Time
1 hour 27 minutes
Difficulty
Intermediate
CEU/CPE
2

Video Description

This lesson covers Domain 6 which is configuration management and discusses basic security requirements 3.4.1. and 3.4.2. Participants also learn about derived security requirements: • 3.4.3 • 3.4.4 • 3.4.5 • 3.4.6 • 3.4.7 • 3.4.8 • 3.4.9

Video Transcription

00:04
All right, let's move on to domain six, which is configuration management. And, of course, configuration management is so very essential to protecting the stability of the system and an environment. So we look at the basic security requirements here, and the first basic requirement essentially says,
00:22
establish and maintain a baseline configuration.
00:26
So the first piece of that essentially saying Look, we've gotta have security baselines, thes minimum acceptable configurations, and we've gotta maintain them. We've got to control changes to them.
00:40
Ah, we've got to make sure that the stability of the environment is not affected by any sort of unauthorized
00:47
mechanism or installation or whatever that might be. We also got to keep track of the inventory of our information systems. Of course, you know that helps us figure out what we have. What we need are things intact. Have they been modified?
01:02
And that's include hardware, software firmware as well as any of the documents
01:07
that would indicate processes. And this is gonna be that we have to keep them throughout the entire system. Development Life's like,
01:14
Ah, we're going to establish in four security configuration settings for our tea products. So it's it's enoughto have it's not enough just to have a baseline configuration. We're gonna make sure that that's well documented and that it's enforced. We can't leave these decisions up to the user and hope they make good decisions.
01:33
So we're gonna lock down those systems
01:34
and restrict their ability to make changes as well.
01:38
Now, for the derived security requirements here, we're gonna the very first bullet point track review, approve, disapprove and audit changes that is change control, right? That is change management. And that's, you know, not too bad a definition for configuration management
01:55
in change management course, apart of configuration management.
01:59
But basically nothing happens on the fly. We don't install a quick fix or a patch or this or the other. We follow the process always, and in second Bullet Point analyzed the security impact of a change prior to implementation. Absolutely.
02:16
And you know, that really comes from the point in time when we look at
02:20
hey, will this change work? Oh, is it secure? Well, we can't think that way anymore. Does it work securely or does not work at all? All right, define document approved and enforce physical and technical or logical access.
02:37
Any sort of restrictions that are associated with that system.
02:40
To find them, document approved them, so make sure it's formalized. But then, most importantly, enforcing a policy is only as good as its enforcement.
02:51
Employ the principle of least functionality. So we're gonna configure that system to provide Onley essential capabilities. If you've ever been in a computer that's at a kiosk or maybe young Ah, hotel lobby and you go and you try to access this function or another and it's not available because the admin has removed
03:10
a certain piece of functionality.
03:12
That's what we have to do to make sure that files that shouldn't be accessed our access to our functions turned on our all for disabled. We're gonna lock down that system and, along with that, the next bullet point. Restrict disabled, prevent use of nonessential programs. That's hardening system
03:31
for everything
03:32
that's added to that system, whether it's hardware or software or firm lier. Any service is protocols, whatever that adds, and ads and ants to what we call the attack surface. So the more of these functions you add, you want having a huge attack surface.
03:49
Well, when you're not using those functions, disabled them turn them off, removed them,
03:54
and that will lessen your tax surface to the smallest area. It could be
03:59
all right. The next bullet points 2nd 1 from the bottom. We're gonna either use blacklisting or white listing, Blacklisting says. Allow everything except what's on the blacklist. White listing says block everything except what's allowed on the white list.
04:15
So basically, use a combination of those
04:18
to deny access to your resource is and then the last bullet point control and monitor user and spelt software.
04:27
You know, it really depends on in your environment whether or not you're even gonna allow users to install software. But environments that do you need an accurate log and an auditing mechanism to make sure that our users are installing only business related software and also software
04:45
that wouldn't have any short of negatives.
04:46
Impact on the on the system.
04:48
All right, so that's configuration management. Extremely important to keep a system operating per its baseline settings and create a stable, reliable system

Up Next

NIST 800-171 Controlled Unclassified Information Course

The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor