Those devices hidden in your closet CAN hurt you

I recently took over responsibility for IT at my church, an urban congregation with around 500 members, just finishing its first year in a new facility. Most of their core network gear is, as with most other smaller organizations, stuck in a closet which is also used for storage. Recently, I surveyed the equipment in that closet, which by appearance did not amount to much. After a more detailed review, the closet actually contained eight networked devices, including three Internet gateways, a firewall, a managed network switch, an access point, and some miscellaneous equipment. 

I also used NMAP to survey the building, and found numerous other networked devices, including the usual mix of printers/copiers, access points, and digital signage displays. Overall, this relatively small church with a staff of 12 had over 40 networked devices, not counting PCs. There was of course no inventory of all of the devices in use. 

In my experience working with customers in the business world, the situation is much the same, with gear in one or more closets, and scattered throughout the organization. The items usually are installed gradually over time, and company personnel quickly lose track of what is connected. 

This ad hoc approach to network management is an issue for various reasons, not the least of which is the possibility of vulnerabilities in the devices exposing the organization to attack. Network devices have in the past been the focus of attacks, but that has been expanding of late, given the advent of what the industry refers to generically as the Internet of Things (IoT). This term refers to all equipment, other than core network gear, that connects to a network. 

Some years ago, DuPont used the slogan “better living through chemistry.” In today’s world, a key slogan seems to be “better living through IoT.” We are told that connecting anything and everything to the network will make our lives happier and better. The potential exposure is bad enough by itself, and made worse because such devices are often user installed without the knowledge or consent of the IT function. 

The increased presence of IoT will likely benefit all of us in some way, and will help fuel business growth for some time. A recent study published by George Mason University projected that the economic impact of IoT would be between $2.7 trillion and $6.2 trillion per year by 2025. I do not dispute the value of IoT in the business world, or at home. My issue with networked devices in general is the assumption that they can be installed and forgotten. 

In fact, any of these networked devices can become a gateway for unauthorized network access, or loss of privacy, if not monitored and maintained. We get warnings about new vulnerabilities, and the firmware releases that fix them, almost daily. These range from major issues with core network equipment, such as the Arris cable modem back doors just discovered, to privacy issues at home, like the hacking of toy company Vtech, exposing the chats by kids, as well as their pictures, to public view.

So, how do you address the problem of such devices, and their vulnerabilities, creeping into the network without being managed?  Here are some thoughts: 

Discover what you have

In the likely event that you have unknown network devices, there is no perfect substitute for a physical survey of the equipment you can visualize. This can be somewhat impractical for a large building, and can miss items hidden well. To help, there are tools, such as NMAP mentioned above, which can can survey your network, and in many cases identify the devices connected. I recommend that both approaches be used. 

Track your devices

Once you know what devices are connected, you need to maintain a list, including model number, address and location. This can be as simple as creating a spreadsheet. For larger and more complex organizations, a variety of tracking tools exist, including functionality built into the venerable Spiceworks. 

Restrict device connections

One of the challenges related to IoT is the fact that any user can connect a device themselves, which you may not realize until you recheck your network survey. Short of guards at the doors, here is no easy solution for this problem. One possible approach is to use your DHCP server, which issues addresses to devices on a network, to restrict addresses to known devices, based on the MAC address. With this approach, an unauthorized device connected to the network will not function without intervention by the network manager. 

Keep up with firmware and vulnerabilities

Probably the single most difficult aspect of network device management is keeping up with firmware versions and vulnerabilities. This is manageable for one or two devices, but when you have many devices, this can be a major consumer of time. Some devices can be set to upgrade their firmware automatically, which unfortunately has disadvantages as well.  While monitoring each vendor’s website for issues can be useful, vendors are often not the first to report issues. Independent sources, such as US CERT and Security Tracker, provide information for a broad range of products, which you can check against your inventory.  

Bottom line — if you don’t track and maintain your hidden devices, the likelihood of you experiencing a security incident increases daily. As the saying goes, pay me now, or pay me later.