Shared Responsibility of Asset Management Reflects Patching Perspective

Asset management is a topic of conversation for many industry professionals due to several factors, including continuous diagnostics and mitigation, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other conversations around breaches and vulnerability threats.

Most organizations focus on one of two areas: hardware or software. Most people have participated in a hardware asset inventory by reporting which desktop or laptop they have, its serial number and where it is physically located. That is only the surface of that inventory process, however, and most times, it is not done very well or thoroughly. Software asset inventories are usually only done to true up license management practices.

Improving Asset Management

For security and data breach protection, you need a much more in-depth set of inventories, as illustrated by the IBM X-Force Threat Intelligence Quarterly. The hardware and software asset inventories should both be conducted from two aspects: the active, on-the-network aspect and the passive, what-is-installed-on-the-asset-itself aspect. From them, we need to know the OS, the application and patch levels, the configurations and the state of known vulnerabilities in order to develop a truer picture of the threat and of the risk we are willing to take on.

Here is where the X-Force discussion on Heartbleed has more meaning. Although patch rates for OpenSSL have increased, do you know every place in your network that uses OpenSSL? Do you have a risk assessment of the danger? Do you have compensating controls, either technical or operational, to limit or mitigate the dangers?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.

Setting a Security Risk Management Framework

The challenge in the Heartbleed example is in the number of vendors and internal, home-built systems that are incorporating third-party software. This is where the combination of asset inventories (hardware, software, configuration management and vulnerability management) sets the baseline in any security risk management framework. The key is an established, frequently updated inventory that is pre-existent and quickly actionable for verification within several hours. It should be pre-existent so you know your assets and quickly actionable so you can verify that certain parameters and risk strategies are in place.

A good asset management strategy has the following elements:

  • Endpoint reporting (servers, desktops, laptops and mobile)
    • Hardware is inventoried upon attaching to the network.
    • Software is inventoried for all logical and virtual installs.
    • Configurations are logged and enforced to organizational standard(s).
  • Network reporting
    • Records and logs from all traffic
    • Notification records of new equipment being attached to the network, correlated to endpoint reporting
    • Baseline activity
    • Scan of all systems for known vulnerabilities
    • Assignment of risk and remediation priorities
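
The Heartbleed question above ("do you know every place in your network that uses OpenSSL?") and the correlation of network reporting with endpoint reporting can be answered from one inventory pass. The following is an added example, not code from the article or from IBM; the inventory layout, host names and MAC addresses are constructed, and the affected range used is OpenSSL 1.0.1 through 1.0.1f.

```python
import re

# Constructed sample data (not from the article): endpoint-reported software,
# including OpenSSL copies bundled inside vendor or home-built applications.
ENDPOINT_INVENTORY = {
    "00:16:3e:00:00:01": {"host": "web01", "software": [
        {"name": "openssl", "version": "1.0.1e", "bundled_in": None}]},
    "00:16:3e:00:00:02": {"host": "app02", "software": [
        {"name": "openssl", "version": "1.0.1g", "bundled_in": None},
        {"name": "openssl", "version": "1.0.1c", "bundled_in": "vendor-vpn-client"}]},
    "00:16:3e:00:00:03": {"host": "db03", "software": [
        {"name": "openssl", "version": "0.9.8y", "bundled_in": None}]},
}
# Constructed sample: MAC addresses observed by network reporting.
NETWORK_SEEN = ["00:16:3e:00:00:01", "00:16:3e:00:00:02",
                "00:16:3e:00:00:03", "00:16:3e:00:00:99"]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def heartbleed_affected(version):
    """True for OpenSSL 1.0.1 through 1.0.1f, False otherwise, None if unparseable."""
    m = _VER.match(version.strip().lower())
    if not m:
        return None  # vendor-suffixed or beta string: route to manual review
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    return (major, minor, patch) == (1, 0, 1) and letter < "g"

def assess(inventory, network_seen):
    """Return (vulnerable installs, installs needing review, unmanaged MACs)."""
    vulnerable, review = [], []
    for mac, record in inventory.items():
        for sw in record["software"]:
            if sw["name"].lower() != "openssl":
                continue
            status = heartbleed_affected(sw["version"])
            entry = (record["host"], sw["version"], sw["bundled_in"] or "system")
            if status is None:
                review.append(entry)
            elif status:
                vulnerable.append(entry)
    unmanaged = sorted(set(network_seen) - set(inventory))
    return vulnerable, review, unmanaged

if __name__ == "__main__":
    vulnerable, review, unmanaged = assess(ENDPOINT_INVENTORY, NETWORK_SEEN)
    for host, version, where in vulnerable:
        print(f"VULNERABLE {host}: OpenSSL {version} ({where})")
    for mac in unmanaged:
        print(f"UNMANAGED  {mac}: on network, no endpoint report")
```

Distribution packages often backport fixes without changing the upstream version string, so a version match is a lead to verify rather than a verdict; strings the parser cannot read are returned for review instead of being silently passed.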

While we will never have the luxury of an environment completely secure from all manner of attack methodologies, we can gain a measure of success in dealing with the ever-changing flow of vulnerabilities and attacks we face. The assurance is in having the means and tools to do so quickly, to have sure answers about the state of our domain and to flex for the changing risks we will face in the future.
