(Configuration) Drift Away ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On July 11, 2023

Steve’s Thoughts

You may know "Drift Away" is a song by Mentor Williams written in 1970 and originally recorded by John Henry Kurtz on his 1972 album Reunion. Mentor Williams was a country songwriter, and John Henry Kurtz was an actor and swamp rock singer. Dobie Gray then recorded/performed that famous song in 1973.

However, that’s not the lesson here, although who doesn’t like useless information? We’re talking configuration drift here, folks. Configuration drift refers to the gradual and unintentional deviation of a system's configuration from its desired or baseline state. It occurs when changes are made to a system's configuration over time without proper documentation, tracking, or control. These changes can result from various factors, such as manual modifications, software updates, system failures, or unauthorized alterations.

Configuration drift can have significant implications for system stability, security, and performance. As the configuration of a system deviates from its intended state, it becomes challenging to maintain consistency and predictability. This can lead to operational issues, increased vulnerability to security threats, and difficulties in troubleshooting and maintaining the system.

Being able to assess, visualize, and remediate the configuration of your network infrastructure is imperative. CIS offers their SecureSuite Membership, which is a reasonably priced suite of tools and content that allow you to assess, visualize, and remediate the posture of a system against the industry standard CIS Benchmarks at scale.
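To make drift on a network device concrete, here is an added example (not from the original post and not a CIS tool) that compares a device's running configuration against an approved baseline. It assumes an indented, IOS-style text configuration; the sample configs, the volatile-line patterns, and the function names are constructed for illustration.

```python
import re

# Lines that change on their own and are not drift (assumed patterns, IOS-style output).
VOLATILE = re.compile(r"^(Building configuration|Current configuration|ntp clock-period)\b")

def flatten(config_text):
    """Turn an indented config into a set of 'parent > child' paths, so that
    'shutdown' under one interface is not confused with another interface's."""
    paths, stack = set(), []              # stack holds (indent, line) of open parents
    for raw in config_text.splitlines():
        line, stripped = raw.rstrip(), raw.strip()
        if not stripped or stripped.startswith("!") or VOLATILE.match(stripped):
            continue                      # skip blanks, comments, volatile lines
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # close blocks at the same or deeper indent
        paths.add(" > ".join([p for _, p in stack] + [stripped]))
        stack.append((indent, stripped))
    return paths

def detect_drift(baseline_text, running_text):
    """Report baseline settings that are gone and settings nobody approved."""
    baseline, running = flatten(baseline_text), flatten(running_text)
    return {"missing": sorted(baseline - running),
            "unexpected": sorted(running - baseline)}

# Constructed sample: the approved baseline for one switch.
BASELINE = """! approved baseline
service password-encryption
no ip http server
interface GigabitEthernet0/1
 description uplink
 no shutdown
interface GigabitEthernet0/2
 shutdown
line vty 0 4
 transport input ssh
"""

# Constructed sample: what the device reports today, after undocumented changes.
RUNNING = BASELINE.replace("no ip http server", "ip http server") \
    .replace("interface GigabitEthernet0/2\n shutdown", "interface GigabitEthernet0/2\n no shutdown") \
    .replace("transport input ssh", "transport input telnet ssh") \
    .replace("! approved baseline", "Building configuration...\n! Last change at 10:02:11 UTC") \
    + "ntp clock-period 17179869\n"

if __name__ == "__main__":
    for kind, items in detect_drift(BASELINE, RUNNING).items():
        for item in items:
            print(f"{kind}: {item}")
```

Each reported path is either an approved change to document and fold into the baseline, or an unapproved one to revert.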

Bryon’s Thoughts

The security objective aligned with this safeguard is to protect, similar to my previous blog on safeguard 4.1. Just as with safeguard 4.1, the benchmarks and tools mentioned in that blog can be customized and adapted to suit the specific requirements of network devices. CIS Safeguard 4.2 focuses on the establishment and maintenance of a secure configuration process for network infrastructure, encompassing routers, switches, firewalls, and other critical devices that facilitate the smooth flow of data within an organization. CIS acknowledges the criticality of these components and underscores the importance of robust security configurations to prevent unauthorized access and data breaches.

The Significance of Secure Configuration

Default configurations of network infrastructure devices often harbor security vulnerabilities that can be exploited by attackers to gain unauthorized access, disrupt network operations, and compromise sensitive information. By implementing secure configurations of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software, organizations can significantly mitigate the risks associated with such incidents and enhance their overall security posture.

Let’s talk about the benefits:

By implementing and maintaining a secure configuration process for your network infrastructure, you can achieve several significant benefits:

  1. Reduced Risk: Secure configurations significantly reduce the risk of unauthorized access, data breaches, and network disruptions, safeguarding our critical assets and sensitive information.
  2. Compliance: Adhering to industry best practices and standards ensures our organization remains compliant with relevant regulations and frameworks, enhancing trust and credibility with customers and stakeholders.
  3. Enhanced Resilience: Robust security configurations improve our network's resilience against cyber threats, minimizing the potential impact of attacks and facilitating a swift recovery.

Here’s a link to a Secure Configuration Management Policy Template provided free of charge from the fine folks at the Center for Internet Security.

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 4 – Secure Configuration of Enterprise Assets & Software

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

Implementation Group 1

CIS Safeguard 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure

Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.