Configuration Management

Overview
Configuration Management standards for platforms (e.g. UNIX/Windows systems, network devices, databases) should be documented, implemented and maintained to ensure systems are configured securely and consistently to protect sensitive information.

Guidelines
Organizations should establish and document standards for each platform type by utilizing security industry guidelines (e.g. NIST) or "baselines" to help maximize confidentiality, integrity and availability of information. The baseline should include security settings that should be incorporated into each new platform prior to adding the system to the network. For example, a configuration baseline for a Windows or UNIX server can include disabling insecure protocols (such as Telnet, RSH), setting a time sync service, setting security log configurations, enforcing password requirements, and much more.

Typically, new platforms can be configured from a base image with all security requirements already baked in, or the requirements can be deployed via a configuration management tool immediately after the image is deployed. It is very important to ensure secure baselines and critical patches are installed on systems and devices before they are added to a production network, and especially before they are available for internet or customer traffic. A system on a production network that is not configured securely is more likely to be compromised.

Once a baseline is established, configuration management systems should use the baseline to measure systems on the network by scanning for deviations from the standard. Vulnerability scanners should also be used to detect vulnerabilities on all devices on the network. Unauthorized changes should be swiftly remediated using a risk-based approach.

Finally, a configuration management process includes, but is not limited to, the following:
  • Ensure new systems or devices are built to meet a standard configuration prior to production implementation
  • Ensure systems are scanned periodically to detect vulnerabilities and deviations from the standard
  • Ensure vulnerabilities and deviations from the standard are remediated in a timely manner
  • Ensure changes are authorized and documented prior to making changes in production.
Also, see the "Change Management" and "Integrity Checking" topics for more information on methods to help ensure systems are maintained to established standards.
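
The following is an added example, not part of the original page: a minimal baseline-deviation check that compares collected host settings against the baseline items named above and orders the findings for risk-based remediation. The setting names, severity values, exposure weighting and host inventory are hypothetical and constructed for illustration.

```python
# Baseline items mirror the examples in the text. Setting names, severities
# and the 14-character minimum are hypothetical values for this illustration.
BASELINE = {
    "telnet_enabled":       {"expect": False, "severity": 9},
    "rsh_enabled":          {"expect": False, "severity": 9},
    "time_sync_enabled":    {"expect": True,  "severity": 5},
    "security_log_enabled": {"expect": True,  "severity": 7},
    "min_password_length":  {"expect": lambda v: isinstance(v, int) and v >= 14,
                             "severity": 6},
}

# Constructed inventory: facts as a scanner or agent might report them.
INVENTORY = [
    {"name": "web01", "internet_facing": True,
     "facts": {"telnet_enabled": False, "rsh_enabled": False, "time_sync_enabled": True,
               "security_log_enabled": True, "min_password_length": 8}},
    {"name": "db02", "internet_facing": False,
     "facts": {"telnet_enabled": True, "rsh_enabled": False, "time_sync_enabled": False,
               "security_log_enabled": True, "min_password_length": 14}},
    {"name": "sw03", "internet_facing": False,   # rsh_enabled was never collected
     "facts": {"telnet_enabled": False, "time_sync_enabled": True,
               "security_log_enabled": True, "min_password_length": 16}},
]

NOT_COLLECTED = "not collected"

def find_deviations(host):
    """Return (risk, host, setting, observed) for each baseline deviation."""
    weight = 2 if host.get("internet_facing") else 1   # exposure raises priority
    found = []
    for setting, rule in BASELINE.items():
        observed = host["facts"].get(setting, NOT_COLLECTED)
        expect = rule["expect"]
        if observed == NOT_COLLECTED:
            compliant = False          # an unverified setting is not compliant
        elif callable(expect):
            compliant = expect(observed)
        else:
            compliant = observed is expect   # strict: "no" or 0 is not False
        if not compliant:
            found.append((rule["severity"] * weight, host["name"], setting, observed))
    return found

def remediation_queue(inventory):
    """All deviations across hosts, highest risk first (risk-based remediation)."""
    rows = [d for host in inventory for d in find_deviations(host)]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for risk, name, setting, observed in remediation_queue(INVENTORY):
        print(f"risk={risk:>2} {name:<6} {setting} = {observed!r}")
```

A setting that was never collected is reported as a deviation rather than assumed compliant, so gaps in scan coverage surface in the same queue as real drift.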

Topic Category
Operations and Communications Management
 
News Articles
Comcast fixes another Xfinity website data leak (www.zdnet.com, 6/25/2018)
Unprotected Server Exposes Weight Watchers Internal IT Infrastructure (threatpost.com, 6/11/2018)
Ex-CEO on TalkTalk mega breach: It woz 'old shed' legacy tech wot done it (www.theregister.co.uk, 6/5/2018)
ISP popped router ports, saving customers the trouble of making themselves hackable (www.theregister.co.uk, 5/29/2018)
NameCheap to Notify Customers of Misconfiguration Issue that Allowed Subdomain Creation on Any Hosted Account (www.tripwire.com, 2/7/2018)
Monero Mining Software Found on Oil Transport Company’s Systems (www.tripwire.com, 12/18/2017)
Synaptics to Remove "Keylogger" Functionality From Drivers (www.securityweek.com, 12/15/2017)
Synaptics Says Claims of a Keylogger in HP Laptops are False (threatpost.com, 12/14/2017)
Data-slurping keyboard app makes Mongo mistake with user data (www.theregister.co.uk, 12/5/2017)
Stupid, stupid MacOS security flaw grants admin access to anyone (www.zdnet.com, 11/28/2017)
Massive US military social media spying archive left wide open in AWS S3 buckets (www.theregister.co.uk, 11/17/2017)
Internal Accenture Data, Customer Information Exposed in Public Amazon S3 Bucket (threatpost.com, 10/11/2017)
Verizon Engineer Exposes Internal System Data (www.securityweek.com, 9/25/2017)
Manchester plod still running 1,500 XP machines (www.theregister.co.uk, 9/20/2017)
Windows 10 Users to Get Improved Privacy Controls (www.securityweek.com, 9/18/2017)
VMware adds whitelist security to the hypervisor (www.networkworld.com, 9/11/2017)
Don't panic, Chicago, but an AWS S3 config blunder exposed 1.8 million voter records (www.theregister.co.uk, 8/17/2017)
Azure security boss tells sysadmins to harden up and properly harden Windows Server (www.theregister.co.uk, 7/31/2017)
An internet-connected fish tank let hackers into a casino’s network (www.helpnetsecurity.com, 7/27/2017)
Virgin Media tells 800,000 customers to change passwords after routers found vulnerable to hackers (www.zdnet.com, 6/23/2017)
Millions and millions of computers still run Windows XP. And they’re all in big trouble (www.wired.com, 5/14/2017)
Windows zero-day affects 600,000 older servers, but likely won't be patched (www.zdnet.com, 3/30/2017)
If You Want to Stop Big Data Breaches, Start With Databases (www.wired.com, 3/29/2017)
‘Anonymous’ FTP Servers Leaving Healthcare Data Exposed (threatpost.com, 3/29/2017)
APT29 Domain Fronting With TOR (www.fireeye.com, 3/27/2017)
Stuffed toys database left personal data exposed, says security expert (www.zdnet.com, 2/28/2017)
Security lapse exposed New York airport's critical servers for a year (www.zdnet.com, 2/24/2017)
Removing admin rights mitigates most critical Microsoft vulnerabilities (www.helpnetsecurity.com, 2/23/2017)
Netflix treats security ills with Stethoscope: Open-source self-probing tool (www.theregister.co.uk, 2/22/2017)
Researchers discover over 170 million exposed IoT devices in major US cities (www.zdnet.com, 2/15/2017)
Report: some small cities have surprisingly high number of exposed devices (www.csoonline.com, 2/15/2017)
Windows 10 will soon have a very different security system (www.networkworld.com, 2/13/2017)
Thousands of Hadoop clusters still not being secured against attacks (www.scmagazine.com, 2/10/2017)
Hacker stackoverflowin pwning printers, forcing rogue botnet warning print jobs (www.networkworld.com, 2/5/2017)
Mozilla to scrap Firefox support on Windows XP and Vista in 2017 (www.computerworld.com, 12/26/2016)
Apple's macOS file encryption can be bypassed without latest fixes (www.computerworld.com, 12/16/2016)
Sony kills off secret backdoor in 80 internet-connected CCTV models (www.theregister.co.uk, 12/6/2016)
Hacker can backdoor your computer and router in 30 seconds with $5 PoisonTap device (www.computerworld.com, 11/16/2016)
NIST publishes massive report on IoT cybersecurity needs (www.scmagazine.com, 11/15/2016)
Microsoft adds macro blocker to Office 2013 to stymie old-school attackers (www.computerworld.com, 10/27/2016)
Serious Dirty Cow Linux Vulnerability Under Attack (threatpost.com, 10/21/2016)
Compromised Routers Used for Variety of Badness (www.securityweek.com, 10/17/2016)
Hacker grabs over 58 million customer records from data storage firm (www.tripwire.com, 10/13/2016)
Smash and grab PoS pwners ready with pre-Xmas malware update (www.theregister.co.uk, 10/7/2016)
IoT botnet highlights the dangers of default passwords (www.computerworld.com, 10/3/2016)
Internet of Sins: Million more devices sharing known private keys for HTTPS, SSH admin (www.theregister.co.uk, 9/7/2016)
Network Management Systems are a 'treasure map' for hackers (www.theregister.co.uk, 9/7/2016)
An unsecured database leaves off-the-grid energy customers exposed (www.zdnet.com, 8/30/2016)
Google's Santa macOS malware sniffer goes open source (www.zdnet.com, 8/18/2016)
Undocumented SNMP String Exposes Rockwell PLCs to Remote Attacks (threatpost.com, 8/12/2016)
SWIFT threatens to give insecure banks a slap if they don't shape up (www.theregister.co.uk, 6/3/2016)
Info on 93 million Mexican voters found on an Amazon cloud server (www.helpnetsecurity.com, 4/25/2016)
Facebook bug hunter finds a back door left by hackers on corporate server (www.computerworld.com, 4/22/2016)
Federal cyber team tells Windows users to quit QuickTime (www.computerworld.com, 4/18/2016)
Microsoft: Windows 10, Edge so secure they don't need our EMET anti zero-day shield (www.zdnet.com, 2/5/2016)
Dell will protect the boot layer of PCs, tablets (www.computerworld.com, 2/4/2016)
Microsoft: Windows 7 in 2017 is so outdated that patches can't keep it secure (www.zdnet.com, 1/17/2016)
Malware implants on Cisco routers revealed to be more widespread (www.computerworld.com, 9/21/2015)
Controlling Outbound DNS Access (www.us-cert.gov, 8/28/2015)
Dixons Carphone still has 7.5k Windows XP EPOS systems (www.channelregister.co.uk, 8/18/2015)
Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe" (isc.sans.edu, 8/3/2015)
US Navy pays millions to cling to Windows XP (nakedsecurity.sophos.com, 6/24/2015)
Fukushima nuke plant owner told to upgrade from Windows XP (www.theregister.co.uk, 4/23/2015)
Update: Credit card terminals have used same password since 1990s (www.computerworld.com, 4/23/2015)
Linux kernel set to get live patching in release 3.20 (www.theregister.co.uk, 2/11/2015)
ISC website compromised, possibly due to vulnerable WordPress plugin (www.scmagazine.com, 12/29/2014)
WordPress 4.0.1 Security Release (wordpress.org, 11/20/2014)
Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006 (www.drupal.org, 11/19/2014)
Alert (TA14-310A) Microsoft Ending Support for Windows Server 2003 Operating System (www.us-cert.gov, 11/10/2014)
NIST to hypervisor admins: secure your systems (www.theregister.co.uk, 10/23/2014)
POODLE exploits SSL 3.0 fallback (www.scmagazine.com, 10/15/2014)
FBI’s Story of Finding Silk Road’s Server Sounds a Lot Like Hacking (www.wired.com, 9/8/2014)
Stay up-to-date with Internet Explorer (blogs.msdn.com, 8/8/2014)
Backoff: New Point of Sale Malware (www.us-cert.gov, 7/31/2014)
Secondhand Point-o-Sale terminal was horrific security midden (www.theregister.co.uk, 7/21/2014)
WordPress plugin vulnerabilities affect 20 million downloads (www.zdnet.com, 7/17/2014)
Java Support ends for Windows XP (isc.sans.edu, 7/5/2014)
Critical flaw in WordPress newsletter plug-in endangers many blogs (www.computerworld.com, 7/2/2014)
Not big, not clever: Some businesses just can't let go of Windows XP (www.zdnet.com, 6/18/2014)
Bank of Montreal ATM hacked with weak password (www.zdnet.com, 6/10/2014)
Do you use NAS drives? For work? One just LEAKED secret cash-machine blueprints (www.theregister.co.uk, 5/13/2014)
Hackers target ZOMBIE XP boxes: Get patching, Internet Explorer 8 users (www.theregister.co.uk, 5/2/2014)
Windows XP stays strong despite end of support (www.cnet.com, 5/1/2014)
Red Hat plans unified security management for Fedora 21 (www.theregister.co.uk, 3/18/2014)
Old JBoss vuln in the wild, needs patching (www.theregister.co.uk, 11/19/2013)
Hacking Your Way Through Airports and Hotels (www.tripwire.com, 11/14/2013)
Power Plants and Other Vital Systems Are Totally Exposed on the Internet (www.wired.com, 11/8/2013)
Microsoft security research paints bleak picture for XP users (www.zdnet.com, 10/29/2013)
Researchers Uncover Holes That Open Power Stations to Hacking (www.wired.com, 10/16/2013)
Configuration Compliance and Patch Management Processes (www.tripwire.com, 9/15/2013)
Office 2003 soon to lose support too (www.zdnet.com, 8/28/2013)
Remotely Exploitable Bug Affects Wide Range of Cisco TelePresence Systems (threatpost.com, 8/7/2013)
Virtualisation security: Where firms are falling down (www.zdnet.com, 6/21/2013)
DHS warns of vulns in hospital medical equipment (www.theregister.co.uk, 6/14/2013)
Locking Down Desktops With McAfee’s Application Control (blogs.mcafee.com, 6/6/2013)
Flurry of products pushing BYOD in India (www.zdnet.com, 5/17/2013)
Windows 8 security for healthcare IT (www.zdnet.com, 5/1/2013)
WordPress attack highlights 30 million targets (www.zdnet.com, 4/19/2013)
Brute Force Attacks Build WordPress Botnet (krebsonsecurity.com, 4/12/2013)
AMI PC firmware upgrade scare: The global security meltdown that wasn't (www.theregister.co.uk, 4/11/2013)
XP migration easy pickings over, say experts (www.computerworld.com, 4/9/2013)
Tick-tock! 40% of PCs start Windows XP malware meltdown countdown (www.theregister.co.uk, 4/8/2013)
Watch out, office bods: A backdoor daemon lurks in HP LaserJets (www.theregister.co.uk, 3/15/2013)
Tripwire buys nCircle (www.theregister.co.uk, 3/11/2013)
cPanel: Reset your root passwords! Hackers broke into our system (www.theregister.co.uk, 2/27/2013)
Hacking victim Bit9 blames SQL injection flaw (www.computerworld.com, 2/25/2013)
Brace for MORE ZOMBIE ATTACK ALERT pranks, warns security bod (www.theregister.co.uk, 2/18/2013)
6 threats facing BYOD (www.zdnet.com, 2/14/2013)
Security Firm Bit9 Hacked, Used to Spread Malware (krebsonsecurity.com, 2/8/2013)
Juniper’s Junos Could Open Routers to TCP Attacks (threatpost.com, 2/1/2013)
Kaspersky Lab adds mobile and system management to its business security offering (www.computerworld.com, 1/30/2013)
Millions of PCs exposed through network bugs, security researchers find (www.zdnet.com, 1/29/2013)
Whoops: Google indexes more than 86,000 HP 'public' printers (www.zdnet.com, 1/25/2013)
Patient data revealed in medical device hack (www.scmagazine.com, 1/17/2013)
Army Looking for Ways to Infiltrate Air-Gapped Systems (threatpost.com, 1/17/2013)
Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices (threatpost.com, 1/9/2013)
Romanian Hacker Gets 21-Month Sentence for Breaching Subway’s Point-of-Sale System (www.wired.com, 1/8/2013)
US Dept for Homeland Security shafted by trivial web bug (www.theregister.co.uk, 1/7/2013)
New WordPress vuln emerges (www.theregister.co.uk, 12/27/2012)
FBI Memo Shows Hackers Accessed Commercial HVAC Systems (threatpost.com, 12/13/2012)
ExploitHub admits 'embarrassing oversight' led to hack (www.computerworld.com, 12/11/2012)
Hardcoded Password Enables Remote Attacks on Samsung Printers (threatpost.com, 11/28/2012)
Windows XP is a ticking time-bomb with only 500 days to go (www.zdnet.com, 11/23/2012)
Apache Server-Status Publicly Viewable on Top Sites (threatpost.com, 11/2/2012)
Kaspersky Labs builds new OS to combat Stuxnet, major exploits (www.zdnet.com, 10/16/2012)
Old Operating Systems Die Harder (www.darkreading.com, 9/11/2012)
Anonymous hacker claims GoDaddy attack; outage hits millions (www.zdnet.com, 9/10/2012)
NullCrew pillages Sony servers? (www.zdnet.com, 9/3/2012)
500K Credit Cards Stolen in Australian Point-of-Sale Hack (www.wired.com, 8/17/2012)
Reuters was using old WordPress version when it was hacked (www.zdnet.com, 8/6/2012)
Reuters' Twitter account hacked (www.zdnet.com, 8/5/2012)
Reuters hacked, fake news posted (www.zdnet.com, 8/3/2012)
Oil Companies Spring a Leak, Courtesy of Anonymous (www.wired.com, 7/16/2012)
US-CERT warns of guest-to-host VM escape vulnerability (www.zdnet.com, 6/13/2012)
IPv6 Arrives, But Not Everywhere (www.darkreading.com, 6/7/2012)
FTC Charges Businesses Exposed Sensitive Information on Peer-to-Peer File-Sharing Networks, Putting Thousands of Consumers at Risk (www.ftc.gov, 6/7/2012)
Utah CIO Steve Fletcher Resigns, State Promises Security Reforms (www.govtech.com, 5/15/2012)
NSA's whitelisting approach economically blocks computer viruses (www.nextgov.com, 2/10/2012)
Utilities Facing Brute-Force Attack Threat (www.darkreading.com, 2/6/2012)
DHS, FBI Give SCADA System Vulnerability Warning (www.theregister.co.uk, 12/14/2011)
Four charged with hacking point-of-sale computers (www.computerworld.com, 12/8/2011)
Hackers 'hit' US water treatment systems (www.bbc.co.uk, 11/21/2011)
Mac OS X Sandbox Security Hole Uncovered (threatpost.com, 11/12/2011)
Sony yet to fully secure its networks: expert (www.reuters.com, 5/13/2011)
US credit card payment house (Heartland Payment Systems) breached by sniffing malware (www.theregister.co.uk, 1/20/2009)

White Papers
Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals (www.tripwire.com, 8/29/2016)
Security Flaws in Universal Plug and Play: Unplug, Don't Play (community.rapid7.com, 1/29/2013)
iOS Security (images.apple.com, 5/1/2012)
iOS Hardening Guide (www.dsd.gov.au, 6/1/2011)
Copier Data Security: A Guide for Businesses (business.ftc.gov, 11/1/2010)

Standards
DISA Network / Perimeter / Wireless STIG (DISA-STIG, 7/28/2017)
DISA MAC OS X (DISA-STIG, 7/28/2017)
DISA STIG for UNIX / Linux Products (DISA-STIG, 7/28/2017)
DISA STIG for Virtualization Products (DISA-STIG, 7/28/2017)
DISA STIG for Windows Operating Systems (DISA-STIG, 7/28/2017)
NIST Guidelines on Firewalls and Firewall Policy (NIST, 9/1/2009)
NIST Guidelines on Securing Public Web Servers (NIST, 9/1/2007)
NIST National Checklist Program for IT Products: Guidelines for Checklist Users and Developers (NIST, 12/10/2015)
NIST Guide to General Server Security (NIST, 7/1/2008)
NIST Guide to Security for Full Virtualization Technologies (NIST, 1/1/2011)
NIST SP 800-125B Secure Virtual Network Configuration for Virtual Machine (VM) Protection (NIST, 3/7/2016)
NIST Guide for Security-Focused Configuration Management of Information Systems (NIST, 8/1/2011)
NIST SP 800-147 Basic Input/Output System (BIOS) Protection Guidelines (NIST, 4/1/2011)
NIST SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist (NIST, 12/12/2016)
NIST SP 800-190 Application Container Security Guide (NIST, 9/25/2017)
The United States Government Configuration Baseline (USGCB) - Microsoft Content (USGCB, 4/20/2015)