Patch management focuses on applying the latest security patches for newly discovered vulnerabilities, while configuration management focuses on defining a secure baseline and applying it to the organization's different assets.
Patches are simply updated code that changes how a system behaves; most of the time they are applied to improve features or to close newly discovered vulnerabilities. An organization runs numerous systems, and it is critical to keep track of which ones are compliant and which are not so that exposure to known vulnerabilities is kept to a minimum. Good practices for patch management are to identify systems, prioritize patches, test patches, and patch often. Simple parts of a patch management policy can usually be automated with tooling such as GNU patch.
Configuration management requires discovering all assets, defining acceptable secure configurations as baselines, monitoring those devices, and remediating any deviation from the baseline. Auditors use security configuration management to monitor an organization's compliance with its mandated policies, most of which are drawn from the ISO 27000 series and similar standards. Both patches and configurations should be tested continually because IT environments are always evolving, and once implemented they have to be monitored continuously. Administrators should always have a rollback ready in case a new patch or configuration does not behave properly on the live network.
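To make the two loops described above concrete, here is an added Python example (not from the original text): it audits a constructed asset inventory against a hypothetical secure baseline and a set of minimum patch levels, and returns every deviation sorted by severity so the findings can be prioritized for remediation. The setting names, package versions, severities and host names are all made up for illustration and are not taken from any standard.

```python
"""Baseline and patch-level compliance audit (added example, constructed data).

Mirrors the configuration-management loop: discover assets, define a baseline,
monitor for deviation, and produce a prioritised remediation list. It also folds
in the patch-management question "is this host at the required patch level?".
"""
from dataclasses import dataclass

# Hypothetical secure baseline: expected value plus a severity used to
# prioritise remediation (3 = fix first). Not taken from any real standard.
BASELINE = {
    "ssh_password_auth": {"expected": "no", "severity": 3},
    "ssh_root_login": {"expected": "no", "severity": 3},
    "firewall_enabled": {"expected": "yes", "severity": 2},
    "ntp_enabled": {"expected": "yes", "severity": 1},
}

# Hypothetical minimum package versions that carry the required patches.
REQUIRED_VERSIONS = {"openssh": (9, 6), "openssl": (3, 0, 13)}

# Constructed inventory: what an asset-discovery scan might return.
INVENTORY = {
    "web-01": {
        "settings": {"ssh_password_auth": "no", "ssh_root_login": "no",
                     "firewall_enabled": "yes", "ntp_enabled": "yes"},
        "packages": {"openssh": "9.6", "openssl": "3.0.13"},
    },
    "db-01": {
        "settings": {"ssh_password_auth": "yes", "ssh_root_login": "no",
                     "firewall_enabled": "yes", "ntp_enabled": "yes"},
        "packages": {"openssh": "8.9", "openssl": "3.0.13"},
    },
    "legacy-01": {
        # firewall_enabled is absent: a missing setting is itself a deviation.
        "settings": {"ssh_password_auth": "no", "ssh_root_login": "yes",
                     "ntp_enabled": "yes"},
        "packages": {"openssl": "1.1.1"},
    },
}


@dataclass
class Deviation:
    asset: str
    item: str
    expected: str
    actual: str
    severity: int


def parse_version(version: str) -> tuple:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_asset(name, asset, baseline=BASELINE, required=REQUIRED_VERSIONS):
    """Return the list of deviations for one asset (empty means compliant)."""
    deviations = []
    for key, rule in baseline.items():
        actual = asset["settings"].get(key, "<missing>")
        if actual != rule["expected"]:
            deviations.append(Deviation(name, key, rule["expected"],
                                        actual, rule["severity"]))
    for pkg, minimum in required.items():
        installed = asset["packages"].get(pkg)
        if installed is None or parse_version(installed) < minimum:
            deviations.append(Deviation(
                name, f"patch:{pkg}", ".".join(map(str, minimum)),
                installed or "<not installed>", 3))
    return deviations


def audit(inventory, baseline=BASELINE, required=REQUIRED_VERSIONS):
    """Audit every asset and order findings highest severity first."""
    findings = []
    for name, asset in inventory.items():
        findings.extend(audit_asset(name, asset, baseline, required))
    findings.sort(key=lambda d: (-d.severity, d.asset, d.item))
    return findings


def compliance_summary(inventory, baseline=BASELINE, required=REQUIRED_VERSIONS):
    """Map each asset name to True (compliant) or False (has deviations)."""
    return {name: not audit_asset(name, asset, baseline, required)
            for name, asset in inventory.items()}


if __name__ == "__main__":
    for d in audit(INVENTORY):
        print(f"[sev {d.severity}] {d.asset}: {d.item} "
              f"expected={d.expected} actual={d.actual}")
    print(compliance_summary(INVENTORY))
```

Running the module prints the prioritized remediation list followed by a per-host compliance map; in a real deployment the inventory would come from a discovery tool and the audit would run on a schedule so that drift is caught between audits rather than at them.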