Dark Reading, Partner Perspectives
9/29/2015 02:00 PM
Ted Gary

3 Steps To Knowing Your Network

Managing your IT assets is a daily effort requiring vigilance and persistence.

I recently stepped on the scales and was happy to discover that I weighed three pounds less than the week before. My happiness was tempered a bit by the fact that I weighed five pounds more than expected the week before. In our day-to-day efforts to stay fit, a change in weight is a normal, easily measured and (not so easily) addressed issue. In our IT security lives, however, being surprised by things coming and going is rarely pleasant.

Most security teams lack accurate knowledge of what is on their networks. IT operations rely on configuration management databases (CMDBs) to track assets that deliver critical business services. However, tracking laptops, BYODs, services, and on-premises or SaaS applications is another story, and in this case ignorance is not bliss. In fact, this situation may present significant security risk. Unknown assets are very likely to be unmanaged, which means they likely don’t have current patches and may not comply with configuration policies that reduce their attack surface. The bottom line: If you don’t know about an asset on your network, you can’t know about its weaknesses or about what malware it may be bringing to your network.

Knowing What Is On Your Network Is Foundational

Asset discovery is like good nutrition and regular exercise. Everyone knows they’re important to good health, yet in spite of recommendations from prestigious organizations such as the American Heart Association and the United States Department of Health and Human Services, many take little or no action. Similarly, asset discovery is prescribed by a number of information security frameworks, including:

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list of Critical Security Controls, and creating an inventory of authorized and unauthorized software is the second control on the list. According to the standard, “Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops), which come and go off of the enterprise’s network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day.” Additionally, the center recommends organizations deploy an automated asset discovery tool and use it to build an asset inventory of systems connected to their public and private networks, and that organizations also deploy both active tools that scan through address ranges and passive tools that identify hosts by analyzing their traffic.
  • NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137): Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST says that ISCM necessitates maintaining situational awareness of all systems across the organization.
  • NIST Framework for Improving Critical Infrastructure Cybersecurity: This framework advocates a risk-based approach in which “Identify” is a core function. Within the Identify function, asset management, including an inventory of physical devices, systems, software platforms, and applications within the organization, is the first category to be addressed.
  • ISO/IEC 27001 Information Security Management System Requirements: This standard requires that all assets be clearly identified and that an inventory of all important assets be drawn up and maintained.

As with a diet and exercise program, getting started with asset discovery is half of the battle. Here are three recommendations to get you moving:

  1. Broadly Define the Concept of Assets. When dieting, you want to know your target weight. With assets, you want to know where your targets are. Devices with an IP address are an obvious place to start, but you should also include active ports, services, applications, and users. Both on-premises and SaaS applications must be accounted for, as well as legacy applications that may not have been implemented with security in mind and may be running on unsupported and unpatched systems. Users may be storing critical data in unsanctioned SaaS applications and may be using applications in violation of acceptable use policies.
  2. Continuously Monitor for New and Retired Assets. A scale is the most important tool to help you watch pounds come and go. Transitory assets connect and disconnect from your network in a random manner that, according to the Center for Internet Security, can “get out of synch with patches or security updates.” The “scale” for your IT environment should be a combination of regular active scans and ongoing passive network monitoring to watch for new assets, whether they be computers, network devices, applications, or users. This will also allow you to see when systems are retired or decommissioned (such as when that Windows XP workstation finally is replaced by a new Windows 10 system on the same IP). Most of what you find will probably be innocuous. However, you could find an unauthorized wireless access point or an unexpected server.
  3. Automate Response Actions. Losing pounds means your plan is working; gaining pounds means you may want to skip this morning’s donuts. Unless your network is static (and whose is?), finding new assets is a common occurrence. To keep up with the volume, you will need to automate your response. For example, you could trigger a thorough scan of new systems to identify critical vulnerabilities, misconfigurations, and known malware. If the scan finds high-risk systems, you could trigger a quarantine of those systems. You could also generate a daily report of new users and send it to the person or team responsible for managing user accounts.
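As an added illustration of steps 2 and 3 (example code, not from the article or from any Tenable product): reconcile yesterday's inventory with today's combined active-scan and passive-monitoring results, classify hosts as new, retired or changed, and map each finding to an automated response. The hostnames, IP addresses, port lists and action names are constructed for the example.

```python
# Added example (not from the article): reconcile two inventory snapshots and
# decide which automated follow-up each change should trigger. All data is constructed.
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass(frozen=True)
class Asset:
    hostname: str            # empty string = no DNS/CMDB record for this IP
    os: str
    open_ports: Tuple[int, ...]

# Yesterday's inventory, keyed by IP (constructed sample)
PREVIOUS: Dict[str, Asset] = {
    "10.0.1.10": Asset("fileserv01", "Windows Server 2012", (445, 3389)),
    "10.0.1.25": Asset("ws-accounting", "Windows XP", (139, 445)),
    "10.0.1.40": Asset("oldprinter", "Embedded", (9100,)),
}

# Today's active scan merged with passive observations (constructed sample)
CURRENT: Dict[str, Asset] = {
    "10.0.1.10": Asset("fileserv01", "Windows Server 2012", (445, 3389)),
    "10.0.1.25": Asset("ws-accounting", "Windows 10", (135, 445)),   # XP replaced, same IP
    "10.0.1.77": Asset("", "Linux 3.x", (22, 80, 8080)),             # never seen before
}

def diff_inventory(previous: Dict[str, Asset], current: Dict[str, Asset]) -> Dict[str, list]:
    """Classify each IP as new, retired or changed (OS or open ports differ)."""
    new = sorted(set(current) - set(previous))
    retired = sorted(set(previous) - set(current))
    changed = sorted(ip for ip in set(previous) & set(current)
                     if (previous[ip].os, previous[ip].open_ports)
                     != (current[ip].os, current[ip].open_ports))
    return {"new": new, "retired": retired, "changed": changed}

def plan_actions(previous: Dict[str, Asset], current: Dict[str, Asset]) -> list:
    """Map each finding to the kind of automated response step 3 describes."""
    findings = diff_inventory(previous, current)
    actions = []
    for ip in findings["new"]:
        # A host that just appeared has never been vulnerability-scanned
        actions.append((ip, "full_vulnerability_scan"))
        if not current[ip].hostname:           # unknown to DNS/CMDB: likely unmanaged
            actions.append((ip, "ticket_unknown_device"))
    for ip in findings["changed"]:
        actions.append((ip, "rescan_after_change"))  # e.g. the XP-to-Windows-10 swap
    for ip in findings["retired"]:
        actions.append((ip, "mark_decommissioned_in_cmdb"))
    return actions
```

In practice the two snapshots would come from the scanner's and passive sensor's exports rather than inline literals, and the action strings would be calls into the scanning, ticketing and NAC systems.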

Just like managing your weight, managing your IT assets is a daily effort requiring vigilance and persistence. Sometimes you’ll be surprised by new assets that represent new risk; other times you’ll be pleased to see that your inventory-management controls are working well. In any case, you will have the assurance that -- just like stepping on a scale -- you’re doing what you need to do every day to keep your security posture fit.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio