
Configuration and Vulnerability Management

Configuration & Change Management

  • Helps in preventing incidents and outages.

Configuration Management

  • Aims to ensure consistent configurations across similar systems.
  • Makes sure configurations are well-documented and known.

Baselining

  • Ensures systems start from a common baseline or reference point.
  • Methods: Imaging and reimaging.
  • Policy-Based Configuration: A configuration policy keeps systems at the baseline after deployment, rather than relying on the image alone.

Continuous scanning verifies that systems still match the baseline and detects drift or deliberate policy bypasses.
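
A policy-based baseline check as an added example (not code from these notes): it parses a constructed sshd_config-style file, compares the effective settings with a constructed baseline, and reports drift, including directives that are commented out and so silently fall back to the daemon's defaults. The baseline values, the sample file and the hostname are assumptions chosen for illustration, not a published hardening standard.

```python
"""Policy-based baseline check: parse an sshd_config-style file, compare the
effective settings with a baseline, and report drift.

Added example; not code from the original notes. BASELINE and SAMPLE_CONFIG are
constructed for illustration."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: directive -> required value. Chosen for the example,
# not taken from any published hardening standard.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
    "Protocol": "2",
}

# Constructed sample as a scanner might pull it from a host: one setting is
# wrong, one is commented out, one exceeds the limit.
SAMPLE_CONFIG = """\
# sshd_config on web01 (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
#X11Forwarding no
MaxAuthTries 6
"""


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None: directive absent, daemon default applies


def parse_config(text: str) -> Dict[str, str]:
    """Return effective directives keyed by lower-cased name.

    sshd_config semantics: keywords are case-insensitive, comments and blank
    lines are ignored, and for a repeated keyword the FIRST value wins.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Either whitespace or '=' may separate keyword and argument.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword with no argument: not a valid setting
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_drift(config_text: str, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Every baseline directive whose effective value differs, or is absent."""
    actual = parse_config(config_text)
    findings: List[Finding] = []
    for directive, expected in baseline.items():
        value = actual.get(directive.lower())
        if value is None or value.lower() != expected.lower():
            findings.append(Finding(directive, expected, value))
    return findings


if __name__ == "__main__":
    for f in check_drift(SAMPLE_CONFIG):
        state = "absent" if f.actual is None else f"set to '{f.actual}'"
        print(f"DRIFT {f.directive}: expected '{f.expected}', {state}")
```

Two details matter for a real check of this kind. An absent directive is reported as a finding rather than ignored, because a commented-out line means the daemon default applies, and defaults change between releases. And the parser keeps the first value of a repeated keyword, which is how sshd resolves duplicates; a scanner that takes the last value would pass a file where a hardened line is overridden by an earlier permissive one.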


Change Management

  • Reduces risks of outages or weakened security from unauthorized changes.
  • Ensures changes are discussed, documented, and mutually agreed upon.
  • Change management also addresses the "deter" principle, ensuring unauthorized changes are discouraged.

Versioning

  • Uses labels or numbering schemes to track software changes.
  • Each new version still goes through the change process: requested, approved, tested, and documented.

Think of CAB (Change Advisory Board) in the ITIL methodology.


Patch Management

Ensures systems remain up-to-date with current security patches.

  • Large Companies: Formalized process.
  • Small to Medium Businesses: Less formal process.
  • Smallest Businesses: Often rely on automatic updates, e.g., Windows Update.

Without patch management, organizations risk outages from known issues that could've been avoided through patching.

The patch management process is to:

1. Evaluate patches
2. Test the patches
3. Approve the patches
4. Deploy the patches
5. Verify the patches are deployed

After verifying patch deployment, use vulnerability scans to identify any missing patches. A system audit can verify that the approved patches were deployed.

Intertwine patch management with change and configuration management so that documentation stays current.


Vulnerability Management

  • Involves routine vulnerability scans and periodic vulnerability assessments.
  • Often quoted together with penetration tests, but it is a distinct, ongoing activity.
  • Proactive organizations conduct their own vulnerability scans regularly rather than waiting for an external test.

Vulnerability Scanners

  • Tools designed to detect known security vulnerabilities and weaknesses.
  • Examples of what they find: missing patches and weak or default passwords.
  • Examples of scanners: Qualys, Nessus (Tenable), Rapid7 Nexpose/InsightVM, and OpenVAS (Greenbone).
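
A minimal scanner as an added example (not from these notes or from any vendor product): it runs two of the checks listed above, missing approved patches and weak passwords, against a constructed host inventory. The same patch check is the "verify" step of the patch management process above, with the approved-patch list standing in for what change management recorded. Package names, versions, hostnames, accounts and the wordlist are all constructed.

```python
"""Minimal vulnerability-scanner logic: missing approved patches and weak
(dictionary) passwords across a host inventory.

Added example; not code from the original notes or from any scanner vendor.
APPROVED_PATCHES, INVENTORY and WEAK_WORDS are constructed for illustration."""

import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 keeps the sample short; real credential stores use
    # salted, slow hashes, and a scanner tests those the same way, just slower.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed: package -> minimum version containing the approved fix, as the
# change record would state it after the "approve" step.
APPROVED_PATCHES: Dict[str, str] = {
    "openssl": "3.0.13",
    "sudo": "1.9.15",
    "openssh-server": "9.6",
}

# Constructed wordlist; real scanners use far larger lists plus vendor defaults.
WEAK_WORDS = ["password", "Password123", "admin", "changeme", "welcome1"]

# Constructed inventory as an authenticated scan would collect it.
INVENTORY = {
    "web01": {
        "packages": {"openssl": "3.0.13", "sudo": "1.9.14", "openssh-server": "9.6p1"},
        "accounts": {"deploy": sha256_hex("Password123"), "root": sha256_hex("Tr0ub4dor&3xq")},
    },
    "db01": {
        "packages": {"openssl": "3.0.11", "sudo": "1.9.15p5"},
        "accounts": {"postgres": sha256_hex("changeme"), "admin": sha256_hex("admin")},
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str   # "missing-patch" or "weak-password"
    detail: str


def version_key(version: str) -> Tuple:
    """Comparable key: numeric runs compare as integers, alphabetic runs as text,
    so 1.9.15p5 > 1.9.15 > 1.9.9 (plain string comparison gets that wrong)."""
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def check_missing_patches(host: str, packages: Dict[str, str],
                          approved: Dict[str, str] = APPROVED_PATCHES) -> List[Finding]:
    findings: List[Finding] = []
    for pkg, fixed in approved.items():
        installed = packages.get(pkg)
        if installed is None:
            continue  # not installed: nothing to patch on this host
        if version_key(installed) < version_key(fixed):
            findings.append(Finding(host, "missing-patch", f"{pkg} {installed} < {fixed}"))
    return findings


def check_weak_passwords(host: str, accounts: Dict[str, str],
                         wordlist: List[str] = WEAK_WORDS) -> List[Finding]:
    # Hash the wordlist once, then look each stored hash up in it.
    cracked = {sha256_hex(word): word for word in wordlist}
    return [
        Finding(host, "weak-password", f"{user}: password is the dictionary word '{cracked[digest]}'")
        for user, digest in accounts.items()
        if digest in cracked
    ]


def scan(inventory=INVENTORY) -> List[Finding]:
    findings: List[Finding] = []
    for host, data in inventory.items():
        findings += check_missing_patches(host, data["packages"])
        findings += check_weak_passwords(host, data["accounts"])
    return findings


if __name__ == "__main__":
    for f in scan():
        print(f"{f.host:6} {f.check:14} {f.detail}")
```

One caveat a practitioner should keep in mind: comparing upstream version numbers, as this example does, produces false positives on distributions that backport security fixes without bumping the upstream version (Debian and Red Hat both do this). Authenticated scanners therefore match the distribution's package release against the vendor's own security advisories rather than against the upstream fixed version.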

Vulnerability Assessments

  • More comprehensive than technical scans alone.
  • Include reviews, audits, and specialized analyses to understand and address vulnerabilities.
  • Dive deeper than raw scanner output, applying specialist knowledge to put findings in context: exploitability, business impact, and remediation priority.

Incident Management

1. Detection

   • Tools: Monitoring tools, IPS, firewalls
   • Who gets notified: Management and/or help desk

2. Response

   • Actions: Triage (is this actually an incident?); declare an incident if so
   • Objective: Limit damage

3. Mitigation

   • First step: Contain the incident
   • Form a team for handling and scoping

4. Reporting

   • Who to report to: Stakeholders (customers, vendors, law enforcement)
   • Decision maker: Management

5. Recovery

   • Objective: Return to normal operations
   • Decision maker: Management

6. Remediation

   • Focus: Address the root cause

7. Lessons Learned

   • Benefits: Prevent recurrence, improve the response process

DRMRRRL ("Drumroll") is a helpful mnemonic for the incident management steps: Detection, Response, Mitigation, Reporting, Recovery, Remediation, Lessons learned.


Blocking Malicious Code

Anti-Malware Software

  • Install on every system.
  • Also place it at network boundaries and on email servers, so malware is caught before it reaches endpoints.
  • Modern anti-malware solutions add AI/ML and behavioral techniques to signature matching in order to detect previously unseen threats.

Policies

  • Enforce security principles such as the principle of least privilege.
  • Prevent users from taking risky actions such as installing unauthorized software and browser extensions.

Granting users local administrator privileges undermines these controls: malware runs with whatever rights the user has.

Education

  • Security Awareness Training (SAT) about risks and the methods used to spread malware.
  • Regular, short training sessions (e.g., a 30-minute presentation each quarter) can reduce risky behavior.

Penetration Tests

Discover vulnerabilities and mimic real attacks to determine which weaknesses are actually exploitable.

Types of pen tests include:

1. Black Box Testing: Zero-knowledge approach; the tester starts like an outside attacker. A common starting point.
2. Gray Box Testing: Partial knowledge (e.g., credentials or network diagrams). Often the next step once black box testing has been done.
3. White Box Testing: Full knowledge; the testing vendor is given complete information about the environment (architecture, configurations, source code where applicable).

Damage is possible, so tests must be explicitly authorized in writing, and should run on isolated systems or be scheduled during low-activity periods.