Read the title again. As a very impactful mentor of mine, Rampaul Hollington, once told me: “Cybersecurity starts, is sustained, and ends with Configuration Management.” We often say Cybersecurity is Risk Management, which it is, but the Risk Management rubber meets the road via Configuration Management. Nothing illustrates this concept more powerfully than the fact that the top five Critical Security Controls from the SANS Institute—the world’s leading cybersecurity training and resource center—are all associated with Configuration Management (CM):
- Inventory of Authorized & Unauthorized Devices
- Inventory of Authorized & Unauthorized Software
- Secure Configurations for Hardware & Software
- Continuous Vulnerability Assessment & Remediation
- Controlled Use of Administrative Privileges
In layman’s terms, these top five controls, or requirements, for a cybersecure IT system read:
- Know what tangible stuff you have connected to your network, including anything that is prohibited.
- Know what operating systems and applications that tangible stuff is running, especially if it’s prohibited.
- “Harden” or “shield” the stuff that is allowed on your network for robustness and to be able to withstand deliberate or accidental misuse.
- Always be on the lookout for weaknesses in your network’s stuff and applications, and be prepared to quickly fix those weaknesses in a controlled manner.
- Only provide elevated access—whether physical or virtual—to those members of your organization that absolutely need it, and then only give them enough privilege to conduct their tasks.
If you can put processes in place to meet these five requirements, your organization will be more than 85% of the way to an excellent bill of “cyber health”. Any process that is used to meet these five requirements falls under the banner of CM.
What is Configuration Management?
Common definitions of Configuration Management include phrases like a “process for establishing and maintaining consistency” of performance, physical and virtual characteristics, function, output, or a “detailed recording and updating of information that describes” hardware and software. These are fine definitions, albeit a little vague. Alternatively, we like to describe Cybersecurity/CM through two questions:
- If you don’t know what’s on your network, how do you know where your weaknesses are?
- If you don’t know what’s changed on your network, how do you know where to start troubleshooting?
You can bet your adversaries know where your network weaknesses are, weaknesses like old or misconfigured hardware, buggy versions of software, or which accounts have elevated privileges. They even have a good idea—sometimes better than you—of the most vulnerable aspect of your organization: your users, who are eminently susceptible to social engineering attacks like phishing. To stay ahead of your adversaries you must have a better grasp than they do of the stuff and people on your network; you’ll need to tightly manage the configuration of your network design, hardware, software, user accounts, and processes. You’ll also need to be able to restore to a known good configuration—this means backups.
Even the savviest adversary has his own weakness: he can’t compromise your network—by, say, stealing valuable information or knocking your network offline—without making some changes or leaving behind trace evidence of his work. You’ll need to have processes in place—CM Change Management processes—to make sure you can spot any change quickly and begin working to defeat the adversary.
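As an added illustration (not part of the original post), here is a small Python baseline-versus-current inventory diff that turns the two questions above into something that can run on a schedule: what is on the network that was not authorized, what software appeared or disappeared, and who gained elevated privilege. The hosts, package names and account names are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """One device in the inventory (constructed example record)."""
    name: str
    software: frozenset   # entries like "openssh=9.6"
    admins: frozenset     # accounts holding elevated privilege


def diff_inventory(baseline, current):
    """Compare a known-good baseline against a fresh inventory scan.

    The keys map onto the first, second and fifth controls: devices,
    software and administrative privilege. Every entry reported here is
    a change that must either match an approved change record or be
    treated as the starting point for troubleshooting or investigation.
    """
    base = {h.name: h for h in baseline}
    cur = {h.name: h for h in current}
    findings = {
        "unauthorized_devices": sorted(cur.keys() - base.keys()),
        "missing_devices": sorted(base.keys() - cur.keys()),
        "unauthorized_software": {},
        "removed_software": {},
        "new_admins": {},
    }
    for name in sorted(cur.keys() & base.keys()):
        b, c = base[name], cur[name]
        if c.software - b.software:
            findings["unauthorized_software"][name] = sorted(c.software - b.software)
        if b.software - c.software:
            findings["removed_software"][name] = sorted(b.software - c.software)
        if c.admins - b.admins:
            findings["new_admins"][name] = sorted(c.admins - b.admins)
    return findings


# Constructed sample data, not taken from any real network.
BASELINE = [
    Host("web01", frozenset({"nginx=1.24", "openssh=9.6"}), frozenset({"ops"})),
    Host("db01", frozenset({"postgres=16.2", "openssh=9.6"}), frozenset({"ops", "dba"})),
]
CURRENT = [
    Host("web01", frozenset({"nginx=1.24", "openssh=9.6", "vnc-server=7.1"}),
         frozenset({"ops", "svc_backup"})),
    Host("db01", frozenset({"postgres=16.2", "openssh=9.6"}), frozenset({"ops", "dba"})),
    Host("lab-laptop", frozenset({"openssh=9.6"}), frozenset({"guest"})),
]

if __name__ == "__main__":
    for key, value in diff_inventory(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

Swapping the arguments shows the other direction of drift (devices or software that went missing), which matters just as much when the baseline is the approved state.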
Where to start with Configuration Management?
If you fear your organization has gaps with its Configuration Management process, here are some good places to start:
- Ask your IT department or shop what tools and processes they have in place for Configuration and Change Management—if they can’t provide you with quick and coherent answers, you need to press deeper.
- Download the Critical Security Controls from SANS Institute and the Center for Internet Security (CIS), read the control descriptions for the first five controls, and ask the IT department how they plan on implementing the tools/processes described there.
- Of course, it will all come down to money (Risk Management!). Ask yourself how much your organization would be willing to ante up to an adversary to unlock critical data during a ransomware attack. A good start would be to dedicate a portion of that amount to developing a healthy CM process.
You need to be able to spot any change: often the changes made by the adversary appear benign, or the adversary attempts to cover his tracks with seemingly routine actions.