We are in the midst of a technology explosion.
Whether you’re managing information technology for a small business, a large enterprise, or, your household, it’s likely that your technology inventory grows without much notice, in fact some might describe the effort as a silent technology sprawl.
What causes technology sprawl?
Inexpensive devices are certainly a driving force. Additionally, the seemingly uncontrollable fascination with connecting everything to the internet adds to the heap. Single-use devices, such as projectors, contribute to your footprint. And, we shouldn’t ignore a bit of laziness either. Before the proliferation of wireless, IT managers were more vigilant in allowing devices onto the network. After all, with wired networks, we could “see” the devices, observe the cabling and appreciate the costs.
However, with wireless, especially open wireless, scores of devices can attach to your network and without proper controls and visibility, the devices might as well be invisible: you don’t know about them.
Why should we worry about technology sprawl?
Well, inventory, in particular, is an issue. You need an inventory of your assets – what’s hanging out on your network space? What do you have on your home network, your work network?
I observe my home network. Admittedly, I am probably a bit aggressive with my home network, but, my keen interest didn’t appear suddenly. Over time, I knew the number of devices increased. Why? I bought them.
When I detected a gradual slowing of network speed, I made some changes to the network devices at my home and that’s when I noticed device sprawl within my own home.
For years I’d spoken about the need to have a solid handle on what is allowed on business networks, but, here I was in my own home and I was shocked at the number of “things” connected to my network.
After a long and tedious weekend, I verified all of the devices and was pleased that there weren’t any unwanted items lurking in my home space.
The count? Forty-two.
Yeah, that’s not a typo. Forty-two.
When I discussed the discovery with my colleagues, I must have sounded like an old man reminiscing about the single TV channel and the nightmare ushered in with the advent of cable television. “It went from as single dial-up connection to nearly fifty devices…”
You can’t protect what you don’t know about, and, conversely, you can’t defend effectively from the unknown.
Due to the explosion in the number and types of devices, two major problems arise from lack of control of network devices.
First, as I alluded to above, an inventory is essential.
But, more specifically, we need full visibility into the entire network space. What’s out there?
I read some statistics recently from a networking service provider. In their research, they observed that unknown devices account for eighteen percent of all devices in an average business network. In their tests, a full one-hundred percent of all evaluators found unknown devices on their networks.
That’s a problem.
With unknown devices, not only is the object not managed, but, its unknown state presents a risk exposure – you have no idea about the state of the device. Is the device patched? Is it good? Is it bad?
Statistically, there’s a one in four chance that the device isn’t updated or secured properly. The same networking company observed that unknown devices often fail to comply with basic security requirements and lack adequate security controls. As a result, a lurking device presents risk and waste, simultaneously.
Risk arises by virtue of the device’s existence within your environment. Since you weren’t aware of it, its state is unknown, therefore, your other resources are at risk.
Waste is an interesting issue. Perhaps the device isn’t sanctioned. Maybe its a personal device and the device is streaming movies. Not only is bandwidth being wasted, but, time to locate and isolate the device are expended.
And, let’s ramp up the risk and waste variables, suppose the device is a personal device streaming unlicensed, copyright-protected content. Are you at fault?
Secondly, unknown devices are unmanaged. As a result, it’s unlikely that you will be able to enforce your security policies on the devices. Let’s assume the rogue device is an internet-connected TV. In your company, those types of devices aren’t on the business network, because they can’t be secured and they aren’t updated by the manufacturer frequently. As a result, you create a separate network space for those unmanaged devices, in an effort to corral security risks into one space. Yet, you find one on your business network – now you have to find the device, find the owner, address the risk and waste more time.
The idea of an inventory of devices and applications isn’t something I stumbled upon by myself. The Center for Internet Security (CIS) manages a list of twenty critical controls that are designed to protect organizations against known cyberattacks. Controls one and two are considered the foundational priorities for moving towards a secure environment.
Control one indicates that you should maintain an accurate and current inventory of devices on your network. Identify all devices, document the inventory, and, keep the inventory current. The goal is simple: visibility allows greater opportunity for success.
Control two suggests an inventory of authorized software. Identify all allowed software and manage the software through regular updates. In doing so, you keep current on releases and patches, but, also observe unauthorized, unwanted software.
Watch your assets and you’ll be on the road to good security.
Fabella Security 
You must be logged in to post a comment.