Maintaining current inventories of all hardware devices, software applications, operating systems and firmware applications on your networks is listed as Job #1 in cutting-edge information security guidance. This is true for a number of reasons, but today I want to discuss the paramount importance of good inventory control processes in mounting trackable and effective security maintenance and configuration control programs.
In a recent Threatpost report on top threats for2018, it was reported that exploit kits were still the top web-based threat. Exploit kits are very good at uncovering missing patches, misconfigurations, default passwords and the like, and they are most assuredly not limited to Windows systems only.
In the work we do, it is very common for us find networks that are obviously being generally well administered. We see that most systems are well configured, that Windows patching is very good and that most access controls are strong. But on these same networks, we almost always find glaring anomalies that don’t fit the overall picture. Maybe we’ll find a couple of hosts with factory default credentials in place, or a firewall that is running an exploitable firmware version, or maybe it will virtual machine software that is missing security patches. The list is extensive. But they all have one thing in common; these are systems and hosts that have somehow fallen through the cracks.
This is where good inventory control comes in. Most of the organizations I referred to above have inventories in place, but they are just there to be there; nobody seems to use them for anything. I think this is mainly because most infosec programs are driven by compliance, and compliance means you have to be able to check the “inventories in place” box. What a mistake! Those inventories are useful!
Inventories should be central to all security maintenance and configuration control efforts. All hardware devices, software applications, operating systems and firmware applications should be included in IT inventories. Security maintenance and configuration control administrators should ensure that all entities on these lists are included in their efforts. Those in charge of these processes should also always ensure that they are communicating and coordinating their efforts, and that everything is kept up-to-date. In fact, I’ll go one step further.
An effective information security program, although made up of many different processes, needs to work together like a single entity. It’s very much like our own bodies. We have a brain, a heart, limbs, bones, eyes, skin and numerous other individual parts, but they all cooperate together to function as a single entity. If you don’t leverage each part of your infosec program to feed and enable all of the other parts, then you are wasting a lot of time and money!