This article is the first in a series in which we get “back to the basics” of cybersecurity and discuss low-cost and no-cost methods and tools that a business can use to improve their security posture. Cybersecurity is often viewed as a complex and costly part of a company’s overall Information Technology program, but I’m happy to tell you that this doesn’t (always) have to be the case. A lot of what goes into building a strong security foundation can be broken down into just a few core tenants, which we will explore in future articles. We will start the series by exploring ways that a business can take concrete steps to gain visibility into what systems and devices are connected to their networks.
Know What Is On Your Network
There’s an adage in cybersecurity that goes, “you can’t secure something if you don’t know about it”. In 2023, with the use of public clouds at an all-time high and a remote/hybrid workforce being the new normal, this has never been more true. It is not uncommon today for a business to have workloads in multiple cloud environments, leverage cloud-based email and file storage services, allow employees to work from their homes (or anywhere), and permit the use of employee-owned devices to access work resources. In short, the list of things that are now effectively “on your network” is as long as it is varied. With so many devices and workloads present across a variety of environments, how can an organization hope to maintain a high level of security?
The answer, as we’ll see several times in this article series, will depend greatly on the amount of resources (staffing and budget) that an organization is willing to dedicate to the problem, and the cybersecurity program in general. Cybersecurity professionals need to find accurate and at least semi-automated methods to keep track. This series is aimed at organizations that need to do more with less, so we will focus on low-cost and no-cost options that can address each challenge. In the rest of this article, we will look at one method to quickly identify the IT devices connected to a business Local Area Network (LAN).
Even with many employees working remotely and much of business IT infrastructure being run out in a hosted cloud environment these days, it is still common to have company offices with internal wired and wireless LAN networks. If a hacker is able to guess or steal the company Wi-Fi password, or connect to an accessible wired network port (perhaps in a company waiting room or external security camera housing), they can often bypass a significant amount of enterprise security protections. This could allow them to connect directly to on-site company servers, transit VPN connections to company data centers, or even bypass Multi-Factor Authentication (MFA) protections if they are relaxed for employees working in the office.
It is also not uncommon for employees themselves to bring in personal devices and connect those to a company’s internal network. Such might include a simple home Wi-Fi router that an employee installs covertly to boost their wireless connection strength or allow them connect personal devices to steal bandwidth. Or it could be something more nefarious, like a LAN Turtle or similar “implant” device, giving hackers 24/7 access to the company network from the comfort of their homes. Such untrusted devices can introduce any number of vulnerabilities and/or provide a backdoor into an otherwise secure company LAN. These so-called “insider threats” are a major concern for companies that have not taken steps to lock down access to internal networks and audit connected devices.
Early in my cybersecurity career, I had a coworker who had previously worked at a major Minnesota-based utility company. He was hired to help build out their cybersecurity program but, upon his arrival, he found that the company did not have a very mature security toolset. He learned that their primary method of identifying rogue devices and untrusted applications was to run regular network scans, perhaps as often as once per day, and save the results for historical comparison. If a new device or application showed up on Friday’s scan that wasn’t present on Thursday, they would open a security ticket and investigate. While this approach seemed immature and error-prone at the time, my security work at a number of other organizations since has taught me that each org has to start its cybersecurity journey somewhere, and manual network scanning is better than no network auditing at all.
Nmap: The Network Mapper
Ask any cybersecurity professional what the best no-cost network scanning tool is and you will likely get the same answer: Nmap. Nmap (the “Network Mapper”) is a free and open-source tool that has been around for decades. While it is primarily a command-line tool, Nmap also has a graphical interface (called “Zenmap”) available that can ease the learning curve for new users. Whether you opt for the command-line or graphical version, Nmap is very straightforward to use. Essentially, you just need to provide a list of network addresses (or entire networks) to scan and then indicate what type(s) of information about discovered devices you want to collect. At its simplest, Nmap can send a single “ping” request to each address on a given network and take note of which ones returned a response. Here is an example of such a “discovery” scan run from the command line:
I have highlighted the actual Nmap command in the screenshot. As you can see, there is not really much to it. We simply called the “nmap” command, added the “-sn” parameter that instructs Nmap to only try to discover connected devices but not do a deeper assessment of each, and then provided a network address range in “CIDR” notation: 172.31.2.0/24. This is a shorthand for all addresses between 172.31.2.0 – 172.31.2.255. As we can see, only two devices responded to say that they are online and available for communication across the network: 172.31.2.68 and 172.31.2.109. Thinking back to my former coworker at the power company, we could repeat this scan regularly and compare the results. If the network we were scanning was home to mostly servers and network devices (which don’t often shut down or change their network addresses) and some new devices started responding, we might want to investigate further and determine whether each new device is authorized to be on the network.
Now that we have located several active devices on our local network, we can run a follow-up scan to see what types of devices they are and what applications/services they are hosting. This requires only a small modification to our Nmap command: instead of the “-sn” parameter we used earlier to do a simple discovery scan, we now enter “-sV” instead, which will run a discovery scan and then audit each active device to try and determine what it is and what services it has available:
With the additional information in these scan results, we can see that we appear to have two Linux servers on the network. Both look to have several network services open, including a remote secure shell (SSH), a web server (HTTP), and a remote desktop session (VNC/X11). Nmap even shows us the specific application names and versions listening on each open port. While this example used a simple and small-scale network, Nmap is entirely capable of scanning thousands of network addresses at once. And Nmap is just as capable in cloud network environments as it is scanning on-premises LANs, so these same skills can be applied to a company’s presence in Amazon Web Services, Microsoft Azure, etc. Moreover, with a little time devoted to learning the command line syntax, Nmap scans can be launched from batch files, Python or PowerShell scripts, and other IT automation utilities. Nmap also supports exporting scan results to several formats that can (with a little effort) be imported into Microsoft Excel and used to create useful reports.
If this all seems a little arcane and confusing, don’t worry. Nmap has excellent online documentation with many example usage patterns to get you up and running with the tool. There is also a small army of cybersecurity enthusiasts making video tutorials for Nmap if you prefer to follow along with live examples. Even with much more user-friendly (and more expensive) network scanning applications available from commercial vendors, there is a reason that Nmap continues to be a key tool in most security professionals’ toolboxes. And for a company looking to take some initial steps into improving its network security, Nmap provides a powerful and free utility that can help them get started.
In the next installment of this series, I will explore how we can audit business systems and networks for user accounts and other types of credentials. For the same reasons that it’s important to know what devices are connected to a company network, it is equally important to have visibility into who is using company IT resources. Thanks for reading!
By Scott Rysdahl