Sage Advice from a PLEX Admin…

I am often called to a network where a new administrator has taken over and is feeling overwhelmed. Managing a new network can be daunting. With so many unknowns to consider, it can be hard to know where to start. Many administrators new to a network often become so overwhelmed that they end up without a productive path toward a better-protected network. In such situations I am often asked “Where would you start?”

In my experience the most essential first step to take is to have a solid inventory of the network. Not just a network map, not just a list of important servers, but a full inventory. All systems on the network, the IP addresses, the open ports, the operating systems, the installed software, the patches, and the versions of each.

This might seem basic, but this is the root of a well-protected network. No matter the budget, no matter the nature of the network, you can and must have an accurate inventory to defend and protect the network. This inventory can be accomplished without buying expensive tools, and in fact is accomplished best with free tools or even scripts using commands built into the operating system.

A favorite tool for gathering a network inventory is the open source tool Nmap (https://www.nmap.org), which is available for almost every operating system. Nmap is a very powerful tool and much more than just a network scanner; getting good with the tool’s many features is a very good use of time. Nmap is able to gather IP addresses and ports, and even detect operating systems, in basic scans. More advanced scans with Nmap can detect known vulnerabilities. Once a network inventory is collected and the known IP addresses, open ports, and operating systems of the network-attached devices are tracked, attention can be paid to the software loaded on each system.

Knowing the software installed on each system on the network can help prevent virus outbreaks and even ransomware, which might take advantage of known vulnerabilities in installed applications. Collecting the list of installed applications on each computer can easily be done via a script in Windows. Examples of such scripts can be found on the MSDN web page ( https://msdn.microsoft.com/en-us/library/aa394588(v=vs.85).aspx ). Once a list of known applications is collected, make it a priority to standardize upon specific applications and keep those standard applications updated. The privilege of installing applications comes with the responsibility to keep those applications up to date.

This is especially important with software which interacts with the web browser or handles attachments from email messages. Common targets of malicious software typically include web browser plugins and common office software. Allowing the use of the software dictates the need to keep such software up to date. If the organization cannot afford to continuously buy upgrades for a specific commercial application, then it might be best to seek an alternative whose maintenance costs the organization can afford, so that it can be kept updated. Allowing an old application to be installed because the newest version is too expensive opens a door for trouble to enter the network freely.

Another good tool to run on all systems is Autorunsc ( https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ), which gathers the software that runs each time a computer is booted or logged into. This tool runs at the command line and can be scripted to run on multiple machines and to save data to a central location. When malicious software such as a virus gains a foothold on a system, use of this tool will make the malicious software more recognizable. Look across all systems for unique entries which might indicate something only running on one system on the network. Malicious software often attempts to hide and blend into the infected computer, but in a unique way, such as with a unique misspelling of a Windows system file.
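One way to look across all systems for unique entries, as an added example that is not part of the original article: it counts how many hosts share each autostart entry and reports the ones seen on a single host. The host names, the three CSV column names, and the sample rows are assumptions constructed for illustration; match the column names to the header of your own Autorunsc CSV export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: one CSV export per host, keyed by host name.
# The column names are assumptions; use the header from your own export.
HEADER = "Entry Location,Entry,Image Path\n"
COMMON = r"""HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe
HKLM\System\CurrentControlSet\Services,Spooler,C:\Windows\System32\spoolsv.exe
"""
ODD = r"""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,C:\Users\Public\svch0st.exe
"""
SAMPLE = {
    "ws-01": HEADER + COMMON,
    "ws-02": HEADER + COMMON.lower(),  # same entries, different letter case
    "ws-03": HEADER + COMMON + ODD,    # one entry no other host has
}


def load_entries(csv_text):
    """Return the set of case-normalized autostart entries in one export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        (r["Entry Location"].casefold(), r["Entry"].casefold(),
         r["Image Path"].casefold())
        for r in rows
        if r.get("Image Path")  # skip rows with no file behind them
    }


def rare_entries(exports, max_hosts=1):
    """Map each entry seen on at most max_hosts hosts to those hosts."""
    seen = defaultdict(set)
    for host, text in exports.items():
        for entry in load_entries(text):
            seen[entry].add(host)
    return {e: sorted(h) for e, h in seen.items() if len(h) <= max_hosts}


if __name__ == "__main__":
    for (location, name, path), hosts in sorted(rare_entries(SAMPLE).items()):
        print(f"{', '.join(hosts)}: {name} -> {path} [{location}]")
```

Paths are compared case-insensitively because Windows treats them that way; without that step, the same file would count as a different entry on each host that spells it differently.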

Finally, network administrators need to know the patch level of each system on the network. This applies to all systems, not just the obvious Windows systems but also firmware on printers, network appliances, video conference and telephone systems, and even network equipment like routers and switches. The method to detect the patch level might be as simple as a script on Windows or Linux, or a more complicated manual check on an appliance. But any system could be the target of an attack, and software patches correct known vulnerabilities. Keeping installed software up to date and patching all of the systems on the network must be a top priority. Knowing the patch level of each system can at least inform management when a known issue is discovered, such as with Heartbleed or the more recent WannaCry ransomware. Knowing a system might be vulnerable can help direct response efforts to limit potential damage.

No matter the tool or technology, it is important to use the tool regularly and consistently. Store the output and track changes between uses of the tools to understand the changes to the network over time. Be curious and investigate each change that seems strange, because it could be a crucial clue to discover an intrusion.
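Tracking changes between two stored Nmap scans, as an added example that is not part of the original article: it turns each scan's XML output (the file Nmap writes with `-oX`) into an inventory of hosts and open ports, then lists what appeared or disappeared. The two scans, the addresses, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the XML layout Nmap writes with -oX, trimmed to the
# elements read below. Addresses come from the 192.0.2.0/24 documentation range.
SCAN_OLD = """<nmaprun><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
</ports></host></nmaprun>"""
SCAN_NEW = """<nmaprun><host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="closed"/></port>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host><host><status state="up"/>
<address addr="192.0.2.77" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
</ports></host></nmaprun>"""


def inventory(xml_text):
    """Map each live IPv4 address to the set of its open (protocol, port) pairs."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        if addr is None or status is None or status.get("state") != "up":
            continue
        hosts[addr.get("addr")] = {
            (p.get("protocol"), int(p.get("portid")))
            for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        }
    return hosts


def diff(old, new):
    """Return sorted (kind, ip, detail) tuples describing what changed."""
    fmt = lambda ports: ",".join(f"{proto}/{n}" for proto, n in sorted(ports))
    changes = [("new-host", ip, fmt(new[ip])) for ip in new.keys() - old.keys()]
    changes += [("gone-host", ip, fmt(old[ip])) for ip in old.keys() - new.keys()]
    for ip in old.keys() & new.keys():
        changes += [("opened", ip, fmt([p])) for p in new[ip] - old[ip]]
        changes += [("closed", ip, fmt([p])) for p in old[ip] - new[ip]]
    return sorted(changes)


if __name__ == "__main__":
    for change in diff(inventory(SCAN_OLD), inventory(SCAN_NEW)):
        print(*change)
```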