In the last article, we looked at ways to begin assessing the impact to your organization's mission if a compromise or other event disrupted service, and at how to start determining what information assets exist and where they reside. Now let's look at understanding your system boundary and creating a system inventory, so that you know the full scope of what you are dealing with. A complete inventory of information assets also helps justify allocating budget for security services. Organizations grow, and the information assets that accompany growth grow with them, so some control over what networked assets exist in the organization is needed if critical information is to be properly managed.
We cannot begin to manage the many security threats we face if we don't have a firm grasp on what we are protecting. How many organizations can count the networked assets in their organization with at least 95 percent confidence? How many know and understand their security boundary?
A security boundary encloses all information assets for which an organization holds security responsibility. The first image below (Figure 1) shows a very small and simple network with an equally simple security boundary.
In this case, the ADSL/cable modem is where the security boundary begins and ends. Once network traffic enters the modem, responsibility for it falls to the organization. Every networked device in that organization must traverse the modem to reach other networks, and each device the traffic passes through beyond the modem (the ISP's equipment and everything past it) is no longer the organization's responsibility, unless the organization is the one sending malicious traffic. Security boundaries can, however, be far more complex and extend across long distances, as in Figure 2 below.
Imagine the difficulty of keeping up with threats in an organization that looked like Figure 2 if it did not understand its network topology and information assets. It is not impossible, but without enterprise-level tools to monitor and audit those systems it becomes very hard to maintain security. Once you understand how targeted malware attacks work, the effort of mapping a large, extended boundary like the one in Figure 2, and of keeping that map current, is clearly worthwhile: a targeted attack can infect multiple computers across a distributed environment, which makes identifying and eradicating the malicious code that much harder.
Creating a network diagram helps you understand the SCOPE of what you have to secure. Alongside identifying your security boundary, you must maintain an active system inventory. Many organizations track all computers and their components in a database. The system inventory typically contains every networked or network-capable device: PCs, laptops, mobile phones, routers, switches, hubs, handheld devices, printers, and so on. Basically, any electronic component that can be uniquely identified by an IP address, which includes virtual machines.
If you don't know your system boundary or don't maintain an active system inventory, you don't have control of your network and can't maintain a strong security program to protect your organization's information assets from existing and new threats. To reiterate: your organization should have an actively maintained network diagram and an actively maintained system inventory. The system inventory should contain, at a minimum:
Hostname (including aliases), IP Address(es), Function(s), Location, Primary Point of Contact, Operating System Version, Serial number
This information can be maintained in a spreadsheet or on a wiki page where others can quickly make updates. Because IP addresses can change (DHCP leases, re-addressing), treat the hostname and serial number, not the IP address, as the stable identity of an entry. Actively maintaining this information goes a long way toward keeping control of your network and its information assets, and it becomes the baseline from which your security testing, continuous monitoring, and security-based decisions are made.
All of this clarifies the SCOPE of what you have to maintain and helps you keep control of your network. With this baseline you can judge which current and emerging threats are pertinent to your organization: because you know which services and business functions your organization runs, you can make risk-based decisions as you gather information about emerging threats. When you read about a new threat, you can tell which specific assets in your organization would be affected, whether the threat is pertinent at all, and whether your defenses are adequate to protect those assets.
Once you understand the security boundary and the IT assets that exist, you are much better prepared to develop a strong security strategy to protect them. It also helps you decide whether securing the information assets can be done internally or whether a security consultant or provider will be needed. With a network map, you can visualize the network and begin to understand how data flows within the organization. The system inventory tells you everything you have to secure, and from it you can form security groups: sets of systems that will share similar security controls, which makes deployment and management easier. You can also single out the publicly accessible systems, determine their current security posture, and decide what more needs to be done to protect them.
From the system inventory you can determine the protocols used on your network, by looking at the "function" recorded for each system: web servers, mail servers, FTP servers, domain controllers, client computers, database servers, and so on. This is critical because it lets you build security controls and monitoring controls that look for anomalies relative to those functions. For example, if only two servers are allowed to send and receive email, your monitoring can alert on any other system that sends email. Each such alert should be treated as a potential security incident and investigated.
Effectively, your inventory and network map are the baseline against which you continuously monitor your systems for anomalies. If you are new to an organization, get the network map and system inventory to help you understand it. If either doesn't exist, then you are in a good position to begin learning how the network works by building them.
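As an added example (not code from the original article), the following Python script implements the mail-server check just described over a few constructed flow-log lines. It looks up the inventory "function" of each source host and alerts when a host that is not a mail server sends SMTP, SMTPS or submission traffic to a destination outside the known networks, or when the sender is not in the inventory at all. The hostnames, addresses, inventory functions, known network and log format are all hypothetical.

```python
import ipaddress

# Constructed sample data; every network, host, address and function below is hypothetical.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Inventory keyed by IP address; "function" is the field the article recommends tracking.
INVENTORY = {
    "10.0.1.10": {"hostname": "mail01", "function": "mail server"},
    "10.0.1.11": {"hostname": "mail02", "function": "mail server"},
    "10.0.2.20": {"hostname": "web01", "function": "web server"},
    "10.0.5.42": {"hostname": "ws-042", "function": "client"},
}

# Destination ports that only the listed inventory functions may use when the
# destination lies outside the security boundary.
RESTRICTED_PORTS = {
    25: {"mail server"},   # SMTP
    465: {"mail server"},  # SMTPS
    587: {"mail server"},  # mail submission
}

# Constructed flow log: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>" per line.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.1.10 203.0.113.5 25 tcp
2024-05-01T10:00:02 10.0.5.42 198.51.100.9 25 tcp
2024-05-01T10:00:03 10.0.2.20 203.0.113.7 443 tcp
2024-05-01T10:00:04 10.0.5.42 10.0.1.10 587 tcp
2024-05-01T10:00:05 10.0.9.99 198.51.100.9 587 tcp
"""


def is_internal(ip, networks=KNOWN_NETWORKS):
    """True if the address lies inside one of the organization's known networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_flow(line):
    """Split one flow-log line into its fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def find_anomalies(flow_text, inventory=INVENTORY, restricted=RESTRICTED_PORTS):
    """Return (src_ip, reason, dst_port) for every flow that crosses the boundary on a
    restricted port from a host whose inventory function does not permit it."""
    anomalies = []
    for line in flow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        # Not a restricted service, or the traffic stays inside the boundary: ignore.
        if flow["port"] not in restricted or is_internal(flow["dst"]):
            continue
        entry = inventory.get(flow["src"])
        if entry is None:
            anomalies.append((flow["src"], "not in inventory", flow["port"]))
        elif entry["function"] not in restricted[flow["port"]]:
            anomalies.append((flow["src"], entry["function"], flow["port"]))
    return anomalies


if __name__ == "__main__":
    for src, reason, port in find_anomalies(SAMPLE_FLOWS):
        print(f"ALERT src={src} dst_port={port} reason={reason}")
```

Traffic from the workstation to the internal mail server on port 587 is deliberately not flagged, since clients legitimately submit mail there; the boundary check in `is_internal` is what separates normal submission from a workstation speaking SMTP directly to the Internet. On the sample data the script alerts on the client at 10.0.5.42 and on 10.0.9.99, which is not in the inventory at all.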
You are not done when you have this information together. You then need to scan the network and scan each host to determine whether any host has multiple IP addresses. Let's say you are told that the organization has the following network addresses:
Then you scan a host and find that it has an IP address of 192.168.0.3. Note that the 192.168.0 network was not in the list you were given. You then have to probe further to understand what is listening on that interface. You may discover an entire LAN that few, if any, knew existed. This extends your security boundary and requires modifying the system inventory. Every host needs to be analyzed to determine whether it has multiple interfaces that may serve various purposes.
1. Conduct a network sweep on a routine basis to identify new hosts.
1a. Any new host should be quickly identified and physically located.
1b. A policy, signed by management, should state that any new host that cannot be physically located on the LAN or identified by name resolution or IP address is moved by the switch it is connected to into an isolated VLAN until it can be verified as authorized.
2. Ensure any new hosts are added to the inventory and any retired hosts are removed or labeled in the inventory as removed. Labeling a host as removed is the better option: if it shows up again, that is an anomaly and possibly a security incident.
3. Determine all the protocols used on the LAN. Any new host should be assigned to the same protocol and function groups as its peers so that it receives the same or similar security controls.
4. Routinely check whether existing systems in the inventory have changed: new IP addresses, disks or external components, or new services or applications installed.
5. Locate all high value assets. Those are assets that contain sensitive information such as trade secrets, Research and Development (R&D), customer or personnel private information, private financial information, etc.
6. Audit the firewall to ensure access controls for hosts that have been decommissioned are removed.
7. Invest in a centralized application to help maintain the system inventory.
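As an added example that is not part of the original article, the following Python script carries out steps 1 and 2 above against constructed data. It parses host-discovery output in the grepable format produced by `nmap -sn -oG`, compares each live host with the inventory (which keeps retired hosts labeled "removed" rather than deleting them) and with the list of known networks, and sorts the results into known hosts, hosts that reappeared after being retired, new hosts on a known network, hosts outside the known networks (the 192.168.0.3 case described earlier), and inventoried hosts the sweep did not see. The networks, addresses, hostnames and inventory fields are hypothetical.

```python
import ipaddress
import re

# Constructed sample data; all networks, hosts, names and addresses are hypothetical.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.10.0.0/16")]

# Inventory keyed by IP; "status" is "active" or "removed" (retired but kept on record,
# as the article recommends, so a reappearance can be spotted).
INVENTORY = {
    "192.168.1.10": {"hostname": "ws01", "function": "client", "status": "active"},
    "192.168.1.20": {"hostname": "print01", "function": "printer", "status": "active"},
    "10.10.1.5": {"hostname": "db01", "function": "database server", "status": "active"},
    "10.10.1.9": {"hostname": "old-fs", "function": "file server", "status": "removed"},
    "10.10.2.30": {"hostname": "fs02", "function": "file server", "status": "active"},
}

# Constructed sweep output in the style of `nmap -sn -oG -`, plus the address seen on a
# host's second interface (192.168.0.3) during the per-host checks.
SAMPLE_SWEEP = """\
# constructed sweep output (hypothetical)
Host: 192.168.1.10 (ws01.example.local)\tStatus: Up
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.77 ()\tStatus: Up
Host: 10.10.1.5 (db01.example.local)\tStatus: Up
Host: 10.10.1.9 ()\tStatus: Up
Host: 192.168.0.3 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+Up")


def parse_sweep(text):
    """Yield (ip, reverse_name) for each host reported as Up in grepable nmap output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def in_known_networks(ip, networks=KNOWN_NETWORKS):
    """True if the address falls inside one of the documented networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def reconcile(sweep_text, inventory=INVENTORY, networks=KNOWN_NETWORKS):
    """Compare a sweep with the inventory and known networks; return hosts by category."""
    result = {"known": [], "reappeared": [], "new": [], "outside_boundary": [], "missing": []}
    seen = set()
    for ip, _name in parse_sweep(sweep_text):
        seen.add(ip)
        entry = inventory.get(ip)
        if entry is None:
            # Unknown host: either a new device on a known network (quarantine per step 1b)
            # or evidence of a network the boundary did not account for.
            if in_known_networks(ip, networks):
                result["new"].append(ip)
            else:
                result["outside_boundary"].append(ip)
        elif entry["status"] == "removed":
            result["reappeared"].append(ip)  # retired host is back: investigate
        else:
            result["known"].append(ip)
    # Active inventory entries the sweep did not see: possibly down, possibly retired.
    for ip, entry in inventory.items():
        if entry["status"] == "active" and ip not in seen:
            result["missing"].append(ip)
    return result


if __name__ == "__main__":
    for category, hosts in reconcile(SAMPLE_SWEEP).items():
        print(f"{category:17s} {', '.join(hosts) if hosts else '-'}")
```

A host in the "missing" bucket after a single sweep may simply be powered off, so it should be retired in the inventory only after it is absent from repeated sweeps. Every "outside_boundary" entry means the boundary itself, not just the inventory, needs updating, and each "reappeared" entry is exactly the anomaly that labeling retired hosts as removed (rather than deleting them) is meant to surface.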
Original report can be found on VTDIGGER.