Asset Discovery for Cybersecurity & Data Protection – You can’t protect it if you don’t know it exists!
There is an old management adage that what isn't measured isn't managed. It's so true, and something similar applies to cybersecurity: if you don't know an asset exists, how on earth can you protect it from a cyber-attack or data breach? Asset discovery is the number one exercise a new CISO (or Virtual CISO) should insist upon when starting at a new organisation, and the number one skill anyone wanting to get into cybersecurity should learn. It's not even that hard to do, yet although it's a cornerstone of any cybersecurity programme, it's often forgotten about. In this article, we'll look at the how and the why of asset discovery.
Why is asset discovery important
Asset discovery is exactly what it sounds like: the process of finding every device that forms part of your corporate network. These assets keep your organisation operating. They process data (including personal data within the scope of GDPR and CCPA) and move it from one server to another, then out through your supply chain or to your customers over the Internet. Each asset is interconnected, and each asset is therefore a potential target for attack. If the security team isn't aware of what exists on the network, there is little chance it is making sure the device, and everything stored on it, is secure.
Security is not the only cause for concern. Organisations must also consider data protection and the rights of Data Subjects. If a Data Subject makes a Data Subject Access Request (DSAR), it will be a lot easier to fulfil if the Data Protection Officer (or Data Protection Team) knows exactly where personal data is stored, and that starts with knowing which assets exist.
What should be covered?
The short answer to this question is everything! If the business uses it to process data, it must be included. Every asset type is in scope if it could be used to compromise your infrastructure or your business's operations; if a device could allow an attacker into your network, you need to know about it. This includes virtual devices. Organisations must also cover their cloud environments, such as (but certainly not limited to) AWS and Azure. Include network devices such as switches, routers and firewalls, as well as desktops, laptops and mobile devices. The assets most often missed are the ones nobody thinks of as computers: printers, IP phones, cameras and building-management kit. If it has an IP address or a MAC address, it's in scope!
How often should asset discovery be conducted?
In an ideal world, asset discovery would be real-time, but that is not always possible for every device. A full scan of your network should be done at least once a week. Some will think that is too frequent, others that it's not frequent enough. Ultimately, it comes down to your risk appetite and infrastructure profile. Be cautious about running scans at exactly the same time of day or on a particular day of the month: a device that is only powered on outside the scan window is never seen, and any routine can be anticipated and avoided. Vary the schedule so there is no predictable window to hide in.
Asset Discovery Good Practice
Asset discovery starts with ensuring your organisation implements good practice in terms of general asset management.
Ever conducted a penetration test, or had an incident report come through from the Service Desk stating that there is an issue on a particular host, only to then have to ask:
"What is on host GBPROD003578?"
Sure, we can safely assume this host is a production server located somewhere in Great Britain (at least they have eliminated the possibility it could have been in Northern Ireland!!). But other than that, it's not much help in quickly assessing what we are dealing with. Consider working with your IT department to document a naming convention with the following components:
- The convention should be instinctively easy to work out, e.g. DC1-PROD-FWC1-FOVR1 for Failover 1 of Firewall Cluster 1 in the Production Environment of Data Centre 1. Similarly, DC1-PROD-WINSVR-APP001 should be pretty easy to figure out.
- Your first few characters will form your default sort group (everything in DC1 sorts together), so choose them wisely.
- Include "gaps" in your identification method for things you haven't thought of yet.
- Be consistent with the convention, e.g. only use PROD or PRD, but don't mix them.
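A convention is only useful if it is enforced, so the natural companion to the list above is a small checker that decodes a name into its fields and rejects anything that breaks the rules. The following is an added example, not code from the original article: it assumes a four-field layout SITE-ENV-ROLE-INSTANCE generalised from the two names on the page, and the environment and role token tables are illustrative assumptions rather than any organisation's real standard.

```python
import re

# Assumed convention, generalising the two names on the page: SITE-ENV-ROLE[n]-INSTANCEnnn,
# e.g. DC1-PROD-WINSVR-APP001 or DC1-PROD-FWC1-FOVR1. The token tables are illustrative
# assumptions, not any organisation's real standard.
ENVIRONMENTS = {"PROD", "DEV", "UAT", "DR"}
ROLES = {
    "WINSVR": "Windows server",
    "LNXSVR": "Linux server",
    "FWC": "firewall cluster",
    "SWC": "switch stack",
}
# Synonyms the convention forbids: the rule is "use PROD or PRD, but don't mix".
FORBIDDEN_SYNONYMS = {"PRD": "PROD", "PRODUCTION": "PROD", "TEST": "UAT", "DEVEL": "DEV"}

NAME_RE = re.compile(
    r"^(?P<site>DC\d+)-(?P<env>[A-Z]+)-(?P<role>[A-Z]+)(?P<role_idx>\d*)"
    r"-(?P<inst>[A-Z]+)(?P<inst_idx>\d+)$"
)


def parse_hostname(name: str) -> dict:
    """Decode a hostname into its fields; raise ValueError when it breaks the convention."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not match SITE-ENV-ROLE-INSTANCE")
    env, role = m["env"], m["role"]
    if env in FORBIDDEN_SYNONYMS:
        raise ValueError(
            f"{name!r}: environment {env} mixes conventions, use {FORBIDDEN_SYNONYMS[env]}"
        )
    if env not in ENVIRONMENTS:
        raise ValueError(f"{name!r}: unknown environment {env}")
    if role not in ROLES:
        raise ValueError(f"{name!r}: unknown role {role}")
    return {
        "name": name,
        "site": m["site"],
        "environment": env,
        "role": ROLES[role],
        # FWC1 -> cluster 1; WINSVR has no index, so None
        "role_index": int(m["role_idx"]) if m["role_idx"] else None,
        "instance": m["inst"] + m["inst_idx"],
    }


def audit_names(names):
    """Check a whole CMDB export at once: {name: None if compliant, else the problem}."""
    report = {}
    for n in names:
        try:
            parse_hostname(n)
            report[n] = None
        except ValueError as exc:
            report[n] = str(exc)
    return report


if __name__ == "__main__":
    sample = [  # constructed names, including the legacy one from the article
        "DC1-PROD-FWC1-FOVR1",
        "DC1-PROD-WINSVR-APP001",
        "DC1-PRD-WINSVR-APP002",
        "GBPROD003578",
    ]
    for name, problem in audit_names(sample).items():
        print(f"{name:28} {'OK' if problem is None else problem}")
```

Run it over a CMDB export and the legacy names (and the PRD/PROD mix-ups) fall out immediately; because the site is the leading field, a plain sort of the compliant names also gives you the per-data-centre grouping the second bullet asks for.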
Asset Discovery Scanning Quartet
The four main ways to discover assets on your network are the holy trinity (plus one) of SNMP (hopefully v3), Ping, ARP and WMI. The first three are for general network discovery; WMI is specifically for Windows machines. Each has a blind spot, which is why you need all of them: ARP only sees devices on the scanner's own Layer 2 segment, ICMP ping is silently dropped by many host firewalls, SNMP needs the right credentials (and v1/v2c send the community string in clear text, so never reuse a write community for discovery), and WMI needs a Windows account with the right permissions and is blocked by the Windows Firewall unless remote management is allowed. It's therefore very important to run scans from locations where your scanning machine has network access to the devices (i.e. on the same subnet for ARP) AND has the appropriate permissions to interact with them. Don't stick to just one method, and don't try to scan the whole network from one single device: things will be missed!
There are many tools for asset discovery scanning, so many that going through each one would be a book in itself. That said, two free tools are pretty much all you need to conduct a comprehensive asset discovery exercise: Nmap (which covers ARP, ICMP and TCP/UDP host discovery and has SNMP scripts) and WMI Tools. Both have comprehensive documentation, so it shouldn't take a reasonably competent person too long to get scanning! Whatever you use, keep the raw scan output: it is the evidence of what was found and the input for merging the different methods into one inventory.
Controlling what can join the network
When considering your own infrastructure, ideally you should restrict what can and cannot connect to the network. This can be achieved by implementing Network Access Control (NAC). NAC minimises the challenge of maintaining a live asset inventory (a device that cannot join without being identified is, by definition, in the inventory) and is also quite handy in keeping the network secure, so win-win! If NAC is not in place and devices connect to the network via DHCP, you should still be able to alert when a lease is granted to a MAC address you have not seen before, and to compare every scan against the inventory you already hold. That way, even without NAC, you can quickly investigate what the device is before it causes too many problems. But trust me, NAC is the way forward!
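To show how the scanning quartet and the "compare against what you already know" step fit together, here is an added example (not code from the original article) that parses the XML Nmap writes with -oX for an ARP sweep and an ICMP sweep of the same /24, merges them so you can see which method found which host, and flags anything that is not in the CMDB. The two scan files and the inventory are constructed for illustration; the MAC addresses, hostnames and the idea that 10.0.0.77 drops ICMP are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed output in the shape nmap writes with -oX (not captured from a real network).
# ARP sweep run from a scanner inside 10.0.0.0/24:  nmap -sn -PR 10.0.0.0/24 -oX arp.xml
ARP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PR -oX arp.xml 10.0.0.0/24">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.1" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="Cisco Systems"/>
<hostnames><hostname name="DC1-PROD-FWC1-FOVR1" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.20" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:20" addrtype="mac" vendor="Dell"/>
<hostnames><hostname name="DC1-PROD-WINSVR-APP001" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.77" addrtype="ipv4"/>
<address addr="DE:AD:BE:EF:00:77" addrtype="mac"/>
<hostnames/></host>
</nmaprun>"""

# ICMP echo sweep run from a scanner on another subnet: nmap -sn -PE 10.0.0.0/24 -oX icmp.xml
# No MAC addresses (not on the local segment), and 10.0.0.77 drops ICMP so it is absent.
ICMP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -PE -oX icmp.xml 10.0.0.0/24">
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.1" addrtype="ipv4"/>
<hostnames><hostname name="DC1-PROD-FWC1-FOVR1" type="PTR"/></hostnames></host>
<host><status state="up" reason="echo-reply"/>
<address addr="10.0.0.20" addrtype="ipv4"/>
<hostnames><hostname name="DC1-PROD-WINSVR-APP001" type="PTR"/></hostnames></host>
</nmaprun>"""

# Constructed CMDB extract: MAC address -> asset name.
KNOWN_INVENTORY = {
    "00:11:22:AA:BB:01": "DC1-PROD-FWC1-FOVR1",
    "00:11:22:AA:BB:20": "DC1-PROD-WINSVR-APP001",
}


def parse_nmap_xml(xml_text, method):
    """Return {ip: record} for every host nmap reported as up, tagged with the method used."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None, "hostname": None, "seen_by": {method}}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present on the local segment
                rec["mac"] = addr.get("addr").upper()
                rec["vendor"] = addr.get("vendor")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")
        hosts[rec["ip"]] = rec
    return hosts


def merge_scans(*scans):
    """Union several method-specific scans; keep the first non-empty value of each field."""
    merged = {}
    for scan in scans:
        for ip, rec in scan.items():
            cur = merged.setdefault(
                ip, {"ip": ip, "mac": None, "vendor": None, "hostname": None, "seen_by": set()}
            )
            for field in ("mac", "vendor", "hostname"):
                if cur[field] is None and rec[field] is not None:
                    cur[field] = rec[field]
            cur["seen_by"] |= rec["seen_by"]
    return merged


def missed_by(merged, method):
    """IPs a single method would have missed: the case for not relying on one technique."""
    return sorted(ip for ip, rec in merged.items() if method not in rec["seen_by"])


def unknown_devices(merged, inventory):
    """Hosts matching neither a known MAC nor a known name: investigate these first."""
    known_names = set(inventory.values())
    return sorted(
        (r for r in merged.values()
         if r["mac"] not in inventory and r["hostname"] not in known_names),
        key=lambda r: r["ip"],
    )


if __name__ == "__main__":
    merged = merge_scans(parse_nmap_xml(ARP_XML, "arp"), parse_nmap_xml(ICMP_XML, "icmp"))
    print("ICMP alone would miss:", missed_by(merged, "icmp"))
    for rec in unknown_devices(merged, KNOWN_INVENTORY):
        print(f"ALERT unknown device {rec['ip']} mac={rec['mac']} vendor={rec['vendor']}")
```

Matching on MAC only works for hosts on the scanner's own segment, which is why the merge also falls back to the hostname; a host seen only by a remote ICMP sweep and absent from DNS will be reported as unknown, which is the right outcome, because you genuinely can't say what it is.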
The cloud, as you will no doubt hear many say, is just "someone else's data centre", so many of the same principles apply. That said, your job is often a little easier because the providers have discovery built into their offering: AWS has AWS Systems Manager Inventory (with AWS Config keeping a history of resource configuration), and in Azure the resources registered with Azure Resource Manager can be queried across subscriptions with Azure Resource Graph. Get familiar with how to find devices in your cloud environments, because you may soon find that everything is being done there. Instances are created and destroyed far faster than physical kit, so a weekly sweep is not enough on its own; pull the provider's own view through its API and feed it into the same inventory as everything else. Without keeping on top of cloud asset discovery, you could find yourself sat back thinking all is quiet in your DC whilst the world is on fire somewhere else!
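Cloud discovery only helps if its output lands in the same inventory as the on-premises scans, in the same shape. The following is an added example, not code from the original article or from AWS: it takes a response in the JSON shape returned by `aws ec2 describe-instances` (constructed here, not real account data, using the 203.0.113.0/24 documentation range), normalises each live instance into an inventory record, and reports the two things a security team asks of every cloud asset: is it tagged with an owner and environment, and is it Internet-facing? The required-tag list is an assumption.

```python
import json

# Constructed sample in the shape returned by `aws ec2 describe-instances --output json`
# (boto3's describe_instances returns the same structure). Not real account data.
DESCRIBE_INSTANCES = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0a1b2c3d4e5f60001", "State": {"Name": "running"},
   "PrivateIpAddress": "10.10.1.15", "PublicIpAddress": "203.0.113.10",
   "NetworkInterfaces": [{"MacAddress": "0a:1b:2c:3d:4e:01"}],
   "Tags": [{"Key": "Name", "Value": "AWS-PROD-LNXSVR-WEB001"},
            {"Key": "Owner", "Value": "ecommerce"},
            {"Key": "Environment", "Value": "PROD"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60002", "State": {"Name": "running"},
   "PrivateIpAddress": "10.10.1.22",
   "NetworkInterfaces": [{"MacAddress": "0a:1b:2c:3d:4e:02"}],
   "Tags": [{"Key": "Name", "Value": "temp-test"}]},
  {"InstanceId": "i-0a1b2c3d4e5f60003", "State": {"Name": "terminated"},
   "NetworkInterfaces": [], "Tags": []}
]}]}
""")

# Assumed minimum metadata for a cloud asset to be accepted into the CMDB.
REQUIRED_TAGS = ("Name", "Owner", "Environment")


def normalise_ec2(payload):
    """Flatten describe-instances output into inventory records, dropping terminated instances."""
    records = []
    for reservation in payload.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst["State"]["Name"] == "terminated":
                continue
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            records.append({
                "source": "aws-ec2",
                "id": inst["InstanceId"],
                "name": tags.get("Name"),
                "owner": tags.get("Owner"),
                "environment": tags.get("Environment"),
                "private_ip": inst.get("PrivateIpAddress"),
                "public_ip": inst.get("PublicIpAddress"),  # absent when not Internet-facing
                # Same upper-case form as the on-prem scan records, so MACs can be matched.
                "mac": [nic["MacAddress"].upper() for nic in inst.get("NetworkInterfaces", [])],
                "state": inst["State"]["Name"],
                "tags": tags,
            })
    return records


def missing_required_tags(records, required=REQUIRED_TAGS):
    """{instance id: [missing tag names]} for every record that cannot be enriched."""
    gaps = {}
    for rec in records:
        missing = [t for t in required if t not in rec["tags"]]
        if missing:
            gaps[rec["id"]] = missing
    return gaps


def internet_facing(records):
    """Instance ids with a public IP: reachable from the Internet, so they get a higher rating."""
    return [rec["id"] for rec in records if rec["public_ip"]]


if __name__ == "__main__":
    recs = normalise_ec2(DESCRIBE_INSTANCES)
    print(f"{len(recs)} live instances")
    print("missing tags:", missing_required_tags(recs))
    print("internet-facing:", internet_facing(recs))
```

The same normalised record shape can be produced from an Azure Resource Graph query, which is the point: one inventory, one set of required fields, regardless of where the asset lives.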
Metadata and enrichment
Now you have conducted your asset discovery, it's important to enrich that data. Typically this enrichment forms part of the asset metadata held in a Configuration Management Database (CMDB) or Service Management tool. The metadata should include things such as System Owner, Cost Centre, Department, Physical Location, Software and Firmware Versions, Data Stored and Environment (PROD/DEV/UAT/DR). Above all, the asset must have a risk rating, defined by a pre-defined, repeatable and consistent scoring methodology. It is this key piece of information that will be used to triage all manner of information security tasks, from patch management to change management, from backups to access management reviews. Essentially, the higher the risk score of the asset, the more attention that asset gets…
…but there is never going to be a risk score for an asset you don't know about! Get an asset discovery done ASAP. Once you have a process for asset discovery, keep your asset inventory up to date. Don't rely on the IT department, but do make sure they are keeping their data up to date too! The cybersecurity department needs direct access to the organisation's asset inventory, and everyone in cybersecurity must know how to perform an asset discovery. If you need help with asset discovery, just get in touch!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.