If you look at modern information security guidance such as the Center for Internet Security Top 20, the NIST Cybersecurity Framework or MicroSolved’s own 80/20 Rule for Information Security, the first controls they recommend implementing are inventories of hardware and software assets. There are several good reasons for making IT asset inventories job number one.
First and foremost, you can’t protect a network asset that you don’t know exists. I would be hard put to tell you how many times we have compromised network security by exploiting forgotten devices or software applications during penetration testing engagements using this vector.
Second, how can you tell if a device or software application is supposed to be on the network if you don’t have an approved inventory list you can check it against? An employee or service provider could install unauthorized devices or applications on the network and you would be none the wiser.
Another reason I don’t hear much about, but think is at least as important as those mentioned above is that you can leverage your inventories to enable and improve other information security processes on your network. I will cite specifically configuration control and security maintenance programs.
When most people think of configuration control, they immediately think of firewalls, switches and routers. This is understandable, since misconfiguration of these devices can have immediate and far-reaching security implications. But really effective configuration control should extend far beyond networking devices. In fact, we counsel our clients that all network entities should be securely configured according to an accepted baseline security scheme. For example, we often see applications or devices that are still configured with their default administrative passwords. We also see other configuration problems such as FTP systems that are not configured with proper access controls, systems that are configured to accept the use of weak cryptographic protocols and systems that are configured with verbose error messages just to name a few. But if you tie the configuration control program to your network inventories, you can systematically ensure that each and every device, operating system and software/firmware application is configured correctly and securely.
The same thing applies to the security maintenance program. We are able to exploit out of date or unpatched network entities on a regular basis to compromise network security or elevate our privileges on the network. A lot of organizations now not only use WSUS, but employ some kind of service to help them deal with their security maintenance woes. But we have found that even with such mechanisms in place, there are applications or devices that just slip through the cracks. But if you couple your inventories with the security maintenance system, you can ensure that none of these network “orphans” will come back to bite you.
And think of the other processes you can tie in with network inventories? How about access control and change management for instance? Constructing and properly maintaining full network inventories is a difficult task. Why not get all the benefits you can from all your efforts?