Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

2/12/2020
02:00 PM
Kevin Kurzawa
Kevin Kurzawa
Commentary
50%
50%

Stop Defending Everything

Instead, try prioritizing with the aid of a thorough asset inventory.

What is your information security program defending?

This is a deceivingly difficult question for most. When I ask this at typical organizations, the answer is often disheartening. The standard response is "everything." The word everything causes my skepticism radar to start chirping like a Chernobyl Geiger counter.

The claim being made here is that all of the systems and all of the data created and stored by the organization are defended. These companies, and the "everything" claim, do not make distinctions between high and low levels of protection. To lump all systems and data into one category causes equality across the board, which is a recipe for inefficiency at best and disaster at worst.

Fredrick the Great said, "He who attempts to defend everything, defends nothing." If we attempt to defend everything, this means that we are not prioritizing. In this scenario, the same security controls and effort to defend a critical system storing the organization's crown jewels are going to also apply on a noncritical system. This would lead to either underprotecting a critical system, overprotecting a noncritical system, or potentially both.

The concept of opportunity costs is important here since we all have limited resources. No department is given a blank check for all the tools, training, and expert staff that one could desire. The opposite is more likely to be the case, where departments are being asked to do more with less.

In a reality with limited resources, every dollar spent on a tool also represents a dollar that could have been spent on a different one. Every staff member hired with a particular skill represents a candidate that got passed on who had a different expertise. Every hour spent researching a solution is an hour that could have been dedicated to various other projects.

Opportunity costs are why prioritization needs to occur. Without it, an organization is guessing as to what to protect and how best to defend assets. This prioritization begins with an asset inventory.

Collect Everything
What constitutes an effective asset inventory from which to prioritize information security? In a word, details. "No details" means no value. An inventory is a listing of detailed attributes that can serve as an authoritative and consolidated resource. It is the one-stop shop for everything that is relevant to information security regarding an asset.

It must also be detailed in the sense that it must be all-inclusive. It's every system that touches your network or handles sensitive information. It's everything that's wired, wireless, or even capable of either of those. It's printers, IP phones, kiosks, marquees, and Internet of Things devices. It's bare-metal hypervisors like ESXi. It's firewalls, routers, wireless access points, and switches. It's everything.

Understand Everything
Once all the assets are inventoried and information about them is collected, we begin to understand the big picture. Most of the asset details in an inventory play a supporting role to the system's criticality ranking. This ranking is derived from attributes, such as the purpose of the system, type of data it generates and stores, user community, and business function it supports. From this criticality attribute, the security controls to protect it can be determined in order to bring the risks in line with the business's risk tolerance.

Integration
Now we return to the asset inventory to reconcile those determined controls and provide assurances that they are in place and working as expected. Confidence in the functioning of a security program cannot exist without a complete asset inventory.

The various tools in the environment are typically tuned to determine what is working. Asset management, on the other hand, is used to determine what is not working. Assurance is a significant function of information security. Move past the assumptions that something should be working as advertised to a place of objective confidence that it is working.

A quality asset inventory allows a reconciliation process to occur. Comparing each tool's list of registered systems with an authoritative and all-inclusive inventory provides a clear and objective list of discrepancies. One can, at that point, put aside assumptions and actually know which systems are being protected or monitored by a tool — also, more importantly, which systems are missing and thus unprotected.

A Neglected Control
It is very rare that I see an organization with an accurate inventory. Why is this foundational control so often ignored?

For one, there isn't a tool to automate the process. We're conditioned to searching for a tool to solve our problems. A nail needs a hammer and a squeaky wheel needs oil. Asset inventory tools are basically repackaged spreadsheets. None readily automates a method to collect the type of information needed to understand the security posture of an asset and to ensure that each one has the controls that it should have.

It's also an indirect control. While firewalls and anti-malware tools can directly show the bad that they protect you from, asset management is a control that provides the assurances that your other controls are actually functioning as expected. It's not just a "helper" control, though, but more of a foundational control on which to build the entire program.

Asset management isn't sexy. It doesn't result in pretty graphs or quality filler for PowerPoint slides. Quite the opposite — it highlights the gaps in a security program. Asset management presents information that can be difficult to swallow. However, it will also help you achieve the next maturity level in your security program.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "From 1s & 0s to Wobbly Lines: The Radio Frequency (RF) Security Starter Guide"

Kevin Kurzawa has a background in a variety of environments, with each having its own unique business drivers. His experiences in IT and information security have ranged from Department of Defense contractors large and small (including Lockheed and Harris) to traditional ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15001
PUBLISHED: 2020-07-09
An information leak was discovered on Yubico YubiKey 5 NFC devices 5.0.0 to 5.2.6 and 5.3.0 to 5.3.1. The OTP application allows a user to set optional access codes on OTP slots. This access code is intended to prevent unauthorized changes to OTP configurations. The access code is not checked when u...
CVE-2020-15092
PUBLISHED: 2020-07-09
In TimelineJS before version 3.7.0, some user data renders as HTML. An attacker could implement an XSS exploit with maliciously crafted content in a number of data fields. This risk is present whether the source data for the timeline is stored on Google Sheets or in a JSON configuration file. Most T...
CVE-2020-15093
PUBLISHED: 2020-07-09
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A ...
CVE-2020-15299
PUBLISHED: 2020-07-09
A reflected Cross-Site Scripting (XSS) Vulnerability in the KingComposer plugin through 2.9.4 for WordPress allows remote attackers to trick a victim into submitting an install_online_preset AJAX request containing base64-encoded JavaScript (in the kc-online-preset-data POST parameter) that is execu...
CVE-2020-4173
PUBLISHED: 2020-07-09
IBM Guardium Activity Insights 10.6 and 11.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure l...