If you were asked, “Is your environment secure?” you’d probably respond with something like “more or less.” After all, we IT professionals are pretty logical, and while we make a solid effort, there are areas of our network environments that are in less-than-desirable shape. You have a lot on your plate, and you just don’t have the time to get to everything, right?
But what if I told you it was worse than that? Much worse.
The most fundamental part of a security strategy is assessing the current state of security and identifying risk. But risk itself is defined by the gaps that may exist in your current environment. So, by definition, if you don’t look everywhere, your risk assessment itself is creating risk. Think about that for a second. Unless you are completely 100% thorough, your security check itself may create risk. If every server has the latest patches and has an automatic way of being updated, you’re probably going to say you have little risk against known vulnerabilities. However, if you decide to skip checking a server to make sure all the patches are up to date, that could create a risk.
It’s simple. You need to look everywhere in order to uncover the true state of your security.
To make matters even more painful, the state of security is constantly changing, so you can’t just run a check once a year. Security needs to be addressed continuously.
Protection from vulnerabilities, malware, persistent threats, etc. all need to be looked at in this manner — the same manner in which Imanami focuses on managing groups in Active Directory.
Most companies like yours think that their groups are fairly secure. You may be right, but you won’t know until you look. As with any assessment of risk, you need to include any system that may grant access — including groups. Do you have unchecked group memberships? That’s a risk. How about nested groups? Risk there, too. What about the last time you actually audited the state of groups? That’s probably so long ago you can’t remember. Inherently, these assessments can create risk by themselves.
So risk isn’t something you find. It’s something that can be created by not looking in the first place.
If you haven’t taken a look recently at the health of your Active Directory groups, I recommend you do so as soon as possible. Imanami’s free Health Meter tool is a great way to give your groups a thorough diagnosis.