Partner Perspectives  Connecting marketers to our tech communities.
9/29/2015
02:00 PM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

3 Steps To Knowing Your Network

Managing your IT assets is a daily effort requiring vigilance and persistence.

I recently stepped on the scales and was happy to discover that I weighed three pounds less than the week before. My happiness was tempered a bit by the fact that I weighed five pounds more than expected the week before.  In our day-to-day efforts to stay fit, a change in weight is a normal, easily measured and (not so easily) addressed issue. In our IT security lives, however, being surprised by things coming and going is rarely pleasant.

Most security teams lack accurate knowledge of what is on their networks. IT operations rely on configuration management databases (CMDBs) to track assets that deliver critical business services. However, tracking laptops, BYODs, services, and on-premises or SaaS applications is another story, and in this case ignorance is not bliss. In fact, this situation may present significant security risk. Unknown assets are very likely to be unmanaged, which means they likely don’t have current patches and may not comply with configuration policies that reduce their attack surface. The bottom line: If you don’t know about an asset on your network, you can’t know about its weaknesses or about what malware it may be bringing to your network.

Knowing What Is On Your Network Is Foundational

Asset discovery is like good nutrition and regular exercise. Everyone knows they’re important to good health, yet in spite of recommendations from prestigious organizations such as the American Heart Association and the United States Department of Health and Human Services, many take little or no action. Similarly, asset discovery is prescribed by a number of information security frameworks, including:

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list of Critical Security Controls, and creating an inventory of authorized and unauthorized software is the second control on the list. According to the standard, “Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops), which come and go off of the enterprise’s network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day.” Additionally, the center recommends organizations deploy an automated asset discovery tool and use it to build an asset inventory of systems connected to their public and private networks, and that organizations also deploy both active tools that scan through address ranges and passive tools that identify hosts by analyzing their traffic.
  • NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations -- SP 800-137Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST says that ISCM necessitates maintaining situational awareness of all systems across the organization.
  • NIST Framework for Improving Critical Infrastructure Cybersecurity: This framework advocates a risk-based approach in which “Identify” is a core function. Within the Identify function, asset management, including an inventory of physical devices, systems, software platforms, and applications within the organization, is the first category to be addressed.
  • ISO/IEC 27001 Information Management Security System Requirements: This standard requires that all assets be clearly identified and an inventory of all important assets be drawn up and maintained.

As with a diet and exercise program, getting started with asset discovery is half of the battle. Here are three recommendations to get you moving:

  1. Broadly Define the Concept of Assets. When dieting, you want to know your target weight. With assets, you want to know where your targets are. Devices with an IP address are an obvious place to start, but you should also include active ports, services, applications, and users. Both on-premises and SaaS applications must be accounted for, as well as legacy applications that may not have been implemented with security in mind and may be running on unsupported and unpatched systems. Users may be storing critical data in unsanctioned SaaS applications and may be using applications in violation of acceptable use policies.
  2. Continuously Monitor for New and Retired Assets. A scale is the most important tool to help you watch pounds come and go. Transitory assets connect and disconnect from your network in a random manner that, according to the Center for Internet Security, can “get out of synch with patches or security updates.” The “scale” for your IT environment should be a combination of regular active scans and ongoing passive network monitoring to watch for new assets, whether they be computers, network devices, applications, or users. This will also allow you to see when systems are retired or decommissioned (such as when that Windows XP workstation finally is replaced by a new Windows 10 system on the same IP). Most of what you find will probably be innocuous. However, you could find an unauthorized wireless access point or an unexpected server.
  3. Automate Response Actions. Losing pounds means your plan is working; gaining pounds means you may want to skip this morning’s donuts. Unless your network is static (and whose is?), finding new assets is a common occurrence. To keep up with the volume, you will need to automate your response. For example, you could trigger a thorough scan of new systems to identify critical vulnerabilities, misconfigurations, and known malware. If the scan finds high-risk systems, you could trigger a quarantine of those systems. You could also generate a daily report of new users and send it to the person or team responsible for managing user accounts.

Just like managing your weight, managing your IT assets is a daily effort requiring vigilance and persistence.  Sometimes you’ll be surprised by new assets that represent new risk; other times you’ll be pleased to see that your inventory-management controls are working well.  In any case, you will have the assurance that -- just like stepping on a scale -- you’re doing what you need to do every day to keep your security posture fit.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.