Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/12/2020
02:00 PM
Kevin Kurzawa
Kevin Kurzawa
Commentary
50%
50%

Stop Defending Everything

Instead, try prioritizing with the aid of a thorough asset inventory.

What is your information security program defending?

This is a deceivingly difficult question for most. When I ask this at typical organizations, the answer is often disheartening. The standard response is "everything." The word everything causes my skepticism radar to start chirping like a Chernobyl Geiger counter.

The claim being made here is that all of the systems and all of the data created and stored by the organization are defended. These companies, and the "everything" claim, do not make distinctions between high and low levels of protection. To lump all systems and data into one category causes equality across the board, which is a recipe for inefficiency at best and disaster at worst.

Fredrick the Great said, "He who attempts to defend everything, defends nothing." If we attempt to defend everything, this means that we are not prioritizing. In this scenario, the same security controls and effort to defend a critical system storing the organization's crown jewels are going to also apply on a noncritical system. This would lead to either underprotecting a critical system, overprotecting a noncritical system, or potentially both.

The concept of opportunity costs is important here since we all have limited resources. No department is given a blank check for all the tools, training, and expert staff that one could desire. The opposite is more likely to be the case, where departments are being asked to do more with less.

In a reality with limited resources, every dollar spent on a tool also represents a dollar that could have been spent on a different one. Every staff member hired with a particular skill represents a candidate that got passed on who had a different expertise. Every hour spent researching a solution is an hour that could have been dedicated to various other projects.

Opportunity costs are why prioritization needs to occur. Without it, an organization is guessing as to what to protect and how best to defend assets. This prioritization begins with an asset inventory.

Collect Everything
What constitutes an effective asset inventory from which to prioritize information security? In a word, details. "No details" means no value. An inventory is a listing of detailed attributes that can serve as an authoritative and consolidated resource. It is the one-stop shop for everything that is relevant to information security regarding an asset.

It must also be detailed in the sense that it must be all-inclusive. It's every system that touches your network or handles sensitive information. It's everything that's wired, wireless, or even capable of either of those. It's printers, IP phones, kiosks, marquees, and Internet of Things devices. It's bare-metal hypervisors like ESXi. It's firewalls, routers, wireless access points, and switches. It's everything.

Understand Everything
Once all the assets are inventoried and information about them is collected, we begin to understand the big picture. Most of the asset details in an inventory play a supporting role to the system's criticality ranking. This ranking is derived from attributes, such as the purpose of the system, type of data it generates and stores, user community, and business function it supports. From this criticality attribute, the security controls to protect it can be determined in order to bring the risks in line with the business's risk tolerance.

Integration
Now we return to the asset inventory to reconcile those determined controls and provide assurances that they are in place and working as expected. Confidence in the functioning of a security program cannot exist without a complete asset inventory.

The various tools in the environment are typically tuned to determine what is working. Asset management, on the other hand, is used to determine what is not working. Assurance is a significant function of information security. Move past the assumptions that something should be working as advertised to a place of objective confidence that it is working.

A quality asset inventory allows a reconciliation process to occur. Comparing each tool's list of registered systems with an authoritative and all-inclusive inventory provides a clear and objective list of discrepancies. One can, at that point, put aside assumptions and actually know which systems are being protected or monitored by a tool — also, more importantly, which systems are missing and thus unprotected.

A Neglected Control
It is very rare that I see an organization with an accurate inventory. Why is this foundational control so often ignored?

For one, there isn't a tool to automate the process. We're conditioned to searching for a tool to solve our problems. A nail needs a hammer and a squeaky wheel needs oil. Asset inventory tools are basically repackaged spreadsheets. None readily automates a method to collect the type of information needed to understand the security posture of an asset and to ensure that each one has the controls that it should have.

It's also an indirect control. While firewalls and anti-malware tools can directly show the bad that they protect you from, asset management is a control that provides the assurances that your other controls are actually functioning as expected. It's not just a "helper" control, though, but more of a foundational control on which to build the entire program.

Asset management isn't sexy. It doesn't result in pretty graphs or quality filler for PowerPoint slides. Quite the opposite — it highlights the gaps in a security program. Asset management presents information that can be difficult to swallow. However, it will also help you achieve the next maturity level in your security program.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "From 1s & 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide"

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kratiw
50%
50%
kratiw,
User Rank: Strategist
2/14/2020 | 7:44:56 AM
Re: Accurate Asset Inventory - Just Way Too Easy to Say
Thanks for the reply. I agree that they're missing the point. The interpretation of NIST's asset management recommendation reminds me of Steve Martin's sketch "how to be a millionaire and not pay taxes, first, get a million dollars, second ..." I also agree with your main point regarding of prioritization through the inventory, however, I would also strongly recommend the use of technology rationalization which is the business justification for the asset and a bullet proof acquisition process which is the gatekeeper for how assets enter the organization, and not just through vendor purchases. Thanks again!
hucklesinthedark
50%
50%
hucklesinthedark,
User Rank: Author
2/13/2020 | 12:57:15 PM
Re: Accurate Asset Inventory - Just Way Too Easy to Say
Good points. Thank you for reading and commenting.

In regards to frameworks and asset management I'm a bit torn. Most of the infosec standards put asset management right at the top. For instance NIST's cybersecurity framework (CSF) has identify as their first function, with asset management (ID.AM) as the first category within this first function. And then there's CIS's critical security controls (CIS CSC) which lists the inventory of devices as the first control category (CSC 1). While identification is at the top of these lists, by the time this gets interpreted by the implementing organization it does seem to become translated into merely "counting things", as you put it. The final implementation rarely ever seems to match the spirit of the control.

I'll also second your comment about an asset management program having many benefits to different stakeholders. Yet, unfortunately for all, these benefits are so often overlooked.
kratiw
100%
0%
kratiw,
User Rank: Strategist
2/13/2020 | 10:36:09 AM
Accurate Asset Inventory - Just Way Too Easy to Say
I agree, an accurate inventory is essential to security. As the saying goes, you can't secure what you don't know you have. But IT security and the frameworks such as NIST's sell ITAM way, way too short. There are so many benefits ITAM can bring to IT security but yet the IT security community seems to have relegated it to inventory management – counting things. No wonder it's not sexy. Until IT security, and companies, embrace the full function of an ITAM program and its many benefits to different stakeholders such as finance, compliance, and the business, IT security will continue to control what they think they have and try to control way too much. Inventory isn't static and ITAM is the right solution for managing the company's technology portfolio.

BTW, to prove my point, ITAM isn't even a "keyword" to tag this response.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 4/7/2020
The Coronavirus & Cybersecurity: 3 Areas of Exploitation
Robert R. Ackerman Jr., Founder & Managing Director, Allegis Capital,  4/7/2020
'Unkillable' Android Malware App Continues to Infect Devices Worldwide
Jai Vijayan, Contributing Writer,  4/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Digitized COVID-19 Prevention
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-21034
PUBLISHED: 2020-04-09
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
CVE-2020-1895
PUBLISHED: 2020-04-09
A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128.
CVE-2020-5263
PUBLISHED: 2020-04-09
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the er...
CVE-2020-9499
PUBLISHED: 2020-04-09
Some Dahua products have buffer overflow vulnerabilities. After the successful login of the legal account, the attacker sends a specific DDNS test command, which may cause the device to go down.
CVE-2020-9500
PUBLISHED: 2020-04-09
Some products of Dahua have Denial of Service vulnerabilities. After the successful login of the legal account, the attacker sends a specific log query command, which may cause the device to go down.