WEBVTT 00:00:00.820 --> 00:00:04.870 Just because the system was designed to be secure and 00:00:04.870 --> 00:00:08.820 maybe even initially installed in a secure way doesn't 00:00:08.820 --> 00:00:11.100 mean that it will remain secure. 00:00:11.560 --> 00:00:17.240 This is why we need to have configuration management. We set out the 00:00:17.240 --> 00:00:22.120 correct configuration for a system, a baseline configuration you can 00:00:22.120 --> 00:00:25.640 say. That is the standard configuration, 00:00:25.640 --> 00:00:29.040 whether or not it's for an application or a desktop, 00:00:29.050 --> 00:00:29.830 for example. 00:00:31.350 --> 00:00:35.910 And we want all of our devices to be configured in that way so we know 00:00:35.910 --> 00:00:39.840 they're meeting that security baseline that we've set out. 00:00:41.080 --> 00:00:44.180 We can put this into, for example, hardware, 00:00:44.560 --> 00:00:45.460 software, 00:00:46.060 --> 00:00:51.120 security tools, such as how often will we update our antivirus, 00:00:51.120 --> 00:00:54.600 and, of course, the configuration of a firewall. 00:00:55.600 --> 00:01:02.090 The idea is that this standard configuration ensures consistency between 00:01:02.100 --> 00:01:08.400 different systems, and we can use this as the baseline for audit. 00:01:08.870 --> 00:01:11.370 We can go and check to see whether or not, 00:01:11.380 --> 00:01:15.720 say, for example on a desktop, all of the patches are up to date. 00:01:15.870 --> 00:01:19.240 Has the operating system been patched properly? 00:01:19.360 --> 00:01:23.370 Has the antivirus been updated properly? 00:01:23.750 --> 00:01:28.890 So these are things that we check, and we can do an audit to ensure that 00:01:28.890 --> 00:01:32.330 we are compliant with that required configuration. 00:01:33.010 --> 00:01:37.390 But there are always going to be times we have to change the configuration. 00:01:37.970 --> 00:01:40.650 There's fixes and upgrades to software, 00:01:40.650 --> 00:01:45.090 for example. A patch comes out, well, we are going to change 00:01:45.090 --> 00:01:48.990 that software, and we don't want to have a situation where we 00:01:48.990 --> 00:01:51.130 catch the business by surprise. 00:01:51.130 --> 00:01:54.960 We make a change, and they're looking around, and this isn't working. 00:01:54.960 --> 00:01:56.890 It's not doing what it's supposed to do. 00:01:57.190 --> 00:02:01.420 You've taken things out of operation at a critical time of the day. 00:02:02.080 --> 00:02:07.980 So when we are going to make changes to configuration, we must have a process. 00:02:08.419 --> 00:02:12.700 And whether or not this is a change to our network configuration, 00:02:12.880 --> 00:02:18.150 a change to a project, or change to hardware, we want to make sure that 00:02:18.150 --> 00:02:22.470 change control processes prevent things like scope creep. 00:02:22.760 --> 00:02:26.050 You take a project where we add this, then we add that. 00:02:26.060 --> 00:02:31.440 And before we know it, we have a totally unmanageable project. 00:02:31.560 --> 00:02:35.040 We can't even do all of the things that need to be done. 00:02:35.040 --> 00:02:37.630 And when patches have to be applied, 00:02:37.630 --> 00:02:40.580 you don't want to do it on the busiest day of the year. 00:02:41.490 --> 00:02:46.490 So this is why we have change control, and change control is a very 00:02:46.490 --> 00:02:50.820 important principle in security operations and administration. 00:02:51.380 --> 00:02:54.850 We want to make sure that any change we're going to make, 00:02:54.860 --> 00:02:58.880 whether it's to software, hardware, a project, 00:02:58.890 --> 00:03:04.610 network, firewall configuration, that change should be documented. 00:03:05.970 --> 00:03:10.770 There should be a formal process to record who asked for this change 00:03:10.780 --> 00:03:14.230 and why, and then that change would be reviewed. 00:03:14.480 --> 00:03:19.270 Would it have an impact on risk. If I make this change, 00:03:19.280 --> 00:03:21.980 would that maybe open a new attack vector? 00:03:23.350 --> 00:03:26.360 And of course, a lot of what we're trying to do through the 00:03:26.360 --> 00:03:31.700 documentation is keep a good record so that if we go back later, 00:03:31.700 --> 00:03:35.100 we can see well why was this change made and who asked for it? 00:03:35.970 --> 00:03:41.870 Then, the change should be tested. Make sure that we did not 00:03:41.880 --> 00:03:46.170 introduce new problems or open new vulnerabilities and that we did 00:03:46.170 --> 00:03:48.840 not overwrite previous changes. 00:03:49.050 --> 00:03:53.880 This is something we often hear called regression where I go and I 00:03:53.880 --> 00:03:58.110 make a change today that actually overwrites a change that was made 00:03:58.110 --> 00:04:02.620 2 weeks ago. And the result of that is we actually have gone to a 00:04:02.620 --> 00:04:04.210 less secure state again. 00:04:04.710 --> 00:04:09.670 So we test thoroughly, including the regression testing, and then the 00:04:09.670 --> 00:04:14.060 change is authorized. The change is authorized to be put in place, and we 00:04:14.060 --> 00:04:19.060 have things like, of course, senior management support. We advise the 00:04:19.060 --> 00:04:20.860 business when this is going to happen. 00:04:21.120 --> 00:04:23.800 This is part of what we call change planning. 00:04:24.510 --> 00:04:26.630 We communicate the change. 00:04:26.800 --> 00:04:31.620 We then take images of the systems before because if something 00:04:31.620 --> 00:04:34.760 goes wrong, we want to be able to roll back, 00:04:34.840 --> 00:04:41.030 go back to that former configuration so that our systems can continue to work. 00:04:42.110 --> 00:04:43.390 The key points review. 00:04:44.250 --> 00:04:49.360 Configuration management ensures that all systems are deployed, or we could say 00:04:49.360 --> 00:04:57.010 configured, in an approved secure manner and that we control changes because 00:04:57.010 --> 00:05:02.570 change is a time of risk, and making a change to the configuration baseline 00:05:02.670 --> 00:05:05.660 should be a very much controlled process.