White Paper
Custom Solutions Group

SCM: The “Blocking and Tackling” of IT Security

When it comes to today’s threats, it’s back to basics. Security configuration management means getting serious about fundamentals, like hardening ever-changing IT configurations and keeping them that way.

Cloud computing. Virtualization. Social networking. IT consumerization. What do these trends all have in common? Besides promising to radically change the face of corporate technology today, they create threat vectors that can leave companies vulnerable to a whole new world of attacks, expanding the potential for data breaches. Despite these rising threats, uncertain economic times are resulting in shrinking IT budgets.

Fewer dollars and less IT staff devoted to securing infrastructures have security professionals struggling to keep up. The IT security market is overflowing with options designed to protect corporate infrastructure from unauthorized access; some essential, some not, but all marketed as critical. As vendors work up a fever pitch over the latest threats and the products that protect against them, it’s easy for security professionals to forget the basics. Yet, as with any discipline, the basics must be addressed in order for strategies to succeed.

Getting back to basics means repeatedly taking a hard look at one’s security environment, crossing all the T’s and dotting all the I’s. And then doing it again. After all, if a basic level of security isn’t maintained and a breach occurs, the blame falls squarely on the shoulders of the security professional. Still, in the realm of security basics, hardening security configurations across corporate IT assets may seem like reverting back to Security 101. But when attackers troll for the least-defended environments, such security measures are exactly what it takes to force attackers on to greener pastures. Think about it — it’s why a burglar looks for an open window or door before he breaks one.

Attackers in the House
Data breaches continue to rank as a top threat to corporate environments, as more and more attackers successfully find their way into networks. According to Verizon’s 2011 Data Breach Investigation Report, data loss through cyber attacks decreased significantly in 2010, but the total number of breaches was higher than ever. The number of compromised records involved in data breaches dropped to 4 million in 2010, down from 144 million in 2009. Yet there were approximately 760 breaches last year, the largest number since the report’s inception.

This means that while attackers don’t always steal data, their ability to gain unauthorized access continues to grow. Considering that many attacks today aren’t isolated incidents — attackers often work to break down a network’s security over time — breaches that don’t result in immediate data theft may still be dangerous as they lay the groundwork for future harm. In 2010 outsiders were responsible for more data breaches than in the past, totaling 92 percent, which Verizon attributes to the significant increase in smaller external attacks.

“Right now, the threat of breaches from external parties is the No. 1 issue my clients worry about,” says Daniel Blander, CEO & Co-Owner of InfoSecurityLab, which builds worldwide information security and risk management programs for businesses.

And while the theft of customer or employee personal data and corporate financial data is still concerning, companies today are most worried that their intellectual property (IP) could be stolen as a result of unauthorized network access. “IP is getting higher and higher on executives’ lists of worries. Companies really care about competitors finding out their project ideas and having them show up somewhere else in the world with some other company’s name on it,” says Blander.

In fact, in its June report entitled “Perceptions About Network Security,” the Ponemon Institute found that 80 percent of the 583 IT security practitioners in the U.S. who responded to a survey said they had experienced at least one data breach. Of those who were able to calculate the cost of a security breach — including cash outlays, internal labor, overhead, revenue losses, and other related expenses — 41 percent said the breach cost them $500,000 or more.

What’s more, 53 percent of respondents to the Ponemon survey said they have little confidence that they would be able to avoid one or more cyber attacks in the next 12 months. If these companies haven’t focused on laying a sturdy foundation for their company’s security, they have good reason to worry.

An Ounce of Prevention
Perhaps most disturbing, however, is the simple fact that the vast majority of breaches that occur could have been prevented. Verizon’s report says that 92 percent of last year’s attacks were not considered ‘highly difficult,’ and 96 percent could have been avoided through simple or intermediate control. What’s more, 50 percent of the breaches involved hacking and 49 percent involved malware (with some overlap that involved both) and both of these vectors prey primarily on weakly configured or loosely monitored systems.

While there’s no such thing as an IT environment that is 100 percent secure, taking fundamental steps to assess and harden IT systems is the basic “blocking and tackling” of IT security that removes the root cause of the vast majority of breaches. These steps include:
• Assess and inventory configurations on all servers and devices, and compare the results to some understood, recognized security standard (like CIS, NIST, or ISO-27001)
• Gain immediate, real-time insight into any changes to the files, configuration items and states that define this security standard

“Blocking and tackling” for security professionals means going back to basics and eliminating the “easy ins” preyed on by attackers in the Verizon report, like open ports and unused services, the use of default or easily guessed administrator passwords, or improperly configured firewalls. “Blocking and tackling” for IT security teams also means keeping continuous watch on these systems, to detect the clues that indicate attacks in progress, like security controls disabled by anti-forensic activities, oddly elevated permissions, or unexpected changes to critical files.

Security configuration management solutions are built to make these issues visible to IT security professionals, and to give them the information and tools they need to manage them in the most automated way possible.

80% of the IT security practitioners in the U.S. who responded to a survey said they had experienced at least one data breach.

41% of those who were able to calculate the cost of a security breach said the breach cost them $500,000 or more, including cash outlays, internal labor, overhead, revenue losses, and other related expenses.

SOURCE: Ponemon Institute report Perceptions About Network Security
BASE: 583 IT security practitioners

Hardening Systems is Job #1
Yet in complex corporate IT settings, it’s easy to understand how these basic steps to security are overlooked. Software deployments, upgrades and patches are constantly changing the computing environment, and so maintaining standard configurations becomes difficult. Even the smallest changes can affect how permissions are set or which ports are to be used. Security professionals need help; they need an end-to-end view of the entire IT infrastructure so they can be kept informed of configurations, detect changes to standard configurations, and correct as needed.

Security Configuration Management (SCM) tools play an essential role in securing today’s networks by providing security professionals with that ongoing, base level of assurance from which they can build their security strategies.

“Most attacks are targets of opportunity; the attacker is bouncing around until he finds a weakly defended system, and then uses that to wriggle into a network of connected machines. Because of that reality, hardening systems is Job #1,” says Michael Thelander, director of product marketing with Tripwire. “If it’s too hard for the passing hacker, worm, or malware, the attacker may just pass on to less defended targets.”

SCM helps security experts cover the basics:
• It provides a base level of assurance by defining hardening and security guidelines that establish a company’s basic known and trusted state, building the foundation of security;
• It takes an end-to-end approach and offers the best value for a company’s security dollars because it can exist in every piece of the infrastructure. Security professionals can harden their servers, desktops, firewalls, switches, virtual systems, applications, databases, and more with one solution;
• Done correctly, it provides integrated monitoring capabilities that detect and act when configurations change unexpectedly;
• It leverages third-party security benchmarks, and therefore doesn’t require the lengthy, involved creation of custom rules in order to be effective;
• It’s an automated solution that can in many cases re-test configuration states when a change is detected;
• When used in conjunction with Security Information and Event Management (SIEM) tools, it helps narrow the field so security professionals can more quickly pinpoint the problem.

By leveraging SCM, companies can increase the overall level of difficulty that attackers are met with upon attempting to gain access, while also reducing the attack surface. These tools also allow companies to measure their level of security and reduce the amount of work required by other security tools, such as SIEM products.

With SCM “you’re creating a baseline of security and you have the opportunity in doing that to eliminate a very large percentage of weaknesses,” says InfoSecurityLabs’ Blander. Commercial software is always shipped with vulnerabilities, and that’s something companies must deal with. “We must build our systems with a level of security to eliminate weakness, to a level that is better than the settings software manufacturers provide, to raise the expected level of security. If we don’t pay attention to those, we allow for weaknesses.”

A Realistic View of Security
Beyond technology, many IT professionals must work to change the corporate mindset regarding security. Companies today prefer to believe that a data breach won’t happen to them
— they think they’re too small, too far off the radar, or don’t deal in enough sensitive information to be a fruitful target. The security professional’s job is to re-educate the organization for its own good. High profile, brand-name cases like the Sony breach garner most of the news attention, but the Verizon report showed a 230 percent increase in attacks against small companies of 100 or fewer employees. Clearly, there’s no such thing as “too small” or “too mundane.”

Given the high likelihood that a data breach will occur, security professionals must shift the conversation from “What will happen if we suffer a breach” to “We are highly likely to suffer a breach, let’s talk about strategies for rapid detection and minimal loss.” It isn’t easy for security professionals to draw attention to their companies’ security weaknesses, but being able to face the reality of a potential breach means they can be more proactive about dealing with the consequences.

“The likelihood of a breach is so high, it’s incumbent on them to explain to others that this is the state of the world,” says Tripwire’s Thelander.

This is another area where SCM can help, by closing the gap between the time of breach and detection, thus ensuring that when a breach does happen it will be detected as soon as possible to minimize impact. Implementing this technology raises the confidence of a company’s executives regarding overall security, and also sends a message to customers that a company is taking the necessary steps to protect their data.

“From a sales and marketing perspective, SCM lets us demonstrate to the customer that if they go with us, we’re thinking about their data and protecting their data — it helps us put a little wedge between us and the competition,” says Art Taylor, president and CEO of Benefit Allocation Systems, which provides a web-based employee benefits administration service. “For me, SCM lets me put my head on the pillow each night; it gives me a level of insurance.”

Taylor went back to security basics, and he can sleep at night.

Building the Right SCM Toolkit
When getting back to those security basics, an effective SCM toolkit is about as fundamental as it gets. But remember all tools are not created equal. So security professionals should fill their toolkits with solutions that are purpose-built to provide end-to-end protection and facilitate the mandates to prevent, detect, and correct.

• PREVENT: SCM tools must be able to assess IT configurations against a wide range of policy and platform configurations to prevent vulnerabilities from the onset;
• DETECT: The right tools should be able to detect changes to configuration states and files in real time, including changes that occur at the server, database, directory server, and network device level. They should also feed real-time information to policy management tools to provide truly continuous monitoring of files and configurations;
• CORRECT: SCM tools should also provide an automated way to repair broken or misaligned security configurations using role-based workflows, detailed reporting, and fully executable scripts that speed remediation time, reduce risk, and save time and money.

When all three of these SCM capabilities are rolled into one complete solution, getting back to those security basics gets a little easier. That’s certainly a best practice to strive for — especially when the devastating march of security breaches goes on and on and on.
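
The prevent, detect and correct cycle described above, sketched as an added example; it is not part of the white paper and not Tripwire's or any product's code. The policy, the file names and the sample configurations are constructed for illustration, and the "Key value" format is a simplification.

```python
import hashlib

# Hypothetical hardening policy (constructed; a real one would be derived
# from a recognized standard such as a CIS benchmark).
POLICY = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "X11Forwarding": "no"}

# Constructed sample configurations in a simplified "Key value" format.
HARDENED = """# remote access settings
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""
DRIFTED = """# remote access settings
PermitRootLogin yes
PasswordAuthentication no
"""
NTP = "server time.example.internal\n"


def parse_config(text):
    """Return {key: value}; comments and blank lines are skipped.
    Assumption of this example: the first occurrence of a key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings.setdefault(parts[0], parts[1].strip() if len(parts) > 1 else "")
    return settings


def assess(text, policy):
    """PREVENT: list (key, expected, actual) for every deviating setting."""
    actual = parse_config(text)
    return [(k, want, actual.get(k)) for k, want in policy.items() if actual.get(k) != want]


def snapshot(files):
    """Record a SHA-256 fingerprint per file: the known and trusted state."""
    return {name: hashlib.sha256(body.encode()).hexdigest() for name, body in files.items()}


def detect_drift(baseline, current):
    """DETECT: compare two snapshots and classify each difference."""
    changes = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            changes[name] = "removed"
        elif name not in baseline:
            changes[name] = "added"
        elif baseline[name] != current[name]:
            changes[name] = "modified"
    return changes


def correct(text, policy):
    """CORRECT: rewrite policy-controlled lines and append missing ones."""
    out, seen = [], set()
    for line in text.splitlines():
        stripped = line.strip()
        parts = stripped.split(None, 1)
        key = parts[0] if parts and not stripped.startswith("#") else None
        if key in policy:
            if key not in seen:  # duplicates of a controlled key are dropped
                seen.add(key)
                out.append(f"{key} {policy[key]}")
        else:
            out.append(line)
    out.extend(f"{k} {v}" for k, v in policy.items() if k not in seen)
    return "\n".join(out) + "\n"


def run_cycle(baseline_files, current_files, policy, policy_file):
    """Re-test the policy file when it has drifted; repair it if it fails."""
    drift = detect_drift(snapshot(baseline_files), snapshot(current_files))
    findings, repaired = [], dict(current_files)
    if policy_file in drift and policy_file in current_files:
        findings = assess(current_files[policy_file], policy)
        if findings:
            repaired[policy_file] = correct(current_files[policy_file], policy)
    return drift, findings, repaired


if __name__ == "__main__":
    base = {"sshd_config": HARDENED, "ntp.conf": NTP}
    now = {"sshd_config": DRIFTED, "ntp.conf": NTP}
    drift, findings, repaired = run_cycle(base, now, POLICY, "sshd_config")
    print("drift:", drift)
    for key, want, got in findings:
        print(f"FAIL {key}: expected {want!r}, found {got!r}")
    print("findings after repair:", assess(repaired["sshd_config"], POLICY))
```

The hash comparison catches any change to a file, including ones the policy does not cover, while the re-assessment shows whether a detected change actually weakened the hardened state.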




For more information on Tripwire’s SCM suite, please visit Tripwire.
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Dernier (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

SCM: The "Blocking and Tackling" of IT Security

WHITE PAPER

When it comes to today’s threats, it’s back to basics. Security configuration management means getting serious about fundamentals, like hardening ever-changing IT configurations and keeping them that way.

Cloud computing. Virtualization. Social networking. IT consumerization. What do these trends all have in common? Besides promising to radically change the face of corporate technology today, they create threat vectors that can leave companies vulnerable to a whole new world of attacks, expanding the potential for data breaches. Despite these rising threats, uncertain economic times are resulting in shrinking IT budgets.

Fewer dollars and less IT staff devoted to securing infrastructures have security professionals struggling to keep up. The IT security market is overflowing with options designed to protect corporate infrastructure from unauthorized access; some essential, some not, but all marketed as critical. As vendors work up a fever pitch over the latest threats and the products that protect against them, it’s easy for security professionals to forget the basics. Yet, as with any discipline, the basics must be addressed in order for strategies to succeed.

Getting back to basics means repeatedly taking a hard look at one’s security environment, crossing all the T’s and dotting all the I’s. And then doing it again. After all, if a basic level of security isn’t maintained and a breach occurs, the blame falls squarely on the shoulders of the security professional. Still, in the realm of security basics, hardening security configurations across corporate IT assets may seem like reverting back to Security 101. But when attackers troll for the least-defended environments, such security measures are exactly what it takes to force attackers on to greener pastures. Think about it — it’s why a burglar looks for an open window or door before he breaks one.

Custom Solutions Group
Attackers in the House

Data breaches continue to rank as a top threat to corporate environments, as more and more attackers successfully find their way into networks. According to Verizon’s 2011 Data Breach Investigation Report, data loss through cyber attacks decreased significantly in 2010, but the total number of breaches was higher than ever. The number of compromised records involved in data breaches dropped to 4 million in 2010, down from 144 million in 2009. Yet there were approximately 760 breaches last year, the largest number since the report’s inception.

This means that while attackers don’t always steal data, their ability to gain unauthorized access continues to grow. Considering that many attacks today aren’t isolated incidents — attackers often work to break down a network’s security over time — breaches that don’t result in immediate data theft may still be dangerous as they lay the groundwork for future harm. In 2010 outsiders were responsible for more data breaches than in the past, totaling 92 percent, which Verizon attributes to the significant increase in smaller external attacks.

“Right now, the threat of breaches from external parties is the No. 1 issue my clients worry about,” says Daniel Blander, CEO & Co-Owner of InfoSecurityLab, which builds worldwide information security and risk management programs for businesses.

And while the theft of customer or employee personal data and corporate financial data is still concerning, companies today are most worried that their intellectual property (IP) could be stolen as a result of unauthorized network access. “IP is getting higher and higher on executives’ lists of worries. Companies really care about competitors finding out their project ideas and having them show up somewhere else in the world with some other company’s name on it,” says Blander.

In fact, in its June report entitled “Perceptions About Network Security,” the Ponemon Institute found that 80 percent of the 583 IT security practitioners in the U.S. who responded to a survey said they had experienced at least one data breach. Of those who were able to calculate the cost of security breach — including cash outlays, internal labor, overhead, revenue losses, and other related expenses — 41 percent said the breach cost them $500,000 or more.

What’s more, 53 percent of respondents to the Ponemon survey said they have little confidence that they would be able to avoid one or more cyber attacks in the next 12 months. If these companies haven’t focused on laying a sturdy foundation for their company’s security, they have good reason to worry.

An Ounce of Prevention

Perhaps most disturbing, however, is the simple fact that the vast majority of breaches that occur could have been prevented. Verizon’s report says that 92 percent of last year’s attacks were not considered ‘highly difficult,’ and 96 percent could have been avoided through simple or intermediate control. What’s more, 50 percent of the breaches involved hacking and 49 percent involved malware (with some overlap that involved both) and both of these vectors prey primarily on weakly configured or loosely monitored systems.

While there’s no such thing as an IT environment that is 100 percent secure, taking fundamental steps to assess and harden IT systems is the basic “blocking and tackling” of IT security that removes the root cause of the vast majority of breaches. These steps include:

  • Assess and inventory configurations on all servers and devices, and compare the results to some understood, recognized security standard (like CIS, NIST, or ISO-27001)
  • Gain immediate, real-time insight into any changes to the files, configuration items and states that define this security standard

“Blocking and tackling” for security professionals means going back to basics and eliminating the “easy ins” preyed on by attackers in the Verizon report, like open ports and unused services, the use of default or easily guessed administrator passwords, or improperly configured firewalls. “Blocking and tackling” for IT security teams also means keeping continuous watch on these systems, to detect the clues that indicate attacks in progress, like security controls disabled by anti-forensic activities, oddly elevated permissions, or unexpected changes to critical files.

Security configuration management solutions are built to make these issues visible to IT security professionals, and to give them the information and tools they need to manage them in the most automated way possible.

80% of the IT security practitioners in the U.S. who responded to a survey said they had experienced at least one data breach.
41% of those who were able to calculate the cost of security breach said the breach cost them $500,000 or more. Including cash outlays, internal labor, overhead, revenue losses, and other related expenses.
SOURCE: Ponemon Institute report Perceptions About Network Security
BASE: 583 IT security practitioners

Hardening Systems is Job #1

Yet in complex corporate IT settings, it’s easy to understand how these basic steps to security are overlooked. Software deployments, upgrades and patches are constantly changing the computing environment, and so maintaining standard configurations becomes difficult. Even the smallest changes can affect how permissions are set or which ports are to be used. Security professionals need help; they need an end-to-end view of the entire IT infrastructure so they can be kept informed of configurations, detect changes to standard configurations, and correct as needed.

Security Configuration Management (SCM) tools play an essential role in securing today’s networks by providing security professionals with that ongoing, base level of assurance from which they can build their security strategies.

“Most attacks are targets of opportunity; the attacker is bouncing around until he finds a weakly defended system, and then uses that to wriggle into a network of connected machines. Because of that reality, hardening systems is Job #1,” says Michael Thelander, director of product marketing with Tripwire. “If it’s too hard for the passing hacker, worm, or malware, the attacker may just pass on to less defended targets.”

SCM helps security experts cover the basics:

  • It provides a base level of assurance by defining hardening and security guidelines that establish a company’s basic known and trusted state, building the foundation of security;
  • It takes an end-to-end approach and offers the best value for a company’s security dollars because it can exist in every piece of the infrastructure. Security professionals can harden their servers, desktops, firewalls, switches, virtual systems, applications, databases, and more with one solution;
  • Done correctly, it provides integrated monitoring capabilities that detect and act when configurations change unexpectedly;
  • It leverages third-party security benchmarks, and therefore doesn’t require the lengthy, involved creation of custom rules in order to be effective;
  • It’s an automated solution that can in many cases re-test configuration states when a change is detected;
  • When used in conjunction with Security Information and Event Management (SIEM) tools, it helps narrow the field so security professionals can more quickly pinpoint the problem.

By leveraging SCM, companies can increase the overall level of difficulty that attackers are met with upon attempting to gain access, while also reducing the attack surface. These tools also allow companies to measure their level of security and reduce the amount of work required by other security tools, such as SIEM products.

With SCM “you’re creating a baseline of security and you have the opportunity in doing that to eliminate a very large percentage of weaknesses,” says InfoSecurityLabs’ Blander. Commercial software is always shipped with vulnerabilities, and that’s something companies must deal with. “We must build our systems with a level of security to eliminate weakness, to a level that is better than the settings software manufacturers provide, to raise the expected level of security. If we don’t pay attention to those, we allow for weaknesses.”

A Realistic View of Security

Beyond technology, many IT professionals must work to change the corporate mindset regarding security. Companies today prefer to believe that a data breach won’t happen to them — they think they’re too small, too far off the radar, or don’t deal in enough sensitive information to be a fruitful target. The security professional’s job is to re-educate the organization for its own good. High profile, brand-name cases like the Sony breach garner most of the news attention, but the Verizon report showed a 230 percent increase in attacks against small companies of 100 or fewer employees. Clearly, there’s no such thing as “too small” or “too mundane.”

Given the high likelihood that a data breach will occur, security professionals must shift the conversation from “What will happen if we suffer a breach” to “We are highly likely to suffer a breach, let’s talk about strategies for rapid detection and minimal loss.” It isn’t easy for security professionals to draw attention to their companies’ security weaknesses, but being able to face the reality of a potential breach means they can be more proactive about dealing with the consequences.

“The likelihood of a breach is so high, it’s incumbent on them to explain to others that this is the state of the world,” says Tripwire’s Thelander.

This is another area where SCM can help, by closing the gap between the time of breach and detection, thus ensuring that when a breach does happen it will be detected as soon as possible to minimize impact. Implementing this technology raises the confidence of a company’s executives regarding overall security, and also sends a message to customers that a company is taking the necessary steps to protect their data.

“From a sales and marketing perspective, SCM lets us demonstrate to the customer that if they go with us, we’re thinking about their data and protecting their data — it helps us put a little wedge between us and the competition,” says Art Taylor, president and CEO of Benefit Allocation Systems, which provides a web-based employee benefits administration service. “For me, SCM lets me put my head on the pillow each night; it gives me a level of insurance.”

Taylor went back to security basics, and he can sleep at night.

Building the Right SCM Toolkit

When getting back to those security basics, an effective SCM toolkit is about as fundamental as it gets. But remember all tools are not created equal. So security professionals should fill their toolkits with solutions that are purpose-built to provide end-to-end protection and facilitate the mandates to prevent, detect, and correct.

  • PREVENT: SCM tools must be able to assess IT configurations against a wide range of policy and platform configurations to prevent vulnerabilities from the onset;
  • DETECT: The right tools should be able to detect changes to configuration states and files in real time, including changes that occur at the server, database, directory server, and network device level. They should also feed real-time information to policy management tools to provide truly continuous monitoring of files and configurations;
  • CORRECT: SCM tools should also provide an automated way to repair broken or misaligned security configurations using role-based workflows, detailed reporting, and fully executable scripts that speed remediation time, reduce risk, and save time and money.

When all three of these SCM capabilities are rolled into one complete solution, getting back to those security basics gets a little easier. That’s certainly a best practice to strive for — especially when the devastating march of security breaches goes on and on and on.

For more information on Tripwire’s SCM suite, please visit Tripwire.
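The prevent, detect, and correct capabilities described above can be sketched as three functions run over configuration snapshots of one host. This is an added example, not code from the white paper or from Tripwire; the baseline rules, snapshot fields and host values are all constructed for illustration.

```python
import copy
import hashlib
import json

# Constructed baseline policy; rule names are hypothetical, not CIS/NIST/ISO 27001 items.
BASELINE = {
    "allowed_open_ports": {22, 443},
    "forbidden_services": {"telnet", "ftp"},
    "firewall_default_policy": "deny",
}

# Constructed snapshots of one host: the known, trusted state and a later drifted state.
TRUSTED = {
    "open_ports": [22, 443],
    "services": ["nginx", "sshd"],
    "default_admin_password": False,
    "firewall_default_policy": "deny",
    "audit_logging": "enabled",
    "file_modes": {"/etc/shadow": "0640"},
}
DRIFTED = dict(TRUSTED, open_ports=[22, 23, 443], services=["nginx", "sshd", "telnet"],
               audit_logging="disabled", file_modes={"/etc/shadow": "0666"})


def assess(snapshot):
    """PREVENT: list where a snapshot violates the baseline policy."""
    findings = [("open_port", p) for p in
                sorted(set(snapshot["open_ports"]) - BASELINE["allowed_open_ports"])]
    findings += [("forbidden_service", s) for s in
                 sorted(set(snapshot["services"]) & BASELINE["forbidden_services"])]
    if snapshot["default_admin_password"]:
        findings.append(("default_admin_password", True))
    if snapshot["firewall_default_policy"] != BASELINE["firewall_default_policy"]:
        findings.append(("firewall_default_policy", snapshot["firewall_default_policy"]))
    return findings


def fingerprint(snapshot):
    """Hash each configuration item so the trusted state can be stored compactly."""
    return {key: hashlib.sha256(json.dumps(value, sort_keys=True).encode()).hexdigest()
            for key, value in snapshot.items()}


def detect(trusted_fp, snapshot):
    """DETECT: report items that changed, appeared or vanished since the trusted state."""
    current_fp = fingerprint(snapshot)
    shared = trusted_fp.keys() & current_fp.keys()
    return {
        "changed": sorted(k for k in shared if trusted_fp[k] != current_fp[k]),
        "added": sorted(current_fp.keys() - trusted_fp.keys()),
        "removed": sorted(trusted_fp.keys() - current_fp.keys()),
    }


def correct(trusted, snapshot, drift):
    """CORRECT: return a repaired copy with every drifted item restored."""
    repaired = copy.deepcopy(snapshot)
    for key in drift["changed"] + drift["removed"]:
        repaired[key] = copy.deepcopy(trusted[key])
    for key in drift["added"]:
        del repaired[key]
    return repaired


def run_cycle():
    """Assess, detect drift, repair, then re-test the repaired configuration."""
    trusted_fp = fingerprint(TRUSTED)
    drift = detect(trusted_fp, DRIFTED)
    repaired = correct(TRUSTED, DRIFTED, drift)
    return assess(DRIFTED), drift, assess(repaired), detect(trusted_fp, repaired)


if __name__ == "__main__":
    for result in run_cycle():
        print(result)
```

The policy assessment flags only the new telnet port and service, while drift detection also surfaces the disabled audit logging and the loosened file mode, which no baseline rule covered.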
Custom Solutions Group