You Can't Protect What You Don't Know
By Justin C Miller
Imagine you're placed into a crowd of people at a park and asked to make sure that none of the PII those people are carrying leaves the park. The problem is you don't know which people have PII with them and which don't. You also don't know what types of PII they might be carrying (driver's license? Credit card? Medicare card? Social Security card? A post-it note with their bank PIN?). You don't know where they've stored their PII (in a purse? On their iPhone? Rolled up in a ball in their pocket?). And, for that matter, you don't even know which people in the crowd are the good guys and which are the bad guys.
Welcome to the world of information security! Protecting stuff you don't know or understand is messy, perhaps impossible.
In order to protect your environment, you need to know it inside and out, better than any other person or department in your company. You need the big-picture understanding of what you have, how important each thing you have is, and how at risk each item is.
I've built a starter list of 10 lists of things to know in order to adequately protect your environment. I encourage you to dig deeper and collect even more information, but this should be a good start for you. It's also worth noting that if you're doing ITIL and Change Management correctly, then you should already have a beautiful CMDB that holds a lot of this information. But if you don't, here are some places to start ...
1.) Subnets - what does your network topology look like, and which address ranges belong to which zones?
2.) Servers - in each subnet, what servers exist, and who owns each one?
3.) Applications - what is each server used for, and what applications (and versions) are running on it?
4.) Network devices - what devices (switches, routers, firewalls, load balancers) exist that allow your servers to talk?
5.) Workstations - what user devices exist?
6.) Users - what users log in to your systems, and with what level of access?
7.) External Entities - what other applications, users, servers, etc. play a role in your environment but exist outside your realm? (Examples: external hosting, cloud services, business partners)
8.) Public Knowledge - recon yourself from the outside and determine what information is already public knowledge (Examples: Google search results, public records, externally exposed devices)
9.) Enemies - know who might have a hostile attitude towards you, including competitors, political foes, past employees, etc.
10.) Vulnerabilities - use all the information above, such as application versions and server operating systems, together with vulnerability scans of your environment, to determine a list of what vulnerabilities exist in your environment
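The lists above only pay off when you correlate them: a host that is not in any documented subnet, a server nobody owns, or a known application version that falls below a fixed release is exactly the kind of thing you "don't know" until the lists are joined. The following Python script is an added example (not code from the original post or any product it mentions) that joins lists 1, 2, 3 and 10 into a tiny inventory and reports those three gaps. Every subnet, IP address, hostname, version and advisory ID in it is a constructed placeholder, not a real network or a real advisory.

```python
"""Correlate subnets, hosts, applications and version-based advisories.

Added example; all data here is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# List 1: documented subnets (constructed placeholders)
KNOWN_SUBNETS = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
    "servers": ipaddress.ip_network("10.10.1.0/24"),
    "users": ipaddress.ip_network("10.10.20.0/22"),
}

# Lists 2, 3 and 5: hosts as a scan or agent might report them (constructed)
OBSERVED_HOSTS = [
    {"ip": "203.0.113.10", "name": "web01", "owner": "webteam",
     "apps": {"nginx": "1.4.6"}},
    {"ip": "10.10.1.15", "name": "db01", "owner": "dba",
     "apps": {"postgresql": "9.3.2"}},
    {"ip": "10.10.1.40", "name": "", "owner": None,       # nobody claims this box
     "apps": {"openssh": "5.3"}},
    {"ip": "10.10.22.7", "name": "ws-alice", "owner": "alice", "apps": {}},
    {"ip": "192.168.99.5", "name": "pi-lab", "owner": None,  # not in any known subnet
     "apps": {"openssh": "6.6"}},
]

# List 10: "versions below X are affected" records (constructed placeholder IDs,
# not real advisories; in practice these come from a scanner or vendor feed)
ADVISORIES = [
    {"id": "ADV-0001", "app": "nginx", "fixed_in": "1.5.0"},
    {"id": "ADV-0002", "app": "openssh", "fixed_in": "6.0"},
]


def version_tuple(version):
    """'1.4.6' -> (1, 4, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def subnet_of(ip, subnets):
    """Return the name of the documented subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in subnets.items():
        if addr in net:
            return name
    return None


def build_inventory(hosts, subnets, advisories):
    """Group hosts by subnet and return (by_subnet, findings).

    findings is a list of (ip, kind, detail) where kind is one of
    'unknown_subnet', 'no_owner' or 'vulnerable'.
    """
    by_subnet = defaultdict(list)
    findings = []
    for host in hosts:
        subnet = subnet_of(host["ip"], subnets)
        by_subnet[subnet or "UNKNOWN"].append(host["ip"])
        if subnet is None:
            findings.append((host["ip"], "unknown_subnet",
                             "not inside any documented subnet (list 1)"))
        if not host.get("owner"):
            findings.append((host["ip"], "no_owner",
                             "no accountable owner recorded (lists 2/3)"))
        for app, version in host["apps"].items():
            for adv in advisories:
                if adv["app"] == app and \
                        version_tuple(version) < version_tuple(adv["fixed_in"]):
                    findings.append((host["ip"], "vulnerable",
                                     f"{app} {version} < {adv['fixed_in']} ({adv['id']})"))
    return dict(by_subnet), findings


def main():
    by_subnet, findings = build_inventory(OBSERVED_HOSTS, KNOWN_SUBNETS, ADVISORIES)
    for name, ips in sorted(by_subnet.items()):
        print(f"{name:8s} {', '.join(ips)}")
    for ip, kind, detail in findings:
        print(f"{ip:15s} {kind:15s} {detail}")


if __name__ == "__main__":
    main()
```

Run as-is it prints the four subnet buckets (including UNKNOWN) and five findings: the DMZ web server behind its fixed release, the unowned server that is also behind on OpenSSH, and the lab host that is both unowned and outside every documented subnet. Swapping the constructed dictionaries for a real subnet list, a scan export and a vulnerability feed is the whole point: the logic does not change, only the data you actually know.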
The 10 lists above will become crucial reference points as you attempt to manage your next incident, socialize your next policy, or perform your next risk assessment. You can't protect what you don't know ... So get out there and start KNOWING :-)
Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.