Configuration and Change Management

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Now our next section focuses on
00:00
configuration and change management.
00:00
What we're trying to do is
00:00
promote security through stability.
00:00
We start off with configuration management.
00:00
(ISC)² defines this as
00:00
a process of identifying
00:00
and documenting hardware components,
00:00
software, and the associated settings.
00:00
Basically, with configuration management,
00:00
we have a focus on documenting
00:00
the existing environment and
00:00
as change happens through the process of change control,
00:00
we make sure that we have a process in
00:00
place that updates our documentation.
00:00
What we want to do is as
00:00
the systems may come in or move from department
00:00
to department is we want to
00:00
step beyond the original configuration,
00:00
the default settings to
00:00
a hardened operationally sound configuration.
00:00
We want a system that's
00:00
configured to our baseline settings.
00:00
We have to make sure that as those changes
00:00
are made that we have documentation,
00:00
any changes to the baseline have to be documented.
00:00
That's also going to happen through
00:00
the process of change management as well.
00:00
Really, we tend to think of
00:00
configuration management more about configuring settings
00:00
whereas change management is
00:00
adding and removing elements or items.
00:00
When we talk about configuration management,
00:00
some of the typical documentation,
00:00
documenting the make and model of our systems.
00:00
Any addressing information unique
00:00
to that system, MAC address,
00:00
but it could also be an IP address could be
00:00
a globally unique identifier.
00:00
Any information unique to
00:00
that system logically or physically.
00:00
So serial numbers being more of a physical assignment,
00:00
operating system up to
00:00
the version of the operating system,
00:00
firmware as well,
00:00
what is the system BIOS,
00:00
what version is it,
00:00
making sure that any passwords
00:00
that would go with that BIOS are documented.
00:00
Ideally what we want to do is we
00:00
want to configure a system to be
00:00
protected and we want to ensure that we can
00:00
trace any changes from start to finish.
00:00
Now, along with that,
00:00
we want to make sure that changes don't happen
00:00
haphazardly that we don't just
00:00
make changes on the fly or arbitrarily.
00:00
With change management,
00:00
we have a formal review process
00:00
for changes to be submitted, tested,
00:00
and approved so that again,
00:00
the goal is not to prevent changes,
00:00
but to prevent unauthorized changes.
00:00
Make sure that vendors don't come in
00:00
and install applications on our settings.
00:00
Make sure that users don't delete files
00:00
or folders or elements
00:00
of their system that are necessary,
00:00
just to make sure that
00:00
new malicious code isn't brought in.
00:00
What we're looking to do is create
00:00
a stable environment and keep it that way.
00:00
A change management plan is going to have
00:00
a process that outlines how
00:00
proposed changes go about being approved.
00:00
We start by submitting the change request.
00:00
Now a lot of organizations will have
00:00
a change control board or a CCB and they
00:00
submit the changes to the CCB and
00:00
the CCB looks at it from a risk perspective.
00:00
What are the pros and the cons?
00:00
What are the unknown elements that
00:00
could have a negative impact if we make this change?
00:00
Think about it from a cost-benefit analysis standpoint.
00:00
Now the CCB is either going to
00:00
approve or reject the change at this point.
00:00
If they approve it,
00:00
then the change is rolled out in a testing environment.
00:00
Remember when the CCB approves,
00:00
they're not approving it technically speaking,
00:00
they're approving the decision
00:00
to move forward with the change.
00:00
So the next step is going to be testing.
00:00
As part of testing,
00:00
there's a vulnerability assessment,
00:00
penetration testing depending on the change,
00:00
but a technical evaluation
00:00
of the change in a test environment.
00:00
If it passes at that point in time,
00:00
we're going to move forward and we're going to
00:00
schedule this change to be rolled out to the masses.
00:00
We're going to notify our users this is happening,
00:00
we're going to make training available,
00:00
and then we're going to implement the change.
00:00
Now, once we implement the change,
00:00
we're now out in production.
00:00
We're going to continue to monitor the change,
00:00
we're going to review any logs or files
00:00
or any information that's pertinent
00:00
so that we can evaluate and make sure the change has
00:00
a positive impact and
00:00
not a negative one in our environment.
00:00
Once again, what we're looking to do here is
00:00
promote security through stability.
00:00
We've got a safe environment,
00:00
we're going to limit the possibility for
00:00
introducing harm into that environment.