As well noted in this SearchSecurity article:
“There’s a perpetual buzz around software flaws and exploits researchers disclose daily, but security experts say it often distracts IT pros from a growing and more serious problem — networks so sloppily configured and maintained that the bad guys can drive a virtual bulldozer through them without attracting attention.”
Having systems properly configured is a tenant of good security, certainly as key as patching, AV and firewalls are when focused on securing systems from outside access. But if a system is not properly configured and the network becomes infected by malware, these defenses become ineffective. What good is a firewall once the malicious code is running on your network, due to an attacker gaining insider access to the network? Basic things like easy passwords, unsecured shares, over-used administrator accounts and user rights are easy to fix and even more easy to break. When there is a time crunch, or when someone just needs something to work, it’s convenient for users to turn off the desktop firewall to get a business critical application running, or to open the Share to everyone to distribute a report, making a software developer an admin so they can test their software – the list goes on, and it’s done by both administrators and end-users. Of course, this is not the right thing to do from a security perspective because this is how malware finds its way onto the network, and unfortunately it happens all the time.
GPO can help, but it lacks a double check and it’s not easy to tell if things were setup right. Much like WSUS, GPO can help the problem, with a fair amount of effort applied by the IT staff, but it does not go far enough. What is needed is something that automatically double checks (we all make mistakes so double checks are a good thing) and automatically enforces IT security settings in accordance with policies,which creates both a cost savings (automation equals saving money when properly done), and it gives all of us a much needed second pair of eyes. An added plus is we can report to the C-level staff that things are being continually fixed if they fall out of compliance with company policy. These are very practical solutions.
As technical people we all know things are continually being changed on the network, and we know exactly where on our own networks. The problem that often arises in companies is that the boss also knows things are being continually broken, but may not know where on the network, and a lack of proper reporting can make his or her job very difficult – it’s impossible to manage what you do not know. If automated security configuration tools that include reporting capabilities are used this will eliminate the information gap. The boss can do his or her job, we can do our job, and our networks are secured.
As the article notes, as we start to run patching software we will soon learn that we also need to run automated security configuration software, it just makes sense. This is something I myself have been working on in one way or another since 1983, 25 years already, and maybe soon the problem will start to be solved!