A baseline is a good place to start. It ensures that the systems are in compliance with security requirements when they are deployed. However, it’s still important to verify that the systems stay in compliance. An obvious question is how the systems might have been changed so that they are no longer in compliance. Administrators or technicians may change a setting to resolve a problem; for example, an application may not work unless security is relaxed. These changes may weaken security so that the application works. Malicious software (malware) such as a virus may also change a security setting.
It doesn’t matter how or why the setting was changed. The important point is that if it was an unauthorized change, you want to know about it. You can verify compliance using one or more of several different methods. These methods simply check the settings on the systems to verify they haven’t been changed. Several common methods include:
Automated systems can regularly query systems to verify compliance. For example, the security policy may dictate that specific protocols be removed or specific services be disabled, or it may require password-protected screen savers. An automated system can query the systems to determine if these settings are enabled and match the gold master.
Many automated tools include scheduling abilities. You can schedule the tool to run on a regular basis. Advanced tools can also reconfigure systems that aren’t in compliance. All you have to do is review the resulting report to verify systems are in compliance. For example, assume your company has 100 computers. You could schedule the tool to run every Saturday night. It would query each of the systems to determine their configuration and verify compliance. When the scans are complete, the tool would provide a report showing all of the systems that are out of compliance, including the specific issues. If your organization is very large, you could configure the scans to run on different computers every night.
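The following is an added example, not code from the original text or from any of the tools it discusses, of what such an automated check does at its core: each system's collected settings are compared with a gold master, and only the systems that deviate are listed in the report, together with the specific setting that is wrong. It also shows one way to spread a large fleet across the nights of the week. The setting names, the gold-master values and the host snapshots are constructed for illustration.

```python
"""Compliance check of collected host settings against a gold-master baseline.

Added example (not from the original text). The baseline keys, the host
snapshots and the scan-scheduling policy are constructed for illustration.
"""
import zlib
from dataclasses import dataclass

# Gold master: the settings every system is expected to have.
# Keys and values are assumed for this example.
GOLD_MASTER = {
    "telnet_installed": False,             # policy: this protocol is removed
    "ftp_service_enabled": False,          # policy: this service is disabled
    "screensaver_password_required": True, # policy: password-protected screen saver
    "screensaver_timeout_minutes": 10,
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: object
    actual: object


def compare_host(host, snapshot, baseline=GOLD_MASTER):
    """Return the settings on `host` that deviate from the baseline.

    A setting missing from the snapshot is reported as a deviation:
    'unknown' is not the same as 'compliant'."""
    findings = []
    for setting, expected in baseline.items():
        actual = snapshot.get(setting, "<missing>")
        if actual != expected:
            findings.append(Finding(host, setting, expected, actual))
    return findings


def compliance_report(snapshots, baseline=GOLD_MASTER):
    """Scan every host and return {host: [Finding, ...]} for the hosts that
    are out of compliance. Compliant hosts are omitted, as a report would."""
    report = {}
    for host, snapshot in snapshots.items():
        findings = compare_host(host, snapshot, baseline)
        if findings:
            report[host] = findings
    return report


def hosts_for_night(hostnames, weekday, nights=7):
    """Spread a large fleet over the week: each host is scanned on one fixed
    night chosen by a stable hash of its name, so every host is covered
    exactly once per cycle. `weekday` is 0..nights-1."""
    return sorted(h for h in hostnames
                  if zlib.crc32(h.encode()) % nights == weekday)


def format_report(report):
    """Render the report as one line per finding."""
    lines = []
    for host in sorted(report):
        for f in report[host]:
            lines.append(f"{host}: {f.setting} expected={f.expected!r} "
                         f"actual={f.actual!r}")
    return "\n".join(lines)


# Constructed snapshots, as an inventory agent might return them.
SAMPLE_SNAPSHOTS = {
    "ws-001": {"telnet_installed": False, "ftp_service_enabled": False,
               "screensaver_password_required": True,
               "screensaver_timeout_minutes": 10},
    # A technician relaxed a setting so an application would work.
    "ws-002": {"telnet_installed": False, "ftp_service_enabled": True,
               "screensaver_password_required": True,
               "screensaver_timeout_minutes": 10},
    # Two settings changed and the timeout was not reported at all.
    "ws-003": {"telnet_installed": True, "ftp_service_enabled": False,
               "screensaver_password_required": False},
}

if __name__ == "__main__":
    print(format_report(compliance_report(SAMPLE_SNAPSHOTS)))
```

Treating a missing value as a finding is deliberate: a collector that silently skips a setting would otherwise make a system look compliant when nothing was actually checked.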
Microsoft provides several automated tools you can use to manage Microsoft products. Although Microsoft isn’t the only tool developer to choose from, it does have a large installed base of computers in organizations. It’s worthwhile knowing which tools are available. These include:
In addition to the Microsoft products, there is a wide assortment of other automated tools. These can run on other operating systems and scan both Microsoft and other operating systems such as UNIX and UNIX derivatives. Many scanner types and versions are available. The following are several that are on the market today:
It’s also possible to use logon scripts to check for a few key settings. For example, a script can check to see if antimalware software is installed and up to date, or if the system has current patches. The script runs each time a user logs on.
Some organizations quarantine systems that are out of compliance. In other words, if a scan or a script shows the system is not in compliance, a script modifies settings to restrict the computer’s access on the network. The user must contact an administrator to return the system to normal.
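As an added example of the logon-script approach just described (it is not code from the original text), the following evaluates the few key facts a logon script would gather, using age thresholds rather than exact-match comparison, and maps the result to an allow, report or quarantine decision. The thresholds, the gathered facts and the remediation-server list are assumed values constructed for this example; applying the restrictive network policy itself is platform-specific and is returned here as reviewable data.

```python
"""Logon-time compliance check with a quarantine decision.

Added example, not from the original text. The facts a logon script would
gather (antimalware state, signature date, last patch date) are constructed
here and the thresholds are assumed policy values.
"""
from datetime import date, timedelta

# Assumed policy thresholds (constructed for this example).
MAX_SIGNATURE_AGE = timedelta(days=3)
MAX_PATCH_AGE = timedelta(days=30)


def check_logon_facts(facts, today):
    """Return the list of failed checks; an empty list means compliant.

    `facts` is the dict a logon script would assemble on the host."""
    failures = []
    if not facts.get("antimalware_installed"):
        failures.append("antimalware not installed")
    else:
        sig = facts.get("signature_date")
        if sig is None or today - sig > MAX_SIGNATURE_AGE:
            failures.append("antimalware signatures out of date")
    patched = facts.get("last_patch_date")
    if patched is None or today - patched > MAX_PATCH_AGE:
        failures.append("patches out of date")
    return failures


def decide_action(failures, quarantine_enabled=True):
    """Map a check result to 'allow', 'report' or 'quarantine'.

    Quarantine restricts the computer's network access until an
    administrator returns it to normal; organizations that only report
    keep the findings but leave access unchanged."""
    if not failures:
        return "allow"
    return "quarantine" if quarantine_enabled else "report"


def quarantine_rules(host_ip, remediation_servers):
    """Build the restrictive policy a quarantine script would apply: allow
    only the servers needed to remediate, then deny everything else.
    Returned as (action, source, destination) tuples so it can be reviewed."""
    rules = [("allow", host_ip, server) for server in remediation_servers]
    rules.append(("deny", host_ip, "any"))
    return rules


# Constructed facts for three hosts on a constructed date.
TODAY = date(2024, 3, 15)
SAMPLE_FACTS = {
    "ws-010": {"antimalware_installed": True,
               "signature_date": date(2024, 3, 14),
               "last_patch_date": date(2024, 3, 1)},
    "ws-011": {"antimalware_installed": True,
               "signature_date": date(2024, 3, 1),
               "last_patch_date": date(2024, 1, 5)},
    "ws-012": {"antimalware_installed": False,
               "last_patch_date": date(2024, 3, 10)},
}


def run_logon_checks(facts=SAMPLE_FACTS, today=TODAY):
    """Evaluate every host; returns {host: (failures, action)}."""
    results = {}
    for host, host_facts in facts.items():
        failures = check_logon_facts(host_facts, today)
        results[host] = (failures, decide_action(failures))
    return results


if __name__ == "__main__":
    for host, (failures, action) in run_logon_checks().items():
        print(host, action, failures)
```

Keeping the decision separate from the checks makes it easy to run the same script in report-only mode first and turn quarantine on once the false-positive rate is known.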
Although vulnerability scanners continue to be important tools, they do have their limitations. First, they are only as good as their testing scripts and approach. No scanner can find all vulnerabilities. The way to deal with this is to use multiple vulnerability scanners, rather than rely on a single vendor.
You can also perform random audits to determine compliance. This is often useful when IT tasks have been delegated to different elements in the organization. For example, a large organization could have a decentralized IT model. A central IT department manages some core services such as network access and email, and individual departments manage their own IT services. The organization still has an overall security policy; however, the individual departments are responsible for implementing it. In this case, the central IT department could randomly audit the departments to ensure compliance. Some larger organizations employ specialized security teams. These teams have a wide variety of responsibilities in the organization such as incident response and boundary protection. They could also regularly scan systems in the network and randomly target specific department resources.
It’s important to realize the goal of these scans. It isn’t to point fingers at individual departments for noncompliance. Instead, it’s to help the organization raise its overall security posture. Of course, when departments realize their systems could be scanned at any time, this provides increased motivation to ensure the systems are in compliance.
Many organizations use a report card format to evaluate policy compliance. These report cards can be generated from multiple sources such as a quality assurance program. Organizations can create their own grading criteria; just as in school, a grade of A is excellent whereas a grade of F is failing. The included criteria depend on the organization’s requirements. For example, the following elements can be included in the calculation of the grade:
One approach for deciding whether a patch is critical is to determine its risk score. You can look at the likelihood and impact to the organization if an attack were to happen without the patch having been applied. This approach applies numerical values to likelihood and impact (say from 0 to 9), with the higher number indicating an attack is very likely and, if successful, would have a significant impact on the organization. With these values assigned, risk can be scored as Risk = Likelihood × Impact. The higher the risk score, the more critical the patch. This system is referred to as the OWASP Risk Rating Methodology. More information is available at www.owasp.org.
Once you identify the rules or standards, you could use a spreadsheet to calculate the grades. An administrator could pull the numbers from the scans and enter them into the spreadsheet monthly. You could use individual grade reports for each department that manages IT resources and combine them into a single grade report for the entire organization.
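The following is an added example, not code from the original text, that carries the two preceding ideas through in one place: patches are ranked by Risk = Likelihood × Impact on the 0-to-9 scale, and a department's grade is then computed from the risk scores of the patches its systems are missing, with departmental grades rolled up into a single organization-wide grade as a combined spreadsheet would. The letter-grade thresholds, the penalty rule (one 9 × 9 finding counts as total loss for that system) and all department data are constructed assumptions, not part of the text.

```python
"""Risk-scored patch criticality and a departmental report card.

Added example, not from the original text. The likelihood/impact values,
the penalty rule, the grade thresholds and the department data are all
constructed assumptions.
"""


def risk_score(likelihood, impact):
    """Risk = Likelihood x Impact, both factors on the 0-9 scale."""
    for value in (likelihood, impact):
        if not 0 <= value <= 9:
            raise ValueError("likelihood and impact must be between 0 and 9")
    return likelihood * impact


def rank_patches(patches):
    """Order (name, likelihood, impact) tuples from most to least critical."""
    return sorted(patches, key=lambda p: risk_score(p[1], p[2]), reverse=True)


# Assumed grading scale (constructed): minimum percentage -> letter.
GRADE_SCALE = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

# Assumed penalty rule: a single 9 x 9 finding (score 81) costs a system
# all of its credit; smaller findings cost a proportional share.
MAX_PENALTY = 81


def letter_grade(percent):
    """Map a compliance percentage to a letter on GRADE_SCALE."""
    for threshold, letter in GRADE_SCALE:
        if percent >= threshold:
            return letter
    return "F"


def department_percent(systems, missing_patches):
    """Compliance percentage for one department.

    `systems` lists the department's systems; `missing_patches` maps a
    system to the (likelihood, impact) pairs of the patches it lacks."""
    earned = 0.0
    for system in systems:
        penalty = sum(risk_score(l, i) for l, i in missing_patches.get(system, []))
        earned += max(0.0, 1 - penalty / MAX_PENALTY)
    return 100 * earned / len(systems)


def department_grade(systems, missing_patches):
    """(rounded percentage, letter) for one department's report card."""
    percent = department_percent(systems, missing_patches)
    return round(percent, 1), letter_grade(percent)


def organization_grade(departments):
    """Roll the departmental percentages up, weighted by system count."""
    total_systems = sum(len(d["systems"]) for d in departments.values())
    weighted = sum(department_percent(d["systems"], d["missing"]) * len(d["systems"])
                   for d in departments.values())
    percent = weighted / total_systems
    return round(percent, 1), letter_grade(percent)


# Constructed data: two departments and the patches their systems lack.
DEPARTMENTS = {
    "finance": {
        "systems": ["fin-1", "fin-2", "fin-3", "fin-4"],
        "missing": {"fin-1": [(9, 9)],   # very likely, severe: total loss
                    "fin-2": [(3, 3)]},  # minor finding
    },
    "engineering": {
        "systems": ["eng-1", "eng-2", "eng-3", "eng-4", "eng-5", "eng-6"],
        "missing": {"eng-1": [(2, 4)]},
    },
}

if __name__ == "__main__":
    for name, dept in DEPARTMENTS.items():
        print(name, department_grade(dept["systems"], dept["missing"]))
    print("organization", organization_grade(DEPARTMENTS))
```

Weighting the roll-up by system count keeps a small department with one bad finding from dragging the organization grade more than its share of the fleet warrants; an equal-weight average would be the other defensible choice.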