According Gartner, through 2020, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws. And IBM Security Services’ 2014 Cyber Security Intelligence Index, reported that misconfigurations are the most commonly recorded form of human error.
A misconfiguration can be as simple as typing ‘neq’ instead of ‘eq’ – or vice versa. The difference is tiny, but the two terms have opposite meanings – ‘not equal to’ and ‘equal to’. So, in the context of network configuration, ‘eq’ will allow access to a single, specified port, whereas ‘neq’ will allow access to any other service. Such services could include FTP, Active Directory, SSH and so on.
Other types of typos can include incorrect subnet masks, which may prevent access to particular devices on the network, or direct information to an incorrect destination. These are particularly difficult to single out and identify.
So while a misplaced ‘n’ might not sound like the most serious information security threat facing your organization, in the context of configuring devices on your network, it can actually be a serious problem.
Bad news travels fast
Misconfigurations may also be a significant business issue even if it is never taken advantage of by criminals. In July, a router misconfiguration at United Airlines grounded more than 90 aircraft for over two hours. And of course, in our highly dynamic and connected world, news of the outage rapidly spread across social media and international news outlets. United’s outage wasn’t just a problem on the day, but had repercussions in terms of revenue and reputation.
Avoiding the errors
So if it’s this easy to accidentally misconfigure a device, which cause huge network – and business – disruption, what can you do about it? To answer the question, we need to examine the process by which a device change takes place within your organization’s network.
There are six stages to consider in a change control process, and at each stage, principles of visibility, testing and verification must be balanced with speed and agility. But by designing and implementing an intelligent – and automated – process, you can mitigate the risk of misconfigurations, and make it easier to spot mistakes when they occur.
The crucial principle that should underline every stage in your change control process is automation. Every step in the workflow from change request, through design and implementation to close, should be automated as much as possible to eliminate guesswork and human error. As part of the process, security policy management solutions also self-document the entire change process to provide accountability, tracking and ensure compliance.
Here is what the individual stages in that change control process should look like:
By committing to implementing each stage of this change control process as part of a unified automated workflow, you will have begun to mitigate your device misconfiguration risk. But there is more to be done. In next week’s blog, we’ll be examining how you can better align your business and IT security functions.
Receive notifications of new posts by email.