What sounds like more fun than spending the start of the new year by taking inventory of all your systems? Unless you’re really odd, just about anything, to be truthful. But it’s something you should be giving serious thought to as 2014 draws to a close and 2015 begins. Even though we rarely think of it as a security function, a valid, up-to-date and accurate counting of our systems is one of the underlying building blocks that are absolutely necessary in having a successful security program.

It’s tempting to say throw out your old spreadsheets and start over from scratch to build a new inventory, but that’s not necessarily realistic for most organizations. On the other hand, we do need to realize that many of the inventories we have in spreadsheets scattered around the network are either old, inaccurate, just plain wrong or a combination of all three. An inventory has a half-life, a certain amount of time between when it’s created and when half of the information it contains is superseded. Depending upon your organization, this time period could be a couple of years, or it could be the end of the same day the inventory was created. In either case, relying on the old inventories is problematic, so use them as a starting point, with the understanding that you’re trying to create something new that’s more accurate.

Many inventories rely on the people working in the departments responsible for systems to self-report. If you’ve been in security for any length of time, you realize that this type of self-reporting just doesn’t work. Even people with the best of intentions often forget about one or two systems that have been used by the department since time immemorial. Or they’ll forget about a box running under someone’s desk because that person isn’t available the day the inventory is taken. Or maybe they’re trying to hide a system from the security department because it’s running something that’s against policy and they’re afraid it’ll get shut down. Finally, there’s always the apocryphal story of a server that was walled away when a remodel happened, but continued running for years.

Network discovery tools make for a great way to start off your count, but never pretend they’re going to find everything on your network. Some systems are not going to respond to network discovery in a manner that will be recognized by many tools, and in some cases won’t respond at all. Look beyond these tools and start mining some of the other tools and data stores you have, especially DNS. When you start looking at the hosts that are making requests to your DNS servers, interesting patterns might start to emerge. The responses to those requests can be interesting as well.

This brings us to two of the hardest parts of creating a valid and accurate inventory: BYOD/IoT and the Cloud. Every day our coworkers, our executives and even our own teammates are bringing more of the technology we use at home into the office. After the Christmas holiday there’s going to be an influx as all the new toys and gadgets people received as gifts flood into the office. Making an inventory of these systems on your network is a sensitive proposition, but one you have to decide how your company is going to deal with. You already have a set of policies and procedures to deal with that, right?

Cloud brings its own set of problems for inventories. Begin with an inventory of the approved Cloud services, but be aware that it’s just a starting point. Just about anyone with a credit card can set up a server on AWS or Microsoft and have services that contain your corporate data up and running in just a few minutes. There are many organizations that have shadow IT infrastructures in the Cloud that the official IT and security teams have no idea exist. This is another reason mining your DNS logs is so vital; those departments might not tell you they have shadow servers, but they still have to make DNS queries in order to connect to their servers. Another great resource is your accounting department: work with them to see who’s expensing credit card receipts for Cloud resources. Between DNS and expenses, you might be surprised how many external resources you find.
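As an added illustration of the DNS mining described in the network discovery and Cloud paragraphs above (this code is not part of the original post), the sketch below reconciles a DNS query log against an inventory export. The log layout, the sample hosts and the Cloud suffix list are constructed assumptions; adapt the parser to whatever your resolvers actually write.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: an inventory export and a simplified query log
# ("timestamp client_ip qname qtype"); real resolver log formats differ.
INVENTORY_CSV = """ip,hostname,owner
10.0.1.10,hr-files01,HR
10.0.1.11,fin-db01,Finance
10.0.1.12,hr-print01,HR
10.0.2.20,eng-build01,Engineering
"""
DNS_LOG = """\
2015-01-05T09:00:01 10.0.1.10 intranet.example.com A
2015-01-05T09:00:02 10.0.2.20 ec2-203-0-113-5.compute-1.amazonaws.com A
2015-01-05T09:00:03 10.0.3.77 updates.example.net A
2015-01-05T09:00:04 10.0.3.77 mktg-app.cloudapp.azure.com A
2015-01-05T09:00:05 10.0.1.11 intranet.example.com A
malformed line
"""
# Illustrative suffix list (an assumption); extend it for your providers.
CLOUD_SUFFIXES = ("amazonaws.com", "cloudapp.azure.com", "azurewebsites.net")

def load_inventory(text):
    """Map each inventoried IP address to its inventory row."""
    return {row["ip"].strip(): row for row in csv.DictReader(io.StringIO(text))}

def parse_dns_log(text):
    """Yield (client_ip, normalized qname); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield parts[1], parts[2].rstrip(".").lower()

def is_cloud(qname):
    # Match on a label boundary so "notamazonaws.com" is not a hit.
    return any(qname == s or qname.endswith("." + s) for s in CLOUD_SUFFIXES)

def reconcile(inventory, queries):
    """Return (uninventoried clients, Cloud names queried, silent inventory IPs)."""
    unknown, cloud, seen = defaultdict(set), defaultdict(set), set()
    for client, qname in queries:
        seen.add(client)
        if client not in inventory:
            unknown[client].add(qname)   # querying host missing from inventory
        if is_cloud(qname):
            cloud[qname].add(client)     # candidate shadow Cloud resource
    return dict(unknown), dict(cloud), set(inventory) - seen

if __name__ == "__main__":
    print(reconcile(load_inventory(INVENTORY_CSV), parse_dns_log(DNS_LOG)))
```

The third result, inventoried addresses that never appear in the log, is a list of entries to verify by hand: they may be stale, or they may be hosts that resolve names elsewhere.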

Inventories aren’t exactly anyone’s idea of fun, but there’s an old adage that if you don’t know it exists, you can’t secure it. Yours might be one of the companies who have a recent and accurate inventory of resources that make up your business and your network. But even the best companies could be well served by double-checking their inventory to make sure they haven’t missed anything. Or that a new system hasn’t been added in the time it took you to read this post.
