
Exposure Management: You can’t secure what you don’t know about

Derek Melber

Chief Strategist

26.01.24


4 min read


It is not a new concept that IT is not fully aware of all of the assets and devices on the network. Projects come and go, rogue devices are put on the network, legacy assets are forgotten, and so on. The other concept that is not new is that attackers love assets and devices that have been orphaned and forgotten: they are not updated, patched, configured, secured, or monitored.

Imagine you are building a new house and a special side door is created to let the crews in and out without mucking up the fancy wood flooring. When the house is finished, the side door is not removed and closed up. It is forgotten! Tell me an intruder wouldn't target this door if they were trying to enter the house!

Asset and device discovery 

Often the IT staff relies on documentation to track assets and devices. This is a poor process, as documentation is easily passed over for the "fires" that the IT staff must deal with daily. The result is outdated documentation: new devices are not added and older devices are not removed.

Most organizations don’t rely on a solution that will find their assets and devices. They might do periodic ping sweeps or manual inspections, but with virtual machines, small devices, IoT, and other easily hidden assets and devices, these measures are just not enough.  

Automatic Asset and Device Discovery and Inventory 

Ideally, organizations of all sizes need security solutions that automatically update the asset and device inventory to track everything connected to the network. This ensures that IT is aware of every possible "entry point" into the network.

One option is to use ARP and routing tables. These help uncover devices that come and go from the network: even after such a device goes offline, traces of its communications are left behind in the caches of static devices. Following these references uncovers "friends of friends" and gives a blanketing effect to asset and device discovery.

“Nanitor was able to discover assets and devices that we never knew were on the network, which were brought into the organization from employees.”  

Another great option for automatic asset and device discovery is to use Active Directory, as you can see in Figure 1. When devices join Active Directory they have a computer account that represents the device. Getting a full list of the computer accounts from Active Directory can uncover unknown or forgotten devices with ease.  

“Nanitor uncovered over 100 computers that we thought were no longer on the network.” 


Figure 1. Automatic asset and device discovery using Active Directory. 
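The two discovery sources described above (ARP caches on static hosts, and computer accounts in Active Directory) can be reconciled against the hand-maintained inventory to surface devices IT did not know about. The script below is an added example written for this article, not Nanitor's code or the author's method: the ARP output, the exported AD attributes, the inventory and the 90-day staleness threshold are all constructed sample data, and the lookup is deliberately limited to comparing identifiers that are already on hand.

```python
"""Added example (not Nanitor's code): reconcile ARP-cache and Active Directory
evidence against a documented inventory. All data below is constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample: what `arp -a` prints on a Windows host. Entries for devices
# that have since gone offline linger in caches like this one.
ARP_OUTPUT = """
Interface: 10.0.1.5 --- 0xc
  Internet Address      Physical Address      Type
  10.0.1.1              00-11-22-33-44-01     dynamic
  10.0.1.20             00-11-22-33-44-20     dynamic
  10.0.1.77             3c-aa-bb-cc-dd-77     dynamic
  10.0.1.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: attributes exported from Active Directory for each
# computer account (hostname, operating system, last logon date).
AD_COMPUTERS = [
    {"name": "DC01", "operatingSystem": "Windows Server 2022", "lastLogon": "2024-01-25"},
    {"name": "WS-0042", "operatingSystem": "Windows 11", "lastLogon": "2024-01-24"},
    {"name": "OLD-PROJ-SRV", "operatingSystem": "Windows Server 2012 R2", "lastLogon": "2022-03-10"},
]

# Constructed sample: the spreadsheet IT believes is complete.
DOCUMENTED = {
    "hostnames": {"DC01", "WS-0042"},
    "macs": {"00-11-22-33-44-01", "00-11-22-33-44-20"},
}

ARP_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp(text):
    """Return {mac: ip} for unicast dynamic entries; broadcast/multicast are dropped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac, kind = m.group(1), m.group(2).lower(), m.group(3).lower()
        first_octet = int(mac[:2], 16)
        if kind != "dynamic" or first_octet & 1:  # group bit set -> not a host
            continue
        seen[mac] = ip
    return seen


def unknown_from_arp(arp_text, documented):
    """MAC addresses present in the ARP cache but absent from the inventory."""
    known = {m.lower() for m in documented["macs"]}
    return {mac: ip for mac, ip in parse_arp(arp_text).items() if mac not in known}


def undocumented_ad_accounts(ad_computers, documented, today, stale_days=90):
    """AD computer accounts missing from the inventory, flagged if the account
    has not logged on within stale_days (a likely forgotten device)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    out = []
    for c in ad_computers:
        if c["name"] in documented["hostnames"]:
            continue
        last = datetime.strptime(c["lastLogon"], "%Y-%m-%d")
        out.append({"name": c["name"], "os": c["operatingSystem"],
                    "stale": (now - last) > timedelta(days=stale_days)})
    return out


if __name__ == "__main__":
    print("Unknown MACs in ARP cache:", unknown_from_arp(ARP_OUTPUT, DOCUMENTED))
    print("AD accounts not in inventory:",
          undocumented_ad_accounts(AD_COMPUTERS, DOCUMENTED, "2024-01-26"))
```

Run as-is, the script reports one device that only the ARP cache knows about (10.0.1.77) and one AD computer account (OLD-PROJ-SRV) that is neither documented nor recently active. In practice both lists become tickets: the first needs identification and labeling, the second needs either a verified owner or a disabled account.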

Asset and Device Prioritization and Labeling

Once an asset is found, it is essential to automatically label that asset. The labeling of an asset provides for easier prioritization, grouping, report filtering, and organizing of overall security prioritization.  

Labels would include "Windows", "Domain Controller", "Printer", "Cloud", etc. By assigning a label when the asset is found, the system automatically knows what to gather from the asset and what analysis to perform, and can finally triage that asset's security issues alongside those of every other asset into a master prioritized list of issues.

Not prioritizing assets is a very poor decision and design for exposure management. Every asset must have a priority, so the IT and security staff know exactly what to remediate to get the best risk reduction from their efforts. Not every security issue can be resolved, so having as many analytical points as possible to feed into the decision on which issues to fix on which assets can mean the difference between being breached and denying an attack.
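As an added illustration of the labeling and prioritization described in this section (example code, not Nanitor's scoring model): labels are derived from the attributes discovery already collected, each label carries a constructed asset weight, and that weight is multiplied by each finding's severity to produce one master list across all assets. The assets, issue identifiers, weights and severity scores are constructed sample values; an asset that matches no label is deliberately tagged "Unknown" with a high weight so that unidentified devices are not quietly pushed to the bottom of the list.

```python
"""Added example (not Nanitor's code): label discovered assets and fold
asset weight and issue severity into one prioritized list. All values are
constructed sample data."""

# Constructed weights: how much a finding on an asset of this kind matters.
LABEL_WEIGHT = {
    "Domain Controller": 5, "Cloud": 4, "Unknown": 4,
    "Windows": 3, "Linux": 3, "Printer": 2,
}
# Constructed severity scores for individual findings.
SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Constructed sample assets as a discovery step might record them.
ASSETS = [
    {"hostname": "DC01", "os": "Windows Server 2022", "roles": ["domain controller"]},
    {"hostname": "WS-0042", "os": "Windows 11"},
    {"hostname": "PRN-3", "device_type": "printer"},
    {"hostname": "10.0.1.77"},  # seen in an ARP cache only; nothing else known
    {"hostname": "web-prod-1", "os": "Ubuntu 22.04", "source": "cloud-api"},
]

# Constructed sample findings; ids are descriptive placeholders, not real advisories.
ISSUES = [
    {"hostname": "DC01", "id": "missing-security-update", "severity": "medium"},
    {"hostname": "WS-0042", "id": "smbv1-enabled", "severity": "critical"},
    {"hostname": "PRN-3", "id": "default-admin-password", "severity": "critical"},
    {"hostname": "10.0.1.77", "id": "telnet-open", "severity": "high"},
    {"hostname": "web-prod-1", "id": "tls-1.0-enabled", "severity": "low"},
]


def label_asset(asset):
    """Derive labels from discovery attributes; fall back to Unknown."""
    labels = set()
    os_name = (asset.get("os") or "").lower()
    if "windows" in os_name:
        labels.add("Windows")
    if any(k in os_name for k in ("linux", "ubuntu", "debian", "rhel")):
        labels.add("Linux")
    if "domain controller" in (asset.get("roles") or []):
        labels.add("Domain Controller")
    if asset.get("device_type") == "printer":
        labels.add("Printer")
    if asset.get("source") == "cloud-api":
        labels.add("Cloud")
    if not labels:
        labels.add("Unknown")
    return labels


def asset_weight(labels):
    """The most sensitive label decides the asset's weight."""
    return max(LABEL_WEIGHT[label] for label in labels)


def prioritize(assets, issues):
    """Return (score, hostname, issue id) tuples, highest risk first;
    ties are broken by hostname and id so the order is stable."""
    weights = {a["hostname"]: asset_weight(label_asset(a)) for a in assets}
    ranked = []
    for issue in issues:
        score = weights[issue["hostname"]] * SEVERITY_SCORE[issue["severity"]]
        ranked.append((score, issue["hostname"], issue["id"]))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset['hostname']:<12} labels={sorted(label_asset(asset))}")
    print("\nMaster prioritized list:")
    for score, host, issue in prioritize(ASSETS, ISSUES):
        print(f"{score:>4}  {host:<12} {issue}")
```

With the constructed data the critical finding on the workstation ranks first, the high-severity finding on the unidentified 10.0.1.77 ranks second because the "Unknown" label is weighted heavily, and the medium finding on the domain controller ties with the critical finding on the printer. The point of the exercise is not the particular numbers but that every finding is scored against the asset it lives on, so staff work from a single list rather than per-asset reports.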

Summary 

Automatic asset and device discovery and inventory is essential for every organization, regardless of size. Not knowing what is on the network immediately opens an attack pathway for an intruder; it is impossible to secure what the IT staff is not aware of. Once built, the asset inventory can be labeled and prioritized, so the resulting prioritized list of security issues clearly directs the IT and security staff to the most exploitable and highest-value assets.

To see what Nanitor finds in your environment, get a free trial.