“Is that what you’re going to say to the auditor?”

/by

Today’s tale from the trench is brought to you by Brad Schwab, Senior Security Solutions Consultant.

 

In the high-stakes world of security operations, one question looms larger than most: Are you sure you’re scanning the entire network? It seems straightforward, but for any team dealing with a network of significant scale, answering this question can be a daunting task.

During a pivotal meeting with stakeholders of a large health organization, the focus was squarely on the performance and security of the network. As discussions turned to the scanning program, the head of security operations confidently outlined the procedures in place to ensure comprehensive scanning—scanning that covered the entire network. Wait, scanning that covered the entire network? This is when my skepticism crept in.

“How do you know you’re scanning the entire network?” I interjected, addressing the elephant in the room. The head of security operations deflected to the head of network operations, claiming his assurance. “[Head of network operations] said I could…” she asserted.

Turning to the head of network operations, I couldn’t resist a quip: “Is that what you’re going to say to the auditor? ‘He said I could’?” Though we shared a solid working relationship, I couldn’t let such a critical issue slide with mere assurance. And it was clear that the others in the room shared my same concerns.

With a blend of humor and seriousness, I delved into the complexities and uncertainties inherent in ensuring comprehensive network scanning. Questions rained down from the attendees, making it clear that a deeper exploration of their scanning protocols was necessary to instill confidence in the organization’s security measures. I began to outline critical considerations:

  • Does the scanner have a complete list of all IP space on the network that needs scanned?
  • Are there any overlapping subnets? If so, that overlapped portion of a subnet is not visible to the scanner, thus, creating a possible hiding place for a bad actor.
  • Is there a duplicate IP space in the network? This creates blind spots to any scanner.
  • And finally, the hard part of the answer, does the scanner have logical access to the entire network? Even if the scanner is trying to scan a network subnet, if the network architecture via Access Control Lists and Routing is blocking the access or not granting the access, the scan won’t be complete. On top of that, you will get no indication from the scanner that the scan didn’t work.

Beyond the logical access issue, no one had thought about the other issues. I then explained how RedSeal automatically looks for subnets that have no scan data, thus possibly not part of the IP list giving to the scanner. Also, overlapping subnets and colliding IP space is revealed as a RedSeal finding. Finally, I also explained how a RedSeal Access Query combined with our “show what is missing” feature can give you a list of everything that the scanner can’t reach because of network architecture.

I ended my explanation with “these features will give you comprehensive documentation of complete scanner coverage for your upcoming audit(s)…”

After less than a few days of work, we had provided a list to both network operations and security operations of additions and changes required by both teams to make their vulnerability program complete.

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure.

Reach out to RedSeal or schedule a demo today.