Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
9/29/2015
02:00 PM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

3 Steps To Knowing Your Network

Managing your IT assets is a daily effort requiring vigilance and persistence.

I recently stepped on the scales and was happy to discover that I weighed three pounds less than the week before. My happiness was tempered a bit by the fact that I weighed five pounds more than expected the week before.  In our day-to-day efforts to stay fit, a change in weight is a normal, easily measured and (not so easily) addressed issue. In our IT security lives, however, being surprised by things coming and going is rarely pleasant.

Most security teams lack accurate knowledge of what is on their networks. IT operations rely on configuration management databases (CMDBs) to track assets that deliver critical business services. However, tracking laptops, BYODs, services, and on-premises or SaaS applications is another story, and in this case ignorance is not bliss. In fact, this situation may present significant security risk. Unknown assets are very likely to be unmanaged, which means they likely don’t have current patches and may not comply with configuration policies that reduce their attack surface. The bottom line: If you don’t know about an asset on your network, you can’t know about its weaknesses or about what malware it may be bringing to your network.

Knowing What Is On Your Network Is Foundational

Asset discovery is like good nutrition and regular exercise. Everyone knows they’re important to good health, yet in spite of recommendations from prestigious organizations such as the American Heart Association and the United States Department of Health and Human Services, many take little or no action. Similarly, asset discovery is prescribed by a number of information security frameworks, including:

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list of Critical Security Controls, and creating an inventory of authorized and unauthorized software is the second control on the list. According to the standard, “Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops), which come and go off of the enterprise’s network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day.” Additionally, the center recommends organizations deploy an automated asset discovery tool and use it to build an asset inventory of systems connected to their public and private networks, and that organizations also deploy both active tools that scan through address ranges and passive tools that identify hosts by analyzing their traffic.
  • NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations -- SP 800-137Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST says that ISCM necessitates maintaining situational awareness of all systems across the organization.
  • NIST Framework for Improving Critical Infrastructure Cybersecurity: This framework advocates a risk-based approach in which “Identify” is a core function. Within the Identify function, asset management, including an inventory of physical devices, systems, software platforms, and applications within the organization, is the first category to be addressed.
  • ISO/IEC 27001 Information Management Security System Requirements: This standard requires that all assets be clearly identified and an inventory of all important assets be drawn up and maintained.

As with a diet and exercise program, getting started with asset discovery is half of the battle. Here are three recommendations to get you moving:

  1. Broadly Define the Concept of Assets. When dieting, you want to know your target weight. With assets, you want to know where your targets are. Devices with an IP address are an obvious place to start, but you should also include active ports, services, applications, and users. Both on-premises and SaaS applications must be accounted for, as well as legacy applications that may not have been implemented with security in mind and may be running on unsupported and unpatched systems. Users may be storing critical data in unsanctioned SaaS applications and may be using applications in violation of acceptable use policies.
  2. Continuously Monitor for New and Retired Assets. A scale is the most important tool to help you watch pounds come and go. Transitory assets connect and disconnect from your network in a random manner that, according to the Center for Internet Security, can “get out of synch with patches or security updates.” The “scale” for your IT environment should be a combination of regular active scans and ongoing passive network monitoring to watch for new assets, whether they be computers, network devices, applications, or users. This will also allow you to see when systems are retired or decommissioned (such as when that Windows XP workstation finally is replaced by a new Windows 10 system on the same IP). Most of what you find will probably be innocuous. However, you could find an unauthorized wireless access point or an unexpected server.
  3. Automate Response Actions. Losing pounds means your plan is working; gaining pounds means you may want to skip this morning’s donuts. Unless your network is static (and whose is?), finding new assets is a common occurrence. To keep up with the volume, you will need to automate your response. For example, you could trigger a thorough scan of new systems to identify critical vulnerabilities, misconfigurations, and known malware. If the scan finds high-risk systems, you could trigger a quarantine of those systems. You could also generate a daily report of new users and send it to the person or team responsible for managing user accounts.

Just like managing your weight, managing your IT assets is a daily effort requiring vigilance and persistence.  Sometimes you’ll be surprised by new assets that represent new risk; other times you’ll be pleased to see that your inventory-management controls are working well.  In any case, you will have the assurance that -- just like stepping on a scale -- you’re doing what you need to do every day to keep your security posture fit.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15132
PUBLISHED: 2019-08-17
Zabbix through 4.4.0alpha1 allows User Enumeration. With login requests, it is possible to enumerate application usernames based on the variability of server responses (e.g., the "Login name or password is incorrect" and "No permissions for system access" messages, or just blocki...
CVE-2019-15133
PUBLISHED: 2019-08-17
In GIFLIB before 2019-02-16, a malformed GIF file triggers a divide-by-zero exception in the decoder function DGifSlurp in dgif_lib.c if the height field of the ImageSize data structure is equal to zero.
CVE-2019-15134
PUBLISHED: 2019-08-17
RIOT through 2019.07 contains a memory leak in the TCP implementation (gnrc_tcp), allowing an attacker to consume all memory available for network packets and thus effectively stopping all network threads from working. This is related to _receive in sys/net/gnrc/transport_layer/tcp/gnrc_tcp_eventloo...
CVE-2019-14937
PUBLISHED: 2019-08-17
REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_popup_ajax.php. The attacker can obtain a user's login sessionid from the database, and then re-login into REDCap to compromise all data.
CVE-2019-13069
PUBLISHED: 2019-08-17
extenua SilverSHielD 6.x fails to secure its ProgramData folder, leading to a Local Privilege Escalation to SYSTEM. The attacker must replace SilverShield.config.sqlite with a version containing an additional user account, and then use SSH and port forwarding to reach a 127.0.0.1 service.