Skip to main content

Configuration and Vulnerability Management

Configuration & Change Management

  • Helps in preventing incidents and outages.

Configuration Management

  • Aims to ensure similar system configurations.
  • Makes sure configurations are well-documented and known.

Baselining

  • Ensures systems start from a common baseline or reference point.
  • Methods: Imaging and reimaging.
  • Policy-Based Configuration: Ensures consistency in baselining.

Continuous scanning can help ensure system consistency and detect policy bypasses.

Change Management

  • Reduces risks of outages or weakened security from unauthorized changes.
  • Ensures changes are discussed, documented, and mutually agreed upon.
  • Change management also addresses the "deter" principle, ensuring unauthorized changes are discouraged.

Versioning

  • Uses labels or number systems to track software changes.
  • Requires changes to be requested, approved, tested, and documented.

Think of CAB (Change Advisory Board) in the ITIL methodology.

Patch Management

Ensures systems remain up-to-date with current security patches.

  • Large Companies: Formalized process.
  • Small to Medium Businesses: Less formal process.
  • Smallest Businesses: Often automatic updates, e.g., Windows.

Without patch management, organizations risk outages from known issues that could've been avoided through patching.

The patch management process is to:

  1. ⬇️ Evaluate patches
  2. ⬇️ Test Patches
  3. ⬇️ Approve the patches
  4. ⬇️ Deploy the patches
  5. ⬇️ Verify the patches are deployed

After verifying patch deployment, utilize vulnerability scans to identify any missing patches. A System Audit can verify the deployment of approved patches.

Intertwine patch management with change and configuration management to ensure documentation remains updated. 

Vulnerability Management

  • Involves routine vulnerability scans and periodic vulnerability assessments.
  • Often comes quoted with penetration tests.
  • Proactive organizations should conduct their own vulnerability scans regularly.

Vulnerability Scanners

  • Tools designed to detect known security vulnerabilities and weaknesses.
  • Examples include issues like missing patches or weak passwords.
  • Examples of companies offering vulnerability scanning: Qualys, Nessus (by Tenable), Rapid7, and OpenVAS.

Vulnerability Assessments

  • More comprehensive than mere technical scans.
  • Includes reviews, audits, and specialized analyses to understand and address vulnerabilities.
  • Vulnerability assessments dive deeper, using specialized knowledge to elevate vulnerability information.

Incident Management

  1. Detection

    • Tools: Monitoring tools, IPS, Firewalls
    • Who gets Notified: Management and/or help desk

  2. Response

    • Actions: Triage (Is this an incident?), Declare if true
    • Objective: Limit damage

  3. Mitigation

    • First Step: Contain the incident
    • Form a Team: For handling and scoping

  4. Reporting

    • Who to Report: Stakeholders (customers, vendors, law enforcement)
    • Decision Maker: Management

  5. Recovery

    • Objective: Return to normal operations
    • Decision Maker: Management

  6. Remediation

    • Focus: Address the root cause

  7. Lessons Learned

    • Benefits: Prevent recurrence, improve response process

DRMRRRL (Drumroll) is a helpful mnemonic for remembering the incident management steps. 

Blocking Malicious Code

Anti-Malware Software

  • Install on every system.
  • Ensure placement at network boundaries and on email servers.
  • Modern anti-malware solutions incorporate AI and ML techniques to detect unique, previously unseen threats.

Policies

  • Enforce security principles like the principle of least privilege.
  • Prevent users from potential risks like installing unauthorized software and browser extensions.

Beware of risks like local admin privileges.

Education

  • Security Awareness Training (SAT) about risks and methods to spread malware.
  • Regular short 30-minute presentations training sessions (e.g., quarterly) can minimize risky behaviors.

Penetration Tests

Discover vulnerabilities and mimic attacks to identify exploitable weaknesses.

Types of Pen tests include:

  1. Black Box Testing: Zero knowledge approach. Ideal starting point.
  2. Gray Box Testing: Partial knowledge. Transition here after mastering Black Box.
  3. White Box Testing: Full knowledge. Engage with vendors fully about the environment.

Damage is possible, so tests should explicitly consensual, on isolated systems or scheduled during low-activity periods.

Back to top