Security Basics: Part 1 - Consistency

Consistency
Most organizations don't start out with the resources or immediate need to properly roll out imaged workstations or manage their networks using high-level tools. What happens more often than not is that the network is a collection of very different PCs, all of which have been built and configured individually. As a result, there are as many variations in loadout as there are workstations. As the organization grows, this practice is scaled to meet the need, and results in an IT department which works mainly in fire-extinguishing mode.

There is a certain point at which more consistent control over the network is an absolute must. The problem is that, in my experience, many medium-sized networks are being run without the proper tools. Management tools, strict domain policy, and imaging are all incredibly useful when combating sprawl and growing pains.

Consistent network management not only makes IT staff more productive, but also allows for self-auditing and quick response to security events. Patching becomes easier (and can be more comprehensive than just WSUS or Windows Update), which allows the very common issue of third-party software vulnerabilities to be addressed in a more elegant and effective way.

Let's take a look at the basic functions that these tools need to help accomplish in order to be useful. The first is enumeration, cataloging, and inventory control. Basically, you need to know what each device is, does, and has on it. By the same token, you need to know what is on your network that shouldn't be. In addition to a simple understanding of the devices on your network, a good management system will keep track of when devices were purchased, what kind of warranty/service plan they have, and what their serial numbers are. Having all of this information in one place is the first step towards getting your network under control to the point where securing it becomes an easy task.

The second tool in your arsenal should be a package/file management tool. In order to properly manage software updates, it's important to know the loadout of each machine, to be able to verify that ONLY the software you approve is installed, to be able to perform updates to your software, and to be able to remove unauthorized installs. Many of the issues I see in security assessments come down to patch management. I'd estimate that at least half of the vulnerabilities are a result of old software which has updates available. For those thinking that Windows Update or WSUS will cover all of these issues, you are sorely mistaken. Many of the vulnerabilities I find in assessments aren't in Microsoft products, simply because those do get automatically updated. More often than not, it's old antivirus or backup software which runs at system privileges that provides a way in.
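As an added illustration of the inventory and package-management checks described above (example code written for this post, not a tool from the original), the script below audits a constructed software inventory against a constructed approved-software baseline: it flags unauthorized installs, packages missing from a host, and packages running below the approved version. The package names, versions, and host names are made up; the version parser is there because plain string comparison would wrongly rank "4.9.2" above "4.10.0".

```python
import re

# Constructed baseline: approved package -> minimum approved version.
APPROVED = {"acme-av": "7.2.1", "backupd": "4.10.0", "office-suite": "16.0.3"}

# Constructed inventory export: host -> {installed package: installed version}.
INVENTORY = {
    "ws-001": {"acme-av": "7.2.1", "backupd": "4.9.2", "office-suite": "16.0.3"},
    "ws-002": {"acme-av": "6.8.0", "office-suite": "16.0.3", "ftp-tool": "2.1"},
}


def parse_version(version):
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit_host(installed, approved):
    """Compare one host's installed packages against the approved baseline.

    Returns a dict with three sorted lists:
      unauthorized - packages installed that are not on the approved list
      missing      - approved packages not installed on the host
      outdated     - (package, installed, required) for packages below the minimum
    """
    unauthorized = sorted(pkg for pkg in installed if pkg not in approved)
    missing = sorted(pkg for pkg in approved if pkg not in installed)
    outdated = sorted(
        (pkg, installed[pkg], required)
        for pkg, required in approved.items()
        if pkg in installed and parse_version(installed[pkg]) < parse_version(required)
    )
    return {"unauthorized": unauthorized, "missing": missing, "outdated": outdated}


def audit_inventory(inventory, approved):
    """Run audit_host over every host in the inventory; host -> findings."""
    return {host: audit_host(pkgs, approved) for host, pkgs in inventory.items()}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, APPROVED).items():
        print(host, findings)
```

Hosts with any non-empty finding list are the ones to schedule for a push from the package-management tool; the outdated list is where the old antivirus and backup agents mentioned above will surface.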

Overall, being consistent usually comes down to putting a bit of initial effort into a structure, then being disciplined enough to follow it. Automation of the boring, repetitive tasks makes this worlds easier. Manually going to every device in your organization and checking for updates is very tedious and gets frustrating rather quickly for the high-IQ types who usually make up an IT department. This leads to mistakes being made and eventually to the practice being skipped or avoided.

Find some good tools, become intimately familiar with their inner workings and behavior, then use them as an extension of yourself in confidently controlling your network. Get things to be consistent across the organization, and then you can begin to manage one set of common machines instead of many individuals.
