- 1 Overview
- 2 Ensure That the Software Used to Examine Systems Has Not Been Compromised
- 3 Monitor and Inspect Network Activities
- 4 Monitor and Inspect System Activities
- 5 Inspect Files and Directories for Unexpected Changes
- 6 Investigate Unauthorized Hardware Attached to the Network
- 7 Look for Signs of Unauthorized Access to Physical Resources
- 8 Review Reports of Suspicious System and Network Behavior and Events
- 9 Take Appropriate Actions
- Chapter 6 Checklist
6.6 Investigate Unauthorized Hardware Attached to the Network
Unauthorized hardware may include computers connected to network segments or hubs and peripheral communication or input/output equipment such as modems, terminals, printers, and disk or tape drives.
Intruders actively attempt to circumvent network perimeter defenses. If they can gain physical access to your organization's internal network, they can install their own equipment and software. Alternatively, intruders may learn of insecure (unauthorized) equipment added by users that they can use to gain access to your organization's network. For example, users might install modems for the purpose of remote access to their office computers from home. Intruders often use automated tools to identify modems attached to public telephone lines. If the configuration of the dial-up access and the traffic through it is not secured, intruders may use such back doors to gain access to the internal network, bypassing preventive measures that may have been put in place to restrict external connections to your organization's network. They may then capture network traffic, infiltrate other systems, disrupt operations, and steal sensitive, private information.
Access to other peripheral equipment may also facilitate intrusions. Unsecured output and removable media devices, such as printers and disk drives, may give intruders the opportunity to generate copies of sensitive information that can be physically removed from your organization's premises.
In addition to periodically inspecting hardware as recommended below, you may need to conduct inspections in response to suspected intrusions. Watch for evidence of activities that indicate unusual access to your network, as described in Section 6.3.
6.6.1 Audit All Systems and Peripherals Attached to the Network Infrastructure
Periodic (for example, monthly) visits to physically examine equipment attached to the network should not be announced, so that unauthorized equipment cannot be hidden before the auditors arrive.
Using your documented hardware inventory, described in Section 5.3.12, identify any hardware that is missing, not in its designated location, unexpected, or extra.
6.6.2 Probe for Unauthorized Modems
Conduct a daily probe for unauthorized modems attached to your organization's telephone lines. You can do this using daemon dialer tools. Because this process causes all dialed telephones to ring, we recommend that it be done outside normal working hours. However, even this approach will cause telephones that have been forwarded to ring.
6.6.3 Probe All Internal Network Segments to Identify Unauthorized Hardware
Examine daily for (1) unauthorized devices attached to your network, (2) any new or unexpected IP or MAC addresses, and (3) any new or unexpected network ports on switches.
You can do this using public domain tools such as ARPWATCH and a variety of commercial network management software packages.
Identify any hardware that is missing, not in its designated location, unexpected, or extra.
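The comparison described in 6.6.1 and 6.6.3 (documented inventory versus what the daily probe actually sees) can be scripted. The following is an added example, not code from the book or from ARPWATCH: it assumes the probe produces one line per device of the form "<ip> <mac> <switch-port>" (ARPWATCH itself reports IP/MAC pairs; the switch-port column, the INVENTORY table and the OBSERVED lines are constructed here), and it reports devices that are missing, moved, re-addressed, unexpected, or sharing one IP address between two MACs (the "flip flop" that ARPWATCH also reports).

```python
"""Audit observed network devices against a documented hardware inventory.

Added example (not from the book). Assumes a daily probe has produced
lines of the form "<ip> <mac> <switch-port>"; the port column is an
assumption, as are all addresses below.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for the documented hardware inventory (Section 5.3.12):
# MAC -> (expected IP, expected switch port, description)
INVENTORY = {
    "00:11:22:33:44:01": ("10.0.1.10", "sw1/1", "file server"),
    "00:11:22:33:44:02": ("10.0.1.11", "sw1/2", "print server"),
    "00:11:22:33:44:03": ("10.0.1.20", "sw1/5", "workstation, room 204"),
    "00:11:22:33:44:04": ("10.0.1.30", "sw1/6", "tape drive host"),
}

# Constructed probe output for one day.
OBSERVED = """
10.0.1.10 00:11:22:33:44:01 sw1/1
10.0.1.11 00:11:22:33:44:02 sw1/2
10.0.1.20 00:11:22:33:44:03 sw1/9
10.0.1.77 00:11:22:33:44:ff sw1/12
10.0.1.10 00:11:22:33:44:ee sw1/13
"""

LINE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # missing | moved | readdressed | unexpected | flip-flop
    key: str     # MAC address, or the IP address for a flip-flop
    detail: str


def parse_observed(text):
    """Parse probe lines into (ip, mac, port) tuples; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, mac, port = m.groups()
            rows.append((ip, mac.lower(), port))
    return rows


def audit(inventory, rows):
    """Compare one day's observations with the inventory; return the findings."""
    by_mac = {mac: (ip, port) for ip, mac, port in rows}
    by_ip = defaultdict(set)
    for ip, mac, _ in rows:
        by_ip[ip].add(mac)

    findings = []
    # Inventory items that are missing, on the wrong port, or using another address.
    for mac, (exp_ip, exp_port, desc) in inventory.items():
        if mac not in by_mac:
            findings.append(Finding("missing", mac, f"{desc} not seen on the network"))
            continue
        obs_ip, obs_port = by_mac[mac]
        if obs_port != exp_port:
            findings.append(Finding("moved", mac, f"{desc} expected on {exp_port}, seen on {obs_port}"))
        if obs_ip != exp_ip:
            findings.append(Finding("readdressed", mac, f"{desc} expected {exp_ip}, seen as {obs_ip}"))
    # Extra devices: MACs with no inventory record at all.
    for ip, mac, port in rows:
        if mac not in inventory:
            findings.append(Finding("unexpected", mac, f"unknown device {ip} on {port}"))
    # Flip-flop: one IP address claimed by more than one MAC.
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            findings.append(Finding("flip-flop", ip, f"IP claimed by {sorted(macs)}"))
    return findings


if __name__ == "__main__":
    for f in audit(INVENTORY, parse_observed(OBSERVED)):
        print(f"{f.kind:12} {f.key:18} {f.detail}")
```

Run daily against the real probe output, the "unexpected" and "flip-flop" findings are the ones that should trigger a physical check of the named switch port; "missing" findings feed the physical audit of 6.6.1.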
6.6.4 Look for Unexpected Routes Between the Organization's Network and External Networks
Daily, examine the network traffic logs for connections that originate outside your network and are destined for addresses outside your network. Traffic that moves in this way could indicate that an unauthorized computer is connecting to one of your hosts.
If possible, compare the network traffic logs from individual hosts/workstations with network traffic logs from the firewall host(s). Discrepancies or mismatches could indicate that traffic is being routed through unsecured connections or gateways directly to the individual host, bypassing your organization's firewalled Internet connection.
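Both checks in 6.6.4 reduce to classifying flows by whether each end is inside the organization's address space and then cross-referencing two log sources. The following is an added example, not code from the book or from any firewall product: it assumes a firewall log of the form "<time> <src> <dst> <dport> <action>", per-host connection logs of the form "<host> <time> <src> <dst> <dport>", and an internal address space of 10.0.0.0/8 (all constructed). It reports external-to-external flows seen at the firewall and outbound host connections that the firewall never recorded. Matching is on source, destination and port only; real logs also need a time window, which is left out here.

```python
"""Cross-check host connection logs against firewall logs for unexpected routes.

Added example (not from the book). Log formats, addresses and the
internal address space are all constructed assumptions.
"""
import ipaddress
from collections import namedtuple

# Constructed: the organization's internal address space.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

Flow = namedtuple("Flow", "src dst dport")

# Constructed firewall log: "<time> <src> <dst> <dport> <action>"
FIREWALL_LOG = """
09:01:02 10.0.1.20 203.0.113.5 443 allow
09:03:10 10.0.1.21 198.51.100.9 25 allow
09:05:40 192.0.2.44 203.0.113.8 80 allow
"""

# Constructed per-host connection logs: "<host> <time> <src> <dst> <dport>"
HOST_LOGS = """
ws-204 09:01:01 10.0.1.20 203.0.113.5 443
ws-204 09:02:15 10.0.1.20 198.51.100.77 22
mail   09:03:09 10.0.1.21 198.51.100.9 25
"""


def is_internal(addr):
    """True if the address falls inside the organization's address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_firewall(text):
    """Parse firewall lines into Flow tuples; malformed lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, dst, dport, _ = parts
        flows.append(Flow(src, dst, int(dport)))
    return flows


def parse_hosts(text):
    """Parse host connection lines into (host, Flow) pairs; malformed lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        host, _, src, dst, dport = parts
        rows.append((host, Flow(src, dst, int(dport))))
    return rows


def external_to_external(fw_flows):
    """First check: flows that neither originate nor terminate inside the network."""
    return [f for f in fw_flows if not is_internal(f.src) and not is_internal(f.dst)]


def unmatched_host_flows(host_rows, fw_flows):
    """Second check: outbound host connections with no matching firewall record."""
    seen = set(fw_flows)
    return [(host, f) for host, f in host_rows
            if is_internal(f.src) and not is_internal(f.dst) and f not in seen]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    for f in external_to_external(fw):
        print(f"transit flow at firewall: {f.src} -> {f.dst}:{f.dport}")
    for host, f in unmatched_host_flows(parse_hosts(HOST_LOGS), fw):
        print(f"{host}: {f.src} -> {f.dst}:{f.dport} not seen by the firewall")
```

An unmatched outbound flow from a workstation is the signature of the bypass the text describes: the host reached an external address by some path other than the firewalled connection, which is where the hardware audit of 6.6.1 and the modem probe of 6.6.2 should focus next.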
6.6.5 Policy Considerations
Your organization's networked systems security policy should do the following:
- Require the maintenance of documented hardware inventories
- Require the maintenance of a documented network topology
- Specify the authority and responsibility of designated security personnel to (1) perform physical audits of installed hardware and software and (2) establish network connections and routes
- Specify what kinds of hardware and software users are permitted to install on their workstations