Correct and reliable information on the components of a corporate network and on its vital data structures, from the moment of their creation until their deletion, is crucial for detecting almost any security violation. As I will show later, this data lets you compare reference information on the state of the information system at the moment of its creation (or at the moment of the last authorized modification) with its current state, and thus detect every unauthorized modification in a timely manner. Approaches to detecting such modifications are usually based on determining the differences between the current state of a controlled object and its previously registered, expected state. Security personnel must always know what resources are present, where they are located, and what their expected states are. Without this information, it is impossible to determine whether something was added, modified, violated, and so on. This is especially important in companies with advanced employees who reconfigure their workstations without informing the IT staff. A situation in which such employees have been granted administrative privileges is particularly dangerous, since such a user is not limited to his or her own workstation and can reconfigure the whole network segment.
This step, known as creating the network map, is often underestimated or neglected entirely in many organizations. The reason is that collecting the required information on the components of the information system is a long and tedious process. Quite often, the employees of the IS department lack the skills needed to obtain all of it, and in some situations they cannot even access all the equipment used in the network. Because of this, the information for the network map must be collected in cooperation with the IT and communications departments; this is the only approach that will yield all the required data. Also note that, once created, the network map must be kept constantly up to date. Only then can it serve as a basis for controlling and detecting unauthorized modifications.
To create a network map, it is recommended that you use network management systems (HP OpenView, SPECTRUM, MS Visio, and so on). Such tools include an AutoDiscovery function, which keeps the network map up to date automatically and traces changes to the network configuration, including unauthorized ones (deciding which changes were authorized remains a job for the security personnel, not the tool). Network-level intrusion detection systems can also be used for this purpose. A network-level intrusion detection system used to create the network map must allow you to identify the following parameters of the network hosts:
The role of the host and its DNS and NetBIOS names
Network services
Banners of active services (the identification strings that a service returns on connection, typically carrying its name and version)
Types and versions of operating systems and application software
NetBIOS shares
User and service accounts
General parameters of the security policy (audit policy, user and password policy, and so on)
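The comparison the text describes, a previously registered reference state checked against the current state, is shown below as an added example; it is not code from the original text or from any of the products named above. The inventory format is an assumption made for the example: one record per host, keyed by IP address, holding the parameters listed above (role, DNS and NetBIOS names, services, banners, OS and software, shares, accounts, security-policy settings). Both inventories are constructed sample data, and the current snapshot is derived from the baseline with a few deliberate deviations so that each kind of difference appears once.

```python
"""Baseline comparison of a network map (added example, not from the text).

Assumed inventory format: one record per host keyed by IP, holding the
parameters the text lists. Both inventories are constructed sample data.
"""
from copy import deepcopy

# Reference state recorded at the last authorized modification (constructed).
BASELINE = {
    "10.0.1.10": {
        "role": "file server", "dns_name": "fs01.corp.example", "netbios_name": "FS01",
        "services": {"139/tcp", "445/tcp", "3389/tcp"},
        "banners": {"445/tcp": "SMB 3.1.1"},
        "os": "Windows Server 2019", "software": {"Backup Agent 5.0"},
        "shares": {"Finance$", "IT$"},
        "accounts": {"Administrator", "svc_backup"},
        "policy": {"audit_logon": "success,failure", "min_pw_len": 14, "lockout_threshold": 5},
    },
    "10.0.1.20": {
        "role": "print server", "dns_name": "prn01.corp.example", "netbios_name": "PRN01",
        "services": {"631/tcp", "9100/tcp"}, "banners": {"631/tcp": "CUPS/2.3"},
        "os": "Ubuntu 20.04", "software": set(), "shares": set(),
        "accounts": {"root", "printadmin"}, "policy": {"min_pw_len": 12},
    },
}

# State a scanner reports today (constructed). Relative to the baseline: FS01
# gained a web service, a share, an account and a weaker lockout policy; PRN01
# no longer answers; an unregistered host appeared on the segment.
CURRENT = deepcopy(BASELINE)
fs01 = CURRENT["10.0.1.10"]
fs01["services"].add("8080/tcp")
fs01["banners"]["8080/tcp"] = "Apache-Coyote/1.1"
fs01["shares"].add("Public$")
fs01["accounts"].add("helpdesk_tmp")
fs01["policy"]["lockout_threshold"] = 0
del CURRENT["10.0.1.20"]
CURRENT["10.0.1.30"] = {
    "role": "unknown", "dns_name": None, "netbios_name": "DESKTOP-7Q2K",
    "services": {"445/tcp", "5900/tcp"}, "banners": {"5900/tcp": "RFB 003.008"},
    "os": "Windows 10", "software": set(), "shares": {"C$"},
    "accounts": {"Administrator", "user"}, "policy": {},
}


def diff_record(old, new):
    """Field-by-field difference between two host records.

    Set-valued fields (services, shares, accounts, software) yield the members
    added and removed; dict-valued fields (banners, policy) are compared
    recursively; anything else is reported as old/new.
    """
    changes = {}
    for key in sorted(set(old) | set(new)):
        o, n = old.get(key), new.get(key)
        if o == n:
            continue
        if isinstance(o, set) and isinstance(n, set):
            changes[key] = {"added": sorted(n - o), "removed": sorted(o - n)}
        elif isinstance(o, dict) and isinstance(n, dict):
            changes[key] = diff_record(o, n)
        else:
            changes[key] = {"old": o, "new": n}
    return changes


def compare_maps(baseline, current):
    """Return hosts that appeared, disappeared, or changed since the baseline."""
    report = {
        "new_hosts": sorted(set(current) - set(baseline)),
        "missing_hosts": sorted(set(baseline) - set(current)),
        "changed_hosts": {},
    }
    for ip in sorted(set(baseline) & set(current)):
        changes = diff_record(baseline[ip], current[ip])
        if changes:
            report["changed_hosts"][ip] = changes
    return report


def findings(report):
    """Turn the raw diff into review items. Every deviation is listed: the map
    shows that the state differs from what was last approved, and whether a
    given change was authorized is for the security personnel to decide."""
    items = []
    for ip in report["new_hosts"]:
        items.append(f"{ip}: host not in map (unregistered device?)")
    for ip in report["missing_hosts"]:
        items.append(f"{ip}: host missing (offline, readdressed, or removed?)")
    for ip, changes in report["changed_hosts"].items():
        for field in ("services", "shares", "accounts"):
            for member in changes.get(field, {}).get("added", []):
                items.append(f"{ip}: new {field[:-1]} {member}")
        for setting, delta in changes.get("policy", {}).items():
            items.append(f"{ip}: policy {setting} changed {delta.get('old')!r} -> {delta.get('new')!r}")
    return items


if __name__ == "__main__":
    for line in findings(compare_maps(BASELINE, CURRENT)):
        print(line)
```

The report deliberately keeps every difference rather than only the "dangerous" ones: a removed service or a dropped account is as much a deviation from the approved state as an added one, and the review step is where an administrator marks a change as authorized and then re-records the baseline, which is the constant maintenance the text calls for.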