Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Digital cartographers - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Digital cartographers

Mankind has always had a desparate need to identify its environment. Only by studying our surroundings, we’ve been able to make changes that help us live better. This is also valid for the virtual world we ourselves created.

Complicating matters though, there are multiple parallel maps which essentially cover the same infrastructure, but from different points of view. There are network diagrams, huge maps of the internet and those showing how individual cities interconnect.

At another layer, there are now maps that try to chart how people interrelate – social networks, as we call them. Other maps identify how suspected criminal networks operate or how they structure domains used in specific attacks.

One major issue with maps is that we tend to consider them accurate. When we use maps in our daily lives, they generally show us the way from point A to point B, and they are always right. This is because of a fundamental feedback loop. When I cross from point A to point B, others have likely crossed from point C to point D while meeting the same road. If the map is inaccurate, errors get reported and fixed very smoothly. There’s a lot of traffic, after all.

Our network maps however compare much better to those built hundreds of years ago. They were created by a single person visiting a new region or continent, and contained errors. From 1605 to 1722, for example California was regularly painted on maps as an island.

In addition, maps are often used to sell beliefs. They aren’t necessarily wrong, they just present the world as it exists in the cartographer’s mind. Try grabbing maps of the Spratly Islands from various East Asian countries, or maps of the Middle East from Israel and Syria.

As security professionals, we all meet organizations maintaining network diagrams that do not fully match reality. Their perimeter is not where they thought it was, or various hosts are exposed in ways not fully realized. Making good risk management decisions starts with great asset management, and this requires you to keep your maps up to date. From experience, it appears to me that smaller organizations have problems keeping smaller diagrams up-to-date, while larger organizations have really good detail diagrams for individual solutions, but are lacking insight in their overall, distributed network environment.

Some ways to remediate this:

  • Recognize that diagrams may not be accurate by assigning a confidence rating to each of them, and then work to increase confidence through verification;
  • Use vulnerability management such as scanning to identify assets. However, always take into account their limitations (discovery can be slow, is always incomplete – even when you scan 65535 ports on a variety of protocols);
  • Network IDS can sometimes contribute if you're looking beyond the individual alerts but at overall flows.

I'm very interested in hearing from you on measures you've taken to deal with these issues.

--
Maarten Van Horenbeeck

Maarten

158 Posts

Sign Up for Free or Log In to start participating in the conversation!