September 23, 2014 By Peter Allor 2 min read

Shared Responsibility of Asset Management Reflects Patching Perspective

Asset management is a topic of conversation for many industry professionals due to several factors, including continuous diagnostics and mitigation, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other conversations around breaches and vulnerability threats.

Most organizations focus on one of two areas: hardware or software. Most people have participated in a hardware asset inventory by reporting which desktop or laptop they have, its serial number and where it is physically located. That is only the surface of that inventory process, however, and most times, it is not done very well or thoroughly. Software asset inventories are usually only done to true up license management practices.

Improving Asset Management

For security and data breach protection, you need a much more in-depth set of inventories, as illustrated by the IBM X-Force Threat Intelligence Quarterly. While conducting both the hardware and software asset inventories, both from an active, on-the-network aspect and the passive, what-is-installed-on-the-asset-itself aspect, we need to know the OS, the application and patch levels, the configurations and what the state of known vulnerabilities are to develop a truer picture of the threat and the risk picture we are willing to take on.

Here is where the X-Force discussion on Heartbleed has more meaning. Although patch rates for OpenSSL have increased, do you know every place in your network that uses OpenSSL? Do you have a risk assessment of the danger? Do you have compensating controls, either technical or operational, to limit or mitigate the dangers?

Asset management is all about providing the baseline for risk assessment and control. Management (not security management or information technology management) should be given the ability to know and assess risk and to assign means (resources and priorities) to mitigate that risk for the business and operations.

Setting a Security Risk Management Framework

The challenge in the Heartbleed example is in the number of vendors and internal, home-built systems that are incorporating third-party software. This is where the combination of asset inventories (hardware, software, configuration management and vulnerability management) set the baseline in any security risk management framework. The key is an established, frequently updated inventory that is pre-existent and quickly actionable for verification within several hours. It should be pre-existent so you know your assets and quickly actionable so you can verify certain parameters and risk strategies are in place.

A good asset management strategy has the following elements:

  • Endpoint reporting (servers, desktops, laptops and mobile)
    • Hardware is inventoried upon attaching to the network.
    • Software is inventoried for all logical and virtual installs.
    • Configurations are logged and enforced to organizational standard(s).
  • Network reporting
    • Records and logs from all traffic
    • Notification records of new equipment being attached to the network, correlated to endpoint reporting
    • Baseline activity
    • Scan of all systems for known vulnerabilities
    • Assignment of risk and remediation priorities

While we will never have the luxury of a completely secure environment from all manners of attack methodologies, we can gain a measure of success in dealing with the ever-changing flow of vulnerabilities and attacks we face. The assurance is in having the means and tools to do so quickly, have sure answers to the state of our domain and to flex for the changing risks we will face in the future.

Download the latest research from IBM X-Force

More from Risk Management

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today