How Well Do You Know Your IT Environment?
August 3, 2018
Network
Do you know what's in your data center? How about your wide area network (WAN)? If you had to draw a map or produce a list of all the things that are connected to your systems in the next week, could you? It sounds like the simplest of things to have, but more often than not, most people have no idea what's really going on in their IT organization.
Years ago our VAR took on a new client. This client was in the medical field and had a really good idea of the technology in their organization. They knew everything that supported their mission to provide value to their customers. However, the senior engineer from our company that was supporting the client wanted to map the entire infrastructure before we took them on. The client told him that it wasn't necessary. He insisted. He spent weeks mapping out every connection. He looked at every device and traced every cable. He produced a beautiful Visio drawing that ended up hanging in their office for years like a work of art.
What did our senior engineer find out? Well, as it turns out, one big thing he found was a redundant wireless bridge on the roof that was used in the past to connect to a building across the street. When he first discovered it, no one knew what it was supposed to do. It took a few days of questions before he found someone that even remembered the time when the company rented space from the ancillary building and wanted it connected. When we brought up the old equipment to the client's IT team, you can imagine the quizzical looks on people's faces. Well, except for the security team. They were more worried than curious.
Why is it so hard to keep track of things? How is it that rogue equipment can appear in our organization before we realize what's going on? In part, it's because of the mentality that we've had for so long that things need to "just work." Instead of creating port security profiles and alerting people when someone plugs a device into the network, we instead choose to enable everything in case someone moves a computer or needs an additional drop activated. Instead of treating our user space as a hostile environment, we open it up in the hopes that our users don't call us for little things that need to be dealt with. This leads to us finding all kinds of fun things plugged into the network causing havoc by the end of the day.
Likewise, we also don't have a good plan for adding equipment behind the scenes. How many times has a vendor offered a proof-of-concept (PoC) trial of equipment and plugged it directly into the network? I'm sure that some of you out there with an Infosec background are probably turning colors right now, but I've seen it more times than I care to count. Rather than taking the time to test equipment with good testing data, the vendor would rather test the equipment against live workloads and push traffic through a PoC to show everyone what it really looks like or how easy their equipment really is to work with.
If you don't know what you're working with in your IT environment, you might as well be trying to work with a blindfold on. You may have switches running as the root of a spanning tree that are from the last century. You may have older virtualized hosts that aren't getting patched any more. You may even find that someone has installed nefarious hardware or software to collect data without your knowledge. And all of that pales in comparison to what might happen if you work in a regulated environment and find out someone has been quietly exfiltrating data around a firewall because you don't have proper controls in place to prevent it.
How well do you know your IT organization? Do you know it well enough to point out every blinking light? If you had to disappear tomorrow, would your co-workers know it as well as you? Do you document like your replacement will come looking for you when things go wrong?