ANYONE IN THE BUSINESS of defending computer networks, which of course is all of us, knows that attackers have the advantage over the long run. To secure a network, we must secure every device and potential entry point, plus educate some challenging end users. The attackers need find only one entry point, or trick just one person. Addressing this requires both a tactical approach to security and the strategic application of carefully chosen solutions.
In this four-part series, we’ll look at strategic solutions for advanced security, the associated issues, and how Net Sciences manages each in turn. We will first cover vulnerability scanning and new device alerting here. Upcoming topics will include firewall log analysis and response services from a SOC or SIEM; providing simple, secure remote access without the exposure of open ports or the complexity of provisioning and supporting SSL VPN access; and managing in-place encryption for all devices.
Step 1: Looking for Holes
As we head into 2020, it is safe to assume that any competent MSP delivers on the basics: patching of Microsoft and other software, effective endpoint protection, and a solid unified threat management device providing defense of the gateway, preferably including content filtering. Most of us also deliver additional services such as DNS filtering (delivered both inside and outside the network by means of agent installs), user training and test phishing, and perhaps dark web monitoring as well. At Net Sciences, these are the features of our Basic Security Package that everyone gets.
But what aren’t we covering here? The answer is, quite a lot. First, we must find missing patches, deprecated protocols, and other such issues before bad actors do. New device alerting is great too. Let’s start here.
Step 2: Filling the Holes
I was looking for a way to “check on our work” by scanning for internal vulnerabilities and retired protocols. I was also looking into how to address issues related to IoT (Internet of Things, aka Internet of Threats) and realized that I wanted to go beyond isolating them by VLAN. I wanted to be alerted when new devices were added to our networks, but sought a kinder, gentler answer than angering clients by blocking new MAC addresses. Finally, I was hoping to find a way to discover default credentials on networked devices.
There was no shortage of options here, but each one was either limited in scope or too complex or costly for SMB deployment. From solutions built into RMM tools to dedicated software tools such as Auvik, each seemed to be either too narrow in scope or not priced in a manner I could work with. Services such as those provided by Rapid7 and Tripwire were clearly too costly for smaller SMB deployments. Nothing covered all the bases and seemed to fit just right. Then I chanced across a little-known name in our space: Nodeware from Infinite Group.
Delivered as either a VM or a tiny Intel NUC-based appliance, Nodeware offers continuous internal vulnerability scanning services priced at a point that allowed us to deliver and package it very easily. Nodeware also finds default device credentials and alerts us to the addition of a new MAC on any monitored subnet. And as a final added benefit, you can schedule external vulnerability scans as well for external IPs of your choosing. These scans are no substitute for a true penetration test but are easier than running open source tools on your own.
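The new-MAC alerting described above, as an added illustration rather than Nodeware's own code or output: a known-device baseline per monitored subnet is compared against a fresh neighbour-table snapshot, and anything unfamiliar is reported (not blocked). The baseline and the `ip neigh`-style snapshot are constructed sample data.

```python
"""Alert-only new device detection per monitored subnet (added example)."""
import ipaddress
import re

# Constructed baseline: MACs already inventoried on each monitored subnet.
BASELINE = {
    "10.10.20.0/24": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "10.10.30.0/24": {"aa:bb:cc:00:00:10"},
}

# Constructed snapshot in the style of Linux `ip neigh` output.
SNAPSHOT = """\
10.10.20.5 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.10.20.9 dev eth0 lladdr de:ad:be:ef:01:02 STALE
10.10.30.7 dev eth1 lladdr aa:bb:cc:00:00:10 REACHABLE
10.10.30.200 dev eth1 lladdr 00:11:22:33:44:55 REACHABLE
10.10.40.3 dev eth2 lladdr 66:77:88:99:aa:bb REACHABLE
10.10.20.2 dev eth0 FAILED
"""

# IP, then the link-layer address; entries without lladdr (e.g. FAILED) will not match.
LINE_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.IGNORECASE)


def parse_neigh(text):
    """Yield (ip, mac) pairs from neighbour-table text, skipping incomplete entries."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2).lower()


def find_new_devices(baseline, snapshot_text):
    """Return {subnet: [(ip, mac), ...]} for MACs absent from that subnet's baseline.

    Addresses outside every monitored subnet are ignored. Nothing is blocked;
    the caller decides how to notify, which keeps the client-friendly posture.
    """
    nets = {ipaddress.ip_network(s): known for s, known in baseline.items()}
    alerts = {}
    for ip, mac in parse_neigh(snapshot_text):
        for net, known in nets.items():
            if ip in net and mac not in known:
                alerts.setdefault(str(net), []).append((str(ip), mac))
    return alerts


def format_alerts(alerts):
    """One human-readable line per new device, suitable for a ticket or email."""
    return [f"NEW DEVICE on {net}: {ip} ({mac})"
            for net, hits in alerts.items() for ip, mac in hits]


if __name__ == "__main__":
    for line in format_alerts(find_new_devices(BASELINE, SNAPSHOT)):
        print(line)
```

Promoting a MAC into the baseline after a technician confirms it is what turns a one-off alert into a maintained inventory.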