Steps to Secure Non-PC Devices
Applying the standard of complete mediation to non-PC/non-server devices requires some planning.
1. Obtain a mandate from the highest level of management, ideally the CEO or the CFO, to secure these devices. Although it may seem obvious, without a high-level mandate it will be much harder to achieve complete mediation. A plan without the proper mandate will inevitably be bypassed by a staffer somewhere along the line, and you could end up the scapegoat in a serious security incident.
2. Perform a complete physical inventory audit of all authorized network-connected devices. Have a policy about how to deal with authorized and unauthorized devices. Your organization's security policy must require all staff members to seek written permission before any new devices can be connected to the network, and that includes IT! The policy must also state that all unapproved devices that are discovered on the network will be disconnected and confiscated.
3. Conduct a network scan to discover all devices and identify known vulnerabilities. You can use open-source network scanning tools or commercial tools. Be sure to deploy a scanning tool that fingerprints the operating system by observing how the device's network stack responds to probes, not just by reading the banner it advertises. This is important because some device makers alter the OS banner to display the vendor's name rather than the true OS; a scanner that probes no deeper than the banner will miss critical vulnerabilities in the underlying operating system. Make sure you get written permission prior to testing, and provide a second written alert to decision makers just prior to running your scan. After you identify unauthorized devices, locate them, disconnect them, and confiscate them.
4. Review the documentation from the manufacturers on how to access these devices. Document all factory-default user names and passwords. Many Web sites, including www.cyberpunkcafe.com, provide this information. Conduct Web searches for back doors on the devices you have on your network. Again, with proper written permission prior to testing and a second alert to decision makers, test the default passwords and back doors against the devices on your network to see if you can penetrate them.
5. Determine how to patch and update your non-PC devices. You'll probably need to discuss this with your device vendors and do research online. Patching non-PC devices is not as simple as applying Windows patches. Some require special cables that must be physically connected to the device. Some devices will have a vulnerability in the underlying operating system, but the vendor will not have provided a “branded” patch. The time to research and test your own patching of, say, Apache on a printer is before a critical vulnerability is discovered, not the day the vendor tells you “we don't have a patch yet for that.”
6. Make sure your logging infrastructure is capturing the logs from these devices. Many non-PC devices have logging capabilities, but due to limited memory, they do not store the logs for long periods of time. Many can send logs to a logging server. Add procedures to your security policies that require, whenever possible, the forwarding of all non-PC device logs to a logging host that is well-hardened.
Yet just having logs is not enough. Your policy must also have provisions for reviewing the logs on a daily or weekly basis. There are software tools that assist in managing logs of all types, and these tools are an important element in protecting confidential information. Your policy should also include off-site backup of these logs, as they are part of your critical backups in the event of an incident.
7. Create a process for the introduction and auditing of all new non-PC devices that are added to the enterprise. That process must also include periodic scanning of the existing devices and checking for unapproved non-PC devices newly added to the network. Vendors such as Qualys and Core Security bundle free, easy-to-use mapping tools with their scanning products that let you run unlimited mapping scans of all network segments, so you can identify every network-aware device on your network.
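The discovery and reconciliation work in steps 2, 3 and 7 can be scripted so that every rescan is compared against the physical inventory rather than eyeballed. The following is an added example, not code from the original article: it reads nmap's XML output (assumed to come from a run such as nmap -sV -O -oX scan.xml, which emits the host, address, ports/service and os/osmatch/osclass elements used below), compares each live host against a constructed authorized-device inventory keyed by MAC where the scanner can see one and by IP otherwise, and flags devices whose advertised service banners never name the operating system that the stack fingerprint reports. The sample scan, the inventory, and every address, MAC and host name in it are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of nmap XML output (nmap -sV -O -oX scan.xml 10.0.0.0/23),
# trimmed to the elements read below. All addresses, MACs and names are invented.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/23" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<address addr="00:1E:0B:AA:BB:CC" addrtype="mac" vendor="Hewlett-Packard Company"/>
<hostnames><hostname name="prn-lobby" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="HP JetDirect httpd" method="probed" conf="10"/></port></ports>
<os><osmatch name="Linux 2.6.32 - 3.10" accuracy="95">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="95"/>
</osmatch></os></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.77" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
<service name="telnet" product="BusyBox telnetd" method="probed" conf="10"/></port></ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="90">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="90"/>
</osmatch></os></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.1.20" addrtype="ipv4"/>
<hostnames><hostname name="badge-ctl" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft HTTPAPI httpd" version="2.0" method="probed" conf="10"/></port></ports>
<os><osmatch name="Microsoft Windows Embedded Standard 7" accuracy="92">
<osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="92"/>
</osmatch></os></host>
<host><status state="down" reason="no-response"/><address addr="10.0.0.99" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed inventory from the physical audit (step 2): MAC when the scanner sits
# on the same segment and can see one, otherwise IP (routed segments hide the MAC).
AUTHORIZED: Dict[str, str] = {
    "00:1E:0B:AA:BB:CC": "Lobby printer, HP LaserJet, approved 2024-01",
    "10.0.1.20": "Badge controller, Windows Embedded, approved 2023-06",
}

@dataclass
class DeviceRecord:
    ip: str
    mac: Optional[str]
    hostname: Optional[str]
    banners: List[str]         # what the device advertises in service banners
    os_family: Optional[str]   # what the TCP/IP stack fingerprint says it runs
    os_match: Optional[str]
    authorized: bool
    banner_masks_os: bool      # fingerprinted OS is not named by any banner

def _parse_host(host: ET.Element, inventory: Dict[str, str]) -> DeviceRecord:
    ip = mac = None
    for addr in host.findall("address"):
        if addr.get("addrtype") == "ipv4":
            ip = addr.get("addr")
        elif addr.get("addrtype") == "mac":
            mac = addr.get("addr").upper()
    hn = host.find("hostnames/hostname")
    hostname = hn.get("name") if hn is not None else None

    banners = []
    for svc in host.findall("ports/port/service"):
        text = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
        if text:
            banners.append(text)

    os_family = os_vendor = os_match = None
    match = host.find("os/osmatch")  # nmap lists the most accurate match first
    if match is not None:
        os_match = match.get("name")
        cls = match.find("osclass")
        if cls is not None:
            os_family, os_vendor = cls.get("osfamily"), cls.get("vendor")

    # The MAC is the identity when visible: DHCP moves the IPs of non-PC devices.
    authorized = (mac or ip) in inventory
    names = [n.lower() for n in (os_family, os_vendor) if n]
    masks = bool(banners) and bool(names) and not any(
        n in b.lower() for b in banners for n in names)
    return DeviceRecord(ip, mac, hostname, banners, os_family, os_match, authorized, masks)

def reconcile(scan_xml: str, inventory: Dict[str, str]) -> List[DeviceRecord]:
    """One record per live host in the scan, flagged against the inventory."""
    root = ET.fromstring(scan_xml)  # operator-generated local file, not untrusted input
    return [_parse_host(h, inventory) for h in root.findall("host")
            if h.find("status").get("state") == "up"]

if __name__ == "__main__":
    for r in reconcile(SAMPLE_SCAN_XML, AUTHORIZED):
        flag = "OK" if r.authorized else "UNAUTHORIZED"
        note = f"  <- banner hides OS; track patches for {r.os_match}" if r.banner_masks_os else ""
        print(f"{flag:<12} {r.ip:<12} {r.mac or '-':<17} {r.hostname or '-':<10} {r.banners}{note}")
```

In use, replace SAMPLE_SCAN_XML with the contents of the scan.xml written by nmap and AUTHORIZED with the inventory from step 2; any record that is not authorized is a device to locate and disconnect (step 3), and any record with banner_masks_os set is a device whose patch tracking (step 5) must follow the fingerprinted operating system, not the vendor name in the banner. The nmap flags assumed here are -sV for service version probing, -O for stack fingerprinting and -oX for XML output; the scan itself still needs the written permission and the advance alert that step 3 requires.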