There’s a lightbulb in the bathroom at home that’s been burnt out for about eight months. It’s always been on the list of things to fix, but I’ve either forgotten about it when at the shops or had more pressing things to do; after all, it wasn’t really a big deal, especially when there are plenty of other bulbs working in the bathroom.
I say ‘wasn’t’ a big deal as things changed. Lockdown happened. Spending all your time at home makes you more aware of the small, and not so small, jobs that need to be done around the house. Previously insignificant home improvement jobs start to play on your mind. The clock on the oven is out by three minutes, the living room door isn’t quite sitting correctly, there’s a small crack in one of the bathroom tiles, one of the kitchen chairs has been wobbly for years. Things you could easily dismiss and ignore before suddenly start to play on your mind, growing until they become critical issues. It’s no surprise that people were queuing outside Ikea for over two hours on the first day after lockdown was eased. (To clarify, I wasn’t one of them!)
I usually go to great lengths to avoid doing the home improvement jobs, hence why the lightbulb has been out for so long, but during lockdown they have often given me a welcome distraction from what’s going on in the outside world. I’ve even got around to tackling the big jobs, the ones I really hate, like cleaning out the garage.
It’s amazing the stuff you find when you do that: old games consoles you’ve not seen in years, records you never knew you had, a million and one Allen keys, an assortment of sports equipment, the traditional tin of quality street from the 80s, now containing screws and wall plugs, cables, and lots and lots of electronic wires and cables.
Whilst some of this stuff is useful, most of it will either end up at the charity shop, or at the tip, but at the end of it all there’s a great sense of satisfaction that you know where everything is and that everything is in order (for now at least).
Organizations aren’t so different and it’s easy to collect a host of information technology ‘stuff’. It’s even easier to lose track of this technology as time goes on – especially as the company grows and people move on, vital knowledge can easily get lost along the way. But when it comes to organizations, the consequences of not knowing what you have or how it may be connected to the outside world can be dangerous, providing malicious threats with a potential way into your networks.
Knowing what you have
One of the fundamental IT security challenges within organizations, especially larger ones, is the shadow IT ‘visibility gap’ between assumed or known infrastructure and what actually exists. Understanding this is a first vital step in developing a robust security posture for an organization. After all, if you don’t know a legitimate device or application exists on your network, how can you properly defend it?
Similarly, if you are missing legitimate devices, you may also be missing unauthorized devices. Could any of these anonymous devices provide backdoors into the network, and leave your infrastructure exposed and vulnerable?
“But I know exactly what I have on my network,” I hear you say. Well, you’d be surprised. There have been plenty of cases where we have heard this, only to discover an unknown device or application on a network during an estate discovery investigation, whether it be a legacy server situated at a remote site, a website that has been put online as a test by an internal department, an IoT device plugged into your network by a member of staff, IT infrastructure inherited as part of an acquisition or an application that was meant to be internal, but is available to the internet. It can be hard to have a full oversight on what’s truly sitting on your network.
Assess the risk, protect or get rid
Like the stuff from my garage, once you know what you have, you need to decide whether it’s still needed. If it is useful to the organization, then you’ll need to take the necessary steps to analyze the security and data compliance risks, and to put in place effective measures that bring it in line with corporate policies. If it’s not useful, then it’s best to remove it from the network and from external view. But how do you go about securing a previously unknown device or application that you wish to keep on the network? Well, it will all depend on what you’ve found and the nature of the data it stores or processes, but there is one standard thing you should be checking as a matter of course. One of the easiest things you can do to improve security of a previously unknown device or application on your network is to make sure you have up-to-date versions of software where possible. If a device or application is running on an old version of software, then it is highly likely there will be security flaws present. Attackers are all too aware of the security vulnerabilities within unpatched software, meaning these could be potentially used to gain entry to a network and to ultimately exploit your organization.
Starting with a clean house
There is no doubting that the coronavirus situation has been terrible. As businesses and as a society, we are likely to face more turbulence as we ease back towards normality, however that normal may look. But before the stresses, strains and ‘busyness’ of this new ‘normal’ take over, I would argue that now is the perfect opportunity to step back, to take a look at some of the jobs we’ve always put off and to prepare our organizations for better times ahead.
Gaining a full understanding of your IT estate should be considered one of these vital jobs and, as a company, we’ve seen first-hand that it’s a job that many organizations have put off over the years. Yes, you want to be doing something more exciting, but it’s not as painful as you may think; we do all the leg work for our clients. And unless you know what you have and what the risks are, you won’t be able to gain the peace of mind that your network is as secure as possible.
Originally published in Computing Security