30 Days of IT Compliance Q&A #7: What Devices Were Added to Your Network Yesterday?
This is a question that you may hear during a typical compliance audit. This question applies to many types of IT audits: PCI DSS, HIPAA, SOX, ISO, FERC, NERC, and more.
Why the auditor is asking this question: Auditors ask about things that might show weakness in your processes. If you are unaware of something that will most likely be the thing that hurts your environment in the end. This seemingly basic question can be very difficult to answer if you don’t have the right tools and processes in place.
For example, you may be part of the server group, but you don’t have visibility into the network group and their devices. The network group just installed a new tool that required a web server to be installed on their server. Although they installed the software, they did not install any patches on the web server. You are not aware of the new software or the requirement to have a web server on their server. Now your organization is susceptible to vulnerabilities or attacks on the network server through the unpatched web server.
How to answer this question:
In order to be compliant, you need to know what’s happening throughout the entire environment to know how devices or applications might introduce vulnerabilities or an attack vector into your environment, including: a comprehensive and current list as possible of all of your servers, appliances and network devices; where they are physically located and what and applications and version are running on them; what patches are installed or not installed is critical in order to safeguard your intellectual property.
There are several ways to do this:
- Document all changes on a spreadsheet … a cumbersome and unreliable method
- Use tools like an IP management databases that will ping all of the IP addresses on your subnets and try and resolve the names in your DNS server … but it will not give you any information about what that device is and what is installed and running on it.
- Run NMAP scans to give you information about the type of device it discovered and what ports were open … but you will not know anything about its software and patches on those devices.
- Use patch management software to scan every computer and tell what was install and running … but it will not tell you anything about your network devices like switches, firewalls, IPS, wireless access points, or physical or virtual appliances.
- Use a vulnerability scanner like Nessus or Qualys to do a combination of ping sweeps, and actual attacks to see if your vulnerable to attacks … these solutions are not cheap and could cause outages in your production networks if the attack causes a system to hang.
The best answer …
- Use a Configuration Management Database (CMDB) and completely automate detection of devices, serial numbers, software, patches, IP addresses, interface information, patches, configurations, physical and virtual servers, and topology maps. Using no agents and common access methods like SNMP, SSH, Telnet, WMI, API’s, and logs that automatically populate the CMDB.
Here is some key information you should be able to get out of your CMDB:
- What users were added or removed from my network?
- When are passwords going to expire on your accounts?
- What users have been added to privileged groups?
- What accounts were not used in the last 30, 60, 90 days?
- When was the last time this device was updated?
- What are the differences in two different network configurations?
- Does the CMDB have location information on each device?
- What Patches were install on a particular server(s)?
- When did the patches get installed?
- What software and version is installed and running on a device?
- History on performance and availability of a device.
- How much free disk space do I have on a server?
- Logically categorize and group devices, applications, users, and networks.
- Easily customizable to reflect how your organization is defines and classifies devices?
- No Professional Services required to customize the CMDB?
- Where is a particular process or application is running in your environment?
- Automatically create Layer-3, Layer-2 topology maps?
- Run and create your own reports from information stored in the CMDB?
- Easily export information out of the CMDB (API, PDF, CSV)?
- Reference the CMDB in your rules and reports for Compliance Monitoring, SIEM, and Performance and Availability monitoring.
AccelOps brings all of this information into a single solution linking a CMDB that constantly monitors your environment for changes. Once a change is detected, you can be alerted to take the appropriate action. The CMDB allows for compliance monitoring, SIEM, Log Management, Performance and Availability monitoring. AccelOps comes with over 2,000 rules and reports covering Compliance (PCI, COBIT, ISO, ITIL, GLBA, SOX, GPG13, NERC, FERC), Security, Performance, Availability and Changes.
Want to discuss how a CMDB can make your I.T. Operations and compliance easier? Contact AccelOps to learn more.