By Brad Pierce, Structured Managing Director of Security, CISSP/CISA/PCIP —
One of the first things you must do as a network or systems administrator is document. Oh, Documentation! The bane of IT professionals everywhere. In our harried work lives, it is a tedious, time-consuming process. Most people prefer to avoid documentation. But, when it is needed and not there – watch out! Everyone is quick to complain. Loudly.
Documentation as Process and Control
Inventory is the documentation I’m highlighting today and represents documentation as process. Owning an accurate representation of the systems and devices on your network is key to maintaining security and functionality. This is an increasingly daunting task for all organizations, regardless of size, but is actually the #1 control of the Center for Internet Security controls. Inventory documentation is alive, and ever-changing, in today’s world.
The first control of the CIS Controls is: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
The phrase “actively manage” is key. Performing an NMAP scan once a month and truing up a spreadsheet with IP addresses is insufficient in today’s dynamic network environment. Depending on the architecture and segmentation of your wired and wireless networks, systems will be connecting and disconnecting within hours or minutes. These systems, depending on your BYOD tolerance or policy structure, may or may not be managed by you.
You cannot protect, patch, prevent, or manage what you can’t see. At a bare minimum, you must manually track known systems and frequently scan various segments for unknown users and/or devices. Comparing the known with the unknown is a requirement.
Tools of the Trade
If starting from scratch, there are free utilities available like Spiceworks which is a community developed and supported inventory, tracking, and ticketing platform.
As an organization progresses from simple inventory to active scanning and prevention, segmentation and Network Access Control (NAC) becomes critical. In a smaller environment this may mean putting things you cannot patch or do not manage (personal phones, fishtanks, etc.) into a separate WLAN, running an active scanner on the managed IP space, and reviewing logs.
In a medium to large enterprise, depending on network and security maturity, this means reviewing and updating current segmentation and enforcement models. It means using wired and wireless NAC to control access. And, it requires automated device identification and classification technologies to ensure systems are found, inventoried, controlled and placed on the appropriate segment. This space is well served by mature solutions like Aruba Clearpass and Forescout for Device ID/Classification, as well as policy-based Access Control and Authorization. Additionally, newer solutions like ORDR focus on advanced ID and classification methodologies and use scripting and AI to monitor behavior and push security policies.
Regardless of the size of your enterprise, knowing what you have and where you have it are among the most basic building blocks of a security strategy. From this you can begin to work toward securing those devices with further controls like Continuous Vulnerability Management (CIS Control 3), Least Privilege (CIS Control 4), and Secure Configuration (CIS Control 5).