Sarbanes Oxley Compliance Journal

Network Discovery: The Logical IT Starting Point for the Sarbanes-Oxley Compliance Process

By Ofir Arkin, CTO, Insightix

The Sarbanes-Oxley Act of 2002 makes corporate executives explicitly responsible for establishing, evaluating and monitoring the effectiveness of internal control over financial reporting. For most organizations, the role of information technology (IT) is crucial to achieving this objective. IT is the foundation of an effective system of internal control over financial reporting.

Since IT is a networked environment, any device attached to the network can interact with either the financial reporting systems or the systems that feed the financial reporting systems. Therefore, securing your IT infrastructure is as critical as deploying effective user access controls. But in order to do that, you need to know what you have on your network. How can you secure what you don't know about? Accordingly, a discovery solution that is complete and accurate is essential.

Accessing complete and accurate network information is not as straightforward as it seems. While most organizations have invested in traditional discovery tools over the years, there are key trends that are reducing their effectiveness:

(1) Workstations are going mobile - notebook computers are replacing desktops. This means that the asset location information collected by traditional periodic network scans quickly becomes out of date as these mobile devices move around.

(2) Deperimeterization is driving firewalls and other security software directly onto workstations and servers. This prevents traditional discovery scanning from identifying systems because the firewalls cloak the devices. As a result, a wide range of elements, including any common laptop and desktop computers running Windows XP Service Pack 2, are not identified by traditional discovery tools.

(3) Virtualization - organizations are embracing server virtualization tools like VMware in order to reduce operating costs. Traditional discovery tools do not provide an accurate representation of a server's base and guest operating systems.

The result is that at any point in time, the information about network-attached elements obtained by traditional discovery tools can be anywhere from 20% to 40% out-of-date or incomplete. This means that traditional discovery tools cannot provide the network visibility needed to support Sarbanes-Oxley compliance initiatives. Network discovery solutions need to expand significantly beyond their current limitations to contribute to Sarbanes-Oxley compliance efforts. This expansion rests on two fundamental changes.

First, a network discovery solution should be based on an automated balance between active and passive discovery methods. The technical limitations of active discovery are well documented: active discovery is a one-time scan that results in incomplete discovery, and it is based on a packet flood that degrades network performance. At the same time, passive-only discovery is dependent on network traffic and fails to identify those devices with limited traffic patterns.

The correct approach to discovery should intelligently combine passive and active network analysis. A majority of network inventory and associated parameters for each device can be obtained by passively analyzing network traffic. Based on the network information gathered passively, the limited amount of missing network information should be gained automatically by directly polling the network elements. This intelligent combination of active and passive discovery ensures that the entire network is covered, providing the complete and accurate inventory needed to serve as the baseline for Sarbanes-Oxley compliance initiatives.

The second change requires network discovery solutions to move beyond IP-based discovery and utilize MAC-based discovery. This is important because in DHCP environments, IP addresses are dynamically allocated. Consequently, there is no reliable relationship between IT assets discovered by multiple IP-based discovery scans performed at different points in time. By contrast, MAC-based discovery correctly identifies IT assets and associates them with their historical information, which is an essential aspect of complying with internal control requirements.
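As an added illustration (not code from the article or from Insightix), the following Python sketch shows the two changes the article calls for: a MAC-keyed inventory that merges passive observations of the same interface across DHCP lease changes, compared with the naive IP-keyed view, plus the short list of assets whose passive record is incomplete and that would therefore need direct polling. The observation records are constructed, not real captures.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Dict, Set

@dataclass
class Asset:
    mac: str
    ips: List[str] = field(default_factory=list)  # IP history, oldest first
    os: Optional[str] = None
    hostname: Optional[str] = None
    last_seen: int = 0

# Constructed sample: what a passive sensor could infer from ARP/DHCP and other
# traffic, as (timestamp, mac, ip, os_hint, hostname). Not real data.
OBSERVATIONS = [
    (100, "00:11:22:33:44:55", "10.0.0.10", "Windows XP", "laptop-7"),
    (110, "00:11:22:33:44:66", "10.0.0.11", None, None),           # quiet device, little traffic
    (200, "00:11:22:33:44:55", "10.0.0.23", None, None),           # same laptop, new DHCP lease
    (210, "00:11:22:33:44:77", "10.0.0.10", "Linux", "esx-guest1"),  # old IP reused by another host
]

def build_inventory(observations) -> Dict[str, Asset]:
    """MAC-keyed inventory: one record per interface, IP changes kept as history."""
    assets: Dict[str, Asset] = {}
    for ts, mac, ip, os_hint, host in sorted(observations, key=lambda o: o[0]):
        a = assets.setdefault(mac, Asset(mac))
        if ip not in a.ips:
            a.ips.append(ip)
        a.os = a.os or os_hint            # keep the first attribute seen passively
        a.hostname = a.hostname or host
        a.last_seen = max(a.last_seen, ts)
    return assets

def ip_keyed_view(observations) -> Dict[str, Set[str]]:
    """Naive IP-keyed view: which MACs were seen behind each IP over time."""
    view: Dict[str, Set[str]] = {}
    for _, mac, ip, _, _ in observations:
        view.setdefault(ip, set()).add(mac)
    return view

def active_poll_targets(assets: Dict[str, Asset]) -> List[str]:
    """Only assets with gaps in their passive record need a direct query."""
    return sorted(a.mac for a in assets.values() if a.os is None or a.hostname is None)
```

In the sample, the IP-keyed view conflates two different hosts under 10.0.0.10 and splits the laptop across two IPs, while the MAC-keyed inventory yields three assets and only the quiet device needs active polling.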

In summary, comprehensive network visibility is the logical starting point for Sarbanes-Oxley compliance initiatives. The baseline network information obtained by a complete and accurate discovery is an absolute requirement for any risk assessment, internal control procedure, real-time disclosure or other IT initiative to cover the entire IT infrastructure and produce results that contribute to achieving Sarbanes-Oxley compliance.



Ofir Arkin cofounded Insightix and acts as the company's CTO. Ofir is a leading security researcher on the subjects of information warfare, VoIP security and remote OS fingerprinting.

Before cofounding Insightix, Ofir consulted for numerous multinational companies in the financial, telecommunications and pharmaceutical markets, leading various security projects.

He is the author of a number of influential papers on information warfare, VoIP security and network discovery. Ofir is a member of the prestigious Honeynet Project and was elected to the board of directors of the Voice over IP Security Alliance (VoIPSA) as the Security Research Committee Chair; he also sits on the organization's Technical Board of Advisers.

Ofir also served as the CISO (chief information security officer) of 012 Golden Lines, a leading ISP and long distance carrier in Israel.





© 2019 Simplex Knowledge Company. All Rights Reserved.