Categorization of Assets

An IT asset is classified as any organization-owned information, system, software, and hardware used in the course of the organization's business activities. The most important question is: What information technology assets do you want to scan? The simple answer is everything you can get your scanners to reach and is within the scope of your VA.

With today's blended organizations, a threat can attack almost anything running within a UDP or TCP environment. The common set of devices that might be included within your VA include workstations (laptops, desktops, thin clients, and kiosks), servers (Windows, Unix, Linux, Solaris, etc.), network gear (routers, switches, access points, load balancers, video conference units, etc.), and miscellaneous equipment (network-enabled printers, standalone webcams, facility HVAC controls, shipping equipment, electronic door controls, fire alarms, audio/video gear, industrial control systems, etc.).

Once you have defined a list of assets that are within your VA, you must then categorize where these assets fit within the organization. What are the most critical assets to the organization that are within the scope of the VA? What assets might have a cascading effect on other assets and make them vulnerable? These questions and many others need to be answered to get as clear a picture as possible of the organization's IT vulnerabilities; then, you can conduct your VA and, one hopes, give the organization mitigation solutions that enable them to harden their IT systems. The main objective of a VA is to find vulnerabilities and patch them before they can be exploited by an attacker.

Discovery of Assets

Several methods will allow you to discover company assets. The first, and the least painful, method is to obtain network diagrams from the IT staff and management team in the organization for which you are conducting the VA. Network diagrams should give you a head start in discovering the network ranges and boundaries and will definitely help in identifying the network's equipment.

Second, meeting with the IT staff and management team will aide greatly in understanding the scope of where the assets will be found. It should be noted here that if you point your VA scanner at devices that are not within your scope of work, you could find yourself in legal trouble. As you should know, most organizations you have the potential to work with do not like a foreign entity scanning their devices without their express permission. Be sure you document what network information you discover. All subnets that are controlled by the organization should be documented as well, as long as those subnets are within the scope of your VA.

Third, utilizing the mapping you have created might help your VA. The term "mapping," when referring to vulnerability scanners, typically implies a very simple TCP, UDP, or ICMP scan to discover devices on the network. With these details in hand, you should be able to glean a clear picture of the organization's IT infrastructure that might surprise you, as well as the organization you are assessing.

Most Internet protocol-enabled devices when sent a TCP SYN packet will respond and thus identify themselves as an active device. Sections of any network divided into parts can be mapped effectively in a reasonable amount of time. You could find in certain scenarios that this discovery method will not identify all devices. Some network-based devices do not respond to ICMP ping sweeps, will not have common TCP ports open, could be blocked with firewalls, or have a combination of these conditions. Be aware of these devices because they can still be susceptible to network-based attacks and should be included in your assessment.

Whether mapping networks or querying staff is used, you should begin to see where the assets within an organization can be found on the network. The type of assessment will determine many of the factors above. Will a foreign partner actively contribute to the VA or will they rely on you? The organization for which you are conducting the VA needs to be viewed as a partner in this endeavor.

Precautions

Potential threats caused by the scan process itself can pose risks to IT systems by, for instance, crashing an already vulnerable server if all "plugins," including high-risk ones are enabled, for example, a denial of service (DoS) scan. Therefore, risk assessment and careful planning are necessary before scanning. Usually, for a preproduction system, it might be acceptable to enable all plugins; however, for ongoing, continual scans on a production system, administrators should consider disabling certain high-risk plugins.

Additionally, when scanning with a network-based scanner, a large number of system requests and a great deal of network traffic are generated. The administrator should note any deterioration in the system and network performance of the target groups during scanning.