06/30/2022 | News release | Distributed by Public on 06/30/2022 03:53
Proper management of the configuration of your infrastructure components is vital to security, compliance and business continuity. Unfortunately, configuration drift in systems and applications is common, which leaves the organization vulnerable to attack. Indeed, about 1 in 8 breaches result from errors such as misconfigured cloud environments, and security misconfiguration ranks #5 on the OWASP list of the top 10 web application security risks.
In this post, you'll learn what configuration drift is and how you can prevent it.
A practical configuration drift definition is that any system configuration will, over time, diverge from its established known-good baseline or industry-standard benchmark. While minor drift might not cause issues, the reality is that even one misconfigured setting can expose the organization to data breaches and downtime, so the more severe configuration drift, the higher the risk.
More often than not, drift is the result of administrative users making changes to the system. Causes behind configuration drift include:
Here are some configuration drift examples:
It's the end of the work week, and the system engineer is about to leave. One of his colleagues informs him that a critical application is having an issue. He cannot leave the problem to be resolved on Monday but, at the same time, he wants to fix it quickly so he can head home. He makes some changes to the application configuration to fix the problem. However, he also modifies a critical setting that blocked unprotected public access to the system - causing configuration drift that leaves the infrastructure exploitable. Since he's in a hurry, he doesn't document his changes, so this drift could go unnoticed until it's exploited.
A company upgrades a business application to gain new features. The upgrade process makes some crucial configuration changes to allow connections through previously blocked ports. A few months later, during a security audit, auditors discover this misconfiguration. Even if the open port hasn't caused any harm yet, it still jeopardizes the company's compliance status.
Configuration drift increases the organization's risk of the following consequences:
NIST Special Publication 800-128 offers guidance for avoiding configuration drift. Here are some of the key recommendations:
Auditing the configuration of your systems on a regular basis is a good start. But even if you review them once a week, that's still more than enough time for a misconfiguration to lead to a breach, downtime or a compliance violation.
Therefore, it's imperative not only hold regular audits but to monitor configuration changes continuously. That way, improper modifications can be corrected immediately. In addition, be sure to hold audits when new devices are added or ad-hoc changes are made.
Manual review of system configurations is slow and error-prone, so misconfigurations may not be detected promptly, or at all. With attackers ready to exploit the slightest misstep in security, manual processes just won't cut it.
Consider investing in a configuration management tool that automates the process of finding configuration gaps. It should be able to scan all network devices and applications, spot any configuration changes, and notify the security team. Some automated tools can even be set up to revert the changes and restore a known-good configuration.
Establishing baseline configurations can save time and avoid confusion. Your teams can quickly determine whether configuration drift has occurred and restore your systems to their intended state.
Consider using benchmarks from industry leaders like CIS or NIST to build your baselines. Some configuration management tools provide templates to simplify this process. Be sure to review and update them regularly, especially when there are changes to your IT environment or applicable regulatory mandates.
Implementing rigorous change management, tracking and analysis is vital to IT security and availability, and configuration changes should be included. Controlling configuration changes as they happen helps prevent configuration drift and the associated risks. Documentation is vital to change management. Any configuration change should be documented and communicated using standard protocols set by the enterprise.
When it comes to the security of your enterprise assets and software, you can't afford to leave anything to chance. Netwrix Change Tracker scans your network for devices and helps you harden their configuration with CIS-certified build templates. Then it monitors all changes to system configuration in real time and immediately alerts you to any unplanned modifications.
With Netwrix Change Tracker, you can:
A configuration management plan defines a process for establishing baseline configurations, monitoring systems for configuration changes, and remediating improper or authorized modifications.
Configuration drift is a common problem that can be managed with better security configuration management. In particular, you should: