Michael Schneider
This is how you make Asset Inventories sexy again
This makes no sense to me. Any reputable IT security guide or standard starts out with an asset inventory that at least includes hardware and software assets. And rightly so. Aside from that, it is a logical and rudimentary concept that IT security requires a foundation. Without some sort of general framework, it’s impossible to be certain that efforts will actually be effective across the board and that nothing falls by the wayside.
So what is the foundation, or how do you begin to systematically implement IT security controls once you have identified and ideally defined which of the countless potential cyber risks you are exposed to?
By documenting your hardware and software assets.
Starting with the network and its users, the question is: who is using the network, and are they actually authorized to do so? It is not just intruders with malicious intent who are unauthorized, but also any infected personal devices belonging to staff. After a certain period of time, all known devices are flagged as authorized in the hardware inventory, so any unknown devices will be detected relatively quickly and can be investigated. This is the first reason why it makes sense to implement automated mechanisms that take an inventory of the devices operating on your own network.
Then you have the OS and software that are installed on the devices. On which devices? Yes, on those devices found in the hardware inventory. This explains the second good reason for having a hardware inventory.
The software inventory therefore comes next. It essentially consists of two lists: one describing the required and authorized software, i.e. a list representing a sort of ideal state, the other collected from the devices to determine what is actually installed, i.e. the current state. The discrepancies between the two should then be eliminated as appropriate.
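The comparison of ideal state and current state described above, together with the detection of unknown devices, can be scripted in a few lines. The following is an added example, not code from the original article; the CSV column names, host names, MAC addresses and software names are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
# Constructed sample data (not from the article), in a well-known format: CSV.
HW_INVENTORY = """mac,hostname
00:11:22:33:44:55,ws-001
00:11:22:33:44:66,ws-002
"""
# Ideal state: authorized software; required=yes means it must be installed.
SW_AUTHORIZED = """name,required
endpoint-agent,yes
office-suite,no
pdf-reader,no
"""
# Current state as collected from the devices seen on the network.
SW_COLLECTED = """mac,name
00:11:22:33:44:55,Endpoint-Agent
00:11:22:33:44:55,office-suite
00:11:22:33:44:66,office-suite
00:11:22:33:44:66,torrent-client
AA:BB:CC:DD:EE:FF,pdf-reader
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def norm(value):
    return value.strip().lower()  # collection tools differ in case/whitespace

def reconcile(hw_csv, authorized_csv, collected_csv):
    known = {norm(r["mac"]): r["hostname"] for r in rows(hw_csv)}
    authorized = {norm(r["name"]): norm(r["required"]) == "yes" for r in rows(authorized_csv)}
    required = {n for n, req in authorized.items() if req}
    installed = defaultdict(set)
    for r in rows(collected_csv):
        installed[norm(r["mac"])].add(norm(r["name"]))
    # Devices that report software but are absent from the hardware inventory.
    report = {"unknown_devices": sorted(set(installed) - set(known)),
              "unauthorized": {}, "missing_required": {}}
    for mac, host in known.items():
        extra = installed[mac] - set(authorized)
        missing = required - installed[mac]
        if extra:
            report["unauthorized"][host] = sorted(extra)
        if missing:
            report["missing_required"][host] = sorted(missing)
    return report

if __name__ == "__main__":
    print(reconcile(HW_INVENTORY, SW_AUTHORIZED, SW_COLLECTED))
```

A known device that reports no software at all still appears under `missing_required`, which also surfaces hosts where collection itself has failed.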
In addition, the following security tasks are based on the HW and SW inventory or depend on them in one form or another:
If you do not have a HW and SW inventory yet, focus on the following items, which will in any case make it easier to get started with the task.
HW and SW inventories are tightly interwoven, which is why it is helpful to first take inventory of the hardware and then enrich the data in a second step by taking inventory of the installed software.
It also helps to begin with a few relatively simple tasks, particularly if you have little or no experience in this kind of undertaking.
But first let’s examine the following requirements rationally.
This list is not exhaustive, but it is a good starting point. Certificate-based Network Access Control (NAC) can be implemented here in the next step.
This list is not exhaustive either. The next step is to address the issue of application whitelisting. Microsoft’s own solution AppLocker can be used for this purpose.
But let’s return to the topic of tools. Simple methods might include:
If adequate scripting capabilities are available, implementing these measures can be an interesting task. Make sure that known data formats are used, and do not underestimate the effort of maintaining the scripts.
But ready-to-use open source or freeware solutions can be quickly deployed as well. For instance, these projects offer appropriate solutions:
Large and usually expensive suites from well-known software makers should only be considered later on – if at all. The requirements for taking an initial asset inventory are relatively manageable. If vulnerability management and other issues need to be addressed later, there are additional requirements that have to be met, and a certain degree of dynamism and flexibility is helpful.
Successes should be reported. The information collected in the course of managing a simple asset inventory is an excellent source of data that can be presented to management:
Ideally, the many companies that are increasingly confronted with cybersecurity risks without having established a proper, systematic foundation for security will begin addressing the problem by carrying out a basic asset inventory. It’s a relatively inexpensive way of getting good results, or systematically improving the security of your own IT infrastructure in the long term.