Tuesday, October 20, 2015

Port scanning apocalypse

Last week while teaching Enterprise Incident Response (FOR508) for SANS, I stressed the need for device inventories while performing IR.  How can you investigate that which you don't know about?  One of my students asked me how to get a device inventory if they can't run discovery scans.  Don't forget, hardware inventory is #1 on the SANS 20 Critical Security Controls.

Discovery scans (a flashy name for port scans) are often used to identify endpoints, but some folks are concerned that they will cause problems in the network.  Over the last decade, I've heard horror stories from clients about how a single errant SYN packet will cause their extremely sensitive devices to fall over. 

Some of this is hyperbole.  Some of it is reality.  I've worked with devices where total failure is the outcome of a half open scan.  The device simply doesn't recover and the service is stuck in a half open state until someone power cycles it.  Others can't handle a SYN to closed port or a full connect scan.  This is unfortunate and certainly makes a great case for not doing discovery scans at all.  After all, we can't cause a denial of service just to get inventory data.  Makes perfect sense.  Or does it?

It tuns out that's a false position.  If you have devices on your network that can't stand a port scan, get them identified and segmented today.  You shouldn't use the threat of device failure to argue against a device inventory.  It's a virtual certainty that sooner or later an attacker will get on your network, and when they do, they'll port scan to find new hosts to pivot to.  The difference is that they won't care about how many devices fall over in the process.

2 comments:

Note: Only a member of this blog may post a comment.