Do You Really Know Your Network?

How well do you know your IT infrastructure? Who is communicating with whom across your network backbone? What systems are bandwidth starved? With legacy systems, PII data, hundreds of networks, complicated databases, hybrid clouds, data warehouses, countless mobile devices and outsourced functions needing 7x24 access, how do you determine what's truly secure? As we prepare for the new Internet of Things (IoT) era, here are some questions that need answers now.

by / July 19, 2015
Shutterstock/Fotovika

So you think you know your enterprise IT infrastructure pretty well. Really?

OK – Pop quiz. Don’t worry. Only three questions, but with multiple parts to each question:

1) How many devices do you have on your agency and enterprise networks?

a. Can you name them with IP address, basic function and applications running?
b. How many devices connect via wireless access points?
c. What do you do when you discover an unknown or unauthorized connection or app running?
d. Who reports when operational systems go down? How? To whom?

2) Do you have an accurate network diagram showing all infrastructure connectivity?

a. What systems or functions are permitted to communicate with other systems by policy?
b. Where is your policy? Do you train employees to follow policies and procedures?
c. Is your policy enforced? How?
d. How do you authorize and manage exceptions to policy?

3) How do know when someone (or something) gains unauthorized access to data?

a. What data is most sensitive and how is it protected?
b. How do you manage identities and provision system access across disparate networks?
c. Who is looking at the logs, monitoring traffic and managing security alarms?
d. What processes and procedures explain how to declare that a security incident has occurred that needs to be investigated? Who owns these functions (name a person or two)?
e. Can you account for 100 percent of the network traffic? If not, how do you resolve the traffic not accounted for?

All done. So how did you do?

If you answered all these questions successfully, you can take the rest of the day off. :)

Yep. You can go home right now – but only if you have complete, correct answers for 100 percent of these questions for the entire enterprise and not just your small piece of your department’s network. Oh, and you need your management team as well as external and internal auditors to agree and sign-off that everything is in good shape and consistently updated perfectly.

Dreaded Risk Assessments, E-Discovery and Enterprisewide Audits of IT

The truth is that no large public- or private-sector enterprise can answer these questions accurately 100 percent of the time for every one of their networks, systems, people, processes and all data. The questions may even seem like an unfair anchor around the necks of CxOs nationwide, and just going through the questions may bring back negative memories.

If these questions looks familiar, that's not surprising. I basically summarized key audit questions along with the typical opening checklist to enterprise-wide risk assessments that CIOs and CISOs see in your traditional “As Is, To Be, Gap Analysis” sessions every few years.

In my experience, your team is above average if you can answer more than 80 percent of these questions accurately. The Deloitte-NASCIO Cybersecurity Study published last year identified major gaps in knowledge about network and security protections in place with many government leaders feeling uncomfortable in offering specific numbers. (Note: Oftentimes, technology teams can answer questions for their specific role or group or network – but not for their wider enterprises.)

Another difficulty to overcome is that hardware, firmware and application software is changing constantly in large complex networks that are evolving. Answers are given for a moment in time, but gaining a true picture of all the moving parts is very difficult – even for the best technology teams with years of experience.

Exceptional network management requires a robust ITIL framework that is working well, along with pros that really understand their strengths and weaknesses in each core discipline. For example, you need database experts, network experts, system administration experts, security experts, great project managers, programmers who test code well, secure applications, tools from competing vendors that all work together as a united team.

And yes, there is a lot at stake. As Steve Riley pointed out in Virtual-Strategy Magazine a few months back,

CIOs are often forced to make mission-critical infrastructure decisions without insight into which applications are being successfully delivered, which aren’t, which personnel are using them, and over which network paths. If they can collect and analyze that data, they can more easily identify the causes of performance issues, and address them more quickly and efficiently.

In addition, the security implications are huge. If you don’t know “what is normal” how can you possibly identify dangerous hackers, unauthorized applications or concerning behaviors of insiders? How can your team restore systems or get data back to “normal” after system or network outages like the big halt experienced on Wall Street a few weeks ago? The challenge is immense, especially when you consider that a hacker only needs to be right once.

This video describes one of the related challenges faced by technology infrastructure teams that often reveal infrastructure weaknesses in people, process and technology – e-discovery. Even though this is an IBM video – the same challenges are faced across multiple vendors, governments and platforms.

Three Red Flags to Watch Out for in 2015

In addition, there are some recent warning signs that raise additional red flags. Sadly these challenges are increasing the network management stakes to even higher levels in mid-2015, whereas the items spoken up to this point can be traced back decades. Nevertheless, it is true these items have always been with us – especially in hot tech markets with skills shortages.

1) Staff turnover problem is getting worse amongst technology staff. While every organization needs fresh blood and young talent, the number of veteran technology professional changing jobs, leaving companies and governments or retiring right now is a major concern. In this hot security job market, many experts are looking for greener pastures. Also, baby boomers are seeking second careers and taking their years of experience with them.

TIP: Make sure that cross-training occurs and clear roles and responsibilities are documented – along with clear policies and operational procedures.

2) Shadow IT is growing along with rogue cloud computing usage that the tech team knows little about and may be out of control. As this GCN article points out:

Many organizations and government agencies have not made the move to cloud yet, or have done so only hesitantly. And perhaps they are fooling themselves in thinking they have this transition under control, and that they’ll be able to manage the security implications.

Skyhigh Networks took a look at this, using anonymized, actual usage data collected from public sector organizations in both the United States and Canada. In its Cloud Adoption and Risk in Government report for the first quarter of this year, Skyhigh discovered, among other things, that government on average was underestimating the use of cloud services by its employees more than ten-fold.

When they asked government IT officials what services they thought employees were using, they’d come up with anything in between 60 and 80, he said. The Skyhigh study found the average public sector organization uses 742 separate and unique cloud services.

TIP: Solutions to this issue include increasing visibility with a cloud access security broker (CASB).

3) Excellent vendor and contract management skills are lacking in government. Government CxOs who face extreme challenges in these infrastructure areas often like to bring in private-sector partners as an "easy fix." Of course, there’s nothing wrong with the expert from out of town coming in to help or using contractors.

But while partnering with external solution providers can certainly help, remember that accountability and responsibility for results and outcomes always live with the data owners and CxO involved. Simply stated: You can outsource the function but not the responsibility.

Keep in mind that your acquisition team’s skills and abilities are key in technology partnerships. Here’s an excerpt from a January 2015 article from GovExec.com Magazine:

The buyers of products and services across government are not receiving the fresh training or modern skill sets needed to innovate and acquire the complex technology called for in today’s agency missions, according to a survey of federal acquisition employees released on Thursday.

“The acquisition workforce’s skills in areas such as business acumen, negotiation, risk mitigation and understanding complex information technology fall well short of what acquisition professionals say is required,” said Stan Soloway, president and CEO of the Professional Services Council. PSC and Grant Thornton prepared the seventh edition of a biannual survey titled “A Closing Window: Are We Missing the Opportunity for Change?”

Another recent article from Enterprise Technology Magazine points out that contractors often do not have the same long-term perspective regarding infrastructure, with many operational contracts written from a standpoint of “if the equipment isn’t broken, leave it alone.” This quote from the article is telling:

Networks in the Americas are among the most vulnerable and dated, the solution provider’s annual Network Barometer Report said. Almost three-fourths cannot support organizations’ expanding reliance on mobility and 79 percent do not support IPv6, it found. Of these, 48 percent require a simple software upgrade to become IPv6-ready, Dimension Data found. Unlike other nations, which saw security vulnerabilities drop, the percentage of devices with at least one vulnerability rose to 73 percent from 67 percent this year in the Americas, Dimension Data’s study found.

Final Thoughts

While this blog may seem somewhat depressing, there is certainly hope for the future.

Recent breaches and the international emphasis on critical infrastructure protection is helping to raise awareness of the importance of technology infrastructure improvements. Many organizations are currently building “next-generation” networks with new projects that are well funded.

There are numerous frameworks, checklists and solution providers to help. The recent OPM breaches in the federal government are causing new thinking and a higher priority to these essential network architecture topics.

What’s my main point? Don’t waste any opportunity to reinvent your network or infrastructure when you get the chance.

And, in the meantime, get to know your network a little better – right now.

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso