Do you know your network?

Can you tell how many devices are connected to your internal network at this moment? If so, how much do you know about these devices? Do you know which operating system is running on a specific IP address? Or when did this device first appear on the network? Which client has an important security patch missing?

This post is about identifying your IT assets (hardware, software, data), detecting unwanted devices and what Shadow IT means.

Discovering network devices

In order to keep track of your assets, it is important to build a database that contains their IP addresses, MAC addresses and host names. The database may also include system serial numbers, system owners and whatever other information helps you organise your assets. To maintain a database of active IP addresses you have to implement a process of regular discovery. Simple address scanning works for IPv4, but the same does not apply to the IPv6 address space: a single /64 IPv6 subnet can contain more than 18 x 10^18 IP addresses, whereas the whole IPv4 address space contains “only” 4 x 10^9 IP addresses. To discover your IPv6 devices, use IPv6 Neighbor Discovery (see RFC 4861 [1]).

You can inventory your routers and switches with the help of SNMP (Simple Network Management Protocol), which allows you to query information from your network hardware. However, you need a different approach for your clients and servers, since SNMP is usually disabled there. Instead, software agents can provide details about these devices, for example the operating system, installed software and logged-on users.

There are at least two categories of devices: trustworthy devices and illegitimate devices. For example, rogue access points or personal notebooks are devices you do not want in your network. You have no idea whether these devices are up to date or even already compromised. Therefore you need to differentiate between the two categories. For this task you need to define criteria to apply when scanning or querying the devices in your network.

Does the device have a known MAC address? Is it a member of your Active Directory domain? Does it have the latest antivirus patterns installed? Just because a device has access to your network doesn’t mean that it is trustworthy. Maybe someone just set up a new access point that delivers a wireless network to your development department. You now have a rogue AP (access point) that puts your network at risk. Hopefully your IDS will detect it. Authentication on the wired network could have prevented it.
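The discovery and "known MAC address" check described above, as an added example that is not part of the original post: it parses constructed Linux neighbor-table output (IPv4 ARP entries and IPv6 Neighbor Discovery entries in the `ip neigh` format), reconciles every resolved MAC address against a constructed asset database, records when each MAC was first seen, and lists the devices that are not in the inventory.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of `ip neigh` output; IPv6 entries are learned via
# Neighbor Discovery (RFC 4861), IPv4 entries via ARP. Values are made up.
NEIGH_OUTPUT = """\
192.168.10.12 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.10.77 dev eth0 lladdr de:ad:be:ef:00:01 STALE
192.168.10.90 dev eth0  FAILED
fe80::211:22ff:fe33:4455 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8:10::5 dev eth0 lladdr aa:bb:cc:dd:ee:ff DELAY
"""

# Constructed asset database keyed by MAC address (the "known MAC" criterion).
KNOWN_ASSETS = {
    "00:11:22:33:44:55": {"hostname": "fw-core", "owner": "netops"},
    "aa:bb:cc:dd:ee:ff": {"hostname": "srv-db01", "owner": "dba"},
}

# `ip neigh` prints MACs in lowercase; the state keyword is always uppercase.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?.*?\s(?P<state>[A-Z]+)$"
)

def parse_neighbors(text):
    """Parse neighbor-table lines; skip FAILED/INCOMPLETE entries without a MAC."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m or not m.group("mac"):
            continue
        entries.append({"ip": ipaddress.ip_address(m.group("ip")),
                        "mac": m.group("mac").lower(),
                        "dev": m.group("dev"), "state": m.group("state")})
    return entries

def classify(entries, assets, first_seen, now=None):
    """Tag each entry as trusted/unknown and remember when its MAC first appeared."""
    now = now or datetime.now(timezone.utc)
    report = []
    for e in entries:
        first_seen.setdefault(e["mac"], now)   # persists across discovery runs
        asset = assets.get(e["mac"])
        report.append({**e, "trusted": asset is not None,
                       "hostname": asset["hostname"] if asset else None,
                       "first_seen": first_seen[e["mac"]]})
    return report

def unknown_devices(report):
    """Devices present on the wire but absent from the asset database."""
    return [r for r in report if not r["trusted"]]
```

In a real deployment the `first_seen` dictionary would be persisted (e.g. in the asset database) so that "when did this device first appear" survives between runs.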

Monitoring data streams

Monitoring the data streams between devices can help you identify unusual traffic occurring in your network. IPFIX or NetFlow probes in your network help you to discover such events (see [2]). Network flow data provides you with information about the endpoints and protocols that are being used in your network. Check the book “Using SiLK for Network Traffic Analysis” [3] from the CERT Network Situational Awareness (NetSA) group for further information.
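As an added example (not from the original post or from the SiLK project), here is the kind of check you can run over exported flow records: constructed flows in a simple CSV layout similar to SiLK `rwcut` columns are compared against a known-endpoint list (from the discovery step) and an outbound-port allowlist, and the bytes sent to each external destination are summed to expose unexpected talkers. The column names and allowlist are assumptions for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.168.10.0/24")
# Known internal endpoints, as produced by the discovery process.
KNOWN_IPS = {"192.168.10.12", "192.168.10.20", "192.168.10.30"}
# Ports an internal client is expected to use towards the Internet (assumption).
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Constructed flow records; one unidirectional flow per line.
FLOWS = """\
sIP,dIP,sPort,dPort,protocol,bytes
192.168.10.20,192.168.10.30,51022,443,6,8120
192.168.10.20,203.0.113.9,51030,443,6,20400
192.168.10.77,203.0.113.44,40001,22,6,910000
192.168.10.30,198.51.100.7,53211,6667,6,3300
192.168.10.12,192.168.10.20,40500,161,17,220
"""

def parse_flows(text):
    """Read flow records; convert addresses and numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({"src": ipaddress.ip_address(row["sIP"]),
                      "dst": ipaddress.ip_address(row["dIP"]),
                      "dport": int(row["dPort"]), "proto": int(row["protocol"]),
                      "bytes": int(row["bytes"])})
    return flows

def analyse(flows, known_ips=KNOWN_IPS, internal=INTERNAL,
            allowed=ALLOWED_OUTBOUND_PORTS):
    """Return (reason, flow) findings for unknown endpoints and unusual egress."""
    findings = []
    for f in flows:
        src_internal, dst_internal = f["src"] in internal, f["dst"] in internal
        if src_internal and str(f["src"]) not in known_ips:
            findings.append(("unknown-internal-endpoint", f))
        if src_internal and not dst_internal and f["dport"] not in allowed:
            findings.append(("unusual-outbound-port", f))
    return findings

def bytes_per_external_destination(flows, internal=INTERNAL):
    """Aggregate bytes sent from the internal network to each external host."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in internal and f["dst"] not in internal:
            totals[str(f["dst"])] += f["bytes"]
    return dict(totals)
```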

Tracking systems and applications

To get a view above the network layer you have to look at the operating system level. For example, a WSUS (Windows Server Update Services) server will keep track of the Windows patch levels on your clients and servers. You can quickly tell which systems have outstanding Windows updates. However, you can only catch systems that report to your WSUS instance. WSUS reporting thus shows you the weak spots in your patch management process.

What about applications? Developers often are allowed to install software. Are you running the latest version of your web browser? Is your CRM application fully patched on every client? In case your answer is yes, you are fine.

You need to have a clear view of all applications in your IT landscape. With software inventory management you can track the patch status of each installed application.

Do not grant administrative rights to your users, just because they want to install some shiny software. You will slowly lose control over your IT security as non-maintained software can be installed, security settings can be changed and malware is able to nest in the system.

Have a clear process for software installation. Give the users a possibility to request a special application if they need it. Deploy Group Policies and control your patch management process.

Databases are the heart of many applications. Leakage of customer data to unauthorized users can heavily harm your reputation. Controlling and reviewing access rights and ensuring data integrity is vital for your business. This is why you should implement a regular review of user access, so you can avoid the situation where employees change department but their access rights stay the same. You can find more about this in the document “Protecting Access to Data and Privilege with Oracle Database Vault” [4] from SANS.

To close this section, here are two tools for maintaining an IT inventory database:

  • GLPI [5]
  • Fusion Inventory [6]

Both are open source.

Shadow IT

Shadow IT is a term for infrastructure or services that are used without knowledge and/or approval of the company’s IT department. Chances are quite high that someone in your organisation is already using Shadow IT for his daily work. Examples are Google Docs or Dropbox that are used for file sharing or collaboration with customers. Or think about the development department that installed some services on their notebooks to run Continuous Integration (CI) and Continuous Deployment (CD) because the IT guys did not manage to set up the services in a certain amount of time.

Shadow IT is a symptom that you cannot ignore. Look for the causes of Shadow IT. Is your IT department understaffed? Are your business processes for requesting new services too slow?

Think about the consequences of Shadow IT and consider the following problems:

  • unclear responsibilities
  • no service-level agreement
  • who manages backup and recovery of data
  • cloud services can be compromised, passwords can be brute-forced, data is copied
  • BYOD: unmanaged devices (smartphones, notebooks) that could be vulnerable

It all leads to pain when you think of IT security and compliance. Your IT environment will deteriorate if you have no plan regarding Shadow IT. I know that it is not an easy task to eradicate Shadow IT completely; however, you should at least try to keep it under control. At the same time, Shadow IT can be a source of new ideas and demands. Your users know what they want and will find a way to get their work done. Don’t block them; instead, work with them and integrate the services into your IT security concept. Make Shadow IT a part of a security awareness campaign. If your users are properly educated and understand the risk behind Shadow IT, you should be able to reduce the amount of it.

Conclusion

Rogue devices violate company security policies. A notebook that someone brought from home can trigger a security event. Undetected malware could spread and encrypt your files on the file server. You surely have heard of several kinds of ransomware. In order to protect your IT infrastructure, the process of mitigating attack vectors must be understood.

Unpatched systems help attackers to successfully compromise your network. A properly maintained software inventory management system gives you a detailed view of your systems.

Shadow IT that is not visible to IT managers can effectively impact your internal IT security. Find out the reasons why Shadow IT evolved and ask users about their workflow.

To protect your critical data, you need a complete view of your IT landscape. Maintaining data security throughout the entire company is essential. This means you have to be up-to-date regarding the complete IT infrastructure and the business processes of your employees.

Hopefully you’ve obtained some ideas about managing your IT infrastructure.

[1] https://tools.ietf.org/html/rfc4861
[2] http://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/white-paper-c11-736595.html
[3] https://tools.netsa.cert.org/silk/analysis-handbook.pdf
[4] https://www.sans.org/reading-room/whitepapers/analyst/protecting-access-data-privilege-oracle-database-vault-35712
[5] http://glpi-project.org/
[6] http://fusioninventory.org/
