Time
7 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:01
Hey, guys, welcome to another video in the SSCP exam series.
00:05
I'm your host, Pete Cipolone.
00:08
This is the eighth lesson in the second domain.
00:11
So far in the second domain, we've looked at the code of ethics, which is the required behavior for an SSCP practitioner. We've looked at the CIA triad, which is the fundamental aspect of cyber security. We've looked at security architecture, how to build frameworks for security systems
00:29
as well as how to control them using
00:31
managerial, operational and technical controls.
00:35
We've looked at system security plans and how to securely develop systems, and how, when we securely develop systems, it reduces system vulnerabilities.
00:46
We've looked at data and how to prevent it from being leaked.
00:50
And we started to look at management,
00:53
different types of management and how to manage different aspects of a system. Now, in today's lesson, we'll continue to look at management, specifically configuration management, which manages the changes of features within systems, and patch management, how to handle vulnerabilities. Also in this lesson, we'll
01:11
look at security awareness and training
01:14
and why it is imperative to make sure everyone in the organization is on the same page when it comes to security. Let's get started.
01:25
Configuration management. Configuration management is a discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so the integrity of the security state is maintained. The whole point of configuration management
01:42
is to maintain the integrity of hardware and software across
01:46
releases and versions.
01:47
Now, this sounds a lot like change management, but they are actually two different concepts, although they are very similar.
01:55
Change management focuses on changes to project processes or project baselines, so things such as
02:04
changes in the budget, changes in the schedule, et cetera.
02:08
Configuration management, on the other hand,
02:12
focuses on project specifications. So this is things like extra features, which may be added or subtracted
02:21
to a particular project.
02:23
A configuration management system consists of automated tools,
02:28
so tools that will handle version checking any type of conflict
02:35
or anything like that.
02:37
Documentation,
02:38
which is a hardware list which would include information about all of the different pieces of hardware and software. So it would include information such as the make, model, MAC address, software name,
02:53
a number of licenses, the expiration date of those licenses and things like that.
02:58
Configuration management also consists of procedures, a step-by-step process for properly configuring the hardware and software so that the number of conflicts is reduced.
03:12
There are four main operational aspects for configuration management. They are identification,
03:17
control,
03:20
accounting and auditing.
03:22
Inventories are also kept for integrity and validation.
03:27
For certain devices, especially things like computers or software, there could be hundreds of configuration possibilities, so it's important to document all of them to make sure that all the hardware and software is operating at the same
03:46
baseline that they're supposed to be operating at
03:49
and that they successfully solve the problems and do what they are supposed to do.
03:54
This is how the configuration management process works. It starts out by identifying the device,
04:01
and then controls are applied to this device.
04:04
The controls are then tracked through accounting to make sure they're operating as they are supposed to. And finally, the auditing takes place to determine if the control and the configuration inventories are being properly documented.
04:23
Let's look at these steps a little bit closer.
04:26
Identification captures and maintains information about the structure of the system.
04:30
This is usually stored in a configuration management database, also known as a CMDB.
04:38
Configuration changes are controlled throughout the life cycle. The controls implemented are for governing change requests, approvals, impact analysis, bug tracking and the systematic propagation of changes.
04:54
Accounting tracks and reports on the status of the configuration history. Auditing is the process of looking through the configuration items to ensure that they are solving the problems that they were intended to solve. If not,
05:13
then the process circles back to control
05:15
and the cycle is repeated. Patch management.
05:19
Patch Management is the process of applying system changes to correct software and firmware vulnerabilities. No system is 100% safe or 100% secure.
05:32
After a while, vulnerabilities are discovered, bugs are found, new technology is invented, which puts the security of the systems at risk, in which case a patch must be implemented. A patch is not a whole new system. It is a very small piece of
05:50
code or portion of the system
05:54
which is installed to the system and integrated so that it handles whatever vulnerability has come about.
06:01
The process of patch management includes acquisition, so the patches are supplied, usually from the vendor's website, and then downloaded. The patches are tested to make sure they work as expected and the integration is seamless.
06:16
The approval process: once the patches have been tested, they need to be approved by upper management.
06:25
Once this is done, they're packaged up, and they are sent out for the distribution and installation of the patch.
06:32
During the deployment, the patch is applied to the target system, and then it is monitored and tracked to make sure if the patch was successful or if it failed, or what the outcome of applying the patch was.
06:49
A couple of terms you will run into when talking about configuration management or patch management or, really, any of the four managements that we have spoken of.
07:00
The first is the security impact assessment.
07:03
This is the analysis conducted within an organization to determine the extent of the changes to the information system and how they impact the security posture. So any time there is a change or new release, or patches are applied,
07:20
it is important to do the security impact assessment
07:25
to see if the security impact from this change differs any from the baseline.
07:31
Another term you'll see is the interoperability of a system.
07:35
So this is the extent to which systems and devices can exchange, then receive and interpret any data between them. So if the system has a lot of interoperability, it is known as an open system
07:53
where a lot of data can be passed back and forth between systems.
07:56
If there is very little interoperability,
08:00
it is known as a closed system where the information that is inside the system has to stay inside the system.
08:07
Security awareness and training
08:09
Security awareness
08:11
seeks to reduce human error by educating people about cyber security. This is very, very important. It is actually one of the pillars in the code of ethics, which is "advance the profession", so it is very important for the SSCP practitioner to educate
08:30
people about cybersecurity.
08:31
Security is only as strong as its weakest link. That's why a lot of defenses in depth are implemented and there is a very big push to help people be aware of different cyber situations. A lot hinges on
08:50
critical success factors, so these are things like senior management,
08:54
culture, awareness, communication
08:56
and taking a solid change management approach but also measuring the changes to actually know if
09:03
a change is successful or if security awareness is going up within a network or organization.
09:11
In today's lecture,
09:11
we discussed
09:13
configuration and patch management, and we've also talked about security awareness and training and how it is very important for an organization.
09:24
Quiz time.
09:24
Documenting and recording all of the hardware and software components of a system is an action of
09:31
A, configuration management;
09:33
B, patch management;
09:35
C, release management; or D, change management?
09:43
If you said A, configuration management, then you are correct. Remember, many, many hardware and software components have hundreds or even possibly thousands of different configuration possibilities, and it's very important to keep all of these different configurations
10:01
managed in a safe and controlled way
10:05
to maintain the integrity of the system.
10:09
Thanks for watching, guys. I really hope you learned a lot in this video, and I'll see you next time.

Up Next

Systems Security Certified Professional (SSCP)

Obtaining your SSCP certification signifies that you possess the ability to tackle the operational demands and responsibilities of security practitioners, including authentication, security testing, intrusion detection/prevention, incident response and recovery, attacks and countermeasures, cryptography, malicious code countermeasures, and more.

Instructed By

Pete Cipolone
Cyber Security Analyst and Programmer
Instructor