System Hardening

Security Configuration Management

NIST says SCM is: “The management and control of configurations for an information system with the goal of enabling security and managing risk”

The ability to create, edit and manage IT security hardening policies in a way that fits real-world business processes and continually balances risk and productivity

On Many Short-term Buying Lists (© 451 Group 2013)

[Slide graphic callouts: the #1 priority; 2nd most effective; 3rd most important; 3 (& 10)]

GCHQ’s New Cyber Security Guidance
• GCHQ released new “10 Steps to Cyber Security” in Fall 2012
• Focused on executive and board responsibility
• Names Secure Configurations as one of the most critical steps to achieving an objective measure of cybersecurity

“Configuration drift is a natural condition in every data center environment due to the sheer number of ongoing hardware and software changes.” – Continuity Software blog

“In less than a week, all the configuration controls, permissions and entitlements that IT spends time testing are useless.” – ITPCG blog

Monitors and assesses critical configurations in:
• File systems
• Databases like MS-SQL, Oracle, IBM DB2 and Sybase
• Directory services and network devices

When?
• Immediate detection of changes to critical, defense-dependent configurations
• Efficient, change-triggered configuration assessment
• Shorten time of system risk

Demonstrating Compliance:
• Document any waivers
• Document when tests went from failing to passing
• Be alerted to tests going from passing to failing – within minutes or at least hours

Continually assess and remediate insecure configurations, ensuring always-hardened, always-ready information systems and network devices

[Figure: axis labeled “Time”]

www.tripwire.com