Configuration Management
- Purpose: When new systems are received or built, they are often completely open. Before introducing them to the environment, they are hardened.
- Steps: Develop a long list of ports to close, services to disable, accounts to delete, patches to apply, and similar items.
- Vulnerability Scanning: Before introducing the system into the production environment, run vulnerability scans against it to ensure nothing was missed (rarely done on workstations; should be done on servers and network equipment).
- Harden New Systems: A new server is received and configured to close unnecessary ports, disable unused services, delete unnecessary accounts, and apply all missing patches.
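The hardening step above, as an added example that is not part of these notes: a POSIX shell baseline check that flags listening ports and interactive accounts not on the agreed allow-list. The `ss` output and `/etc/passwd` excerpt are constructed samples so it runs offline, and the allow-lists are assumptions.

```shell
#!/bin/sh
# Added example (not from the notes): compare a new server's observed state
# against the hardening baseline. Inputs below are CONSTRUCTED samples; on a
# real host feed it "$(ss -Hltn)" and "$(cat /etc/passwd)" instead.

# Constructed sample of `ss -Hltn` output (listening TCP sockets).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
test:x:1001:1001::/home/test:/bin/sh'

# unexpected_ports "ALLOWED PORTS" "SS_OUTPUT"
# Prints each listening port (sorted, de-duplicated) not in the allow-list.
unexpected_ports() {
    allowed=" $1 "
    printf '%s\n' "$2" | awk '{print $4}' | sed 's/.*://' | sort -n | uniq |
    while read -r port; do
        case "$allowed" in
            *" $port "*) ;;          # port is in the baseline
            *) echo "$port" ;;       # port should be closed or justified
        esac
    done
}

# login_accounts "ALLOWED USERS" "PASSWD_TEXT"
# Prints accounts with an interactive shell that are not in the allow-list.
login_accounts() {
    allowed=" $1 "
    printf '%s\n' "$2" | awk -F: '$7 !~ /(nologin|false)$/ {print $1}' |
    while read -r user; do
        case "$allowed" in
            *" $user "*) ;;          # expected administrative account
            *) echo "$user" ;;       # candidate for deletion or lockdown
        esac
    done
}

# Report for the constructed samples (assumed baseline: ports 22 and 3306,
# accounts root and deploy).
echo "Listening ports not in baseline:"; unexpected_ports "22 3306" "$SAMPLE_SS"
echo "Interactive accounts not in baseline:"; login_accounts "root deploy" "$SAMPLE_PASSWD"
```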
Patch Management
- Purpose: To keep the network secure, patches need to be applied regularly.
- Process: Whenever a vulnerability is discovered, the software producer should release a patch to fix it.
- Automation: Use patch-management software to push patches to all appropriate systems, so that every system is patched and receives the same components of a patch, while components known to have an adverse effect on the network are excluded.
Change Management
- Purpose: Formalized process for handling changes to the environment.
- Process: A change is proposed to the change board, which researches it to understand the full impact of the change.
- Monitoring and Auditing: Closely monitor and audit changes to ensure they are implemented correctly and do not introduce new risks.
- Residual Risk: Remember that changes can carry residual risk, which must be mitigated.
Generalized Flow
- Identifying the Change: Identify the need for a change.
- Propose the Change: Submit the change proposal to the change board.
- Assessing Risks: Assess the risks associated with the change.