
SANS ISC InfoSec Handlers Diary Blog



Critical Control 1 - Inventory of Authorized and Unauthorized Devices

Published: 2011-10-03
Last Updated: 2011-10-04 20:01:33 UTC
by Mark Hofman (Version: 1)
1 comment(s)

Control 1

How many servers are in your DMZ?
How many Servers do you have in total?
How many workstations are connected to the network?
How many printers?
Switches/routers/firewalls/Access Points?

If you can answer all the questions above for your organisation accurately, well done. Unfortunately the reality is that many people will not be able to answer them at all.  

Knowing what you have in your environment is critical to the security of the environment. We know that many attackers use automated processes to identify and attack machines on the internet.  If you are not aware of what internet facing systems you have, or they are not controlled, then it is likely that they will be discovered and compromised quickly.  So it is quite important to know what is actually there.

How can you achieve that? You need to be able to control what is plugged in.  Failing that, you will need to know when something has been plugged in.  802.1x controls or other forms of Network Access Control will help you achieve the first, but this may not be suitable for all areas of your environment, or you may not get around to implementing it for a while.

Detecting what is plugged in can be achieved in a number of ways.  Tools like arpwatch will detect when something is plugged in.  You could scan the network segment on a regular basis using something like nmap and use ndiff to compare the results.  This will let you know when something is connected to your network.   You may be able to watch DHCP allocations and detect or prevent unauthorised allocations.  In order for any of this to be effective you will need some sort of inventory: if you don't know what you have, then you will not know what should or should not be there.  Document the operating systems in use, the types of hardware used, switch types, printer types etc.  
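To make the "inventory plus detection" step concrete, here is an added example (not part of the diary or any of the tools it names) that compares a snapshot of what is currently on a segment against an authorized inventory and reports unknown, missing and moved devices. The snapshot format (one `ip mac` pair per line) and the inventory contents are constructed for illustration; in practice the snapshot would come from an ARP table dump, arpwatch or a regular scan.

```python
"""Compare a network snapshot against an authorized device inventory.

Added example: the "know what should be there, then flag what is not" step.
The snapshot format (ip mac per line) is a constructed simplification of an
ARP-table dump; the inventory is a constructed dict keyed by MAC address.
MACs can be spoofed, so a match here means "expected", not "verified".
"""
import re

# Constructed authorized inventory: MAC -> (description, expected IP)
AUTHORIZED = {
    "00:11:22:33:44:01": ("dmz-web01", "10.0.1.10"),
    "00:11:22:33:44:02": ("dmz-mail01", "10.0.1.11"),
    "00:11:22:33:44:03": ("prn-floor2", "10.0.1.50"),
}

# Constructed snapshot of what was actually seen on the segment.
SNAPSHOT = """\
10.0.1.10  00:11:22:33:44:01
10.0.1.51  00:11:22:33:44:03
10.0.1.77  de:ad:be:ef:00:01
10.0.1.11  00:11:22:33:44:99
"""

LINE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s*$")

def parse_snapshot(text):
    """Return {mac: ip} from snapshot lines; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(2).lower()] = m.group(1)
    return seen

def diff_inventory(authorized, snapshot_text):
    """Return (unknown, missing, moved) dicts.

    unknown: on the wire but not in inventory -> investigate
    missing: in inventory but not seen       -> stale inventory or outage
    moved:   known MAC at an unexpected IP   -> inventory drift, or someone
             else now answering at that address (check the 'unknown' list too)
    """
    seen = parse_snapshot(snapshot_text)
    known = {mac.lower(): entry for mac, entry in authorized.items()}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in known}
    missing = {mac: known[mac] for mac in known if mac not in seen}
    moved = {mac: (known[mac][1], ip) for mac, ip in seen.items()
             if mac in known and known[mac][1] != ip}
    return unknown, missing, moved

if __name__ == "__main__":
    for label, result in zip(("unknown", "missing", "moved"),
                             diff_inventory(AUTHORIZED, SNAPSHOT)):
        print(label, result)
```

In the constructed sample the mail server's MAC is absent while an unknown MAC answers at its address, which is exactly the pattern a regular comparison run is meant to surface for follow-up.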

There are of course other tools that will help in this scenario. Many management tools will have inventory capabilities, some patching tools have the capability and some of the AV solutions will now detect "unknown" devices on the network.  

What do you do to identify and control what is on your network?

Mark - Shearwater
