How to detect forgotten servers and services

As part of our risk management, and to avoid collateral damage, we require a list of in-scope IP addresses from the client before we start penetration testing.

In one of our pentest engagements, we discovered one IP address that was not in the client's list. We were fairly sure the web services running on that address belonged to the client: the pages carried the client's logo and everything indicated it was a system used for User Acceptance Testing (UAT). For completeness' sake, we checked back with the client to confirm they had not left any IP addresses out.

The response was startling!

I didn’t know there was an additional IP address that belonged to the company!

We received the updated IP block from the client and continued with the pentest.

What does this suggest?

A heavy workload on IT staff, coupled with turnover, can cause an organisation to lose critical domain knowledge while its exposed attack surface grows dramatically.

Forgotten servers or services are not monitored: they fall off the radar of the Chief Information Security Officer, so security patches are not applied on a timely basis, and nobody notices when they are probed or compromised. They also consume resources (electricity, a slot on a precious server rack, UPS capacity), all of which leads to the organisation overpaying for IT resources.

Ways to identify forgotten assets

  1. Look through your DNS records for any unknown or unfamiliar server/service names. Your DNS records may still reference decommissioned server IPs and/or services. Besides reviewing external DNS records, don't forget to go through the internal DNS records. Keeping DNS records up to date helps minimise accidental network exposure, and a stale record that points at an address you no longer control is an exposure in its own right.

  2. Review DNS records in conjunction with business owners. DNS records are usually maintained by the IT department, but the web service, and with it the DNS records, is owned by the business. It is therefore imperative to review these records together with the business owners, who can say whether a name still serves a purpose or can be removed.

  3. Check with your Internet service provider(s) for your allocated IP address block. Apart from checking within the organisation, ask your ISP: they usually allocate an IP address block along with your Internet connectivity subscription, and that block belongs to the company for the duration of the subscription. Every address in it should be accounted for, whether in use, reserved, or confirmed unused, and "confirmed" means scanned, not just absent from the spreadsheet.
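The three checks above can be mechanised once you have the three inputs side by side: a DNS zone export, the IT department's asset inventory, and the CIDR block the ISP allocated. The script below is an added worked example, not code from the original post; the zone export, inventory and block are constructed sample data (documentation ranges), and it assumes a BIND-style zone export with one record per line. It flags names in DNS that the inventory does not know about (the UAT box from the story), names pointing outside the allocated block (third-party hosting or a stale record), and addresses inside the block that appear in neither DNS nor the inventory, which are the ones to port-scan first.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a BIND-style export of the external zone. In practice this
# comes from your DNS provider's export or a zone transfer you are permitted to do.
ZONE_EXPORT = """\
; example.com external zone (constructed sample)
www         IN  A      203.0.113.10
mail        IN  A      203.0.113.20
uat         IN  A      203.0.113.45
old-crm     IN  A      203.0.113.60
cdn         IN  CNAME  www.example.com.
legacy-vpn  IN  A      198.51.100.7
"""

# Constructed sample: the IT department's asset list, keyed by IP address.
INVENTORY = {
    "203.0.113.10": "www-prod-01",
    "203.0.113.20": "mail-01",
}

# Constructed sample: the block the ISP allocated with the Internet subscription.
ALLOCATED_BLOCK = ipaddress.ip_network("203.0.113.0/26")

# NAME [TTL] [CLASS] A RDATA. CNAME/MX/TXT lines do not match and are skipped.
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")


def parse_zone(zone_text):
    """Return {ip: [names, ...]} for every A record in a zone export."""
    records = defaultdict(list)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        m = A_RECORD.match(line)
        if not m:
            continue
        name, ip = m.group(1), m.group(2)
        try:
            ipaddress.ip_address(ip)               # reject malformed RDATA
        except ValueError:
            continue
        records[ip].append(name)
    return dict(records)


def find_forgotten(zone_text, inventory, allocated_block):
    """Cross-reference DNS, the inventory and the ISP-allocated block.

    Returns three lists:
      unknown_in_dns  - names whose IP is inside the block but not in the
                        inventory (the forgotten UAT server lands here)
      outside_block   - names pointing at IPs outside the block: third-party
                        hosting, or a stale record for an address you no
                        longer control
      unaccounted_ips - addresses in the block found in neither DNS nor the
                        inventory; nobody knows what is there, so scan these
    """
    dns = parse_zone(zone_text)
    unknown_in_dns, outside_block = [], []
    for ip, names in dns.items():
        if ipaddress.ip_address(ip) not in allocated_block:
            outside_block.extend(names)
        elif ip not in inventory:
            unknown_in_dns.extend(names)
    known = set(dns) | set(inventory)
    # hosts() skips the network and broadcast addresses of the block.
    unaccounted_ips = [str(a) for a in allocated_block.hosts() if str(a) not in known]
    return {
        "unknown_in_dns": sorted(unknown_in_dns),
        "outside_block": sorted(outside_block),
        "unaccounted_ips": unaccounted_ips,
    }


if __name__ == "__main__":
    result = find_forgotten(ZONE_EXPORT, INVENTORY, ALLOCATED_BLOCK)
    for category, items in result.items():
        print(f"{category} ({len(items)}): {', '.join(items)}")
```

Run it against a real zone export and inventory and the `unknown_in_dns` list is the first thing to take to the business owners (step 2 above); the `unaccounted_ips` list is what to feed to a port scanner, because an address the inventory and DNS both ignore is exactly where a forgotten server hides.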

These are some methods you can employ in your organisation to find forgotten corporate servers/services. While going through your physical assets, don't forget virtual ones such as cloud instances and managed databases or storage (e.g. Amazon RDS, DigitalOcean Block/Object Storage); they have no slot in a rack to remind anyone they exist.

We can help your organisation detect and test forgotten servers and services through our vulnerability assessment and penetration testing services.

Contact us
