Using Change Management and Configuration Controls to Mitigate Security Risks

Have you ever seen a picture of a nuclear control room? If not, you might be amazed at the number of dials and switches—each set to a precise value that keeps the reactors running at optimum efficiency. Given that these dials and switches control the reactors, any changes made to their values must be made cautiously. Therefore, engineers and technicians manage the change and configuration of these dials and switches very carefully.

Like the engineers and technicians, you must manage change and configuration in your company’s IT infrastructure carefully. You will need to know what configurations provide optimal security. You also will need to have explicit written policies that dictate under what circumstances change is permitted. If you fail to manage change properly, your company’s systems could be vulnerable.

To prepare for this Discussion, read the Unit 2 Notes and the Unit 2 Case Study, both located in this unit’s Learning Resources, for Pixelated Pony Corporation (PPC).

Unit 2 Case Study

Pixelated Pony Corporation (PPC) has achieved tremendous growth over the past decade. The company, a leading provider of online education, now serves over a million students worldwide. What started as a side business by the company’s founders quickly grew to achieve a leading position in the online education market. However, PPC’s rapid growth also has been marred by a series of missteps: key servers were down several times during the past year, and the personal information and grades of nearly 10,000 students accidentally were posted to a public-facing server for six months. At the request of PPC’s Board of Directors, an investigation was launched that revealed the cause to be poor IT management. The investigation recommended that PPC implement new policies and procedures to help prevent and mitigate future incidents.
The controls recommended included implementing a change management process for the entire organization and a configuration control process for all IT services.

Availability Issues: The investigation pointed out that at several times during the past year, PPC IT failed to provide the required level of availability for key company servers. In one instance, the company’s new surfing policy was activated before management had a chance to fully test its impact and to notify faculty and staff. The chaos resulting from hundreds of users complaining about Internet access issues cost the company several days of disruption and many frustrated faculty members whose courses “broke overnight.” In another case, an administrator pushed an OS update onto some key servers. However, this particular update resulted in degraded server performance and ultimately had to be rolled back after days of complaints from employees and customers alike.

Student Data Exposed: As a result of a data breach involving the grades and personal information of nearly 10,000 students, PPC had to spend nearly half a million dollars in post-data-breach investigation and notification costs. While it is unknown whether the data was accessed for malicious purposes, PPC did offer each student a complimentary subscription to an identity protection service. The root cause analysis of the breach was determined to be the configuration of a backup server that allowed unrestricted access to anyone. Because this server also was indexed by major search engines, it was relatively easy to find.

Unit 2 Notes

Discussion notes: In small organizations, IT changes often can be made quickly and carefully without any formal planning. However, for more mature organizations, the situation is much more complex because of the sheer number of IT assets across departments. Therefore, IT departments must proceed cautiously and systematically before making any major changes.
To properly effect change, large organizations typically employ change management. This methodology requires a well-documented process that clearly defines the roles, responsibilities, and procedures related to any changes. Before any changes can be effected, they must be reviewed, approved, scheduled, and ultimately communicated to impacted users. Furthermore, roll-back capabilities must be determined ahead of time to avoid service disruptions.

Configuration controls (also called configuration management) are concerned with how devices’ baseline settings (or configurations) are set up and managed. Because these settings are tuned to corporate security policy requirements, any changes to existing systems or any introduction of new systems can generate risks. Therefore, configuration controls often are put in place to ensure that systems comply with stated policies and standards. Any changes to the configuration controls also must go through the change management process.

Assignment 2 notes: In cases where physical security controls cannot be bypassed, attackers still may be able to steal data by convincing employees (or computer systems) that they are legitimate users. Authentication is the process of validating someone’s identity. The most common form of authentication is the username-password mechanism, which assumes that the username and password are difficult to guess (and crack). Yet, the conformity with which users are provisioned often translates into highly predictable usernames (e.g., first six letters of the last name followed by first initial). If the username is known or can be guessed easily, the strength of the authentication system now depends on the strength of a user’s password. A 2012 report (Cowley, 2012) found that one of the most commonly used passwords on business systems is Password1 (three character classes: uppercase, lowercase, and numeric).
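
The Password1 observation above, as an added example that is not part of the course material: a three-class composition rule accepts Password1, while a check against a common-password list and the provisioned username rejects it. The denylist, the substitution table, and the sample names are constructed assumptions.

```python
import string

# Constructed sample denylist; a production system loads a large
# common/breached-password list instead.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "changeme"}

# Undo the usual character swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def provisioned_username(first, last):
    """Convention from the notes: first six letters of last name + first initial."""
    return (last[:6] + first[:1]).lower()


def character_classes(password):
    """Count how many of upper/lower/digit/symbol appear in the password."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in password) for t in tests)


def passes_composition_rule(password, min_len=8, min_classes=3):
    """The classic complexity rule: minimum length and character classes."""
    return len(password) >= min_len and character_classes(password) >= min_classes


def base_word(password):
    """Strip trailing digits/symbols, lowercase, and undo common substitutions."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def rejection_reasons(password, username):
    """Return every reason the password should be refused (empty list = accept)."""
    reasons = []
    if not passes_composition_rule(password):
        reasons.append("fails composition rule")
    if base_word(password) in COMMON_PASSWORDS:
        reasons.append("common password with a suffix or substitution")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    user = provisioned_username("John", "Smith")  # constructed sample user
    for candidate in ("Password1", "P@ssw0rd!", "Smithj2024!", "Tr4verse-Glacier-Moth"):
        print(candidate, passes_composition_rule(candidate), rejection_reasons(candidate, user))
```
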
Obviously, the use of single-factor authentication (to which username-password belongs) is too weak for cases where sensitive data must be protected. Besides the government, classified, and military sectors, more businesses and even some banks are adopting two-factor (or more) authentication. The ubiquity of mobile devices has led many to adopt soft-token authentication mechanisms where a token is generated and sent to your mobile device as a text message. You then log in with three pieces of information: username, password, and token. Yet, even two-factor authentication is proving vulnerable to attacks, especially when the endpoints cannot be trusted.
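
For the configuration controls described in the Discussion notes, the following added example (not part of the course material) compares a server's observed settings with an approved baseline and separates deviations backed by an approved change record from unapproved drift. The setting names, host name, values, and change ID are constructed assumptions modelled on the case study's backup server.

```python
from dataclasses import dataclass

# Constructed baseline for a backup server; setting names are assumptions.
BASELINE = {
    "anonymous_access": False,
    "allow_search_indexing": False,
    "tls_required": True,
    "patch_level": "2024.1",
}


@dataclass(frozen=True)
class ApprovedChange:
    """A reviewed and approved change record (hypothetical schema)."""
    change_id: str
    host: str
    setting: str
    new_value: object


def audit_host(host, observed, baseline, approved):
    """Return one finding per setting that deviates from the baseline."""
    findings = []
    for setting, expected in baseline.items():
        actual = observed.get(setting, "<missing>")
        if actual == expected:
            continue
        # A deviation is acceptable only if an approved change covers this
        # exact host, setting and value.
        record = next((c for c in approved
                       if (c.host, c.setting, c.new_value) == (host, setting, actual)),
                      None)
        findings.append({
            "host": host, "setting": setting, "expected": expected, "actual": actual,
            "status": "approved deviation" if record else "unapproved drift",
            "change_id": record.change_id if record else None,
        })
    return findings


# Constructed sample data modelled on the case study's backup server.
OBSERVED = {"anonymous_access": True, "allow_search_indexing": True,
            "tls_required": True, "patch_level": "2024.2"}
APPROVED = [ApprovedChange("CHG-EXAMPLE-1", "backup01", "patch_level", "2024.2")]

if __name__ == "__main__":
    for finding in audit_host("backup01", OBSERVED, BASELINE, APPROVED):
        print(finding)
```
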