This time around on Ask The Experts, we have a question from a reader and it got some great responses from the team:
Q: “I need a quick 10 item or less checklist that I can apply to new devices when my company wants to put them on our network. What kinds of things should I do before they get deployed and are in use around the company?”
Bill Hagestad started us off with:
The Top 10 checklist items a CISO/or equivalent authority should effectively manage before installing, configuring and managing new devices on a network includes the following;
1)Organize your staff and prepare them for the overall task of documenting and diagramming your network infrastructure – give them your commander’s network management intent;
2)Create a physical and logical network map – encourage feedback from your team regarding placement of new hardware and software;
3)Use industry standards for your network including physical and logical security, take a good look at NIST Special Publication SP 800-XX Series;
4)Make certain that you and your team are aware of the requisite compliance standards for your business and industry, it will help to ensure you are within legal guidelines before installing new devices or perhaps you may discover the hardware or software you are considering isn’t necessary after all;
5)Ensure that after you have created the necessary network maps for your infrastructure in Step 2) above, conduct a through inventory of all infrastructure which is both critical and important to your business, then document this baseline;
6)Create a hardware/software configuration change procedure; or if you already have his inlace, have your team review it for accuracy; make certain everyone on the team knows to document all changes/moves/additions on the network;
7)Focus not only on the correlation of newly implemented devices on the internal networks but also look at the dependencies and effects on external infrastructure such as voice/data networks – nothing worse than making an internal change to your network and having your Internet go down unnecessarily;
8)Ensure that new network devices being considered integrate gracefully into your existing logging and alerting mechanisms; no need to install something new only to have to recreate the proverbial wheel in order to monitor it;
9)Consider the second & third order effects of newly installed devices on the infrastructure and their potential impact on remote workers and mobile devices used on the network;
10)Install HoneyPoint Security Server (HPSS) to agentlessly & seamlessly monitor external and potential internal threats to your newly configured network….
Of course a very authoritative guide is published by the national Security Agency called appropriately “Manageable Network Plan” and available for download @:
http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf
Jim Klun added:
1. Make sure the device is necessary and not just a whim on the part of management. Explain that each new device increases risk.
2. If the device’s function can be performed by an existing internal service, use that service instead.
3. Inventory new devices by name, IP addresses, function and – most importantly – owners. There should be a device owner and a business owner who can verify continued need for the device. Email those owners regularly, querying them about continued need. Make sure that these folks have an acknowledged role to support the application running on the devices and are accountable for its security.
4. Research the device and the application(s) its support. Have no black boxes in your datacenter. Include an abstract of this in the inventory.
5. Make sure a maintenance program is in place – hold the app and device owner accountable.
6. Do a security audit of the device wehn fully configured. Hit it with vulnerability scanners and make sure that this happens at least quarterly.
7. Make sure monitoring is in place and make very sure all support staff are aware of the device and any alerts it may generate. Do not blind-side the operations staff.
8. If the device can log its activities ( system and application ) to a central log repository, ensure that happens as part of deployment.
9. Make sure the device is properly placed in your network architecture. Internet-exposed systems should be isolated in an Internet DMZ. Systems holding sensitive data should similarly be isolated.
10. Restrict access to the device as narrowly as possible.
Finally.. if you can, for every device in your environment, log its network traffic and create a summary of what is “normal” for that device.
Your first indication of a compromise is often a change in the way a system “talks”.
Adam Hostetler chimed in with:
Will vary a lot depending on device, but here are some suggestions
1. Ensure any default values are changed. Passwords, SNMP strings, wireless settings etc.
2. Disable any unnecessary services
3. Ensure it’s running the latest firmware/OS/software
4. Add the device to your inventory/map, catalog MAC address, owner/admin, etc.
5. Perform a small risk assessment on the device. What kind of risk does it introduce to your environment? Is it worth it?
6. Test and update the device in a separate dev segment, if you have one.
7. Make sure the device fits in with corporate usage policies
8. Perform a vulnerability assessment against the device.
9. Search the internet for any known issues, vulnerabilities or exploits that might effect the device.
- Configure the device to send logs to your logging server or SEIM, if you have one.
And John Davis got the last word by adding:
From a risk management perspective, the most important thing a CISO needs to ensure is in place before new devices are implemented on the network is a formal, documented Systems Development Life Cycle or Change Management program. Having such a program in place means that all changes to the system are planned and documented, that security requirements and risk have been assessed before devices have purchased and installed, that system configuration and maintenance issues have been addressed, that the new devices are included in business continuity planning, that proper testing of devices (before and after implementation on the network) is undertaken and more. If a good SDLC/Change Management program is not in place, CISOs should ensure that development and implementation of the program is given a high priority among the tasks they wish to accomplish.
Whew, that was a great question and there is some amazing advice here from the experts! Thanks for reading, and until next time, stay safe out there!
Got a question for the experts? Give us a shout on Twitter (@microsolved or @lbhuston) and we’ll base a column on your questions!