Prevent Hacking With Effective Systems Configuration Management

Submitted by

ChrisH

When systems are properly configured, hacking attacks against them are less likely to succeed.

This premise underlies the importance of a good configuration management practice, one based on effective configuration management governance with well-defined configuration management metrics. Security management professionals should therefore approach configuration management as an assurance process: its purpose is to ensure that system integrity is maintained over time. The integrity of each device and technology in use must be defined and established, treating “configuration management” as “configuration assurance.”

Why is Effective Configuration Management Necessary?

Configuration management is essential for establishing system configuration baselines, tracking changes, and monitoring system behavior throughout the system lifecycle. Without it, several problems arise, including the introduction of vulnerabilities that can be exploited to compromise systems.

A good illustration is the firewall deployed on an enterprise network to control traffic according to a defined ruleset. If configuration management is lacking or ineffective, the value of that control is largely lost, because there is no near-real-time capability to identify and validate changes made to the firewall or to compare its running configuration against a secure baseline. Where the firewall is a single line of defense, the likelihood of a network compromise going undetected increases, especially when there is also no near-real-time IDS/IPS correlation. The risk is reduced by weekly firewall configuration reviews and by keeping the ruleset simple. This observation is significant on its own, but combined with other system misconfigurations (such as permissive protocols and gaps in vulnerability management) and no real-time event analysis, it becomes part of a “chain of risk.”

Without a documented configuration management process, therefore, there is a risk that system configuration changes or updates are implemented improperly, inadvertently introducing bugs and/or misconfigurations into the system.

How Can Organizations Establish Effective Configuration Management Practice?

Establishing a good configuration management practice is a key requirement. Here are the essential elements:

  1. Configuration management procedures must be documented. A well-defined and documented Configuration Management Plan (CMP) or process document is essential for tracking hardware and software changes made to an organization's production systems; lacking one presents significant risk.
  1. A formal IT change management process requires cyber security risk to be evaluated during the analysis, approval, testing, and reporting of changes.
  1. Changes are formally approved by an individual or committee with appropriate authority, with separation of duties between those who request, approve, and implement a change.
  1. A change management process is in place to request and approve changes to system configurations, hardware, software, applications, and security tools.
  1. System builds and functions, including software code, are actively scanned by automated tools in the development environment so that security weaknesses can be resolved immediately, during the design phase.
  1. Reviews (such as testing and audits) occur at all post-design phases of the SDLC for all system/function builds, including mobile applications.
  1. Independent code reviews are completed on internally developed or vendor-provided custom applications to confirm there are no security gaps.
  1. Formal requirements for initial system/function build and deployment are established.
  1. Baseline configurations cannot be altered without a formal change request, documented approval, and an assessment of the security implications.
  1. Processes are in place to mitigate vulnerabilities identified as part of the secure development of systems and functions.
  1. Proposed changes or updates to the system configuration are tested to ensure that the security of the system is not degraded, and a report is submitted to the system configuration approval committee as part of the approval process.
  1. Metrics are established and used to evaluate the effectiveness of the organization's configuration management.
  1. Configuration changes across all environments are prioritized and tracked.

These are some of the basic elements of a good configuration management practice that an organization should institute.
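The firewall example earlier in this post (a running ruleset that nobody compares against a secure baseline, so changes go unvalidated) and the list items on baseline integrity and formal change approval describe a check that can be automated. What follows is an added example, not code from the original post: a Python drift check that parses a simplified one-line rule syntax, diffs the running ruleset against the approved baseline, matches every deviation (rule added or removed) to an approved change request, and separately flags overly permissive allow rules. The rule syntax, the sample rulesets, and the change-request table (ticket CR-204) are constructed for illustration; a real deployment would parse the vendor's own export format and query the change-management system for approved tickets.

```python
"""Configuration drift check for a firewall ruleset against an approved baseline.

Added example, not code from the original post. The one-line rule syntax,
the sample rulesets and the change-request table below are constructed
assumptions for illustration; a real deployment would parse the vendor's
own export format and pull approved tickets from the change-management system.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule: '<allow|deny> <proto> <src> -> <dst> <port>'."""
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rule(line: str) -> Rule:
    """Parse a single rule line such as 'allow tcp 10.0.0.0/8 -> 10.1.2.3 443'."""
    fields = line.split()
    if len(fields) != 6 or fields[3] != "->" or fields[0] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, _, dst, port = fields
    return Rule(action, proto, src, dst, port)


def parse_rules(text: str) -> set[Rule]:
    """Parse a whole ruleset, ignoring blank lines and '#' comments."""
    rules = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.add(parse_rule(line))
    return rules


def is_overly_permissive(rule: Rule) -> bool:
    """Flag allow rules that accept any source to any port: the weak setting."""
    return rule.action == "allow" and rule.src == "any" and rule.port == "any"


def audit(baseline_text: str, running_text: str, approved_changes: dict[str, str]) -> dict:
    """Compare the running ruleset with the baseline.

    Every deviation (a rule added to or removed from the baseline) must be
    traceable to an approved change request; anything else is unauthorized
    drift. Overly permissive rules are reported even when a ticket exists,
    because approval does not make a weak rule safe.
    """
    baseline = parse_rules(baseline_text)
    running = parse_rules(running_text)
    approved = {parse_rule(text): ticket for ticket, text in approved_changes.items()}

    deviations = (running - baseline) | (baseline - running)
    authorized = {r: approved[r] for r in deviations if r in approved}
    unauthorized = {r for r in deviations if r not in approved}
    permissive = {r for r in running if is_overly_permissive(r)}
    return {"authorized": authorized, "unauthorized": unauthorized, "permissive": permissive}


# Constructed sample data (not from any real firewall).
BASELINE = """
deny  any any         -> any      any    # default deny
allow tcp 10.0.0.0/8  -> 10.1.2.3 443    # intranet to web front end
allow tcp 10.0.1.0/24 -> 10.1.2.4 22     # ops subnet to bastion
"""

# Running config: one ticketed change, plus a silent "fix" that replaced the
# bastion rule with one open to every source on every port.
RUNNING = """
deny  any any         -> any      any
allow tcp 10.0.0.0/8  -> 10.1.2.3 443
allow tcp 10.0.0.0/8  -> 10.1.2.5 8443   # CR-204: new admin portal
allow any any         -> 10.1.2.4 any    # no change request on record
"""

# Approved change requests, keyed by ticket (constructed).
APPROVED_CHANGES = {"CR-204": "allow tcp 10.0.0.0/8 -> 10.1.2.5 8443"}

if __name__ == "__main__":
    report = audit(BASELINE, RUNNING, APPROVED_CHANGES)
    for rule, ticket in report["authorized"].items():
        print(f"OK        {ticket}: {rule}")
    for rule in report["unauthorized"]:
        print(f"DRIFT     no approved change: {rule}")
    for rule in report["permissive"]:
        print(f"WEAK RULE {rule}")
```

Run on a schedule against the firewall's exported configuration, the check reports the two things a weekly manual review would otherwise catch days late: the removed bastion rule and the wildcard rule that replaced it, neither of which has a change request. The ticketed 8443 rule passes as authorized drift, which is the signal to update the baseline once the change is closed.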
