Solving IT Audit Findings

IT audit findings have driven many organizations to deploy Great Bay Software. Common audit findings include:

Audit finding:

Inability to detect and eliminate rogue endpoints such as wireless LAN access points, devices brought from home, hubs, devices added to conference rooms, etc. Detecting rogue endpoints is central to auditors' approach today, and while this problem space is currently referred to as BYOD, the challenge is far broader than whether someone wants to bring their iPad to work. Further, the focus on wireless networks is only the first audit finding. As soon as this one is addressed, that same auditor will submit a new finding, this time for the wired network.


Resolution:

Automatically generate and maintain a comprehensive database of all wired and wireless endpoints. Detecting rogue endpoints across the whole network is critical, as opposed to just detecting rogues in the wireless domain. After all, most rogue access points in the enterprise network are connected via an Ethernet cable so that they can provide WLAN services to the user(s). Devices brought from home can also be detected on the wired and/or wireless networks and can be differentiated from devices belonging to the enterprise by their membership in Active Directory, participation in enterprise services such as patch management, or registration in a Mobile Device Management system.


Audit finding:

Inability to detect, and defend against, MAC address spoofing. This is a favorite tactic for auditors and penetration testers: copy the MAC address of an enterprise device such as a printer (whose MAC address can be found on a test page or on the sticker on the back of the printer) and gain network access. They might not be able to do much, but they can 'see' a lot.

Resolution:

Continuously monitor the behavior and machine-centric attributes of network endpoints, detect changes in that behavior, and respond by resetting that device's connection to the network, sending an event to a SIEM platform, or removing that device from the network entirely. Great Bay has been helping customers resolve this particular audit finding for years, and in most cases the deployment of Beacon is the only activity undertaken between the issuing of the audit finding and its resolution.
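The detection logic described above, as an added illustration that is not Great Bay's or Beacon's own code: each known MAC address carries a baseline profile of machine-centric attributes (the attribute names, the baseline entries and the observation records are all constructed for this example), and a batch of fresh observations is turned into SIEM-style events with a response action. A printer's MAC address that suddenly presents a Windows DHCP vendor class, a Windows TTL and SMB/RDP services is the spoofing case the finding describes.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass(frozen=True)
class Endpoint:  # machine-centric attributes observed for one MAC address
    mac: str
    switch_port: str          # access port the MAC was learned on
    dhcp_vendor_class: str    # DHCP option 60 text, e.g. "HP Printer", "MSFT 5.0"
    ip_ttl: int               # initial IP TTL seen in its traffic (OS-dependent)
    services: frozenset[str]  # services the endpoint has been seen offering

# Constructed baseline profiles, standing in for what a deployment learns over time.
BASELINE: dict[str, Endpoint] = {
    "00:11:22:aa:bb:01": Endpoint("00:11:22:aa:bb:01", "Gi1/0/12", "HP Printer", 64, frozenset({"9100/tcp", "631/tcp"})),
    "00:11:22:aa:bb:02": Endpoint("00:11:22:aa:bb:02", "Gi1/0/20", "MSFT 5.0", 128, frozenset({"445/tcp"})),
}

def attribute_drift(base: Endpoint, now: Endpoint) -> list[str]:
    # Every machine-centric attribute that no longer matches the baseline profile
    reasons = []
    if now.dhcp_vendor_class != base.dhcp_vendor_class:
        reasons.append(f"dhcp_vendor_class {base.dhcp_vendor_class!r} -> {now.dhcp_vendor_class!r}")
    if now.ip_ttl != base.ip_ttl:
        reasons.append(f"ip_ttl {base.ip_ttl} -> {now.ip_ttl}")
    if now.services - base.services:
        reasons.append("new services: " + ", ".join(sorted(now.services - base.services)))
    if now.switch_port != base.switch_port:
        reasons.append(f"switch_port {base.switch_port} -> {now.switch_port}")
    return reasons

def evaluate(observed: list[Endpoint], baseline: dict[str, Endpoint] = BASELINE) -> list[dict]:
    # Turn a batch of observations into SIEM-style events, each with a response action
    events = []
    for ep in observed:
        base = baseline.get(ep.mac)
        if base is None:  # not in the endpoint database at all: a candidate rogue
            events.append({"mac": ep.mac, "severity": "medium", "action": "notify_siem",
                           "reasons": ["MAC not in endpoint database"]})
            continue
        reasons = attribute_drift(base, ep)
        if not reasons:
            continue
        # One change may be a legitimate move or upgrade; several at once on a device whose
        # profile should never change is the MAC-spoofing signature, so escalate the response.
        severity = "high" if len(reasons) >= 2 else "medium"
        action = "quarantine_port" if severity == "high" else "reset_port"
        events.append({"mac": ep.mac, "severity": severity, "action": action, "reasons": reasons})
    return events

# Constructed observations: the printer's MAC now carries Windows attributes and SMB/RDP.
OBSERVED = [
    Endpoint("00:11:22:aa:bb:01", "Gi1/0/12", "MSFT 5.0", 128, frozenset({"445/tcp", "3389/tcp"})),
    Endpoint("00:11:22:aa:bb:02", "Gi1/0/20", "MSFT 5.0", 128, frozenset({"445/tcp"})),
    Endpoint("de:ad:be:ef:00:01", "Gi1/0/31", "android-dhcp-13", 64, frozenset()),
]
```

Running `evaluate(OBSERVED)` yields a high-severity quarantine event for the printer's MAC (three drifted attributes), nothing for the unchanged workstation, and a notify-only event for the MAC that is absent from the endpoint database.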


Audit finding:

Inability to detect wireless access points and devices brought in by employees on the wired network. Many of the best-known IT security compromises, the ones where companies lost vast amounts of money, have one thing in common: they all involved the placement of a device in the network, connected via an Ethernet cable, to perform the desired task. Today's wireless networks are very commonly well secured relative to the wired network. Conference room ports, guest cubes, and ports left unoccupied as a result of upgrades or replacement of devices offer countless opportunities to add devices without the consent of IT. Many of these are non-malicious (gaming systems, security cameras, departmental marketing, etc.), but all can result in an audit finding when the questions commence about how you monitor and secure the network edge.

Resolution:

Differentiate enterprise-owned endpoints by aggregating information from multiple sources in the IT system, such as AD, MDM, network management, and network behavior, to construct a database of all enterprise endpoints. Once established, existing change control systems and workflows are leveraged for the addition of access points to the network, while all other WLAN endpoints are detected and either disconnected from the network or become the source of notification and event data. Importantly, this solution detects devices on the wired and wireless network and not just those that exist in the RF space. The explosion of wireless LANs has rendered information from RF-only solutions difficult to quantify and less important, since those devices are not necessarily on the network. Beacon, meanwhile, detects devices that are actually on the network, which is the data required to differentiate wireless endpoints that happen to share the same RF space from those that are being leveraged to access enterprise services.