Can you honestly say you know where every asset is located on your network? Most IT professionals, if honest, would say that they do not. Can you really afford not to know where they are?
Having an up to date asset information register is critical in the event of a breach – you need to know where that suspect host is located so it can be isolated and inspected without an infection spreading to the remainder of the network. If a machine is compromised, the last thing you want to be doing is scrambling to find where it is located.
What should an asset list look like?
Every device on your network has an associated IP Address. This is a unique identifier, like a door number in a street, that allows you or someone else to locate where it is, and what it has access to. Similarly, each network address has a default gateway – you can think of this as the only way out of the street – everything needs to pass through here in order to leave. Finally, there’s the subnet mask – you can think of this as a post or ZIP code – the same code can be used for hundreds of door numbers in the same street, and this very principle applies to IP Address information.
Now that we have the networking details, what about the machine itself? After all, a network address is nothing more than a set of numbers, and tells you nothing about the hardware attached to it. Organizations may keep IP Address records (at least, they should do), but unless you know what that address is associated with, how do you know what sort of risk it poses? For example, it could be a printer, server, workstation, laptop, or even a WiFi access point – if you do not keep adequate asset information, then how will you know?
Not having this information to hand can significantly impair your ability to isolate the host, and exacerbate the damage that the breach can cause.
What should be the process?
Every organization should keep an up to date asset register in order to be best equipped when dealing with any address suddenly exhibiting odd behavior. If you know exactly where that asset is, and have all the relevant information, then you are much better placed to respond quickly and effectively. In an ideal situation, an updated inventory should be gathered each time a machine logs in or out of the network, and should be held in a centralized database that can be searched as necessary using any combination of keywords – obviously, the most important is IP Address.
How can this be implemented?
There are a number of utilities that can do this – inevitably, most involve a cost, and are not free. However, one that has been around for a number of years, and is still free (there is a commercial offering as well) is Open-AudIT. The screenshots I’ve included below will give you an indication of what this product can do – it should be noted that even the free product provides a wealth of information that is invaluable in the event of an attack.
Once the product has been installed, it can then be configured to collect data using a custom VBS script that populates a central database. This can then be searched for a wealth of information, including software, hardware, shares, registry, antivirus, and many others. This collection method works well for Windows based PCs, and there are scripts for Linux, ESX, and several others.
What is considered best practice?
Open-AudIT allows you to walk an entire subnet looking for devices, and use NMAP or SNMP (built in) to query them. This is particularly useful, and should be performed on a regular basis (once a week is a suggestion) to see what has appeared on your network. NMAP is capable of probing a device to see what ports are open, and if they respond (like Finger), whilst SNMP will try a number of community names (such as public, private etc) to see if it is able to retrieve information this way.
As part of the logon and logoff Group Policy, all workstations should execute the inventory script. My preference is to execute the script using a wrapper such as AutoIT to hide the process from the user so that they do not attempt to close it (which of course means it will not submit an inventory). Finally, you should schedule weekly scans of your entire Active Directory infrastructure looking for new hosts. If somebody plugs in a new workstation at one of your remote offices, wouldn’t you at least like to know it’s there?
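To show what the register and the weekly reconciliation described above amount to in practice, here is an added example (not part of the original post, and not Open-AudIT’s own code). It assumes a small constructed register of four hosts and a constructed sweep result; the address-plus-mask to CIDR conversion mirrors the “door number and ZIP code” explanation earlier on the page.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Asset:
    ip: str
    hostname: str
    kind: str              # printer, server, workstation, laptop, access point...
    location: str
    last_inventory: date   # last time the logon/logoff script reported in

# Constructed sample register; none of these hosts or addresses is real.
REGISTER = [
    Asset("10.20.1.10", "fileserver01", "server", "HQ rack 3", date(2024, 3, 4)),
    Asset("10.20.1.25", "print-floor2", "printer", "HQ floor 2", date(2024, 3, 1)),
    Asset("10.20.1.40", "ws-alice", "workstation", "HQ floor 1, desk 14", date(2024, 1, 20)),
    Asset("10.20.2.15", "ws-bob", "laptop", "Remote office, desk 2", date(2024, 3, 3)),
]

def subnet_from_mask(ip, mask):
    """Address + dotted subnet mask -> the CIDR block to sweep, e.g. 10.20.1.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

def lookup(register, ip):
    """The incident-response question: what is at this address, and where is it?"""
    return next((a for a in register if a.ip == ip), None)

def reconcile(register, seen, network):
    """Compare the hosts that answered a sweep of `network` with the register.
    Returns (unregistered, missing): addresses that answered but have no entry,
    and registered addresses inside that subnet that did not answer."""
    net = ipaddress.ip_network(network, strict=False)
    known = {a.ip for a in register if ipaddress.ip_address(a.ip) in net}
    unregistered = sorted(set(seen) - known, key=ipaddress.ip_address)
    missing = sorted(known - set(seen), key=ipaddress.ip_address)
    return unregistered, missing

def stale(register, today_iso, max_age_days=7):
    """Hostnames whose logon/logoff inventory has not refreshed within the window."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_age_days)
    return [a.hostname for a in register if a.last_inventory < cutoff]

if __name__ == "__main__":
    sweep = {"10.20.1.10", "10.20.1.25", "10.20.1.99"}   # constructed sweep result
    block = subnet_from_mask("10.20.1.40", "255.255.255.0")
    new, gone = reconcile(REGISTER, sweep, block)
    print(f"{block}: unregistered={new} missing={gone}")
    print("stale inventories:", stale(REGISTER, "2024-03-05"))
```

An address that answers the sweep but has no register entry is exactly the “new workstation at a remote office” case; a registered host that stops answering, or stops reporting in, is worth a look as well.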
As a final point, Open-AudIT also has an RSS feed which can be used to provide regular updates of new equipment that has arrived on the network. Don’t take my word for it – if you don’t have an asset register, you should resolve this shortfall now – it could be your saving grace.
About Mark Cutting
Mark is a network security expert with 27 years of experience in numerous industries. These include manufacturing, engineering, commodity based trading, and finance. Over this time, he has gained extensive knowledge in most areas of IT Infrastructure and Systems Management.