Bob's Blogs
Getting to know you
Well, I'm in a mood to cause trouble and disagreement today, so let's explore how to learn the structure of an organization. Not the org chart structure, the real working structure. I touched on this briefly in my blog about CERTs, but let's jump in with all four feet.
The scenario here assumes that you've just joined a new organization as the security (or network) person and have been tasked with getting a handle on all network/computing resources, both for your own familiarity and because there have been reorganizations, layoffs, moves, acquisitions and such, and much of the existing documentation on the subject is out of date.
To start with, get a copy of whatever documentation does exist on the network and where/what the organizations are/were and how they fit into a picture of the network. Then, get a copy of the latest org chart (some places, these are regarded as confidential), the company phone book, a complete list of routing tables from the local network and the last two years' worth of press releases.
Go through the contact list one by one, call up each person, introduce yourself, provide your contact information, explain why you are calling and request that, for security's sake, they call you back through an identifiable organization phone number. This way, you are not only learning people, you're enforcing good security practices and leading by example. This process will be called the "Identification Script" further down for convenient reference.
If you get a disconnect recording or some such, make note of it and move on. If you get the wrong person, then, after properly identifying yourself, explain what you're trying to do and ask whether or not they can direct you to the proper person. Take notes, and follow up on any clues provided.
Go over the routing table entries with someone knowledgeable at your end. If you've also got a Visio diagram, so much the better. Identify all known end points, and correlate them with the initial pass of the contact information.
Now we get to the fun part. For all networks for which you don't have contact info, get an SNMP query utility (I like and use the SolarWinds.net suite of tools, but there are many others out there) and query all IP addresses with the "PUBLIC" and "PRIVATE" SNMP community strings and wait for results. These results will contain a large number of printers and the occasional Windows, Unix or Linux machine. Create a full-page document that says "IF YOU FIND THIS PRINTOUT, PLEASE CALL SoAndSo at (111) 222-3456 (Printer IP Address)" in the largest font that will fit on one page. Install appropriate printer drivers as necessary.
Configure at least one printer for each remote office; send the printout there. Sometimes you'll get a call back (sometimes irate) within minutes, sometimes not for days and occasionally never. Once you get hold of someone, ask them who does their IT support, and go through the rest of your Identification Script.
If your organization sells goods or services, see if the main Web site lists all sales offices. If so, call up each of them, go through the Identification Script and find out where their IT support comes from. Then call those people and do the same thing again (assuming you haven't already come across them).
Now, start going through all of the press releases looking for signs of acquisitions, shutdowns, moves, divestitures, etc. If any of them appear on your lists, great! If not, call them up (or better yet, the organization's spokesperson) and go through your Identification Script.
Some folks are going to get upset at my tactics, saying that it looks too much like social engineering (which it is, to some extent), but I maintain that it's perfectly OK, as long as you are careful to stick to your Identification Script, allow people to get back to you after checking you out (some will, some won't), as opposed to pressuring for an immediate result (a common characteristic of social engineering).
I'm not bothering with the details of record keeping because every situation is different. What's important here is that each of you has more resources than you might think you have. In areas where the organization is physically close enough, I've done office and cubicle wandering as well. You'd be amazed at some of the things you learn that way, too! The key message is to ask lots of people lots of questions (don't forget the Identification Script), and even when direct answers don't provide what you're looking for, a lot of pieces (just like a jigsaw puzzle) will start falling into place and form a more complete picture.