Some security controls can't reach maximum effectiveness unless other, related controls are also in place. This is the case with system security maintenance and configuration control. If you don't tie these controls to well-maintained and regularly updated inventories of all network assets, you are bound to see vulnerabilities cropping up on your systems.
We have done many vulnerability assessments and penetration tests over the years, and we notice the same things again and again. We find that most of our clients do a good job of keeping up security maintenance on their Windows-based systems, and that most network assets are well configured and hardened. But even among the best of networks, there always seem to be hosts that are running out-of-date firmware, that were configured with their default admin passwords still in place, or that have some other anomaly present that gives cyber-criminals an attack surface to work with. And almost universally it is because these assets were simply forgotten. This is where comprehensive inventory control comes into the picture.
The first job is to ensure that every network entity is included in the inventory. This means each piece of hardware, software, firmware and operating system. If it is addressable, it needs to be included. The next job is to ensure that the inventory is kept as current as possible. It should be automatic that when assets are added, dropped or change status, the inventory is updated. Unless your network is particularly small and simple, asset tracking software packages are recommended for this task.
The next task is to ensure that each network asset in the inventory is included in the configuration control process. Before the asset was deployed on the network, was it configured according to a best practices-based onboarding checklist? Were default passwords changed? Were unnecessary services disabled? It is also important for some devices such as routers and firewalls to have their configurations checked and updated on a regular basis. Have all such devices in the inventory been identified and included in the system?
The next and probably the most difficult thing to accomplish is to ensure that each asset in the inventory is included in the security maintenance program. Have the vendor and security web sites that provide vulnerability and update/patch information been identified and noted for each kind of software, operating system, firmware and hardware asset in the inventory? Have network assets in the inventory that are not automatically updated via WSUS or some other update service been identified? Once they have been identified, is there a system in place to ensure that they are manually updated? Are there any licenses that need to be kept current? Ensuring that questions such as those above are addressed, and that all inventory assets are properly handled, will help to keep your networks as secure as possible.
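As an added illustration (not part of the original post), the short Python script below reconciles an asset inventory against a network discovery sweep and flags the gaps the questions above describe: hosts seen on the network but missing from the inventory, inventory entries never seen, assets with no recorded update source, unconfirmed default-credential changes, and overdue periodic reviews for routers, firewalls and manually patched devices. The CSV columns, host names and addresses are constructed sample data, not from any real network.

```python
"""Reconcile an asset inventory against a discovery sweep (added example)."""
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions for this example.
INVENTORY_CSV = """hostname,ip,kind,patch_source,default_creds_changed,last_review
fw-edge-01,10.0.0.1,firewall,vendor-portal,yes,2023-11-01
dc-01,10.0.0.10,windows-server,wsus,yes,2024-01-15
printer-3f,10.0.0.55,printer,,no,
cam-lobby,10.0.0.77,ip-camera,manual,yes,2022-06-30
"""
# Constructed result of a discovery sweep (e.g. an authenticated scan or ARP/DHCP export).
DISCOVERED_IPS = {"10.0.0.1", "10.0.0.10", "10.0.0.55", "10.0.0.90"}
REVIEW_MAX_AGE_DAYS = 365          # how often routers/firewalls/manual assets get re-checked
PERIODIC_REVIEW_KINDS = {"firewall", "router"}


def load_inventory(text):
    """Parse the inventory CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory, discovered, today):
    """Return (asset, finding) pairs for every inventory/config/maintenance gap."""
    findings = []
    known_ips = {row["ip"] for row in inventory}
    for ip in sorted(discovered - known_ips):      # on the wire, but nobody owns it
        findings.append((ip, "not in inventory"))
    for row in inventory:
        host = row["hostname"]
        if row["ip"] not in discovered:
            findings.append((host, "in inventory but not seen on network"))
        if not row["patch_source"]:
            findings.append((host, "no update/patch source recorded"))
        if row["default_creds_changed"] != "yes":
            findings.append((host, "default credentials not confirmed changed"))
        needs_review = row["kind"] in PERIODIC_REVIEW_KINDS or row["patch_source"] == "manual"
        if needs_review:
            last = row["last_review"]
            if not last or (today - date.fromisoformat(last)).days > REVIEW_MAX_AGE_DAYS:
                findings.append((host, "periodic config/manual update review overdue"))
    return findings


def audit(today_iso):
    """Run the reconciliation over the sample data as of the given ISO date."""
    return reconcile(load_inventory(INVENTORY_CSV), DISCOVERED_IPS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for asset, finding in audit(date.today().isoformat()):
        print(f"{asset}: {finding}")
```

In practice the inventory and discovery inputs would come from the asset-tracking package and the scanner export rather than inline strings, but the reconciliation logic is the same.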