What sounds like more fun than spending the start of the new year by taking inventory of all your systems? Unless you’re really odd, just about anything, to be truthful. But it’s something you should be giving serious thought to as 2014 draws to a close and 2015 begins. Even though we rarely think of it as a security function, a valid, up-to-date and accurate counting of our systems is one of the underlying building blocks that are absolutely necessary in having a successful security program.
It’s tempting to say throw out your old spreadsheets and start over from scratch to build a new inventory, but that’s not necessarily realistic for most organizations. On the other hand, we do need to realize that many of the inventories we have in spreadsheets scattered around the network are either old, inaccurate, just plain wrong or a combination of all three. An inventory has a half-life, a certain amount of time between when it’s created and when half of the information it contains is superseded. Depending upon your organization, this time period could be a couple of years, or it could be the end of the same day the inventory was created. In either case, relying on the old inventories is problematic, so use them as a starting point, with the understanding that you’re trying to create something new that’s more accurate.
Many inventories rely on the people working in the departments responsible for systems to self-report. If you’ve been in security for any length of time, you realize that this type of self-reporting just doesn’t work. Even people with the best of intentions often forget about one or two systems that have been used by the department since time immemorial. Or they’ll forget about a box running under someone’s desk because that person isn’t available the day the inventory was taken. Or maybe they’re trying to hide a system from the security department because it’s running something that’s against policy and they’re afraid it’ll get shutdown. Finally, there’s always the apocryphal story of a server that was walled away when a remodel happened, but continued running for years.
Network discovery tools make for a great way to start off your count, but never pretend they’re going to find everything on your network. Some systems are not going to respond to network discovery in a manner that will be recognized by many tools, and in some cases won’t respond at all. Look beyond these tools and start mining some of the other tools and data stores you have, especially DNS. When you start looking at the hosts that are making requests to your DNS servers, interesting patterns might start to emerge. The responses to those requests can be interesting as well.
This brings us to two of the hardest parts of creating a valid and accurate inventory: BYOD/IoT and the Cloud. Every day our coworkers, our executives and even our own teammates are bringing more of the technology we use at home into the office. After the Christmas holiday there’s going to be an influx as all the new toys and gadgets people received as gifts flood into the office. Making an inventory of these systems on your network is a sensitive proposition, but one you have to decide how your company is going to deal with. You already have a set of policies and procedures to deal with that, right?
Cloud brings its own set of problems for inventories. Begin with an inventory of the approved Cloud services, but be aware that it’s just a starting point. Just about anyone with a credit card can set up a server on AWS or Microsoft and have services that contain your corporate data up and running in just a few minutes. There are many organizations that have shadow IT infrastructures in the Cloud that the official IT and security teams have no idea exist. This is another reason mining your DNS logs is so vital; those departments might not tell you they have shadow servers, but they still have to make DNS queries in order to connect to their servers. Another great resource is to work with your accounting departments to see whose expensing credit card receipts for Cloud resources. Between DNS and expenses, you might be surprised how many external resources you find.
Inventories aren’t exactly anyone’s idea of fun, but there’s an old adage that if you don’t know it exists, you can’t secure it. Yours might be one of the companies who have a recent and accurate inventory of resources that make up your business and your network. But even the best companies could be well served by double-checking their inventory to make sure they haven’t missed anything. Or that a new system hasn’t been added in the time it took you to read this post.
Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai's Security Intelligence Team, he is responsible for...