Control 1.6: Address Unauthorized Assets

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner

Category

Procedural

Purpose

This Sub-Control is meant to ensure that a list of authorized assets can be compared against the list of devices actually connected to an enterprise network. Any difference between the two lists should be investigated; the unexplained devices will likely include phones, tablets, and laptops. A device under investigation may turn out to be authorized, in which case the inventory is updated and the device is removed from the list of discrepancies. If a device is not meant to be on the network, it should be removed from the network and thoroughly investigated. Unauthorized devices may be accessing enterprise network traffic, including proprietary or sensitive information, and they are also positioned on the network to launch attacks against organizational systems.

This Sub-Control helps to prevent unauthorized eavesdroppers on a public network. Attackers might be able to view enterprise traffic, or change it while it is in transit. Eavesdroppers can be listening on both the wired and the wireless network. Physically finding a device can be difficult, as it is often hard to associate a device name (e.g., "John's Android") or a hardware network address (media access control (MAC) address) with a particular device by sight. Device names and MAC addresses can provide hints about the type of device, but they can also be faked to fool anyone trying to find the device. If a specific device cannot be identified, changing the wireless fidelity (WiFi) network password may be a useful step, although this will only affect wireless devices.

Automation

This Sub-Control is automatable, but it will require someone with a higher-than-average level of network know-how to install, configure, and regularly use the right software packages.
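As an added illustration of that automation (not part of the CIS control text), the Python script below reconciles a constructed authorized-asset inventory against a constructed DHCP-lease/ARP-style listing of observed devices: it flags devices not in the inventory, devices whose known MAC now carries an unexpected hostname (a hint of the faking mentioned above), and inventoried assets that are absent from the network. All MACs, hostnames and addresses are made-up sample data.

```python
"""Control 1.6 reconciliation, an added example (not CIS text) over constructed data.
MACs and hostnames can be faked, so a match means "known", not "verified"."""
from collections import namedtuple
# Constructed inventory: normalized MAC -> (asset label, expected hostname)
AUTHORIZED = {
    "00:11:22:33:44:55": ("finance-laptop-01", "fin-lt01"),
    "66:77:88:99:aa:bb": ("printer-floor2", "prn-f2"),
    "cc:dd:ee:ff:00:11": ("ap-lobby", "ap-lobby"),
    "12:34:56:78:9a:bc": ("hr-desktop-04", "hr-dt04"),
}
# Constructed observation (DHCP-lease / ARP style): "<ip> <mac> <hostname>"
OBSERVED = """\
10.0.0.10 00:11:22:33:44:55 fin-lt01
10.0.0.20 66-77-88-99-AA-BB prn-f2
10.0.0.31 cc:dd:ee:ff:00:11 johns-android
10.0.0.77 de:ad:be:ef:12:34 unknown-tablet
"""
Finding = namedtuple("Finding", "ip mac hostname verdict action")

def normalize_mac(mac):
    """Accept 00:11:.., 00-11-.. or 0011.. and return lowercase colon form."""
    h = mac.replace(":", "").replace("-", "").lower()
    if len(h) != 12 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))

def parse_observed(text):
    """Yield (ip, mac, hostname) for each non-blank line of the listing."""
    for line in text.splitlines():
        if line.strip():
            ip, mac, host = line.split()
            yield ip, normalize_mac(mac), host

def reconcile(authorized, observed_text):
    findings = []  # one Finding per observed device: authorized / review / unauthorized
    for ip, mac, host in parse_observed(observed_text):
        entry = authorized.get(mac)
        if entry is None:        # not in the inventory at all
            findings.append(Finding(ip, mac, host, "unauthorized",
                                    "remove or quarantine, then investigate"))
        elif entry[1] != host:   # known MAC, unexpected name: verify, may be faked
            findings.append(Finding(ip, mac, host, "review",
                                    f"hostname differs from inventory ({entry[1]})"))
        else:
            findings.append(Finding(ip, mac, host, "authorized", "none"))
    return findings

def inventoried_but_absent(authorized, observed_text):
    """Inventory entries not seen on the network: candidates for an inventory update."""
    seen = {mac for _, mac, _ in parse_observed(observed_text)}
    return sorted(set(authorized) - seen)
```

In practice the `OBSERVED` string would be replaced by the access point's device map or the DHCP server's lease file, and the `review` and `unauthorized` findings would drive the quarantine or inventory-update step.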

Guidance and Tools

Many modern wireless access points and routers have a feature that will show a network map of all devices currently connected to the access point. It is often possible to click on any device in question and remove it from the network.