Every IT administrator has a nightmare about discovering an unknown, rogue device in a server room or attached to a network point, so why do we only rely on the IT manager to be on the lookout for this?
I’ve seen it at numerous clients: we slot a new device into the server room, such as a temperature sensor or a Raspberry Pi handling network-wide ad blocking, only for the IT team not to notice (or at least not raise a concern) that there is a new device in the server room, and they have no idea what it does.
Late last year, a post on Reddit garnered quite a lot of attention for a strange Raspberry Pi (a credit card sized computer) connected to a corporate network. In short, the device was placed there by an ex-employee, and it was logging data – whether this was for a sanctioned reason or not is up to the authorities to decide.
The scary part is that the device was only discovered well after it was plugged in (almost a year later).
What Can You Do?
Education and Asset Management
It is important that IT teams, particularly those that are outsourced, are aware of what devices should and shouldn’t be in place at a client or in their organisation. Asset registers detailing what devices are where are key for passing on knowledge to new or rotating staff members.
Intrusion Detection Systems (IDS)
Many solutions, both open source and proprietary, exist to detect rogue devices on networks. These sit either at the edge of the network, detecting unusual traffic leaving it, or within the network itself, analysing all the internal traffic. When an unknown device is plugged in, an administrator can be alerted and the offending device can be automatically blocked from communicating.
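As an added example (not code from the original post), the following Python script shows the basic check behind the asset register and IDS advice above: it parses a Linux host's neighbour table (the output format of `ip neigh show`) and flags any MAC address that is absent from the asset register. The register, the neighbour table and the OUI hint list are constructed sample data for the example.

```python
import re
from datetime import datetime

# Constructed sample asset register: MAC -> (asset name, physical location).
ASSET_REGISTER = {
    "00:11:22:33:44:55": ("core-switch-01", "server room, rack A"),
    "aa:bb:cc:dd:ee:01": ("temp-sensor-01", "server room, rack B"),
    "aa:bb:cc:dd:ee:02": ("file-server-01", "server room, rack A"),
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH_TABLE = """\
10.0.10.2 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.10.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
10.0.10.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
10.0.10.99 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
10.0.10.100 dev eth0 FAILED
"""

# Partial, constructed OUI list used only to give the alert a vendor hint.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<iface>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")

def parse_neigh_table(text):
    """Return (ip, iface, mac) tuples from `ip neigh show` output.
    Entries without a link-layer address (FAILED/INCOMPLETE) are skipped."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append((m["ip"], m["iface"], m["mac"].lower()))
    return entries

def find_unknown_devices(entries, register):
    """Return the entries whose MAC does not appear in the asset register."""
    return [e for e in entries if e[2] not in register]

def vendor_hint(mac):
    """Look up the first three octets (OUI) in the hint table."""
    return OUI_HINTS.get(mac[:8], "unknown vendor")

def format_alert(entry, seen_at):
    ip, iface, mac = entry
    return (f"[{seen_at:%Y-%m-%d %H:%M}] UNKNOWN DEVICE {mac} ({vendor_hint(mac)}) "
            f"at {ip} on {iface}: not in asset register")

if __name__ == "__main__":
    for e in find_unknown_devices(parse_neigh_table(SAMPLE_NEIGH_TABLE), ASSET_REGISTER):
        print(format_alert(e, datetime.now()))
```

Run it periodically from a host on each segment (or feed it the real `ip neigh show` output) and route the alerts to whoever owns the asset register, so a new device is questioned the day it appears rather than a year later.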
Physical Network Segregation
Or a fancy way of saying that network points in public and vulnerable areas should be separated from the internal network in much the same way as a DMZ. If someone plugs a device into a point in the canteen area, it should not be able to traverse the network to your internal financial database. For an even more robust solution, take note of where your network points are, and physically disconnect them from your switches if they are not in use or are for future capacity expansion.
Most Importantly – Ask Questions
In short, IT teams should be vigilant and encouraged to raise concerns about something they are not sure of, even if the device is labelled. A strange device installed in a network labelled “Production Directory Server – do not touch!” is still a strange device. Get inquisitive, and raise it with decision makers.
As Alex Irvine said, “It’s better to tell someone something they already know than to not tell them something they needed to hear.”