In part 1, the importance of knowing your system was discussed, in this article, the importance of properly managing and auditing these assets will be discussed. Proper management of ICT assets from an information security perspective involves knowing what properties of the assets are expected, being able to respond to new vulnerabilities quickly and knowing when unauthorised assets are present on your network.
When maintaining a hardware inventory, the key pieces of information that need to be captured are:
- The purpose of the hardware
- The system the hardware belongs to
- The network zone the hardware is connect to
- Business functions the hardware supports
- The support/warrantee period
- End of Support (EoS) and End of Life (EoL) dates
- Firmware version
- Third party contacts
Capturing this information will help the security team to determine the impact of new vulnerabilities, exploits and intrusions. For example, if a new vulnerability was released affecting your firewalls, the patching could be prioritised quickly by pulling up a list of Internet facing firewalls and patching those first. The business units to contact regarding the patching could be easily identified and notified. The CAPEX budgets for replacing the hardware can be planned if the EOL is recorded and the risk of running unsupported hardware is reduced.
In addition to the points above, the following information should form part of a comprehensive software inventory:
- Version of the software
- Third party libraries used by the software
- Operating system (type and version)
- Hardware/server where the software is installed
- How often the vendor releases patches for different levels of vulnerability criticality
A well-managed software inventory will allow the organisation to prioritise patches, updates and determine organisational impact of vulnerabilities.
Once the data that needs to be collected is determined and the general process around adding and maintaining assets is created. A suite of tools should be selected that fits the business’s workflows to make managing the inventory smooth. Having a smooth process will increase the productivity of the security team, allowing the business to extract more value from the security function.
Once both inventories are populated in the relevant tool or database, processes, procedures and tools should be implemented to ensure the inventories remain accurate and up to date. To verify the correct information is captured in the inventories, table-top exercises can be undertaken with the operations and system administrators to test the response time to determine the impacted systems when a critical vulnerability is reported. It is important that an organisation can respond quickly to vulnerabilities as many recent breaches where internal intrusion was involved were due missed or slow patching.
The other benefits of having a well-defined inventory is the configuration of security devices can be audited against the inventory to ensure the network access controls are appropriate. Monitoring systems can be more efficient at detecting and blocking unauthorised devices. The quality of the inventory will impact the effectiveness of the security controls the organisation implements.
This article has discussed some basic steps around the creation of an inventory, the important things to remember are;
- Put effort into deciding what data should be in the inventory;
- Make sure the tools selected fit the business workflow, not the other way around;
- Implement plans to verify the effectiveness of the inventory;
- The inventory underpins the whole security architecture - ensure it is kept accurate and relevant.