In my last post, I talked about how ensuring that devices on your network are securely configured is a great way to minimize the attack surface of your infrastructure. Organizations like the Center for Internet Security (CIS) provide guidelines on how to best configure operating systems to minimize the attack surface. The CIS calls these “benchmarks.”

Many security policies state that all deployed systems should be securely configured. Some security policies go further to state that these secure configurations should be continuously monitored and the systems should be maintained such that they stay in a hardened configuration. From a policy perspective, this is a great start. The reality of the matter is that while it is easy to deploy a system securely with something like a CIS hardened image, maintaining that configuration can be a challenge.

As time goes on, application owners need to make modifications to their applications and the underlying infrastructure to continuously improve the product they provide to their customers. These customers can be internal to the business or external. As those modifications and changes happen, the configuration of the applications and infrastructure changes. These changes might be benign, or they might take the systems out of a hardened state. This is known as “configuration drift.”
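A minimal drift check for the idea described above, as an added example that is not part of the original post: it compares a constructed sshd configuration and constructed `ss -tln` output against a hardened baseline and lists what has left that baseline. The baseline values, sample inputs and function names are assumptions made for illustration.

```python
# Constructed baseline (assumption): hardened sshd settings and approved listening ports.
BASELINE = {
    "sshd": {"permitrootlogin": "no", "passwordauthentication": "no", "x11forwarding": "no"},
    "ports": {22, 443},
}
# Constructed samples of the host's current state, embedded so the example runs offline.
SSHD_CONFIG = """\
# managed by ops
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
"""
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:9400        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""

def parse_sshd(text):
    """Return {keyword: value}, lower-cased; the first occurrence wins, as in sshd."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

def parse_listening_ports(text):
    """Return the set of TCP ports in LISTEN state from `ss -tln` style output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def find_drift(baseline, sshd_text, ss_text):
    """Return sorted findings; a setting missing from the file is reported as drift."""
    current = parse_sshd(sshd_text)
    findings = [f"sshd {k}: expected {v!r}, found {current.get(k)!r}"
                for k, v in baseline["sshd"].items() if current.get(k) != v]
    findings += [f"port {p}: listening but not in baseline"
                 for p in parse_listening_ports(ss_text) - baseline["ports"]]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(find_drift(BASELINE, SSHD_CONFIG, SS_OUTPUT)) or "no drift")
```

Run on a schedule against live inputs, a check like this turns the policy requirement for continuous monitoring into a concrete list of deviations to review.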

Depending on the severity of the drift, there could be significant risk to the organization. Let us examine a couple of examples of configuration drift to see what the risk would be to the organization.

Example 1: A New Port

Our company has decided to add this great new innovative section to our application that will enable our customers to use our services in a much more streamlined manner than our competition. To accomplish this, we need to open a new communication port for our proprietary protocol. The business team created