Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.5.2. Patching, Monitoring, and Configuration Enforcement

💡 First Principle: Most successful attacks exploit known vulnerabilities with available patches. Regular patching is the single most impactful mitigation you can implement. Monitoring detects what patching misses. Configuration enforcement ensures secure baselines don't drift over time.

Patching — applying vendor-released fixes for known vulnerabilities. Patch management includes testing patches before deployment, prioritizing based on severity (CVSS scores), and maintaining a patching schedule. The challenge: balancing speed (patch before exploitation) with stability (test before breaking production). Third-party applications (Java, Adobe, browser plugins) often have more vulnerabilities than the OS itself — a comprehensive patching program covers all software, not just the operating system. Patch Tuesday (Microsoft's monthly release cycle) drives many organizations' patching cadence, but critical out-of-band patches require emergency procedures.

Monitoring — continuous observation of systems, networks, and user behavior. SIEM platforms aggregate logs for correlation and alerting. Network monitoring detects anomalous traffic patterns. Endpoint detection and response (EDR) monitors individual systems for suspicious behavior.

Encryption as a mitigation ensures that even when data is stolen, it remains unreadable. Encryption protects data at rest, in transit, and increasingly in use (homomorphic encryption, secure enclaves).

Configuration enforcement — maintaining secure baseline configurations and detecting drift. Configuration management tools (Ansible, Puppet, Chef) automatically remediate systems that deviate from approved configurations. The Center for Internet Security (CIS) Benchmarks provide industry-standard secure configurations.
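Drift detection and remediation in miniature, as an added example (not code from this page or from any configuration-management product): it compares a constructed sshd_config against an approved baseline, reports every deviation including a directive that has gone missing, and writes the remediated file. The baseline values are illustrative hardening settings assumed for the example, not a transcription of a CIS Benchmark.

```python
# Added example: check a host's sshd_config against an approved baseline,
# report drift, and produce the remediated file (the check that tools such
# as Ansible or Puppet run at scale). Baseline values are illustrative
# hardening settings assumed here, not a transcription of a CIS Benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}
# Constructed sample of a drifted config (not captured from a real host).
CURRENT_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding no
# PasswordAuthentication was removed, so the daemon default applies
MaxAuthTries 6
"""

def parse_config(text):
    """Map directive -> value, skipping blank lines and comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def detect_drift(current, baseline):
    """Return {directive: (found_or_None, expected)} for each deviation.
    A missing directive counts as drift: the daemon default is not the baseline."""
    return {k: (current.get(k), v) for k, v in baseline.items() if current.get(k) != v}

def remediate(text, baseline):
    """Rewrite the config so every baseline directive carries its approved
    value: drifted lines are replaced in place, missing ones are appended."""
    seen, out = set(), []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0] in baseline:
            out.append(f"{parts[0]} {baseline[parts[0]]}")
            seen.add(parts[0])
        else:
            out.append(line)
    out += [f"{k} {v}" for k, v in baseline.items() if k not in seen]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(detect_drift(parse_config(CURRENT_SSHD_CONFIG), BASELINE))
```

Running the detector again on the output of `remediate` returns an empty dict, which is the "converged" state a configuration-management tool reports after a successful run.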

Decommissioning — properly retiring systems that are no longer needed. Abandoned systems accumulate vulnerabilities and expand the attack surface without providing value. Proper decommissioning includes removing credentials, revoking certificates, wiping data (using cryptographic erasure or physical destruction as appropriate), updating asset inventories, and removing DNS records and firewall rules. A forgotten test server with default credentials in a DMZ is a classic breach vector.

⚠️ Exam Trap: Patching known vulnerabilities prevents the most attacks. When the exam asks "which action would have most likely prevented this breach?" and the scenario describes exploitation of a known, patched vulnerability, the answer is almost always "apply the available patch."

Written by Alvin Varughese, Founder (15 professional certifications)