Why your organization needs to do network auditing
Network auditing is a must for any organization. Networks are dynamic entities; they grow, shrink, change and divide themselves continuously. Network administrators cannot even assume this process is entirely under their control. Users add devices and sometimes even new hardware to the network infrastructure. Worse still, it is hardly unheard of for a user to install software they need without informing the administrator. These activities can have drastic repercussions on network security. To address this, an administrator needs to perform regular network auditing and monitor any changes against the preset baseline.
Network auditing is a process in which your network is mapped both in terms of software and hardware. The process can be daunting if done manually, but luckily some tools can help automate a large part of the process. The administrator needs to know what machines and devices are connected to the network. He should also know what operating systems are running and to what service pack/patch level. Another point on the checklist should be what user accounts and groups are on each machine as well as what shares are available and to whom. A good network audit will also include what hardware makes up each machine, what policies affect that machine and whether it is a physical or a virtual machine. The more detailed the specification the better.
Once the machines running on the network are mapped, the administrator should then move on to auditing what software is running on each of the machines. This can be done manually, through an application, or simply by asking each machine owner to run a script that automatically catalogues applications and sends the administrator an email with a report of the software installed. After the software inventory is done, the process can then catalogue the services which are installed, which are running and which are stopped. The audit for the machines can be finalized by noting which ports each machine listens on and what software is actually running at the time of the audit.
Once the administrator concludes auditing the computers on the network, s/he can move on to cataloguing the devices. These can include printers, fax machines, routers, access points, network storage and any other device that has connectivity with the network. Once this is done, the network audit would be complete, but the data will now need to be analyzed. Is any machine running unauthorized software or hardware? Is any machine lacking necessary patches? After these and other relevant questions to each specific network are addressed and machines that weren’t up to standard are brought in line, the administrator now has an effective security/inventory baseline for all machines on the network.
Where should an administrator go from here?
So what can the information gathered through the network audit be used for? Network auditing tools can be set to run an audit automatically on a schedule, for example every Friday. These weekly reports can then be used to monitor changes on the network, based on the baseline the administrator would have created, and report changes when they occur. The administrator can then enforce proper change management policies on the network. He/she would also be able to detect and take action against unauthorized software/hardware that might potentially jeopardize the network’s security, or even put the company at risk of legal action as the user installing this software might not have the necessary licenses.
A regular security audit can potentially detect theft; some users might decide a fraction of the memory available on their workstation might be put to better use at home, for example. Another common case is when a user might think it wouldn't be a problem to buy a wireless access point and connect it at work to get internet connectivity on a mobile phone. This process can also help the administrator know if users disabled the company antivirus or uninstalled any other security software on their systems.
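The baseline comparison described in the paragraphs above can be sketched as follows. This is an added example, not code from the article or from any particular auditing tool; the host names, field names and snapshot values are constructed for illustration.

```python
# Constructed audit snapshots; host names and field names are assumptions.
BASELINE = {
    "ws-014": {"os": "Windows 10", "memory_mb": 16384, "ports": [135, 445],
               "software": ["Office", "AV Agent"], "services": ["AVService", "Spooler"]},
    "prn-02": {"os": "printer-fw 4.1", "memory_mb": 256, "ports": [9100],
               "software": [], "services": []},
}
FRIDAY = {
    "ws-014": {"os": "Windows 10", "memory_mb": 8192, "ports": [135, 445, 6881],
               "software": ["Office", "TorrentClient"], "services": ["Spooler"]},
    "ap-unknown": {"os": "unknown", "memory_mb": 0, "ports": [80],
                   "software": [], "services": []},
}

LIST_FIELDS = ("software", "services", "ports")   # compared as sets
SCALAR_FIELDS = ("os", "memory_mb")               # compared for equality


def diff_audit(baseline, current):
    """Return (host, change, detail) tuples for every deviation from the baseline."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host), current.get(host)
        if old is None:        # device that was never audited before
            findings.append((host, "new_host", None))
            continue
        if new is None:        # audited device absent from this scan
            findings.append((host, "missing_host", None))
            continue
        for field in LIST_FIELDS:
            before, after = set(old.get(field, [])), set(new.get(field, []))
            findings += [(host, field + "_added", x) for x in sorted(after - before)]
            findings += [(host, field + "_removed", x) for x in sorted(before - after)]
        for field in SCALAR_FIELDS:
            if old.get(field) != new.get(field):
                findings.append((host, field + "_changed",
                                 (old.get(field), new.get(field))))
    return findings


if __name__ == "__main__":
    for host, change, detail in diff_audit(BASELINE, FRIDAY):
        print(f"{host:12} {change:20} {detail}")
```

On the constructed data the report flags the unknown access point, the missing printer, the removed antivirus agent and service, the new software and listening port, and the halved memory on `ws-014`.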
All in all, network auditing is important for any administrator. Networks change dynamically both through the actions of the administrator and without his or her intervention. Regular network auditing is the only way an administrator can keep up with changes to the network under care.










A fantastic point. How can you know how secure your network is if you can't compare its present incarnation to its initial setting and most secure state? Regular auditing of changes can give an administrator an absolute grip on what needs to be done in order to keep the network tidy and safe. Should be a totally regular practice.
Thanks for a great article. The human element is always the most uncontrollable. Now that laptops, netbooks, smart phones and tablets are becoming so prevalent, employees, customers and visitors will always be bringing devices onto the premises and they may connect them to the network.
@ Freddie James, I couldn't agree more about baselines… but I wonder if running the baseline comparison during the week would be better (than on Friday evening) as any rogue laptops etc will most likely be taken away at the weekend.
Thank you both for your kind words, I am glad you liked the article.
Regarding monitoring of rogue laptops or other devices that might be connected for a brief time to the network and subsequently disconnected, scheduled base scanning can be a bit tricky as the scheduled scan needs to execute at a time when the rogue device is connected to the network.
However, there are options; you could run a scanner that continuously monitors ARP traffic and reports new MAC addresses or, even though less reliable, you can monitor the DHCP leases.
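The DHCP-lease option mentioned in the reply above, as an added example that is not part of the original comment or article. It assumes the DHCP server writes a lease file in ISC dhcpd.leases syntax; the sample leases and the known-MAC baseline are constructed.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax (assumed server; not from the page).
SAMPLE_LEASES = '''
lease 192.168.1.50 {
  starts 4 2024/01/04 09:12:01;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "ws-014";
}
lease 192.168.1.77 {
  starts 4 2024/01/04 10:03:40;
  hardware ethernet AA:BB:CC:00:00:01;
  client-hostname "android-phone";
}
lease 192.168.1.78 {
  binding state free;
}
lease 192.168.1.77 {
  starts 4 2024/01/04 14:03:40;
  hardware ethernet aa:bb:cc:00:00:01;
}
'''
KNOWN_MACS = {"00:11:22:33:44:55"}  # constructed baseline from the last audit

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\n\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
START_RE = re.compile(r"starts\s+\d\s+([\d/]+ [\d:]+);")


def unknown_devices(lease_text, known_macs):
    """Map each MAC that is not in the baseline to what the lease file says about it."""
    known = {m.lower() for m in known_macs}
    seen = {}
    for ip, body in LEASE_RE.findall(lease_text):
        mac = MAC_RE.search(body)
        if not mac:                      # free leases carry no hardware address
            continue
        mac = mac.group(1).lower()       # normalise case before comparing
        if mac in known:
            continue
        entry = seen.setdefault(
            mac, {"ip": ip, "hostname": None, "first_seen": None, "leases": 0})
        entry["leases"] += 1
        entry["ip"] = ip                 # later entries in the file supersede earlier ones
        host, start = HOST_RE.search(body), START_RE.search(body)
        if host:
            entry["hostname"] = host.group(1)
        if start and entry["first_seen"] is None:
            entry["first_seen"] = start.group(1)
    return seen
```

Devices configured with a static address never request a lease and so never appear in this file, which is one reason to pair it with ARP monitoring.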
Usually, IT managers / administrators and CTOs are only concerned with software auditing. With so many software vendors increasing their auditing activities, we can’t blame them. However, based on my experience as a network admin for an SME for more than five years, we should also not forget about network auditing. This system encompasses all IT-based management, such as software metering / auditing and license management.
Companies that are looking for more ways to save more financial resources should look into network auditing.
In one of the companies I used to work for (but for obvious reasons I won't name it), some of my colleagues in another office didn't know they had a server with a particular IP and when a guy from our office asked them to check if the server was down (because obviously it was down at least for us and we can distinguish a dead server from a running one, methinks), this was such a shock for them because nobody knew where the damned thing was physically located. I suppose that the poor server might have run away from admins like them but since they had hardly ever done an audit, it was hard to tell where the server was hiding.
I was really shocked by the fact that you can be totally ignorant about the devices in your network but after I spent some more time with the company and saw much more shocking things, this experience didn’t look that shocking any more.
Hi Tana,
I can see such stories happening; most systems are automated nowadays – meaning they don't require maintenance to work. As such, if you ignore security you'll end up in a situation where administrators leave and new ones are employed, and systems that do not cause any issues get forgotten.
If existent systems are forgotten I think we can safely assume there is no way such companies will realize why foreign hardware is introduced, be it key loggers or wireless access points.
A story comes to mind in which a post office suffered a break-in; an investigation found nothing missing, in fact there was an access point added! Investigators then found out this access point was meant to capture transactions and steal financial data.
I cannot stress enough how important it is for an administrator to know exactly what hardware there is on his/her network!