How to Prevent Dangerous Misconfigurations of Information Security Technology - By Cybersecurity Expert Joseph Steinberg
Nearly all major cyber-breaches today are the result, at least in part, of human error. That error often takes the form of a human falling prey to a social engineering scam, or of a person misconfiguring a computer, networking, or security system.
While in earlier eras, programming errors accounted for a significant percentage of the flaws in security systems, today – after decades of technical improvements in security products – human error far more frequently manifests itself in the form of misconfigurations.
Since it is humans – not machines – who normally configure security technologies, it is people who make the configuration mistakes. Such misconfigurations most often occur at the time a change is being made; as such, when it comes to security, the process by which changes to security configurations are managed becomes critical, and understanding that change management process can help reduce exposure to misconfigurations.
The steps below represent an example of one such process; they are meant to provoke thought and serve as a guide, not serve as a biblical mandate for mandatory steps and processes.
Step 1 – An authorized party determines that a change needs to be made – After careful analysis, a party who has the authorization to do so determines that a change must be made. This change might be the implementation of a new technology, a change made to existing technology, the removal of some technology, or something else – but, in the context of this article, we are discussing changes made to the configuration of existing technology.
Step 2 – An authorized party requests that the change be made – It is important to make sure that any party requesting a change is actually authorized to make such a request. Information security change requests should be made through formal systems with proper authentication, authorization, and auditing capabilities. Secured, signed emails can serve such a purpose.
Step 3 – Proper analysis and planning is done before making the change – All parties that will be impacted by the change must clearly understand what is going to happen, and what impact the change will have on them and upon any informational resources for which they are responsible. If a party believes that the change will create risk it should communicate its concerns; sometimes a change will be cancelled or changed (no pun intended) in such situations.
Step 4 – Final approval is issued for making the change – After all risks have been discussed and all stakeholders informed, the person authorized to issue final approval should determine if he or she will issue such approval, and, if so, issue the formal go ahead.
At times this person may reject the change – if this is done, however, he or she should explain in detail why, and what steps can be taken so that he or she will reconsider, or what other actions can be taken to accommodate the business needs of the change-requesters without actually having to make the requested change.
Step 5 – Test the change – If possible, test the change in a testing and/or staging environment. Make sure there are no adverse unintended consequences.
Step 6 - Implement the change – The change should be implemented exactly as agreed upon.
Step 7 – Document the change – Everything related to the change that was just made should be documented. What was done, who requested it, who approved it, why it was done, and so on.
Step 8 – Test the change – Immediately after making the change and documenting it, verify that the change was made exactly as requested and that everything works as expected. Look for any errors that may lead to security vulnerabilities or other problems.
Step 9 – Notify all stakeholders – They need to know when the change is live.
Step 10 – Obtain sign-off on the change request – Have the authorized requestor sign off that the change was made as requested, works as expected, and that there are no known problems.
Step 11 – Document everything related to the change that has been made.
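The verification and documentation steps above (Steps 3, 4 and 7 through 11) can be made mechanical rather than left to memory. The following is an added example, not code from the article or its author: a change request records who asked for the change, who approved it and exactly which settings it is allowed to alter; a snapshot of the configuration is taken before and after implementation; and the observed difference is compared against the approval, so that an unapplied setting, a wrong value, or any setting that moved without approval is flagged before sign-off. The flat key/value configuration format and all sample settings (`BEFORE`, `AFTER_AS_APPROVED`, `AFTER_WITH_DRIFT`, the `CHG-0001` request) are constructed for this example and stand in for whatever system is actually being changed.

```python
"""Check that a security-configuration change matches what was approved.

Added example, not from the original article. Configuration is modelled as a
flat key/value mapping, an assumption made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Config = Dict[str, str]


@dataclass
class ChangeRequest:
    """Step 2 (formal request) and Step 4 (final approval)."""
    change_id: str
    requested_by: str
    rationale: str
    expected: Dict[str, Optional[str]]  # key -> approved new value; None = remove key
    approved_by: Optional[str] = None   # filled in at Step 4


@dataclass
class VerificationResult:
    """Step 8: how the post-change configuration compares with the approval."""
    change_id: str
    missing: List[str] = field(default_factory=list)      # approved but not applied
    wrong_value: List[str] = field(default_factory=list)  # applied with the wrong value
    unapproved: List[str] = field(default_factory=list)   # changed without approval

    @property
    def ok(self) -> bool:
        return not (self.missing or self.wrong_value or self.unapproved)


def diff_configs(before: Config, after: Config) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Every key whose value differs between the two snapshots: key -> (old, new)."""
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def verify_change(request: ChangeRequest, before: Config, after: Config) -> VerificationResult:
    """Compare the observed change against the approved one (Step 8).

    Refuses to verify a request without final approval, so an unapproved
    change can never be signed off as correct (Step 10).
    """
    if request.approved_by is None:
        raise PermissionError(f"change {request.change_id} has no final approval")
    result = VerificationResult(change_id=request.change_id)
    observed = diff_configs(before, after)
    for key, wanted in request.expected.items():
        if key in observed:
            if observed[key][1] != wanted:
                result.wrong_value.append(key)
        elif after.get(key) != wanted:
            result.missing.append(key)  # untouched and still not at the approved value
    # Anything that moved outside the approved set is drift, even if it looks like
    # a hardening: it was never analysed (Step 3) or approved (Step 4).
    result.unapproved = [key for key in observed if key not in request.expected]
    return result


def change_record(request: ChangeRequest, result: VerificationResult, implemented_by: str) -> Dict[str, object]:
    """Steps 7 and 11: what, who requested, who approved, who did it, and the outcome."""
    return {
        "change_id": request.change_id,
        "requested_by": request.requested_by,
        "approved_by": request.approved_by,
        "implemented_by": implemented_by,
        "rationale": request.rationale,
        "expected": request.expected,
        "verified_ok": result.ok,
        "findings": {"missing": result.missing, "wrong_value": result.wrong_value,
                     "unapproved": result.unapproved},
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }


# Constructed sample data: a baseline snapshot and two possible post-change snapshots.
BEFORE: Config = {"ssh.permit_root_login": "yes", "ssh.password_auth": "yes",
                  "tls.min_version": "1.0", "admin.port": "8443"}
SAMPLE_REQUEST = ChangeRequest(
    change_id="CHG-0001", requested_by="alice", approved_by="bob",
    rationale="disable root SSH login and raise the TLS floor",
    expected={"ssh.permit_root_login": "no", "tls.min_version": "1.2"},
)
AFTER_AS_APPROVED: Config = {**BEFORE, "ssh.permit_root_login": "no", "tls.min_version": "1.2"}
# Implemented sloppily: wrong TLS floor, password auth flipped, and a setting nobody approved.
AFTER_WITH_DRIFT: Config = {**BEFORE, "ssh.permit_root_login": "no", "ssh.password_auth": "no",
                            "tls.min_version": "1.1", "admin.allow_any": "yes"}

if __name__ == "__main__":
    for label, after in (("as approved", AFTER_AS_APPROVED), ("with drift", AFTER_WITH_DRIFT)):
        result = verify_change(SAMPLE_REQUEST, BEFORE, after)
        record = change_record(SAMPLE_REQUEST, result, implemented_by="carol")
        print(label, "->", "OK" if result.ok else "REJECT", record["findings"])
```

Run as a script, the approved snapshot verifies cleanly while the drifted one is rejected with `tls.min_version` listed as a wrong value and `admin.allow_any` and `ssh.password_auth` listed as unapproved. Note that `ssh.password_auth` is rejected even though turning it off is a hardening: the point of Steps 3 and 4 is that nothing reaches production that was not analysed and approved, and the check enforces that uniformly rather than judging each unplanned change on its merits.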
Of course, the steps above oversimplify; there are entire books written on change management. But understanding the concepts behind the steps can help prevent costly errors.