT infrastructure for unrecorded assets, searching for deviations from baseline configurations, implementing automation tools to monitor the changes made, querying logs and audit data to identify inconsistent changes, running integrity checks to detect deviations from baseline configurations, and auditing change records to verify compliance with SecCM procedures.
4.2 Implement and manage tools to monitor SecCM procedures; where automated tools are not possible, document such systems/components and develop a process for conducting non-automated verification.
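As an added example (not from NIST SP 800-128 or the author), the monitoring check in 4.1 in Python: a live configuration snapshot is compared with the approved baseline, and each deviation is classified as an approved deviation (1.2.1), a pre-approved change type exempt from change control (1.1.5), or an unauthorised change to raise with the configuration control board; settings found on the host but absent from the baseline are reported as unrecorded. All setting names, values and the change-request reference CR-0042 are constructed.

```python
import hashlib
import json

# Constructed baseline for one host; setting names and values are illustrative, not a real benchmark.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.X11Forwarding": "no",
    "audit.enabled": "yes",
    "av.signature_version": "2024.01.15",
    "kernel.version": "5.15.0-91",
}
# Deviations the configuration control board has approved (plan element 1.2.1):
# setting -> (approved value, change-request reference). CR-0042 is a constructed reference.
ACCEPTED_DEVIATIONS = {"sshd.X11Forwarding": ("yes", "CR-0042")}
# Change types exempt from change control (1.1.5): anti-virus signatures, vendor security patches.
PREAPPROVED_PREFIXES = ("av.signature_version", "kernel.version")


def baseline_fingerprint(baseline):
    """Hash of the approved baseline, kept under change control so tampering with it is detectable."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def classify_deviations(baseline, current, accepted, preapproved):
    """Compare a configuration snapshot with the baseline and classify every difference (4.1)."""
    report = {k: [] for k in ("compliant", "accepted", "preapproved", "unauthorized", "missing")}
    for key, expected in baseline.items():
        if key not in current:
            report["missing"].append(key)                    # CI setting not reported at all
        elif current[key] == expected:
            report["compliant"].append(key)
        elif key in accepted and accepted[key][0] == current[key]:
            report["accepted"].append(f"{key} ({accepted[key][1]})")  # documented, approved deviation
        elif key.startswith(preapproved):
            report["preapproved"].append(key)                # change type exempt from change control
        else:
            report["unauthorized"].append(f"{key}: {expected!r} -> {current[key]!r}")
    # Settings present on the host but absent from the baseline: unrecorded configuration.
    report["unmanaged"] = sorted(set(current) - set(baseline))
    return report


CURRENT_SNAPSHOT = {  # constructed snapshot as a monitoring agent might report it; audit.enabled is absent
    "sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no", "sshd.X11Forwarding": "yes",
    "av.signature_version": "2024.02.01", "kernel.version": "5.15.0-91", "telnet.enabled": "yes",
}

if __name__ == "__main__":
    print("baseline fingerprint:", baseline_fingerprint(BASELINE))
    for status, items in classify_deviations(BASELINE, CURRENT_SNAPSHOT, ACCEPTED_DEVIATIONS, PREAPPROVED_PREFIXES).items():
        print(f"{status:12} {items}")
```

Only the "unauthorized", "missing" and "unmanaged" lists need a change request or an inventory update; the fingerprint lets the check confirm it is comparing against the baseline the CCB actually approved.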