Network vulnerabilities are everywhere — to find them you simply have to keep your eyes open. But vulnerabilities don’t live in a vacuum, they often occur in conjunction with some other IT security policy or procedure violation, creating a multilayer challenge for the security team.
Recently, Atuf Ghauri, the cybersecurity practice lead at the accounting/consulting firm Mazars, was visiting a large manufacturing client and he noticed that employees had installed their own wireless access points to get faster and stronger LAN connections. Ghauri also noticed that the access points didn’t have any security measures.
When he asked if anyone had told the IT or security team about the consumer-grade devices hanging off the network — devices that bypassed the enterprise's authentication measures and let anyone jump on the LAN without verifying credentials — he was told that no one had. Some were puzzled as to why they would have.
This example perfectly encapsulates one of the most difficult challenges for CISOs trying to master their data and device assets: shadow IT adding devices placed almost randomly on the network, siphoning off untold amounts of sensitive data and storing it wherever. The problem is quite complex, and the solutions can be a difficult medicine for the security staff and employees to swallow.
As the security team tries to build a coherent asset management program, it starts with identifying unauthorized access and device installations; shadow IT might be benign, or it could be placed by a malicious insider or an external criminal element. Then they add in the authorized but seldom-monitored efforts of partners and customers accessing the network, plus the lack of precise tracking of data stored or retrieved from anywhere in the enterprise's landscape because of these shadow IT devices.
Often, once all the efforts begin to build a comprehensive asset management database, the CISO and security teams end up facing a potential asset management nightmare. “Because of the sheer volume of devices, you can’t keep up,” Ghauri says.
Lions and tigers and shadow IT
From a data, application, and potential malware perspective, the asset management situation gets even more frightening. Consider an employee who brings a tablet to work and it is the same tablet that their child uses. Is enterprise security in danger “because of something his kid downloaded on an iPad?” Ghauri asks.
One of the reasons the employees at his manufacturing client opted to attach unreported devices onto the network and not tell anyone was because of budget. There are “political issues” at the company and one reason employees did not call security or IT “is because there are costs associated with it,” Ghauri says.
“Security is only as good as the weakest link and, in the case of IT asset management security, that link is a connected device. Every day a new weak link is introduced to the network and, regardless of the link’s profile and origin, whether it is an IoT lifestyle device, employee personal cell phone, or guest laptop in a conference room — automated inventory discovery, quarantine, and risk mitigation is a must and not a ‘nice to have,'” Ghauri says.
“Ask any CIO how many assets they have, and many may actually know — or have processes in play to tell you quickly — but without automation, that process can’t keep up with the weakest link threat in IT asset management,” he continues. “This process can be driven by authentication logs and DNS; after all, almost every request on a network requires them.”
Ghauri says he is fond of Domain Name System (DNS) tracking and other network traffic logs because they focus on where data is going and where it comes from, even when the originating device itself cannot be identified.
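The discovery approach Ghauri describes, cross-referencing DNS query logs against authentication logs and an asset inventory, as an added example that is not code from the article or from Mazars. The BIND-style query-log lines, the 802.1X/RADIUS-style accounting lines, the inventory, the hostnames and the addresses are all constructed for illustration; the internal zone suffix `.corp.example` is an assumption. Every device that resolves a name shows up in the DNS log, so the script treats that as the device population and then asks two questions of each client IP: did it complete authentication, and is it in the inventory at all.

```python
"""Asset discovery from DNS and authentication logs.

Added example, not code from the article or from Mazars: cross-references
the client IPs that show up in DNS query logs with the IPs that completed
network authentication and with a known-asset inventory, to surface devices
that are on the LAN without having gone through the enterprise's
authentication (the rogue-access-point case) or that are not inventoried
at all. All log lines, hostnames and addresses are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed BIND-style query-log lines (hypothetical hosts and addresses).
DNS_LOG = """\
12-Mar-2024 09:01:12.001 client 10.20.4.17#51234 (erp.corp.example): query: erp.corp.example IN A + (10.20.0.53)
12-Mar-2024 09:01:15.220 client 10.20.4.17#51240 (updates.vendor.example): query: updates.vendor.example IN A + (10.20.0.53)
12-Mar-2024 09:02:03.117 client 10.20.9.201#40012 (fileshare.corp.example): query: fileshare.corp.example IN A + (10.20.0.53)
12-Mar-2024 09:02:07.450 client 10.20.9.201#40015 (mega-upload.example): query: mega-upload.example IN A + (10.20.0.53)
12-Mar-2024 09:03:41.009 client 10.20.4.33#55501 (mail.corp.example): query: mail.corp.example IN A + (10.20.0.53)
12-Mar-2024 09:04:10.330 client 10.20.9.202#40100 (app-store.example): query: app-store.example IN A + (10.20.0.53)
12-Mar-2024 09:05:22.018 client 10.20.4.50#49001 (print.corp.example): query: print.corp.example IN A + (10.20.0.53)
"""

# Constructed 802.1X/RADIUS-style accounting lines: who authenticated from which IP.
AUTH_LOG = """\
2024-03-12T09:00:58Z auth-ok user=j.doe device=LAPTOP-0142 ip=10.20.4.17 method=EAP-TLS
2024-03-12T09:03:30Z auth-ok user=a.smith device=LAPTOP-0209 ip=10.20.4.33 method=EAP-TLS
2024-03-12T09:03:35Z auth-fail user=unknown device=- ip=10.20.9.201 method=EAP-TLS
"""

# Constructed asset inventory (IP -> asset tag). The printer is inventoried
# but never authenticates, which is what a device behind a rogue AP or on an
# unmanaged switch port looks like.
KNOWN_ASSETS: Dict[str, str] = {
    "10.20.4.17": "LAPTOP-0142",
    "10.20.4.33": "LAPTOP-0209",
    "10.20.4.50": "PRINTER-07",
}

CORP_SUFFIX = ".corp.example"   # assumed internal DNS zone

DNS_RE = re.compile(r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \((?P<qname>[^)]+)\)")
AUTH_RE = re.compile(r"\bauth-ok user=(?P<user>\S+) device=(?P<device>\S+) ip=(?P<ip>\S+)")


@dataclass
class Finding:
    ip: str
    status: str                      # authenticated | known-unauthenticated | unknown
    device: Optional[str]
    external_names: List[str] = field(default_factory=list)


def parse_dns(log: str) -> Dict[str, Set[str]]:
    """Map each DNS client IP to the set of names it queried."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            seen[m["ip"]].add(m["qname"].lower().rstrip("."))
    return dict(seen)


def parse_auth(log: str) -> Dict[str, str]:
    """Map each IP that completed authentication to its device name.

    Failed attempts are deliberately ignored: a failed EAP exchange is not
    evidence that the device is authorized.
    """
    authed: Dict[str, str] = {}
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            authed[m["ip"]] = m["device"]
    return authed


def classify(dns_clients: Dict[str, Set[str]], authed: Dict[str, str],
             inventory: Dict[str, str], corp_suffix: str = CORP_SUFFIX) -> Dict[str, Finding]:
    """Classify every IP that touched DNS.

    authenticated          -> passed 802.1X; nothing to do
    known-unauthenticated  -> inventoried but bypassed authentication (rogue AP?)
    unknown                -> not inventoried and never authenticated (shadow IT)
    External names are kept so the analyst can see where the device talked.
    """
    findings: Dict[str, Finding] = {}
    for ip, names in sorted(dns_clients.items()):
        if ip in authed:
            status, device = "authenticated", authed[ip]
        elif ip in inventory:
            status, device = "known-unauthenticated", inventory[ip]
        else:
            status, device = "unknown", None
        external = sorted(n for n in names if not n.endswith(corp_suffix))
        findings[ip] = Finding(ip, status, device, external)
    return findings


def needs_attention(findings: Dict[str, Finding]) -> List[Finding]:
    """Everything that is not a cleanly authenticated device, unknowns first."""
    flagged = [f for f in findings.values() if f.status != "authenticated"]
    return sorted(flagged, key=lambda f: (f.status != "unknown", f.ip))


if __name__ == "__main__":
    report = classify(parse_dns(DNS_LOG), parse_auth(AUTH_LOG), KNOWN_ASSETS)
    for f in needs_attention(report):
        print(f"{f.ip:<14} {f.status:<22} {f.device or '-':<12} external={f.external_names}")
```

On the constructed input this flags 10.20.9.201 and 10.20.9.202 as unknown devices (neither inventoried nor authenticated, and 10.20.9.201 resolved an external file-sharing name after a failed EAP attempt) and the printer at 10.20.4.50 as an inventoried asset that reached the network without authenticating. The caveat that matters in practice is coverage: this only sees devices that use the enterprise resolver, so a device pointed at a public DNS server, or using DNS over HTTPS, never appears in the DNS log at all. Blocking outbound port 53 and DoH endpoints at the perimeter, so that the internal resolver is the only path out, is what makes the DNS log a complete census rather than a sample.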
“What all organizations need to do is deploy a Zero Trust model internally. [They need to] treat corporate networks like the dirty internet, protecting all critical data with layers of controls,” he says. “Gone are the days of hard-on-the-outside and squishy-in-the-middle security. Security needs layers of hardening baked into applications and an all-encompassing framework and process that can effectively mitigate all threats.”
A barrel of network devices
There are other big hurdles for asset management executives, however. A significant challenge they face is incorporating the IT assets of corporate acquisitions for two very distinct reasons. The first is that an acquisition is almost always the single, largest, onetime introduction of new devices and data that the enterprise sees. Incorporating that alone is a daunting task.
Second, the nature of how the acquired company’s executives act and how they tend to operate in the final months before the deal closes can often make for a more lackadaisical approach to asset management. That tends to make the state of systems and data upon their absorption into the new parent company potentially suboptimal.
Often, the acquired company “was probably struggling and they likely weren’t spending much money upgrading systems,” says John Nye, senior director of cybersecurity research and communication at the CynergisTek consulting firm.
As challenging as acquiring another company can be for the asset management team, experts agree the bigger the acquiring company is, the bigger the headaches the team will have. Selling a business unit can be even worse, as the sale potentially can leave barrels of orphaned devices that no one bothered to disconnect, along with untold petabytes of abandoned data that was not deleted. One can easily imagine the potential number of folders full of protected data and massive compliance fines the instant regulators stumble onto them.
Nye says he sees shadow devices similar to those Ghauri noted, especially at manufacturing and construction companies. “They just go to Best Buy and buy 20 routers and then plug them in and use them,” Nye says. The problem Nye sees is not that enterprises lack strict policies against such conduct — almost all have them — but that the policies are not enforced.
The typical approach to giving policies enforcement teeth is to make public examples of employees who are caught violating the policy. Nye notes that perhaps a more effective approach is to fine or charge the department where the violation occurs, thereby giving the line-of-business leader a budgetary reason to enforce the policy directly. It could be characterized as an appropriate punishment, perhaps by labeling the fine “reimbursement” of the labor expended by IT or the security team to chase it down and fix the problems the policy violation creates.
“Charge for the time lost by not following the procedures and it is billed to your department,” Nye says. “Nothing is going to happen until executives buy into it and make it a high priority for the organization. Just stopping the new devices is going to be a big start. They are doing real harm to the organization and there really should be consequences. Make them think twice. That alone would probably eliminate half the shadow IT out there,” he adds.
Nye also points to some mechanisms that have become outdated. One is switch-port security, which ties a device's activity to a specific Ethernet port and is largely irrelevant for wireless access today. Another casualty is the open floor plan, which eliminates the once-useful signal of where in the building a user typically connects to the network; that location is one element of the behavioral analytics used for authentication.
“I might go in on Monday [and] sit at a desk, but next week I might be sitting in a conference room. With port security, you’d be blocked constantly. That’s why we don’t [see] that used as much now,” Nye says.
As for asset management return on investment, Nye says he has seen companies, including a Fortune 500 client, literally give up. The Fortune 500 company “spent millions over the course of two years and never were satisfied.
“They finally gave up because it was just sucking money but not giving any great solutions and no major improvements,” he continues. By instead focusing on smaller line of business requests, at least the company would have had something to show for it.
“It gets extra hard when you have to take this information to the board,” Nye quips. “Asset inventory is really hard to quantify to your board.”