You may think that since you have secured your network through firewalls and intrusion prevention devices, you must be secure. Not so fast! Attackers are constantly on the prowl, looking for any server or service they can exploit in your network. For example, a poorly configured web or mail server can be identified with an unauthorized external network scan. It’s not uncommon for a software package to automatically install an Apache server, for example, without the administrator or installer being aware of the fact. A hacker can access those “orphan” services and expand the initial entry into something much larger.
SANS Critical Control #1 is about the need for an asset management system. You can use an up to date enterprise asset inventory to compare the services that are actively listening on your network with the services that you actually require. To control unauthorized and misconfigured services from running on your network, you must schedule port scanning tools to run regularly. For example, if an employee unintentionally (and without authorization) installs a service that listens on the network, the port scanning tool will identify that service.
Once the port scanning tool identifies an unauthorized service running on the network, it must send out an immediate alert to the system administrators or security personnel. The administrators can either disable that service or ensure that it is authorized through official change management procedures.
You must also adopt a deny rule by default on your host based firewalls or port filtering tools, so that only explicitly allowed service and ports are used. You must also ask your business units to justify the business use across the internal network on a quarterly basis. You must ensure that any temporary servers or services for projects that have been completed, are turned off through a periodic formal verification process.