A sobering statistic regarding commonly used security controls was highlighted in a recent report. “Software and hardware inventory and valuation” was the least cited control, with only 16% of CISOs leveraging it. Some may consider inventory an IT responsibility, not a security responsibility, but this is a serious oversight. Building and maintaining an accurate asset inventory is the foundation for the security team’s work. Let’s explore why.
The problem with not knowing
First, how can you get a complete picture of the risk to your organization if you don’t know exactly what you have? Risk analyses are going to be inaccurate unless they cover all of your IT systems and data. Considering the problems of app sprawl and confidential data spread, risk from unprotected systems could be hidden within your network without careful examination. Furthermore, proper risk analysis requires calculating the potential damages from a breach, and those calculations depend on a complete inventory.
Second, if you don’t know what’s on your network, how can you tell when something has been surreptitiously added or altered? Consider the advice of America’s elite hacking team at the National Security Agency. Rob Joyce, NSA hacker in chief, describes their network compromise team’s technique as fully understanding what is on their target network. He adds, “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.” This knowledge gap is what is exploited by attackers.
Many breaches involve systems that defenders did not even know existed or assumed were locked down. Getting hacked is a sucker punch where you least expect it. Properly tracking your assets tells you where and what you need to protect and monitor.
Third, lack of awareness of your own systems and data can lead to serious compliance headaches. Consider the General Data Protection Regulation (GDPR), which gives EU citizens new rights regarding their personal data. One of those rights is “Right to Access,” which compels controllers and processors to answer data subject requests describing how and where their information is being processed.
However, if you don’t know which systems are holding this data, you can’t respond to this inquiry. The same holds true for other compliance requirements, such as PCI DSS for payment card information, HIPAA for medical information, and SOX for financial records regarding public companies. You must have a real-time understanding of all your key data paths and storage systems to answer any regulator or auditor inquiries.
How to build the asset inventory
The first step is communicating the importance of an up-to-date inventory to the organization. A good tool for this is a security policy statement, which can state something like:
Our company recognizes the importance of maintaining an accurate inventory of applications and systems that process and store sensitive information. We need to know where our critical information is stored and what is on our network to keep risk to an acceptable level and provide transparency to our customers and critical partners. To that end, all company-owned systems must be inventoried and continuously tracked with respect to value, information used, and importance to company operations. Both electronic and manual inventory processes will be used to accomplish this.
After you’ve communicated this policy, it’s time to roll up your sleeves and get to work. IT assets can be difficult to track, especially with virtualization and cloud computing. It’s even harder to keep track of the data itself. Visionary Kevin Kelly famously said, “The Internet is a copy machine. At its most foundational level, it copies every action, every character, every thought we make while we ride upon it… The digital economy is thus run on a river of copies.” Data can be silently copied anywhere, so you need to be vigilant and relentless in your tracking of it.
Chasing down assets in a modern, dynamic organization is a challenge, but it is a necessity. Some of the heavy lifting of inventory can be automated with DLP and system scanning tools. However, tools alone may not give you a complete picture. You should supplement the automation with manual processes like interviewing system and data owners, reviewing documentation, and examining configurations.
Be sure to look carefully at the configuration of your key systems, which can give you clues as to where the data and control processes flow. These systems include domain controllers, authentication servers, mail servers, financial processing systems, sales servers (holding customer and prospect lists), file shares, collaboration systems, and anything touching the Internet or third-party systems. These systems can all contain things that would be valuable to attackers and therefore should be thoroughly inventoried and tracked. Sometimes the asset analysis process will show data leaving your organization, which means you also need a good third-party security analysis process.
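As an added example (not from the original article), the Python code below reconciles an inventory of record against the output of a discovery scan, surfacing the gap between what is supposed to be on the network and what is actually there, and flagging records that lack the fields the policy statement says to track. The CSV layouts, field names, and sample data are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: the inventory of record and a discovery scan export.
INVENTORY_CSV = """hostname,ip,owner,value,data_handled,services
dc01,10.0.0.10,it-ops,high,credentials,53;88;389
mail01,10.0.0.20,it-ops,high,email,25;443
fin01,10.0.0.30,finance,high,financial records,443
share01,10.0.0.40,,,,445
"""
SCAN_CSV = """ip,services
10.0.0.10,53;88;389
10.0.0.20,25;443;3389
10.0.0.40,445
10.0.0.99,22;8080
"""

POLICY_FIELDS = ("owner", "value", "data_handled")  # assumed names for the tracked fields


def ports(field):
    """Parse a ';'-separated port list into a set of ints."""
    return {int(p) for p in field.split(";") if p}


def reconcile(inventory_csv, scan_csv):
    inventory = {r["ip"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {r["ip"]: ports(r["services"]) for r in csv.DictReader(io.StringIO(scan_csv))}
    report = {"unknown": [], "not_seen": [], "altered": {}, "incomplete": {}}
    for ip, open_ports in sorted(seen.items()):
        if ip not in inventory:
            report["unknown"].append(ip)  # on the network, not in the inventory
            continue
        expected = ports(inventory[ip]["services"])
        if open_ports != expected:  # services differ from what was recorded
            report["altered"][ip] = {"added": sorted(open_ports - expected),
                                     "removed": sorted(expected - open_ports)}
    for ip, rec in sorted(inventory.items()):
        if ip not in seen:
            report["not_seen"].append(ip)  # recorded, but the scan did not find it
        gaps = [f for f in POLICY_FIELDS if not rec[f].strip()]
        if gaps:
            report["incomplete"][ip] = gaps  # follow up with the system owner
    return report


if __name__ == "__main__":
    for section, items in reconcile(INVENTORY_CSV, SCAN_CSV).items():
        print(section, items)
```

The "incomplete" and "not_seen" entries are where the manual processes come in: a scan cannot tell you who owns a file share or why a recorded finance server has gone quiet.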
Strong security starts with understanding exactly what you need to protect and where it resides within your organization. It’s better for you to do an inventory of your systems than have an attacker do it as a shopping list. As Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”