Skip to main content

Configuration and Vulnerability Management

Configuration & Change Management

  • Helps in preventing incidents and outages.

Configuration Management

  • Aims to ensure similar system configurations.
  • Makes sure configurations are well-documented and known.

Baselining

  • Ensures systems start from a common baseline or reference point.
  • Methods: Imaging and reimaging.
  • Policy-Based Configuration: Ensures consistency in baselining.

Continuous scanning can help ensure system consistency and detect policy bypasses.

Change Management

When making a change we must follow the four steps in the change management framework: 

  1. Request the change
  2. Review the change
  3. Approve/reject the change
  4. Schedule and implement the change
  5. Document the change

Following the change management Framework:

  • Reduces risks of outages or weakened security from unauthorized changes.
  • Ensures changes are discussed, documented, and mutually agreed upon.
  • Change management also addresses the "deter" principle, ensuring unauthorized changes are discouraged.

Versioning

  • Uses labels or number systems to track software changes.
  • Requires changes to be requested, approved, tested, and documented.

Think of CAB (Change Advisory Board) in the ITIL methodology.

Patch Management

Ensures systems remain up-to-date with current security patches.

  • Large Companies: Formalized process.
  • Small to Medium Businesses: Less formal process.
  • Smallest Businesses: Often automatic updates, e.g., Windows.

Without patch management, organizations risk outages from known issues that could've been avoided through patching.

The patch management process is to:

  1. ⬇️ Evaluate patches
  2. ⬇️ Test Patches
  3. ⬇️ Approve the patches
  4. ⬇️ Deploy the patches
  5. ⬇️ Verify the patches are deployed

After verifying patch deployment, utilize vulnerability scans to identify any missing patches. A System Audit can verify the deployment of approved patches.

Intertwine patch management with change and configuration management to ensure documentation remains updated. 

Vulnerability Management

  • Involves routine vulnerability scans and periodic vulnerability assessments.
  • Often comes quoted with penetration tests.
  • Proactive organizations should conduct their own vulnerability scans regularly.

Vulnerability Scanners

  • Tools designed to detect known security vulnerabilities and weaknesses.
  • Examples include issues like missing patches or weak passwords.
  • Examples of companies offering vulnerability scanning: Qualys, Nessus (by Tenable), Rapid7, and OpenVAS.

Vulnerability Assessments

  • More comprehensive than mere technical scans.
  • Includes reviews, audits, and specialized analyses to understand and address vulnerabilities.
  • Vulnerability assessments dive deeper, using specialized knowledge to elevate vulnerability information.

Incident Response - NIST 800-61

The primary incident response framework in CISSP: Computer Security Incident Handling Guide.

  1. Detection ⚠️

    • Tools: Monitoring tools, IPS, Firewalls
    • Who gets Notified: Management and/or help desk

  2. Response ⏱️

    • Actions: Triage (Is this an incident?), Declare if true
    • Objective: Limit damage

  3. Mitigation 🛡️

    • First Step: Contain the incident
    • Form a Team: For handling and scoping

  4. Reporting 📄🧑‍💼

    • Who to Report: Stakeholders (customers, vendors, law enforcement)
    • Decision Maker: Management

  5. Recovery ⚙️🔄📄

    • Objective: Return to normal operations
    • Decision Maker: Management

  6. Remediation 📊

    • Focus: Address the root cause

  7. Lessons Learned 💡

    • Benefits: Prevent recurrence, improve incident response process

DRMRRRL (Drumroll) is a helpful mnemonic for remembering the incident management steps. 

Blocking Malicious Code

Anti-Malware Software

  • Install on every system.
  • Ensure placement at network boundaries and on email servers.
  • Modern anti-malware solutions incorporate AI and ML techniques to detect unique, previously unseen threats.

Policies

  • Enforce security principles like the principle of least privilege.
  • Prevent users from potential risks like installing unauthorized software and browser extensions.

Beware of risks like local admin privileges.

Education

  • Security Awareness Training (SAT) about risks and methods to spread malware.
  • Regular short 30-minute presentations training sessions (e.g., quarterly) can minimize risky behaviors.

Penetration Tests

Discover vulnerabilities and mimic attacks to identify exploitable weaknesses.

Types

testsinclude:

  1. Black
    2. Zeroapproach. Transition Fullwith
    TypeLevel of PenKnowledge Description
    White-Box Testing:Test Full knowledgeKnowledge - IdealAttackers startinghave point.extensive
  2. Grayinfo on the target system, this takes time. 
    - Reduces reconnaissance time, increasing the likelihood of finding flaws.
    3. Gray-Box Testing:Test Partial knowledge.Knowledge - hereBalances afterbetween masteringwhite- Blackand Box.black-box
  3. Whitetests.
    - Good transition when black-box is performing well. 
    4. Black-Box Testing:Test No knowledge.Prior EngageKnowledge - vendorsAttackers fullystart without any information.
    - Simulates an external attacker trying to learn about the environment.system first.
    BAS (Automated Testing)Varies- Much faster and cheaper than a full penetration test. 
    - Automates some penetration testing aspects.
    - Injects threat indicators to trigger security controls.
    - Doesn't wage real attacks but tests security controls.

    Damage is possible, so tests should explicitly consensual, on isolated systems or scheduled during low-activity periods.

    Back to top