A secure baseline for an IT system comprises “the minimum security controls required for safeguarding the system, based on its identified needs for confidentiality, integrity and/or availability protection.” (NIST SP 800-16)
Baseline management is a vital component of an effective cybersecurity program, because misconfigured IT assets can easily introduce security vulnerabilities in enterprise IT environments.
Defining and implementing secure baseline system configurations enhances IT systems’ security and lowers the risk of unauthorized access.
Default system settings may not be security-focused
The default configuration settings that software products and systems are shipped with are often geared towards facilitating quick deployment, usability and convenience rather than security. “The presence of default accounts or passwords, excessive access, or unnecessary services are common in default configurations.” Many of these settings can expose systems to the risk of intrusion by cybercriminals.
To make systems more secure, organizations must define a baseline for secure configurations that aligns with their risk tolerance and specific needs.
A baseline built on security frameworks such as the Center for Internet Security’s (CIS) Benchmarks or DISA’s Security Technical Implementation Guides (STIGs) gives IT professionals an established, industry-vetted standard to compare system configurations against. Automating this comparison makes it easier to detect changes and security gaps that can impact an IT system’s stability or expose it to malware and other threats.
Ongoing monitoring to prevent drift
Applying baseline settings, however, is not a one-time activity. Even after secure configuration settings have been implemented, organizations must continue to monitor and manage these settings on an ongoing basis to prevent security degradation as configurations are adjusted to accommodate new operational needs (configuration drift), or as new security vulnerabilities are identified and patched.
The configuration management workflow must also incorporate a process for tracking and recording configuration updates – information that can be reviewed for compliance and audit purposes, or used during incident response investigations.
What is Configuration Drift?
Configuration drift is the gradual divergence of a system’s configuration from its desired state. This can happen for a variety of reasons, such as changes being made to the system over time, or the system not being properly maintained.
To prevent configuration drift, organizations must monitor their IT systems’ security configuration over time using baseline management tools designed for this purpose. These tools allow IT teams to define a desired state for the organization’s systems, and then automatically detect and track any changes that occur over time. This makes it easy to identify when drift has occurred and take steps to correct it.
If configuration drift remains undetected for a long time, it can:
- Lead to decreased system performance
- Introduce security vulnerabilities
- Cause systems to become unstable
Secure Baseline Scanning vs Secure Configuration Scanning
Secure baseline scanning and secure configuration scanning are similar in that they both involve checking a system for security vulnerabilities or misconfigurations. The terms are often used interchangeably. The main difference is in when they are performed.
- Secure baseline scanning is typically done when a system is first set up to establish a known good configuration that can be used as a reference point.
- Secure configuration scanning is done on an ongoing basis to check for changes or drift from the baseline configuration and bring the system back to a secure state.
CYRISMA’s Secure Baseline Scans
CYRISMA’s secure baseline scans are designed to find configuration gaps and security weaknesses in operating systems (Windows, Linux, Mac) by comparing their existing state against the CIS Benchmarks or DISA STIGs.
The systems being scanned are put through hundreds of tests under different policy categories and assigned performance grades based on the test results. Scan results include detailed recommendations to fix misconfigurations and close security gaps, and the functionality to create mitigation plans from within the CYRISMA platform.
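The drift-monitoring workflow described under “What is Configuration Drift?” and the category-graded baseline scan described above, as an added example that is not CYRISMA’s code: a baseline is a list of CIS/STIG-style checks, each host snapshot is a dict of observed settings, and two scans can be compared to produce an audit record of what changed. The check names, values and snapshots are constructed for illustration and are not quoted from any CIS Benchmark or STIG.

```python
"""Minimal secure-baseline scanner and drift detector (illustrative only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    category: str      # policy category, e.g. "SSH" or "Accounts"
    setting: str       # configuration key as observed on the host
    op: str            # "eq", "min", "max" or "absent"
    expected: object = None


# Constructed baseline (illustrative rule names, not verbatim benchmark rules).
BASELINE = [
    Check("SSH", "sshd.PermitRootLogin", "eq", "no"),
    Check("SSH", "sshd.Protocol", "eq", 2),
    Check("Accounts", "pam.minlen", "min", 14),
    Check("Accounts", "login.defs.PASS_MAX_DAYS", "max", 365),
    Check("Services", "service.telnet", "absent"),
]

# Constructed snapshots: a compliant host at deployment, then the same host
# after root SSH login was re-enabled and telnet was installed (drift).
SNAPSHOT_DAY0 = {"sshd.PermitRootLogin": "no", "sshd.Protocol": 2,
                 "pam.minlen": 14, "login.defs.PASS_MAX_DAYS": 90}
SNAPSHOT_DAY30 = {"sshd.PermitRootLogin": "yes", "sshd.Protocol": 2,
                  "pam.minlen": 14, "login.defs.PASS_MAX_DAYS": 90,
                  "service.telnet": "enabled"}


def evaluate(check, snapshot):
    """Return True when the observed value satisfies the check."""
    if check.op == "absent":
        return check.setting not in snapshot
    if check.setting not in snapshot:
        return False  # an unset value never satisfies a positive requirement
    value = snapshot[check.setting]
    if check.op == "eq":
        return value == check.expected
    if check.op == "min":
        return value >= check.expected
    if check.op == "max":
        return value <= check.expected
    raise ValueError(f"unknown op {check.op!r}")


def scan(baseline, snapshot):
    """Grade each category as (passed, total) and list failing checks."""
    grades, failures = {}, []
    for c in baseline:
        passed, total = grades.get(c.category, (0, 0))
        ok = evaluate(c, snapshot)
        grades[c.category] = (passed + int(ok), total + 1)
        if not ok:
            failures.append((c.setting, snapshot.get(c.setting), c.expected))
    return grades, failures


def drift(previous, current):
    """Settings whose observed value changed between two scans (audit trail)."""
    keys = previous.keys() | current.keys()
    return sorted((k, previous.get(k), current.get(k))
                  for k in keys if previous.get(k) != current.get(k))
```

Each failure tuple is (setting, observed, expected), which is the information a remediation plan or incident responder needs; the drift list is what should be recorded with a timestamp after every scheduled scan.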