While information technology (IT) has evolved dramatically in the past decade—blockchain, artificial intelligence, and the cloud—some organizations continue to have the same network vulnerabilities that were problems 10 years ago. Organizations seem transfixed on the solutions of the future at the expense of basic prevention, leading to a crisis of network hygiene today.
As more of IT managers’ time is consumed with managing outsourced applications and infrastructure, less time remains for equally critical preventive and maintenance activities—the underlying cause of poor network hygiene.
The best advice for improving network hygiene can be borrowed from life advice from Admiral William McRaven (Ret.), who famously advocated the importance of “making your bed” as a simple, elegant act to accomplish a small win and provide a basis for all that follows.
“If you make your bed every morning, you will have accomplished the first task of the day,” he says. “Making your bed will also reinforce the fact that the little things in life matter. If you can’t do the little things right, you’ll never be able to do the big things right.”
No matter how big or small your network may be, there is always time to review the logs for critical application errors, network connectivity issues, failed log-in attempts, and other events. It is the IT equivalent of making the bed.
Depending on your resources, the review process may be automated or manual, on a daily basis for event logs and less frequently for system logs. However, for an IT manager, there is no substitute for, and no greater win than, identifying leading indicators of failure before systems fail.
Make sure your logs are properly configured to yield the data you care about. A faithful review of log activity for security events will be less than useful if unsuccessful log-in attempts are not captured, or if log file size limits are so small that logs are overwritten hourly.
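As an added illustration (not part of the original article), the Python sketch below runs a daily review over OpenSSH-style syslog lines: it counts failed log-ins per source and also warns when the log itself cannot support a review, either because no failures are recorded at all or because the file covers too short a period. The sample lines, the threshold of 3 and the 24-hour minimum span are assumptions chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 12 08:00:01 gw1 sshd[811]: Accepted password for jsmith from 192.0.2.10 port 50122 ssh2
Mar 12 08:14:09 gw1 sshd[902]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Mar 12 08:14:12 gw1 sshd[902]: Failed password for invalid user admin from 203.0.113.5 port 41002 ssh2
Mar 12 08:14:15 gw1 sshd[902]: Failed password for root from 203.0.113.5 port 41003 ssh2
Mar 12 08:40:30 gw1 sshd[950]: Failed password for jsmith from 192.0.2.10 port 50200 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+)"
)

def review(lines, year, threshold=3, min_span_hours=24):
    """Summarize log-in events and flag logs that cannot support a review."""
    failed, stamps, warnings = Counter(), [], []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an sshd password event
        # Classic syslog timestamps carry no year, so the caller supplies it.
        stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        if m["result"] == "Failed":
            failed[m["src"]] += 1
    span = (max(stamps) - min(stamps)).total_seconds() / 3600 if stamps else 0.0
    if not failed:
        warnings.append("no failed log-ins recorded: confirm failures are being logged")
    if span < min_span_hours:
        warnings.append(f"log covers only {span:.1f} h: check size/rotation settings")
    # Sources at or above the threshold are the ones worth a closer look.
    repeat = {src: n for src, n in failed.items() if n >= threshold}
    return {"repeat_sources": repeat, "span_hours": span, "warnings": warnings}

if __name__ == "__main__":
    print(review(SAMPLE_LOG, year=2024))
```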
Regularly ask yourself three questions: What is connected to your network, how is it managed, and is it up to date? This is an effective way to identify problems before a failure. Here are some examples.
No, these aren’t presents, and they aren’t happy surprises. These are networked devices that are a mystery to IT:
They aren’t known, nobody knows how they got there, and nobody knows how long they have been connected.
While often not malicious, these items cause a lot of scrambling as IT tries to find them and determine how they were connected to the network and when.
Solution: Clear “Acceptable Use” policies can help remind users of their responsibilities to control what connects to the network, as can port-detection monitoring tools, which are system controls that block unauthorized access by port or MAC addresses and prevent unauthorized connections in the first place.
Also, never underestimate the value of walking around your environment to see what is out there; it can be an informative exercise. Personal laptops, previously decommissioned hardware, USB drives, external hard drives that were attached years ago for a specific purpose but never removed—all are things that can lurk on your network as vectors for a security attack.
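The "what is connected to your network" question can be answered routinely by reconciling what the network actually sees against the approved inventory. The Python sketch below is an added example, not from the original article; the inventory, the observations (standing in for a switch MAC-table export) and the asset names are constructed, and the MAC addresses come from the documentation range.

```python
import re

def norm_mac(mac):
    """Normalize aa:bb.., AA-BB.. and aabb.ccdd.eeff forms to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed approved inventory (hypothetical asset names), in mixed notations
# as they tend to appear when records come from different tools.
INVENTORY = {
    "00-00-5E-00-53-01": "file server",
    "0000.5e00.5302": "front-desk printer",
    "00:00:5e:00:53:03": "spare laptop (decommissioned?)",
}

# Constructed observations: (MAC, IP, switch port).
OBSERVED = [
    ("00:00:5e:00:53:01", "192.0.2.11", "Gi0/1"),
    ("00:00:5E:00:53:02", "192.0.2.12", "Gi0/2"),
    ("00:00:5e:00:53:aa", "192.0.2.77", "Gi0/9"),
]

def reconcile(inventory, observed):
    """Return (unknown devices on the network, inventory entries not seen)."""
    known = {norm_mac(m): name for m, name in inventory.items()}
    seen = {norm_mac(m): (ip, port) for m, ip, port in observed}
    # Connected but not approved: the devices IT has to go and find.
    unknown = {m: seen[m] for m in sorted(seen.keys() - known.keys())}
    # Approved but absent: candidates for cleanup of the inventory itself.
    not_seen = {m: known[m] for m in sorted(known.keys() - seen.keys())}
    return unknown, not_seen

if __name__ == "__main__":
    unknown, not_seen = reconcile(INVENTORY, OBSERVED)
    print("unknown:", unknown)
    print("not seen:", not_seen)
```

The switch port in each unknown entry tells you where to start the walk-around.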
Think of these as user-generated content, or applications that were installed by users to fit a need at a particular time, without IT input or support. These may be apps or services. Rogue apps are similar to mystery boxes in that they are often missing updates since initial installation. In environments without strong local administrator controls to prevent anyone from downloading and installing apps, this can be a big problem.
Solution: The best practice is to prevent these apps in the first place, through education, policy and periodic scanning. If your users can install Google Toolbar, assume that they can download something more malicious as well.
Nobody wants to suffer through a security incident for want of a readily available patch to address a well-known issue. Even with the advent of automated patch control systems, audits invariably find:
• Patches downloaded but not applied.
• Patching for some systems (such as Windows), but not others (Java).
• Open source software that exists exactly how it was installed in 1999, without any updates.
Solution: If you have systems that are no longer supported, but must remain online, make sure you know the risk and communicate the risk to management. Also, establish a patching regimen that is frequent and tested.
Never assume that things will work indefinitely, especially a patch management system.
Does your company suffer from any of the following commonly observed maladies?
• Using the admin account as a service account.
• Failing to regularly delete unused accounts and services.
• Lacking a defined benchmark for systems deployments (different apps and settings configured by a user, rather than with a security-focused benchmark).
These are common markers of a disorganized IT process, one that requires higher levels of support to address avoidable issues.
Solution: Set up devices as if you will have to troubleshoot them one day. Repeatable processes enable more consistency and better forensics.
As Admiral McRaven wrote, “And if by chance you have a miserable day, you will come home to a bed that is made—that you made. And a made bed gives you encouragement that tomorrow will be better.” Even the best-designed network and best-laid plans will fail at some point. Knowing that your network consists of a known set of patched and supported devices, well-configured to reduce time and effort needed to get to the root cause, is priceless in an emergency.
Network hygiene, because it is so basic and solvable, provides real and sustainable ways to improve network reliability and security. These small tasks, faithfully performed, are invaluable for creating a sound environment to support your business.
Jeff Mansir, CPA, CISA, is a senior manager in the Risk and Business Advisory Practice at Baker Newman Noyes in Manchester. Pat Morin, CPA, CISA, is a principal at the firm and the director of the Risk & Business Advisory Practice. They can be reached at JMansir@bnncpa.com and PMorin@bnncpa.com, respectively.