AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Secure Configurations for Firewalls, Routers, and Switches – Critical Control with an ROI!


In a recent SANS blog post, Analyzing The Cost of a HIPAA-related Breach Through the Lens of the Critical Security Controls, the writer, John Pescatore, formerly of Gartner Research, walks through the Idaho State University data breach and points to the SANS Critical Security Controls that, had the University enforced them, would have identified the policy violation before it was too late. He goes on to run a security ROI based on the fine that the University must now pay in addition to the breach notification costs. While proving a security ROI is generally a bit fuzzy, the ROI of security management is not, because there are efficiencies that can be proven, in addition to the soft costs of the potential impact of a security incident.

The aspect of this breach that I’d like to focus on is based on the SANS Critical Controls, specifically Critical Control #10, which describes “The processes and tools used to track/control/prevent/correct security weaknesses in the configurations in network devices such as firewalls, routers, and switches based on formal configuration management and change control processes.” This ties directly to the Gartner Research metric that 95% of firewall breaches are due to misconfiguration, rather than a flaw within the firewall itself. If your firewall policies and change management practices are up to snuff, you’ve already addressed 95% of this specific issue!

The SANS Critical Control #10 examines security policy configuration, security device configuration and change management processes. Configuration and change management isn’t sexy and isn’t the cool new shiny security technology that has all the latest bells and whistles, but it’s sound security that works.

Think of it this way – you could have the most security layers and the most granular policies, but if your devices are out of date or improperly configured, your network may be exposed to greater risk of a cyber-attack. Or you could be up on your device configurations, but maybe a policy was changed without the proper checks and balances and now you have a new risk in the policy that wasn’t there yesterday.

Here are a few things to consider around the importance of this Critical Control:

  1. Look into being able to automatically generate reports that compare device configurations to pre-defined baseline profiles. These profiles could be developed from security best practices, regulations and standards (such as PCI-DSS, NERC CIP, etc.) as well as your corporate policy. The value here is that automated configuration checks provide you with the necessary visibility and control to immediately identify and mitigate network device configuration risks – without putting a major burden on your IT resources.
  2. In addition to running a baseline compliance report on an individual firewall, router, switch, etc., you should be able to generate reports across groups of devices in your network for more holistic visibility of the estate. (A side benefit of #1 and #2 here is that if you can generate these reports to better mitigate risk, you can also dramatically reduce the time and cost involved with audit preparation.)
  3. Change happens! Understand the impact of security change management when done wrong and examine both processes and technology used in an effort to better enforce proper checks and balances of policy changes – and to enable change to happen more quickly to keep up with the needs of the business. The ROI you can achieve from an efficient security change management process is significant!
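
The baseline comparison described in items 1 and 2, as an added example that is not from the original post or from any product: each device configuration is checked line by line against a profile of required and forbidden settings, and the same check is then run across a group of devices. The rule names, the patterns and the two Cisco IOS-style configurations are constructed for illustration; a real profile would be derived from your own policy and the standards that apply to you.

```python
import re

# Hypothetical baseline profile (an assumption for this example, not taken
# from PCI-DSS, NERC CIP or any product): regexes matched line by line.
BASELINE = {
    "required": {   # at least one config line must match
        "ssh-only management": r"^\s*transport input ssh\s*$",
        "password encryption": r"^service password-encryption\s*$",
        "remote logging": r"^logging host \S+",
    },
    "forbidden": {  # no config line may match
        "telnet enabled": r"^\s*transport input .*\btelnet\b",
        "http server": r"^ip http server\s*$",
        "default SNMP community": r"^snmp-server community (public|private)\b",
        "any-any permit": r"^\s*(access-list \S+ )?permit ip any any\s*$",
    },
}

# Constructed sample configurations (Cisco IOS-style syntax, invented devices).
CONFIGS = {
    "edge-fw-01": "service password-encryption\nlogging host 192.0.2.10\n"
                  "line vty 0 4\n transport input ssh\n",
    "core-sw-02": "ip http server\nsnmp-server community public RO\n"
                  "access-list 101 permit ip any any\n"
                  "line vty 0 4\n transport input telnet ssh\n",
}

def check_device(config, baseline=BASELINE):
    """Return (kind, rule, line_no) findings for one device configuration."""
    lines = config.splitlines()
    findings = [("missing", rule, None)
                for rule, pat in baseline["required"].items()
                if not any(re.search(pat, line) for line in lines)]
    for rule, pat in baseline["forbidden"].items():
        findings += [("violation", rule, n)
                     for n, line in enumerate(lines, 1) if re.search(pat, line)]
    return findings

def estate_report(configs, baseline=BASELINE):
    """Run the same baseline over a group of devices (item 2)."""
    return {device: check_device(cfg, baseline) for device, cfg in configs.items()}

if __name__ == "__main__":
    for device, findings in estate_report(CONFIGS).items():
        print(f"{device}: {'COMPLIANT' if not findings else 'NON-COMPLIANT'}")
        for kind, rule, line_no in findings:
            where = f" (line {line_no})" if line_no else ""
            print(f"  {kind}: {rule}{where}")
```

Running the same report against the configuration saved before and after an approved change shows whether that change introduced a finding that was not there yesterday.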

If an attacker is motivated enough, they will eventually find their way into your network, but there are things you can do to make it a whole lot harder – and as John Pescatore walked through in detail, there is an actual ROI at the end of it!
