December 23, 2014 By Martin McKeay 3 min read

What sounds like more fun than spending the start of the new year by taking inventory of all your systems? Unless you’re really odd, just about anything, to be truthful. But it’s something you should be giving serious thought to as 2014 draws to a close and 2015 begins. Even though we rarely think of it as a security function, a valid, up-to-date and accurate counting of our systems is one of the underlying building blocks that are absolutely necessary in having a successful security program.

It’s tempting to say throw out your old spreadsheets and start over from scratch to build a new inventory, but that’s not necessarily realistic for most organizations. On the other hand, we do need to realize that many of the inventories we have in spreadsheets scattered around the network are either old, inaccurate, just plain wrong or a combination of all three. An inventory has a half-life, a certain amount of time between when it’s created and when half of the information it contains is superseded. Depending upon your organization, this time period could be a couple of years, or it could be the end of the same day the inventory was created. In either case, relying on the old inventories is problematic, so use them as a starting point, with the understanding that you’re trying to create something new that’s more accurate.

Many inventories rely on the people working in the departments responsible for systems to self-report. If you’ve been in security for any length of time, you realize that this type of self-reporting just doesn’t work. Even people with the best of intentions often forget about one or two systems that have been used by the department since time immemorial. Or they’ll forget about a box running under someone’s desk because that person wasn’t available the day the inventory was taken. Or maybe they’re trying to hide a system from the security department because it’s running something that’s against policy and they’re afraid it’ll get shut down. Finally, there’s always the apocryphal story of a server that was walled away when a remodel happened, but continued running for years.

Network discovery tools make for a great way to start off your count, but never pretend they’re going to find everything on your network. Some systems are not going to respond to network discovery in a manner that will be recognized by many tools, and in some cases won’t respond at all. Look beyond these tools and start mining some of the other tools and data stores you have, especially DNS. When you start looking at the hosts that are making requests to your DNS servers, interesting patterns might start to emerge. The responses to those requests can be interesting as well.

This brings us to two of the hardest parts of creating a valid and accurate inventory: BYOD/IoT and the Cloud. Every day our coworkers, our executives and even our own teammates are bringing more of the technology we use at home into the office. After the Christmas holiday there’s going to be an influx as all the new toys and gadgets people received as gifts flood into the office. Making an inventory of these systems on your network is a sensitive proposition, and you have to decide how your company is going to deal with it. You already have a set of policies and procedures to deal with that, right?

Cloud brings its own set of problems for inventories. Begin with an inventory of the approved Cloud services, but be aware that it’s just a starting point. Just about anyone with a credit card can set up a server on AWS or Microsoft and have services that contain your corporate data up and running in just a few minutes. There are many organizations that have shadow IT infrastructures in the Cloud that the official IT and security teams have no idea exist. This is another reason mining your DNS logs is so vital; those departments might not tell you they have shadow servers, but they still have to make DNS queries in order to connect to their servers. Another great resource is your accounting department: work with them to see who’s expensing credit card receipts for Cloud resources. Between DNS and expenses, you might be surprised how many external resources you find.
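One way to mine DNS query logs for both purposes described above, finding hosts that are missing from the inventory and finding cloud services nobody approved, is sketched below. This is an added example, not code from the original post; the BIND-style log lines, the inventory, the approved list and the cloud suffix list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
23-Dec-2014 09:14:02.113 client 10.1.4.22#53124 (intranet.example.com): query: intranet.example.com IN A + (10.1.0.53)
23-Dec-2014 09:14:05.870 client 10.1.4.87#40211 (ec2-203-0-113-10.compute-1.amazonaws.com): query: ec2-203-0-113-10.compute-1.amazonaws.com IN A + (10.1.0.53)
23-Dec-2014 09:15:11.002 client 10.1.9.140#51877 (time.example.net): query: time.example.net IN A + (10.1.0.53)
23-Dec-2014 09:15:40.459 client 10.1.4.87#40215 (teamwiki.cloudapp.net): query: teamwiki.cloudapp.net IN A + (10.1.0.53)
23-Dec-2014 09:16:03.310 client 10.1.4.22#53130 (reports.azurewebsites.net): query: reports.azurewebsites.net IN A + (10.1.0.53)
"""

# Assumptions for this example: the current inventory (by IP), the approved
# cloud hostnames, and a short, incomplete list of cloud provider suffixes.
INVENTORY = {"10.1.4.22", "10.1.4.87"}
APPROVED_CLOUD = {"reports.azurewebsites.net"}
CLOUD_SUFFIXES = (".amazonaws.com", ".cloudapp.net", ".azurewebsites.net")

# Newer BIND versions add an "@0x..." token after "client"; allow for it.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?query: (?P<name>\S+) IN \S+")

def parse_queries(log_text):
    """Yield (client_ip, queried_name) for every query line that parses."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower()

def audit(log_text, inventory, approved_cloud):
    """Return (hosts missing from inventory, unapproved cloud names)."""
    unknown_hosts = defaultdict(set)   # client IP -> names it asked for
    shadow_cloud = defaultdict(set)    # cloud name -> clients that asked
    for ip, name in parse_queries(log_text):
        if ip not in inventory:
            unknown_hosts[ip].add(name)
        if name.endswith(CLOUD_SUFFIXES) and name not in approved_cloud:
            shadow_cloud[name].add(ip)
    return dict(unknown_hosts), dict(shadow_cloud)

if __name__ == "__main__":
    unknown, shadow = audit(SAMPLE_LOG, INVENTORY, APPROVED_CLOUD)
    for ip, names in sorted(unknown.items()):
        print(f"not in inventory: {ip} queried {sorted(names)}")
    for name, ips in sorted(shadow.items()):
        print(f"unapproved cloud name: {name} queried by {sorted(ips)}")
```

The client IPs attached to each unapproved cloud name tell you which desk or department to talk to, which is also where the expense receipts come in.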

Inventories aren’t exactly anyone’s idea of fun, but there’s an old adage that if you don’t know it exists, you can’t secure it. Yours might be one of the companies who have a recent and accurate inventory of resources that make up your business and your network. But even the best companies could be well served by double-checking their inventory to make sure they haven’t missed anything. Or that a new system hasn’t been added in the time it took you to read this post.
