Dealing with "Untouchable" Systems
An untouchable system is one on which you cannot install software (such as agents) or apply security fixes regularly. I have come up with several different examples of such systems, and tried to use examples here from my own experiences to define why they may fall into the "untouchable" category:
- Select SCADA systems - This is a broad category, but it boils down to computers that are used in control systems networks. While many may be considered to be "air-gapped" (physically disconnected from any other types of systems), that may not actually be the case since connectivity is required to manage the devices (especially those deployed in the field). I was once approached to perform a vulnerability assessment against one such system. I was told that network access would be provided, but that the system in question was responsible for providing power to thousands of people. This is a scary endeavor, as not only could you put thousands of people in the dark, but potentially damage infrstructure if the power is turned on and off too quickly. This situation requires a different approach than a traditional network vulnerability assessment or penetration testing.
- Traveling Laptops - It can be difficult to control the software and patches on systems that rarely connect to the corporate network. The concern is what happens when a laptop that has been connected to airport, hotel and other potentially hostile networks comes back to home base and plugs into your network. It may already be infected, and may not be up-to-date with patches. You can try to force users to connect back to your network via a VPN, but not all users may do this on a regular basis. During the user’s travel, the system is "untouchable".
- Network Devices – Let’s face it, no matter how redundant your network is, you just can't blast out a firmware update to your network gear at will. This leaves a good percentage of network systems that are "untouchable" for certain time periods. Routers have a bit more flexibility, but the physical switches that your systems are connected to cannot be taken down at will, or users will lose connectivity as flashing the device with new firmware requires that the system become unavailable for short time period (or longer time period depending on the device and software).
- Highly sensitive systems - For example, systems used to conduct scientific experiments or medical equipment. When I worked for a university I discovered several systems of this type. Researchers were working on various experiments, with the goals of the research being far outside of the computer technology (cures for disease, physics, engineering and more). The experiments would sometimes take years, which is more than enough time to render operating systems and software obsolete. However, stopping the experiment to apply patches or updates was out of the question. Even putting an agent on the system could disrupt the accuracy of the experiment, leaving these systems "untouchable".
- Systems that you do not have permissions to patch or install software on (university students, VAR provided systems, visitors) - There are two scenarios that are commonplace and leave systems “untouchable” in this category. Sometimes systems need to connect to your network, but are not your property and cannot be touched (in a logical sense). One example is the university student, whose computer you don't own, but who needs to connect to the network and access resources. In the corporate world, this manifests itself as contractors who have their own computers and have the same needs. Systems that will need to be connected for longer periods of time, but that you still do not own, are VAR provided systems. Many VARs provide services that are beneficial to the business, but the contract states they will own the systems and be responsible for keeping them up-to-date.
Tenable offers several products that can help you manage “untouchable” systems:
- Nessus - Credentialed patch checking and configuration auditing can help quite a bit in many circumstances. There has already been a great deal of research and tools provided to the SCADA community for using this technology to improve the security of SCADA systems without disrupting operations. You may be able to negotiate with your IT department to obtain credentials on the target systems. Then you will be able to gauge the patch levels and overall security of mission critical systems.
- Passive Vulnerability Scanning – Tenable’s Passive Vulnerability Scanner (PVS) really shines in this scenario. Think of PVS as a complement to Nessus. It has the ability to discover vulnerabilities and compromised systems, but it discovers targets on its own, without you having to feed it information. Using a SPAN port on your network, PVS will listen for vulnerabilities without agents, and without sending any packets. This is perhaps the most useful tool in your arsenal when it comes to untouchable systems. On an ongoing basis, PVS allows you to find vulnerabilities in SCADA systems, identify network gear that is out-of-date and fingerprint vulnerabilities in any software that communicates on the network that may be installed on sensitive systems, VAR provided systems, or student laptops.
- Log Correlation Engine (LCE) - If a system can produce syslog messages, the LCE can collect the logs, identify behavior, and use SecurityCenter to correlate those results with vulnerability data. When performing penetration tests, the “untouchable” systems are high up on the list of targets. You can have the best patch management strategy in the world; however attackers are going to go after systems that fall outside the scope of your patching. By collecting the logs from all of these systems, you can use LCE to identify behaviors that indicate compromise.
- SecurityCenter - SecurityCenter is the piece that can tie all of the information from Nessus, PVS and LCE together, allowing you to effectively communicate the state of security of your organization to both management and system owners. It’s one thing to identify shortcomings in your security strategy, and another to start doing something about it. Every security practitioner I speak with knows that there are some underlying problems, and using alerting, dashboards and reporting in SecurityCenter gets the information to the appropriate people. For example, you may know that there are student systems, VAR systems and traveling laptops that are creating gaps in your security. Using SecurityCenter, you can create reports that highlight these shortcomings so you can begin to create solutions.
Systems may always show up on your network, or in your "domain", that are just beyond your control. There are several tools that will help you identify the problems and manage the security of these systems, even though they are "untouchable". Hopefully, this leads to an improved security program, which includes good communication with management and system owners.