Friday, November 7, 2014

AAaaaannnnnnd....We're back

OK, three years ago I moved, thought I was going to be without a job for a while, and started a security blog to help me learn network and computer security. Immediately after starting the blog I got a job that took ALL my time and focus. Now I have moved again, but am keeping my job. In the intervening years I have learned a great deal about computer and network security. I'm going to attempt to keep a regular blog for the purpose of gathering my thoughts on the subject. So let's start:

1) DO NOT go to security conferences until you have the basics down. (Basics to be covered next time.)
2) DO read and listen to topic-specific news on the subject daily.
3) NEVER assume, or even think, that you're done.

In the end, the basics are simple but HUGELY important and ridiculously time consuming. I do not claim to have them down perfectly, I do not claim to have them fully understood. I am working on them and I invite you to work along with me.

Step one: INVENTORY

Do you know what you have in your environment? Do you know what it does? What's on your network? What does your network even look like? All these things and more go into your inventory. Why? Because you can't fix or secure what you don't even know you have.

Here is how I did my first (yes, I have more than one) inventory. I happen to have a system for endpoint management already in place, but you can use something like SpiceWorks ( http://www.spiceworks.com/ ) if you have nothing else to help with all of this. It does not replace a physical inventory, but it speeds up much of the software legwork.
1) I grabbed a simple IP scanner (angryIP at the time, http://angryip.org/ ; there are better and more complete tools out there, but for a first effort it's not bad) and scanned my known network (let's say 10.0.0.1/24). Then, because I had a sneaking suspicion, I
   a) scanned the entire block (10.0.0.0/8) in pieces, and
   b) scanned common blocks (e.g. 192.168.0.0 and 172.16.0.0) as well.
Those steps won't necessarily provide useful information for everyone, but I did find items on the network that were not known to have connectivity before this. I exported all of it to Excel, more for the MAC addresses than the IPs, which I knew would change.
2) I did a walkabout. I walked from room to room, noting machines, network drops, equipment, APs and anything else that fell into my world. This data went into the same spreadsheet.
3) I started matching up data where I could, so I could see what holes were left in my knowledge. Which MAC addresses did I not have? Which ones did I have that I could not place?
4) Servers came next, specifically: what software did I have on them? What ports did each piece of software use?
5) Then I returned to the desktops. Using my management tools, I collected a list of all installed software.
6) Switches and APs were then plotted: what connects to what, in which building and room, drop and port? What firmware versions? What OSes?
7) Firewall rules: I listed them all out and made a data flow diagram showing what inspections are made on data coming in and going out.
8) Collate and report: turning the spreadsheet and diagrams into usable data is hard and time consuming. For one thing, at this point you don't even know for certain what is important. For me, I made an install count of software. I found that certain items were installed everywhere, others in only some places, and others were one-off installs. Those lists made it much easier to find issues and make changes later on.
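As an added example (my own code, not the author's spreadsheet), here is the matching from step 3 and the install count from step 8 done in Python. The three CSV strings are constructed stand-ins for the scanner export, the walkabout sheet and the management tool's software list; every MAC, host and package name in them is made up.

```python
import csv
import io
from collections import Counter

# Constructed sample data standing in for the author's exports: an IP-scanner
# export (step 1) and the walkabout sheet (step 2). None of it is real.
SCAN_CSV = """ip,mac,hostname
10.0.0.10,AA:BB:CC:00:00:01,fileserver
10.0.0.25,aa:bb:cc:00:00:02,
10.0.0.31,aa:bb:cc:00:00:03,printer-2f
192.168.0.7,aa:bb:cc:00:00:04,
"""
WALKABOUT_CSV = """room,mac,description
Server room,aa:bb:cc:00:00:01,file server
2F hallway,aa:bb:cc:00:00:03,MFP printer
1F reception,aa:bb:cc:00:00:05,reception PC (powered off)
"""
# Constructed per-host software list, as a management tool would export it (step 5).
SOFTWARE_CSV = """host,software
fileserver,Endpoint Agent
fileserver,Backup Agent
ws-01,Endpoint Agent
ws-01,Office Suite
ws-02,Endpoint Agent
ws-02,Office Suite
"""

def norm_mac(mac):
    """Normalise MAC spelling so exports from different tools compare equal."""
    return mac.strip().lower().replace("-", ":")

def reconcile(scan_csv, walk_csv):
    """Step 3: MACs seen on the wire but not placed in a room, and the reverse."""
    scanned = {norm_mac(r["mac"]) for r in csv.DictReader(io.StringIO(scan_csv))}
    placed = {norm_mac(r["mac"]) for r in csv.DictReader(io.StringIO(walk_csv))}
    return sorted(scanned - placed), sorted(placed - scanned)

def install_counts(software_csv):
    """Step 8: per-package install count, classed as everywhere / partial / one-off."""
    rows = list(csv.DictReader(io.StringIO(software_csv)))
    hosts = {r["host"] for r in rows}
    counts = Counter(r["software"] for r in rows)
    def klass(n):
        return "everywhere" if n == len(hosts) else "one-off" if n == 1 else "partial"
    return {name: (n, klass(n)) for name, n in counts.items()}

if __name__ == "__main__":
    print(reconcile(SCAN_CSV, WALKABOUT_CSV))
    print(install_counts(SOFTWARE_CSV))
```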
I made sure to list all my hardware with as much data as possible on a single sheet, then I used VLOOKUPs to create lists of hardware based on specific criteria in other sheets. This meant I only needed to update one list to get updated data in all lists. I did much the same for software. All of this took the better part of two weeks to do properly, while handling support and maintenance duties at the same time. Now I have given you a taste of step one. Next time I will list out all the basics as I see them. Then we will continue to talk about how I approached it, what tools I used, which podcasts and news feeds I keep an eye/ear on, and where it all goes next. Your comments and constructive criticism are very much welcome.
