You may know "Drift Away" is a song by Mentor Williams written in 1970 and originally recorded by John Henry Kurtz on his 1972 album Reunion. Mentor Williams was a country songwriter, and John Henry Kurtz was an actor and swamp rock singer. Dobie Gray then recorded/performed that famous song in 1973.
However, that’s not the lesson here, although who doesn’t like useless information? We’re talking configuration drift here folks. Configuration drift refers to the gradual and unintentional deviation of a system's configuration from its desired or baseline state. It occurs when changes are made to a system's configuration over time without proper documentation, tracking, or control. These changes can result from various factors, such as manual modifications, software updates, system failures, or unauthorized alterations.
Configuration drift can have significant implications for system stability, security, and performance. As the configuration of a system deviates from its intended state, it becomes challenging to maintain consistency and predictability. This can lead to operational issues, increased vulnerability to security threats, and difficulties in troubleshooting and maintaining the system.
Being able to assess, visualize, and remediate the configuration of your network infrastructure is imperative. CIS offers their SecureSuite Membership, which is a reasonably priced suite of tools and content that allow you to assess, visualize, and remediate the posture of a system against the industry standard CIS Benchmarks at scale.
The security objective aligned with this safeguard is to protect, similar to my previous blog on safeguard 4.1. Just as with safeguard 4.1, the benchmarks and tools mentioned in that blog can be customized and adapted to suit the specific requirements of network devices. CIS Safeguard 4.2 focuses on the establishment and maintenance of a secure configuration process for network infrastructure, encompassing routers, switches, firewalls, and other critical devices that facilitate the smooth flow of data within an organization. CIS acknowledges the criticality of these components and underscores the importance of robust security configurations to prevent unauthorized access and data breaches.
The Significance of Secure Configuration
Default configurations of network infrastructure devices often harbor security vulnerabilities that can be exploited by attackers to gain unauthorized access, disrupt network operations, and compromise sensitive information. By implementing secure configurations of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software, organizations can significantly mitigate the risks associated with such incidents and enhance their overall security posture.
Let’s talk about the benefits:
By implementing and maintaining a secure configuration process for your network infrastructure, you can achieve several significant benefits:
- Reduced Risk: Secure configurations significantly reduce the risk of unauthorized access, data breaches, and network disruptions, safeguarding our critical assets and sensitive information.
- Compliance: Adhering to industry best practices and standards ensures our organization remains compliant with relevant regulations and frameworks, enhancing trust and credibility with customers and stakeholders.
- Enhanced Resilience: Robust security configurations improve our network's resilience against cyber threats, minimizing the potential impact of attacks and facilitating a swift recovery.
Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security.
Here’s some details on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 4 – Secure Configuration of Enterprise Assets & Software
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Implementation Group 1
CIS Safeguard 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.