Building a Cybersecurity Strategy: Asset Management

Asset Management is Fundamental

The first, and arguably most important, fundamental component to ‘Building a Cybersecurity Strategy’ is Asset Management. The reason is simple:

It is impossible to secure something if the organization is unaware it exists.

The importance of this principle can be seen when retroactively studying the impact of the Log4Shell vulnerability. Successful exploitation allowed complete control of a system through remote code execution, and the vulnerability existed in a widely used programming library present on thousands of systems worldwide.

Organizations were quickly tasked with identifying assets that utilized the library and then updating to secure versions. Meanwhile, attackers rapidly exploited the vulnerability to carry out ransomware attacks and deploy crypto-mining software on unpatched systems.

Organizations with poor asset management quickly found themselves struggling to identify instances of Log4Shell vulnerabilities. The same issues will be faced when the next major vulnerability arises: can management be confident every asset is known and cataloged correctly?

The Benefits of Asset Management

In simple terms, asset management is the practice of keeping track of what systems and software an organization owns and operates. An asset can be thought of as anything the organization owns, ranging from license keys to physical devices and everything in between.

Strong asset management allows an organization to quickly access a centralized catalog of its assets that provides critical information. When properly managed, asset inventories can prevent theft, allow for quick response to vulnerabilities, and assist in software and license management.

Strong asset management allows for a catalog of the highest-priority assets

There are numerous asset management software suites on the market. Many modern solutions allow for asset discovery, domain integration, and connectivity between other IT and security applications to streamline asset management.

If affordability is an issue, it is still worth tracking assets in a spreadsheet or another form of makeshift catalog until a proper suite is deployed. There are two main goals regarding asset management, regardless of the solution:

  1. Keep it centralized

    An asset list should include everything from every location in one spot. It defeats the purpose if management must make a decision based on the asset listing yet has to track down several different catalogs.

  2. Keep it up to date

    Asset entry into the catalog should be baked into the deployment and disposal phases of the asset lifecycle. Organizations should not need to worry whether the asset catalog is up to date when making decisions.

Key Attributes in Asset Management

When deploying an asset tracking solution, the solution should include but not be limited to the following key attributes:

  • Device Name

  • Serial Numbers

  • Operating System Version

  • Software Version(s)

  • Assigned User(s)

  • Criticality / Classification

  • Department

  • Locations

  • Security Solutions (AV, EDR, DLP)

Asset management should be tailored to the organization, so be sure to include any other attributes that can assist the organization. It is important to include any attributes required to maintain compliance, such as encryption or whether a device contains a certain type of data (e.g. Payment Card Information or Personal Health Information). It should also be noted that properly tracking criticality will pay dividends when performing business impact analysis and putting together response plans.

Some modern solutions will automatically populate these fields. If an organization must manually populate the catalog, it is important that a checklist be developed to ensure the proper data is recorded. Management should review the asset catalog regularly to ensure policies and procedures regarding asset management are being adhered to.

Leveraging Asset Management to Mitigate Risk

Once assets have been identified in the organization, the next step is to understand where those assets reside. This is important in both the physical and logical context.

Logically speaking, a publicly facing server is much more of a security concern than an analyst’s desktop in a corporate office. Asset lists should denote location and criticality. It can also be beneficial to include a field in asset tracking that denotes whether the device is publicly facing or internal.

In terms of addressing physical risk, losing data on a laptop at a construction site is far more likely than losing data on a virtual machine hosted in the cloud. It is important to denote the location when tracking assets to understand the differences in risk those assets face.

To assess current asset management capabilities, consider the following:

  • Does the organization know where assets are traveling and whether appropriate controls have been implemented to keep them secure?

  • Should a device be lost, how critical is the data on that asset? Can the device be remotely wiped?

  • Can the organization validate whether devices are encrypted from asset tracking tools?

  • Can the organization search asset listings for a specific software version? OS Version?

Understanding Asset Accountability

As a team builds an inventory of assets, it is vital to denote who will be in charge of patching or managing configurations of that asset. When a critical vulnerability is announced or the organization is adopting new technology, not knowing who will make adjustments can be not just a logistical nightmare, but a security risk.

As mentioned before, make sure asset lists include the owner, manager, or individual responsible for oversight. Doing so will greatly speed up new projects and patching, and increase security. Another thing to consider is the internal process of procuring new assets, how they will be tracked, and how they will be decommissioned at the end of their life.

Some key questions to ask here are:

  • Can the organization identify who is in charge of any given system at the organization?

  • Which individuals or departments are going to deploy/decommission assets at the organization?

  • When adopting new technology, which group(s) or departments will maintain it?
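
The version-search and encryption questions from the previous section, and the ownership question above, can be answered directly from a well-kept catalog. The following is an added example, not part of the original article: the column names, the library name "examplelib", and all rows are constructed for illustration.

```python
import csv
import io

# Constructed sample catalog. Column names are assumptions based on the key
# attributes above, plus the public-facing and encryption fields suggested.
CATALOG_CSV = """\
device_name,os_version,software,owner,criticality,department,location,public_facing,encrypted
web-01,Ubuntu 22.04,examplelib=2.14.1;nginx=1.24.0,alice,high,IT,dc-east,yes,yes
hr-lt-07,Windows 11,examplelib=2.17.0,bob,medium,HR,field,no,no
db-02,RHEL 9,examplelib=2.9.0,,high,Finance,dc-east,no,yes
kiosk-3,Windows 10,browser=120.0,carol,low,Sales,lobby,yes,no
"""
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); as strings, '2.9.0' would sort above '2.17.0'."""
    return tuple(int(part) for part in text.split("."))

def load_catalog(csv_text):
    """Parse the catalog and expand 'software' into a name -> version dict."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        items = [item for item in row["software"].split(";") if item]
        row["software"] = dict(item.split("=", 1) for item in items)
        assets.append(row)
    return assets

def find_affected(assets, package, fixed_version):
    """Return assets running `package` below `fixed_version`, most urgent first."""
    fixed = parse_version(fixed_version)
    hits = [a for a in assets if package in a["software"]
            and parse_version(a["software"][package]) < fixed]
    # Public-facing systems first, then by criticality.
    hits.sort(key=lambda a: (a["public_facing"] != "yes",
                             CRITICALITY_RANK[a["criticality"]]))
    return hits

def catalog_gaps(assets):
    """List records with no owner or no encryption, which slow down response."""
    return {
        "no_owner": [a["device_name"] for a in assets if not a["owner"]],
        "unencrypted": [a["device_name"] for a in assets if a["encrypted"] != "yes"],
    }

if __name__ == "__main__":
    inventory = load_catalog(CATALOG_CSV)
    for asset in find_affected(inventory, "examplelib", "2.17.0"):
        print(asset["device_name"], asset["software"]["examplelib"],
              asset["owner"] or "UNASSIGNED")
    print(catalog_gaps(inventory))
```

The same query works against a spreadsheet export, provided every location feeds one file and the software column is kept current.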

Don’t Do it Alone!

Thoreson Consulting is here to help you adopt strong asset management practices. Let’s work together to figure out the who’s, what’s, and where’s of your organization. In doing so, you’ll be able to triage your security risk remediation efforts and become more secure as an organization.

Reach out today for a free consultation!
