Ok, so that’s not exactly what the sign typically says but you should have your own sign that says “No Approval. No Authorization. No Access!”
No one wants uninvited guests in their home/party, just like no one wants unauthorized, unapproved assets on their network. You need the visibility to know who/what is on your network and the ability to remove them if they’re not authorized. Those unauthorized assets can unknowingly expand your blast radius and increase your attack surface.
That could be someone’s personal laptop, a VM created by a developer, or even a demonstration/test system or account. Because no one has ever set up an account or system named “Demo,” “DemoTest,” or “Test”, right?
These systems/accounts often have weak security configurations (e.g., missing patches, unremediated vulnerabilities, local admin access, etc.) that leave them vulnerable to web- or email-based malware. Once inside, adversaries can leverage those weak configurations to traverse the network (lateral movement) and find your crown jewels.
So, walk tall, get a big stick, and ensure you have people/process/technology to find those unauthorized assets and remove them!
Here’s the CIS definition of this Control/Safeguard:
CIS Control 1:
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.
Implementation Group 1 - CIS Safeguard 1.2
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
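To make Safeguard 1.2 concrete, here is an added example (my own illustration, not CIS text or any product’s code) that reconciles what a discovery scan or DHCP lease table reported against the authorized inventory and assigns each gap a response; the MAC addresses, IPs and hostnames are constructed, and the “demo/test” name check is a heuristic I added to catch the throwaway systems mentioned above.

```python
import re
from dataclasses import dataclass

# Constructed sample data (hypothetical): the approved inventory keyed by MAC,
# and what this week's discovery scan / DHCP lease table reported.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "fin-ws-017",
    "aa:bb:cc:00:00:02": "app-srv-03",
    "aa:bb:cc:00:00:03": "demotest-vm",  # approved, but named like a throwaway
}
DISCOVERED = [
    ("aa:bb:cc:00:00:01", "10.0.5.17", "fin-ws-017"),
    ("aa:bb:cc:00:00:02", "10.0.5.30", "app-srv-03"),
    ("aa:bb:cc:00:00:03", "10.0.5.44", "demotest-vm"),
    ("de:ad:be:ef:00:99", "10.0.5.201", "johns-macbook"),
    ("ca:fe:ca:fe:00:10", "10.0.5.88", "test-build-vm"),
]
# Names like "Demo", "DemoTest" or "Test" deserve a second look even when approved.
SUSPECT_NAME = re.compile(r"demo|test", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str
    action: str  # a Safeguard 1.2 response ("quarantine") or "review"

def reconcile(discovered, authorized):
    """Return one Finding per asset that needs action this week.
    Unknown MAC -> "quarantine" (isolate it until approved or removed);
    approved asset with a demo/test style name -> "review".
    Caveat: MACs can be spoofed, so treat this as a detection aid, not
    proof of identity; pair it with 802.1X or an agent-based inventory."""
    findings = []
    for mac, ip, hostname in discovered:
        if mac not in authorized:
            findings.append(Finding(mac, ip, hostname, "not in inventory", "quarantine"))
        elif SUSPECT_NAME.search(hostname):
            findings.append(Finding(mac, ip, hostname, "demo/test naming", "review"))
    return findings

def weekly_report(findings):
    """Render findings as the lines a weekly review ticket would carry."""
    if not findings:
        return "No unauthorized or suspicious assets found."
    return "\n".join(f"{f.action.upper():10} {f.mac} {f.ip:15} {f.hostname} ({f.reason})"
                     for f in findings)
```

Run `weekly_report(reconcile(DISCOVERED, AUTHORIZED))` on a weekly schedule with your real scan output and inventory swapped in; the two unknown MACs land in quarantine and the approved but suspiciously named VM gets a review entry.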