What sounds like more fun than spending the start of the new year taking inventory of all your systems? Unless you’re really odd, just about anything, to be truthful. But it’s something you should be giving serious thought to as 2014 draws to a close and 2015 begins. Even though we rarely think of it as a security function, a valid, up-to-date and accurate count of our systems is one of the underlying building blocks that are absolutely necessary for a successful security program.

It’s tempting to say throw out your old spreadsheets and start over from scratch to build a new inventory, but that’s not necessarily realistic for most organizations. On the other hand, we do need to realize that many of the inventories we have in spreadsheets scattered around the network are either old, inaccurate, just plain wrong or a combination of all three. An inventory has a half-life, a certain amount of time between when it’s created and when half of the information it contains is superseded. Depending upon your organization, this time period could be a couple of years, or it could be the end of the same day the inventory was created. In either case, relying on the old inventories is problematic, so use them as a starting point, with the understanding that you’re trying to create something new that’s more accurate.

Many inventories rely on the people working in the departments responsible for systems to self-report. If you’ve been in security for any length of time, you realize that this type of self-reporting just doesn’t work. Even people with the best of intentions often forget about one or two systems that have been used by the department since time immemorial. Or they’ll forget about a box running under someone’s desk because that person isn’t available the day the inventory is taken. Or maybe they’re trying to hide a system from the security department because it’s running something that’s against policy and they’re afraid it’ll get shut down. Finally, there’s always the apocryphal story of a server that was walled away when a remodel happened, but continued running for years.

Network discovery tools make for a great way to start off your count, but never pretend they’re going to find everything on your network. Some systems are not going to respond to network discovery in a manner that will be recognized by many tools, and in some cases won’t respond at all. Look beyond these tools and start mining some of the other tools and data stores you have, especially DNS. When you start looking at the hosts that are making requests to your DNS servers, interesting patterns might start to emerge. The responses to those requests can be interesting as well.

This brings us to two of the hardest parts of creating a valid and accurate inventory: BYOD/IoT and the Cloud. Every day our coworkers, our executives and even our own teammates are bringing more of the technology we use at home into the office. After the Christmas holiday there’s going to be an influx as all the new toys and gadgets people received as gifts flood into the office. Making an inventory of these systems on your network is a sensitive proposition, but one you have to decide how your company is going to deal with. You already have a set of policies and procedures to deal with that, right?

Cloud brings its own set of problems for inventories. Begin with an inventory of the approved Cloud services, but be aware that it’s just a starting point. Just about anyone with a credit card can set up a server on AWS or Microsoft and have services that contain your corporate data up and running in just a few minutes. There are many organizations that have shadow IT infrastructures in the Cloud that the official IT and security teams have no idea exist. This is another reason mining your DNS logs is so vital; those departments might not tell you they have shadow servers, but they still have to make DNS queries in order to connect to their servers. Another great resource is your accounting department: work with them to see who’s expensing credit card receipts for Cloud resources. Between DNS and expenses, you might be surprised how many external resources you find.
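As an added example (not from the original post), here is one way to mine a DNS query log for both purposes described above: finding clients that are missing from the inventory and finding Cloud hostnames that are not on the approved list. The log format, the inventory and approved-services sets, and the suffix list are assumptions constructed for illustration; adapt the parser to whatever your resolver actually logs.

```python
from collections import defaultdict

# Constructed sample data: an inventory export and a simplified query log
# ("timestamp client_ip qname qtype"). Real resolver logs differ per product.
INVENTORY = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}
SAMPLE_LOG = """\
2015-01-05T09:00:01 10.0.1.10 intranet.example.com A
2015-01-05T09:00:04 10.0.3.77 updates.example.net A
2015-01-05T09:01:12 10.0.2.20 ec2-203-0-113-5.compute-1.amazonaws.com A
2015-01-05T09:02:30 10.0.3.77 teamsite.azurewebsites.net A
malformed line
2015-01-05T09:03:00 10.0.1.11 Reports.S3.AmazonAWS.com. AAAA
"""
# Illustrative suffixes for the two providers the article names; extend as needed.
CLOUD_SUFFIXES = ("amazonaws.com", "azurewebsites.net", "cloudapp.net")
APPROVED_CLOUD = {"reports.s3.amazonaws.com"}  # hypothetical approved-services list


def parse(log_text):
    """Yield (client_ip, normalized qname) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        # DNS names are case-insensitive and may carry a trailing root dot.
        yield fields[1], fields[2].rstrip(".").lower()


def is_cloud(qname):
    """Match on label boundaries so 'notamazonaws.com' does not count."""
    return any(qname == s or qname.endswith("." + s) for s in CLOUD_SUFFIXES)


def audit(log_text, inventory, approved):
    """Return (queries by uninventoried client, clients by unapproved cloud name)."""
    unknown = defaultdict(set)
    shadow = defaultdict(set)
    for client, qname in parse(log_text):
        if client not in inventory:
            unknown[client].add(qname)
        if is_cloud(qname) and qname not in approved:
            shadow[qname].add(client)
    return dict(unknown), dict(shadow)


if __name__ == "__main__":
    unknown, shadow = audit(SAMPLE_LOG, INVENTORY, APPROVED_CLOUD)
    for ip, names in sorted(unknown.items()):
        print(f"not in inventory: {ip} queried {sorted(names)}")
    for name, clients in sorted(shadow.items()):
        print(f"unapproved cloud name: {name} queried by {sorted(clients)}")
```

The clients listed under an unapproved Cloud name are the starting point for the conversation with the owning department, and the same names can be matched against the expense receipts from accounting.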

Inventories aren’t exactly anyone’s idea of fun, but there’s an old adage that if you don’t know it exists, you can’t secure it. Yours might be one of the companies who have a recent and accurate inventory of resources that make up your business and your network. But even the best companies could be well served by double-checking their inventory to make sure they haven’t missed anything. Or that a new system hasn’t been added in the time it took you to read this post.
