Getting to know you

Well, I'm in a mood to cause trouble and disagreement today, so Iet's explore how to learn the structure of an organization. Not the Org chart structure, the real working structure. I touched on this briefly in my blog about CERTs, but let's jump in with all four feet.

The scenario here assumes that you've just joined a new organization as the security (or network) person and have been tasked with getting a handle on all network/computing resources both for your own familiarity. Because there have been reorganizations, layoffs, moves, acquisitions and such, and much of the existing documentation on the subject is out of date.

To start with, get a copy of whatever documentation does exist on the network and where/what the organizations are/were and how they fit into a picture of the network. Then, get a copy of the latest org chart (some places, these are regarded as confidential), the company phone book, a complete list of routing tables from the local network and the last two years' worth of press releases.

Go through the contact list one by one, call up each person, introduce yourself, provide your contact information, explain why you are calling and request that, for security's sake, they call you back through an identifiable organization phone number. This way, you are not only learning people, you're enforcing good security practices and leading by example. This process will be called the "Identification Script" further down for convenient reference.

If you get a disconnect recording or some such, make note of it and move on. If you get the wrong person, then, after properly identifying yourself, explain what you're trying to do and whether or not they can direct you to the proper person. Take notes, and move toward any clues provided.

Go over the routing table entries with someone knowledgeable at your end. If you've also got a Visio diagram, so much the better. Identify all known end points, and correlate them with the initial pass of the contact information.

Now we get to the fun part. For all networks for which you don't have contact info, get an SNMP query utility (I like and use the SolarWinds.net suite of tools, but there are many others out there) and query all IP addresses with the "PUBLIC" and "PRIVATE" SNMP strings and wait for results. These results will contain a large number of printers and the occasional Windows, Unix or Linux machine. Create a full-page document that says "IF YOU FIND THIS PRINTOUT, PLEASE CALL SoAndSo at (111) 222-3456 (Printer IP Address)" in the largest font that will fit on one page. Install appropriate printer drivers as necessary.

Configure at least one printer for each remote office; send the printout there. Sometimes you'll get a call back (sometimes irate) within minutes, sometimes not for days and occasionally never. Once you get hold of someone, ask them who does their IT support, and go through the rest of your Identification Script.

If your organization sells goods or services, see if the main Web site lists all sales offices. If so, call up each of them, go through the Identification Script and find out where their IT support comes from. Then call those people and do the same thing again (assuming you haven't already come across them already).

Now, start going through all of the press releases looking for signs of acquisitions, shutdowns, moves, divestitures, etc. If any of them appear on your lists, great! If not, call them up (or better yet, the organization's spokesperson) and go through your Identification Script.

Some folks are going to get upset at my tactics, saying that it looks too much like social engineering (which it is, to some extent), but I maintain that it's perfectly OK, as long as you are careful to stick to your Identification Script, allow people to get back to you after checking you out (some will, some won't), as opposed to pressuring for an immediate result (a common characteristic of social engineering).

I'm not bothering with the details of record keeping because every situation is different. What's important here is that each of you have more resources than you might think you have. In areas where the organization is physically close enough, I've done office and cubicle wandering as well. You'd be amazed at some of the things you learn that way, too! The key message is to ask lots of people lots of questions (don't forget the Identification Script), and even when direct answers don't provide what you're looking for, a lot of pieces (just like a jigsaw puzzle) will start falling into place and form a more complete picture.