The Importance of Security Control Baselines
The Role Of Baselines In Effective Security Management
The expression “you can’t manage what you can’t measure” has been around for decades and although it might seem like common sense, it is easy (even for the most experienced professionals) to get overloaded or distracted, and eventually lose track of the crucial indicators of their organization’s security.
For cybersecurity professionals, baseline management is vital because any asset not properly configured can become a security vulnerability. To look at this in reverse, a patch fixes a vulnerability, but patches are released into the wild, giving threat actors visibility into the very weaknesses that must be patched. It becomes a race against time: the patch versus the exploit.
A baseline is a snapshot of “where things are right now.” It gives security professionals something to compare against as things progress, including implementing patches and making configuration changes. By comparing current status against the baseline, it becomes easier to detect changes and hidden gaps that either support the system’s stability, or become places for malware and other threats to take root.
Baseline Configuration Management
Every asset in a cyber system will have records describing how the asset operates, the software and firmware installed, patches, active ports for normal and emergency operation, other enabled services, how these are configured, and their history. Key attributes of baseline configuration management include:
- Information about the asset must come from the asset itself
- A schedule must dictate when information is retrieved
- Information retrieved must be directly comparable to the baseline
- When changes are noted between current information and the baseline, they must be assessed, verified, and documented
- The goal is to ensure the safety of the asset, which entails systematically controlling the asset to a defined configuration state known to be the “most secure” configuration
It is good practice to archive previous copies of the baseline, rather than overwrite the sole copy, as they may prove useful during a forensic analysis of an incident, and as rollback points. Names and contact information of people participating in the change and in the baseline analysis should be attached. Everything should be linked to a person who is familiar with the process and accountable for it.
Baselines Are About Watching What Changes
All changes must be reviewed in the larger context of how they might affect other systems. In a software system, nothing exists in a vacuum. Changes should be reviewed to ensure they have been applied correctly and have been deployed completely and in the manner expected. Careful attention must be given to any changes that did not pass through a vetting and approval process, since changes that fail to meet the above requirements might place an organization in violation of a policy or law.
Creating And Selecting The Most Appropriate Approach To Baselining
A baseline is only as effective as its frequency and ease of use. The more frequently an organization reviews changes against a baseline, the more able it becomes to detect changes and anomalies and run the appropriate responses. Given that most organizations face numerous threats per day, a risk window of even 24 hours may be too wide, since threat elements may multiply once they discover a vulnerability, leading to an exponential problem.
Automated tools are highly recommended for baseline management since manual practices inevitably invite errors and consume time and resources. Tools are available from a range of enterprise software solution providers, or by searching for “baseline configuration management tool” online. Many of these are open source. It is also possible to create management tools using word processing and spreadsheet applications with Boolean logic formulas, but it is worth exploring and testing the options before reinventing the wheel.
A baseline configuration management tool should be:
- Relevant and applicable
- Intuitive in its design and use
- Easy to learn
- Easy to teach
- Trusted, and proven reliable
The Role Of A CAP Certified Cybersecurity Professional In Securing The Organization
Specialized experts like the Certified Authorization Professional (CAP) bridge the gap between cybersecurity specialists who work hands-on with designing and deploying the security controls, and the executives and employees who determine an organization’s future through their decisions and actions. The holder of a CAP designation demonstrates the advanced technical skills and knowledge needed to ensure a baseline configuration management tool is identified, deployed, and managed in a way that best secures the organization. A CAP can also authorize and maintain information systems, using risk management best practices, policies, and procedures.
How The CAP Certification Can Help You To Succeed
The CAP Certification represents and supports a specific skill set that is central to any organization’s future, since it blends skills such as communication and strategizing with software engineering.
To find out more about CAP and implementing controls, download our guide, Mitigating Evolving Risk with the Right Security Framework.