How secure are the systems your customers take for granted? Every day, your customers use systems that store and process their personal data. However, breaches are still occurring, some on a very large scale. So how secure do you think your systems are today, and do they really protect your customers’ information?
Why weren’t we prepared for this attack?
Earlier in the summer of 2017, the world was hit with another ransomware attack called WannaCry. This global malware outbreak revealed that a number of large organisations had not instituted proper security safeguards on their systems. Basic security hygiene would have helped prevent the spread of the worm that carries the malicious code. Why were the critical security patches, fixes which would have helped protect these systems from infection, not applied?
Of course, it’s not as simple as turning on Auto-Update on all desktops and servers within a company. To apply patches and security updates, companies first have to test the patches to ensure they do not conflict with the applications and services installed on the systems. Second, most security updates require a reboot, which is not practical on a critical system, so scheduled patching windows and downtime need to be planned. As a result, many organisations fall behind on patching their systems.
Let’s not forget Conficker, the attack of November 2008, which in some ways used a similar exploit. That raises the question: why haven’t organisations learned from these lessons?
How can security software solutions help with my security posture?
Knowing what is happening within your infrastructure is an important step in your security posture. Ask yourself:
- Do you know about every asset connected to your network?
- Does every system have an owner, and is it maintained and patched?
- How good is your change management process? Do all changes follow this process?
- Are your critical systems compliant with a hardening standard?
- Do you have logging enabled, with the logs collated in a central system?
Having visibility of what is on your network will help you identify systems that have not been maintained and patched. These are ideal hunting grounds for worms and viruses that seek out vulnerable systems and use them as hosts from which to attack other systems.
Using technology to identify changes within your environment, such as File Integrity Monitoring (FIM) solutions, can help monitor critical files, registry keys, and other critical components on the endpoint in real time, driving workflows that alert the relevant teams when changes occur. Having the solution integrate into other platforms such as Active Directory, databases, and network devices would further assist in identifying unauthorised changes.
How can Security Configuration Management assist?
Security, or Secure, Configuration Management (SCM) has become a ‘must have’ solution in recent years. As attacks on our systems become more sophisticated, it’s the endpoints on the network that are our last line of defence.
A good SCM solution should enforce strong security frameworks such as ISO 27001 and the CIS Critical Security Controls and, where applicable, regulatory standards such as PCI DSS. Not only that, but it should help you become compliant with these policies and standards. Once you are compliant, continuous monitoring will detect any deviation from the compliant state and enable you to respond quickly to bring the system back into compliance.
In addition, systems remain in a more compliant state between audits, and less effort is required to bring them back into compliance before the next audit.
Another area that SCM solutions focus on is File Integrity Monitoring (FIM). FIM is the process of validating the integrity of the operating system and application software files by comparing the current state of the files with their ‘known-good’ baselines. Having a FIM solution in place will help identify abnormalities in the configuration of the system.
What if a system’s OS or critical configuration has been weakened, either by accident or maliciously? How would you know? Through integration with change management solutions, the SCM solution can validate changes made on the endpoints against change requests in the service management solution, thereby helping to reduce false positives.
Providing context around a change is equally important. Some FIM solutions will only state that a file changed at a given date and time, but without context, extra effort is required to investigate the change. Invest in a solution that identifies who made the change and what changed in the configuration, comparing the change with the captured baseline and telling you the filename and the time when the change occurred.
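The baseline-and-compare approach that FIM relies on, together with the change context (which file, when, what changed against the baseline) the previous paragraph asks for, as an added Python example that is not code from the original article or from any vendor product. The directory tree and the configuration drift it detects are constructed for the demo; attributing a change to a user requires OS audit logging, which this snippet does not cover.

```python
import difflib
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def file_record(path):
    """Hash contents; keep mode, mtime and (for small text files) a copy so an alert can show what changed."""
    st, data = path.stat(), path.read_bytes()
    text = data.decode("utf-8", "replace") if len(data) <= 65536 and b"\0" not in data else None
    return {"sha256": hashlib.sha256(data).hexdigest(), "mode": oct(st.st_mode & 0o777),
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(), "text": text}

def build_baseline(root):
    """Walk the tree and record every file under its '/'-separated path relative to root."""
    return {p.relative_to(root).as_posix(): file_record(p) for p in Path(root).rglob("*") if p.is_file()}

def compare(baseline, current):
    """Report added, removed and modified files; modified entries carry before/after and a unified diff."""
    findings = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings["added"].append(rel)
        elif new is None:
            findings["removed"].append(rel)
        elif old["sha256"] != new["sha256"] or old["mode"] != new["mode"]:
            diff = "" if old["text"] is None or new["text"] is None else "".join(difflib.unified_diff(
                old["text"].splitlines(True), new["text"].splitlines(True), "baseline", "current"))
            findings["modified"].append({"file": rel, "before": old, "after": new, "diff": diff})
    return findings

def demo():
    """Constructed scenario: baseline a tiny tree, simulate drift, then compare against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # drift: a hardening setting is weakened and the file made world-writable, one file added, one removed
        (etc / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")
        (etc / "sshd_config").chmod(0o666)
        (etc / "motd").write_text("welcome\n")
        (etc / "hosts").unlink()
        return compare(baseline, build_baseline(root))
```

In a real deployment the baseline would be stored off-host and signed, and each finding would be checked against approved change requests before it is raised as an alert.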
Finally, it comes down to training the users on how to use the system in order to realise the benefits of your investment. This is often an afterthought, so consider including it when you budget for an SCM solution. Most vendors offer excellent training.
- Instantly assess the strength of their system and network configurations
- Harden systems to organisational security policies, standards, and guidelines
- Provide on-demand technical and executive-level reports and dashboards
- Communicate the overall security posture in ways the business understands