dark matter of your network

!

!

!!!!!!!!!!!!!!!!!!!!

!

!

!

!

!SECURE!THE$DARK$MATTER$OF$YOUR$NETWORK(WITH(OPPORTUNISTIC(SCANNING!

!

!

!

!

!

!

!

iScan&Online,&Inc.&19111&N&Dallas&Parkway&

Suite&200&Dallas,&TX&75287&

www.iscanonline.com&+1.214.276.1150&

!

!

!

Securing!The!Dark!Matter!of!Your!Network! ! !Copyright!©!2013!iScan!Online,!Inc.!

2!

Introduction*Scientists!believe!that!as!much!as!80%!of!the!universe!is!made!up!of!dark!matter!that!we!currently!know!little,!if!anything!about.!We!can’t!measure!it,!see!it,!and!don’t!know!its!properties.!We!know!that!accounting!for!80%!of!the!mass!of!the!universe,!it!must!be!important;!but!how,!what,!and!why!is!beyond!our!present!grasp.!!In!today's!networks!there!are!probably!a!similar!percentage!of!devices!accessing!the!network,!which!are!also!"dark".!We!know!these!devices!access!our!networks,!but!they!are!virtually!invisible!to!our!efforts!to!perform!security!assessments!on!them.!Consequently,!we!don’t!know!their!security!posture,!vulnerabilities,!compliance!status,!or!what!data!and!apps!they!may!contain.!

Existing!methods!of!scanning!devices!on!the!network!are!very!good!at!discovering!and!finding!vulnerabilities!on!devices!that!they!can!see.!However,!they!can!only!see!devices!that!are!on!the!network!at!the!moment!in!time!the!scan!is!executed.!Historically!this!has!been!enough.!However,!network!security!scans!can!take!a!long!time!to!complete.!Concerns!about!network!and!device!utilization,!as!well!as!latency!force!organizations!to!perform!scans!during!off!hours.!!Initially!this!approach!did!not!present!an!issue!as!the!majority!of!servers,!network!devices,!and!even!desktops!were!always!plugged!in.!These!devices!were!considered!static!and!reachable!whether!the!scan!happened!at!3am!or!3pm,!or!anytime!in!between.!!

Today!the!status!quo!has!changed.!We!live!in!a!world!of!branch!offices,!remote!workers,!BYOD,!transient!and!mobile!users.!!Microsoft!Windows,!while!still!representing!a!large!portion!of!the!market,!is!no!longer!at!95%!market!share.!In!fact,!PCs!themselves!represent!a!smaller!share!of!the!devices!on!our!network!than!ever!before.!!Today!we!have!a!wide!array!of!smartphones,!tablets!and!devices!of!many!shapes!and!sizes!accessing!our!network.!All!of!these!different!devices!access!our!network!from!different!locations!and!at!different!times.!!Since!a!large!percentage!of!devices!that!access!the!network!are!no!longer!available!to!scan!during!offZpeak!times,!a!traditional!network!security!scan!is!essentially!ineffective!for!those!devices.!These!unZscanned!devices!are!the!dark!matter!of!your!network.!They!are!there,!!they!are!important,!but!there!is!no!visibility!into!the!risk!they!pose!to!the!organization.!

The!dark!matter!on!your!network!is!a!considerable!risk.!!With!today's!targeted!attacks!via!spear!phishing,!APTs,!and!drive!by!malware;!attackers!need!only!target!and!infiltrate!one!device!to!get!inside!your!network!and!wreak!havoc.!The!overwhelming!majority!of!security!incidents!are!due!to!a!known!vulnerability!being!exploited!on!a!single!device!to!gain!access!to!the!larger!network.!

!


3!

If!only!there!was!a!way!of!actually!scanning!these!dark!matter!devices.!A!network!could!be!made!much!safer!and!more!immune!to!attack.!Unfortunately,!current!trends!indicate!that!attacks!targeting!these!devices!are!on!the!rise!as!increasing!numbers!of!disparate!devices!access!the!network!from!locations!out!of!scope!for!traditional!assessment!technologies.!Today!there!is!a!significant!blind!spot!in!the!vulnerability!management!solutions!that!many!organizations!have!spent!precious!security!budget!dollars!implementing.!More!than!a!blind!spot,!this!is!a!significant!risk!that!organizations!cannot!manage!due!to!a!lack!of!insight.!

Regulatory!compliance!schemes!recognize!this!risk.!The!PCI!Council,!for!instance,!has!mandated!that!internal!scans!of!devices!be!conducted!regularly!and!discovered!vulnerabilities!and!risk!should!be!prioritized!for!remediation.!!Likewise!in!health!care,!HIPAA!has!mandated!security!scanning!of!devices!for!health!related!PII!(Personally!Identifiable!Information).!

For!most!organizations,!having!such!a!large!number!of!dark!matter!devices!accessing!their!networks!without!visibility!is!no!longer!acceptable!!

A*New*Kind*of*Security*Scanner*–*Opportunistic*Scanning*Fortunately!a!new!scanning!technology!is!now!available!to!address!this!problem.!iScan!Online!introduces!"Opportunistic!Scanning”.!!Opportunistic!Scanning!is!the!ability!to!perform!security!scans!on!devices!accessing!network!resources!when!and!where!they!are!available.!This!flexible!approach!means!devices!can!be!scanned!regardless!of!the!network!connection!type!or!location,!provided!they!are!connected!to!the!Internet.!This!flexibility!allows!iScan!Online!to!shine!a!light!on!the!dark!matter!of!networks,!giving!security!personnel!unprecedented!visibility!into!the!security!posture,!data!and!applications!of!those!devices.!

iScan!Online!provides!opportunistic!scanning!by!leveraging!the!power!of!the!cloud!and!via!the!iScan!CloudApp.!iScan!CloudApps!can!perform!scanning!through!a!browser!plugin,!command!line!interface!(downloadable!executable)!or!as!a!native!mobile!app.!This!methodology!is!fast,!highly!accurate,!and!leverages!what!most!organizations!already!have!in!place;!Microsoft!Active!Directory,!Systems!Management!tools,!Web!Applications,!Internet!access,!and!a!browser.!By!combining!these!existing!architectures!with!the!iScan!Online!CloudApp,!organizations!are!now!empowered!to!assess!all!devices!throughout!the!organization.!

This!new!highly!accurate!methodology!also!delivers!very!unique!scanning!capabilities!for!today!and!tomorrow’s!computing!and!mobile!platforms.!The!cloud!is!leveraged!for!management,!analysis,!and!reporting,!while!!devices!perform!the!heavy!lifting!of!the!scan!process,!permitting!scalability!across!the!globe.!This!distributed!architecture!provides!unparalleled!scalability!allowing!hundreds!of!thousands!of!devices!to!be!scanned!in!a!matter!of!seconds.!

iScan!Online!!performs!deep!inspection!of!devices!using!a!variety!of!methodologies!including!!the!Windows!Registry,!native!file!systems,!!interrogating!system!configurations!using!operating!system!and!Application!API’s,!and!Windows!WMI!queries.!Using!these!direct!access!methods!instead!of!relying!upon!network!packet!response!and!injection!provides!highly!accurate!results,!virtually!eliminating!false!positives!which!will!save!time!and!money!for!security!personnel.!Additionally!there!are!no!requirements!

!


4!

for!modifying!ingress!firewall!routes!and!ports!or!configuring!VPN!connections!as!iScan!Online!executes!on!the!device!and!communicates!via!standard!HTTPS!web!traffic.!

Credentials?*We*don’t*need*no*stinking*credentials!*One!of!the!biggest!challenges!with!assessing!connected!devices!is!that!network!administrators!typically!don’t!have!credentials!to!scan!the!device.!This!presents!a!number!of!challenges!for!proper!risk!assessment.!First,!security!personnel!must!be!given!administrator!credentials!to!the!device,!which!is!extremely!problematic!in!BYOD!environments.!Second!it!creates!an!additional!security!risk!by!trusting!a!cache!of!administrator!level!credentials!to!be!stored!and!used!within!systems,!which!may!not!have!been!designed!as!secure!authorization!and!authentication!brokers.!Without!administrative!credentials,!network!scanners!can!only!provide!an!outside!view!of!the!device,!typically!a!port!scan.!With!iScan!Online,!the!need!for!credentials!is!eliminated!because!the!scan!runs!on!the!host!as!the!current!user.!One!of!the!dirty!little!secrets!of!current!vulnerability!assessment!solutions!is!that!administrative!access!is!NOT!required!to!properly!assess!vulnerabilities!on!a!device.!Administrative!access!is!only!required!because!of!the!remote!access!nature!of!network!vulnerability!solutions.!!

Regardless!of!how!scans!are!delivered,!speed!and!scalability!is!key.!!Because!iScan!Online!performs!scanning!directly!on!the!device,!there!is!no!network!congestion!or!latency!introduced.!!There!are!no!worries!about!exhausting!the!amount!of!threads!the!scanner!can!spawn.!!It!makes!no!difference!how!many!devices!are!being!scanned!at!a!time.!!Scan!one!device!or!thousands!of!devices!at!a!time!through!iScan!Online’s!distributed!cloud!architecture!and!all!scans!are!completed!within!a!fraction!of!the!time!of!traditional!vulnerability!scanning!solutions.!

Scan*From*Web*Apps*Scanning!can!now!be!easily!integrated!into!existing!web!applications.!!Utilizing!the!iScan!Online!CloudApp!for!Web!Browsers!organizations!can!now!leverage!their!growing!base!of!web!applications!as!scanning!catch!points!for!devices!accessing!corporate!resources.!

Consider!a!highly!distributed!organization!with!a!large!remote!sales!force.!Typically!these!users!are!accessing!sales!and!order!processing!

applications!via!the!web,!they!rarely!access!the!corporate!network!using!VPN!access!and!are!always!on!the!move.!How!do!you!assess!these!devices!for!security!risk?!

At!iScan!Online,!we’ve!made!it!as!simple!as!adding!a!“PayPal”!button!or!web!analytics!service!to!your!web!application.!!Simply!include!a!small!JavaScript!snippet!into!any!web!application!and!all!users!accessing!the!web!application!will!be!scanned!for!security!issues!in!a!quick,!efficient!and!nonZobtrusive!manner.!!Scans!can!be!performed!as!often!as!desired!(daily,!weekly,!quarterly!etc.)!based!on!the!user!accessing!the!web!application.!Results!from!the!assessment!can!be!analyzed!automatically!by!the!web!application!in!order!to!make!decisions!regarding!the!users!web!application!request.!For!example,!the!web!application!could!decide!to!deny!access!or!to!limit!available!functionality!to!the!user.!!As!with!all!iScan!Online!scans,!scan!results!are!available!for!reporting!and!analysis!from!iScan!Online’s!Cloud!Console.!

!


5!

What*are*we*scanning*for?*iScan!Online!provides!scanning!solutions!that!meet!today’s!requirements.!Most!organizations!have!regulatory!compliance!mandates!that!require!scanning!of!all!connected!devices.!!!

Since!July!2012,!the!PCI!Council!has!mandated!that!all!merchants!perform!regular!internal!vulnerability!scans!and!prioritize!detected!vulnerabilities!for!remediation!to!manage!risk.!The!ability!to!conduct!these!internal!scans!onZdemand!is!a!compelling!use!case!for!iScan!Online.!!As!a!Participating!Organization!in!the!PCI!Council,!iScan!Online!delivers!the!internal!PCI!scan!mandated!by!section!11.2!of!the!PCI!DSS.!!iScan!Online’s!PCI!scan!compliance!report!is!the!proof!a!merchant!needs!to!show!compliance!with!this!requirement.!

The!same!is!true!of!HIPAA,!as!well!as!other!compliance!mandates.!iScan!Online!can!be!configured!to!run!the!various!types!of!scans!required!to!demonstrate!compliance!with!multiple!regulations.!

Vulnerability!and!compliance!aren’t!all!that!iScan!Online!can!scan!for.!Another!valuable!feature!is!iScan!Online’s!ability!to!perform!data!discovery.!!An!example!of!this!is!the!PAN!scan.!PAN!stands!for!primary!account!number!and!in!PCI!parlance!refers!to!a!credit!card!number.!!Under!the!PCI!DSS,!a!merchant!must!be!aware!of!unencrypted!PAN!data!being!stored.!iScan!Online!can!quickly!scan!a!device!and!discover!any!PAN!data!stored!in!various!file!formats!including!Microsoft!Office,!Outlook!and!compressed!formats.!

PAN!is!just!one!example!of!data!discovery.!!iScan!Online!can!also!be!configured!to!scan!for!other!PII!(personally!identifiable!information)!such!as!social!security!numbers!or!other!organization!specific!intellectual!property!such!as!customer!lists.!!

iScan*Online*Cloud*Console**iScan!Online’s!ability!to!perform!opportunistic,!on!demand!scanning!is!truly!a!game!changer!in!dealing!with!today’s!modern!network!and!users.!!But!some!things!don’t!change.!!One!thing!that!almost!every!organization!requires!is!the!ability!to!manage!and!organize!security!assessment!results.!iScan!Online’s!Cloud!Console!fulfills!this!need.!!!

The!iScan!Online!Cloud!Console!provides!multiZtenancy,!roleZbased!access,!scan!configuration,!reporting!and!analysis.!!It!allows!administrators!to!

!


6!

specify!how!scans!are!initiated!for!example!via!a!web!browser,!mobile!app!etc.!!The!Cloud!Console!gives!administrators!insight!into!devices!compliance!and!vulnerability!posture!across!the!entire!organization.!!

Imagine!being!able!to!not!only!scan!the!dark!matter!devices!accessing!your!network,!but!also!chart!the!device!location.!iScan!Online!provides!geoZlocation!of!devices!as!they!are!scanned!which!allows!security!personnel!to!pinpoint!devices!on!a!map!via!the!iScan!Online!Cloud!Console.!

The!iScan!Cloud!Console!provides!RESTful!API’s!and!data!results!in!JSON!format!so!that!it!can!be!easily!integrated!into!a!wide!variety!of!3rd!party!solutions!including!Log!Management,!SIM/SIEM,!Remote!Monitoring!and!Management,!Web!Content!Filtering,!Network!Devices!and!Managed!Service!Provider!tools.!!!

Illuminating*The*Dark*Matter*We!are!living!in!exciting!times.!We!are!in!the!midst!of!a!sea!of!change!in!how!organizations!conduct!business!and!the!technologies!and!devices!they!use.!!These!changes!will!render!some!older!technologies!and!methods!obsolete.!Technological!Darwinism!dictates!that!new!technologies!and!methods!will!rise!up!to!take!their!place!and!fill!the!niches!that!organizations!need!solutions!for.!iScan!Online!is!one!of!these!new!breed!of!solutions;!with!the!right!approach!and!technology!to!tackle!the!challenges!that!today’s!technologies!and!organizations!require.!!

You!can’t!afford!to!have!a!majority!of!your!network!as!dark!matter.!With!iScan!Online!gain!the!insight!you!need!to!shine!the!light!on!every!section!and!device!in!your!network.!

!

CONTACT!US!

iScan Online, Inc. 19111 N. Dallas Pkwy

Suite 200 Dallas, TX 75287

214-276-1150

[email protected]

http://www.iscanonline.com

!

dark matter of your network

Technology