Data Watch: Cover Your Assets

Article | Stuart Walsh, Chief Information Security Officer at Blue Stream Academy

Identifying and managing the assets in an organisation is important for effective information security. Good asset management can allow organisations to avoid security incidents by providing opportunities to undertake remedial actions before incidents have the potential to develop.

What is an Asset?

An asset is anything that provides value to an organisation. Examples include customer data, intellectual property, technology, physical locations, financial capital and people.

In the context of cyber security, it’s important to focus on assets in the organisation that:

• Must be configured or managed to achieve security outcomes.

• Could be affected by a cyber incident.

Shadow IT

‘Shadow IT’ refers to information technology assets (such as personal mobile phones, tablets and USB drives) that are used for business purposes but are not accounted for in the organisation’s asset management, risk management or corporate IT processes. These devices are a concern because they are unlikely to align with the organisation’s security or data governance policies, and so constitute an unknown risk.

Why Is Asset Management Important for Cyber Security?

Good asset management involves identifying and maintaining accurate information about an organisation’s assets. This information provides the basis for many other essential cyber security processes, including:

Managing risk

Understanding and managing cyber risk depends on assets being accounted for. If assets are allowed to slip under the radar, it will not be apparent if appropriate security controls are missing, resulting in unmanaged risks.

Managing legacy (outdated) technologies

All software and hardware eventually becomes out of date. Continuing to use products beyond that point involves increased risk, or increased costs to mitigate those risks. Asset management can help organisations identify when systems will reach end of support and plan ahead.

Managing identity and access

Being able to identify users and devices is necessary in order to implement an effective identity and access management system. Asset management can help ensure all users and devices have unique identities and can also help identify resources that need access controls applied.

Managing and patching (fixing) vulnerabilities

One of the best defences possible for cyber systems is ensuring they don’t contain known vulnerabilities as these are easy attack points. Having accurate information on hardware and software assets provides the basis for ensuring available updates are applied and knowing where to scan for vulnerabilities.

Monitoring

Some threats cannot be prevented, so it’s important that you have the ability to detect and investigate potential compromises, subsequently mitigating any threats. An effective monitoring capability depends on having access to the right data. Asset management can help you identify relevant data sources and enrichment information that may be needed for your monitoring capability.

Managing the organisation’s response and recovery if a security incident happens

Knowing your assets and determining which are most critical to your organisation helps you plan for, respond to, and recover from incidents. By ensuring nothing important is missed and having the right information available, you will be able to act quickly and minimise disruption.

Who Should Be Involved?

Asset management must be co-ordinated across the whole organisation. It isn’t just about the technology; other functions, such as procurement, also need to be involved.

That means it’s essential to get buy-in from the senior management and to make an ‘owner’ responsible for the whole asset management system. Having an owner makes it easier to co-ordinate the system and ensure that the organisation’s assets are effective.

What Should I Consider?

When designing an asset management system that promotes cyber security, consider the following:

Discovering Assets - Implement tools that scan your environment for new, modified or removed assets on a regular or continuous basis.

Maintaining an Authoritative Source of Information - Maintain an accurate, up-to-date record of assets that reflects the environment. Consider normalising and consolidating asset information to avoid duplication and make it more accessible.

Making Asset Information Available - Ensure that asset information is available to the people in your organisation who need to use it.

Accounting for Human Factors - The asset management process should accommodate the needs of users across your organisation and account for human factors, such as usability and accessibility. You might need to take a pragmatic approach to avoid too much bureaucracy.

Ensuring Completeness - Ensure all assets are accounted for by the asset management process. This should include physical, virtual and cloud resources, along with your organisation’s Internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates.

Comprehensive Visibility - Identify how your organisation will use asset information and collect sufficient details about your assets to support this use. For example, knowing the versions of all software installed on your machines helps identify a much wider range of vulnerabilities than just knowing the operating system version. If certain details are difficult or costly to capture, consider whether these could be captured less frequently, after first use or retrospectively, while putting in place other measures to reduce risk (for example, separating networks).

Detecting Changes - Ensure that changes in asset information are recorded. Use multiple data sources to identify inconsistencies; for example, a new device on the network that has not been added to device management systems.

Automating Processes - Whenever practical, use automated systems to update asset records. Ideally, these tools should record asset information in response to changes in the environment, instead of detecting changes after they’ve happened; for example, by scanning to pick up changes as they happen rather than only periodically.

Maintaining Confidentiality - Consider the sensitivity of the asset data collected. Protect data and restrict access where appropriate, but make sure the right people can access the relevant data when they need to use it.

For example, all users should be able to look up the assets they are responsible for, but arbitrary bulk queries should be prevented. Consider monitoring access to asset data for possible signs of reconnaissance, preventing inappropriate access.

Registering Information Before Use - Asset information should be collected before, or at the time of, first use. You may be able to enforce this through processes and detection capabilities.

For example, certificate identities should only be issued for registered assets, so that unregistered devices cannot join other systems.

Classifying Assets - Define categories for the organisation’s assets in alignment with your approach to risk management. For example, you could group systems based on the sensitivity of the information they process or whether they support critical business functions.

What Data Sources Should I Use?

Consider using a combination of active and passive data sources to give you full visibility of the assets in your organisation.

Active Data Sources

Examples include:

• Procurement Records

• Mobile Device Manager or System/Device Management Tools

• Logging and Monitoring Platforms

• Vulnerability Management Platforms

• Manual Entry

• Information from Development and Engineering Teams

• Public Key Infrastructure

Ideally, you should use active scanning techniques. If active scanning is an issue, such as when there are difficulties in detecting new assets, network limitations or where there is potential device instability, use passive scanning tools.

Passive Data Sources

Passive data sources can provide extra visibility by looking for side effects, which could include network sources (DNS and DHCP logs or traffic captures) or application access and authentication logs, which may identify devices attempting to communicate with other systems, instead of interrogating assets directly.

Passive sources will not generate as much detail as active sources but can be used to validate existing asset data or detect changes in the environment.

How Can I Validate an Asset Management System?

Validating your asset management process can give you the confidence that you aren’t inadvertently overlooking any assets.

Consider whether assets could be added or changed without being detected. For example, if a user connected a new laptop to your network, would you be able to detect it and its configuration? Or, if a new piece of software was installed on a device, would it be checked for vulnerabilities?

To validate your asset management process, you can also:

• Include the identification, addition and modification of devices within the scope of penetration tests (authorised simulated attacks performed on computer systems to evaluate security).

• Look for anomalies in log data, such as network traffic from unidentified devices.

• Identify ‘stale asset’ records. These may indicate that a device hasn’t been updated or has been repurposed.

• Reconcile procurement records and cloud billing with asset records to identify assets that have been purchased, but not captured by the asset management process.
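
The cross-checks described above (a passive source such as DHCP logs compared against the asset register, plus a search for stale records) can be automated. The following is an added example, not part of the NCSC guidance or the original article; the log layout, CSV columns, sample values and the 90-day threshold are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory export (asset register); not real data.
INVENTORY_CSV = """asset_id,mac,owner,last_seen
LAP-001,AA-BB-CC-00-00-01,finance,2024-05-30
LAP-002,aa:bb:cc:00:00:02,reception,2024-01-12
SRV-010,AABB.CC00.0010,it,2024-05-31
"""

# Constructed DHCP log lines in a simplified "timestamp result ip mac" layout.
DHCP_LOG = """2024-05-31T08:01:12 ACK 10.0.0.21 aa:bb:cc:00:00:01
2024-05-31T08:03:40 ACK 10.0.0.37 de:ad:be:ef:00:99
2024-05-31T09:15:02 ACK 10.0.0.10 aa:bb:cc:00:00:10
2024-05-31T09:20:00 NAK 10.0.0.50 aa:bb:cc:00:00:02
"""

def normalise_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def observed_macs(log_text):
    """Return {mac: last lease time} for acknowledged leases only."""
    seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "ACK":
            continue
        when, mac = datetime.fromisoformat(parts[0]), normalise_mac(parts[3])
        seen[mac] = max(when, seen.get(mac, when))
    return seen

def reconcile(inventory_csv, log_text, now, stale_after_days=90):
    """Compare the register with the network view; return (unregistered, stale)."""
    seen = observed_macs(log_text)
    registered, stale = set(), []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        mac = normalise_mac(row["mac"])
        registered.add(mac)
        last = datetime.fromisoformat(row["last_seen"])
        last = max(last, seen.get(mac, last))
        if now - last > timedelta(days=stale_after_days):
            stale.append(row["asset_id"])
    unregistered = sorted(m for m in seen if m not in registered)
    return unregistered, stale
```

Normalising the MAC notation before comparing matters here: without it, the three registered devices would each appear as both a stale record and an unknown device.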

This information is licensed under the Open Government Licence v3.0. To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence. © National Cyber Security Centre 2022

Source: www.ncsc.gov.uk/guidance/asset-management

Stuart Walsh

Chief Information Security Officer at Blue Stream Academy

As the Chief Information Security Officer (CISO) for Blue Stream Academy, Stuart provides an article for each issue of BSA Today to highlight how we strongly believe that promoting better information security practices improves the threat landscape for all organisations that work alongside us.
