The Center for Internet Security (CIS), www.cisecurity.org, is a nonprofit that publishes globally recognized best practices for securing IT systems and data. CIS released its latest version of the controls, CIS Critical Security Controls version 8.1, in June 2024. Since the controls are in priority order, let’s look at the first control, Inventory and Control of Enterprise Assets.
Each control is broken down into sub-sections called safeguards. Control 1 has five safeguards. Again, I want to talk specifically about the first safeguard, 1.1 “Establish and Maintain Detailed Enterprise Asset Inventory”. Why is asset inventory the most crucial of all the controls? Why is it so important that it is the first control and the first safeguard?
Let’s review a fictitious story to see why it’s so important. Dave, the CEO, walks into the Security Operations Center (SOC) and asks Bob, the SOC lead, how his company was hit with ransomware. “Just two days ago, you said everything was secure,” Dave yells at Bob. “It was,” Bob yells back. And then, with his voice softening, “at least, I believed it was. We found an extra wireless access point we were not aware of before. We are trying to track down the owner now…” As you can see from this illustration, you can’t protect what you don’t know about. That is the key reason this control is the first of the eighteen CIS controls. A friend I used to work with always said,
“Know what you own. Own what you know.”
Data breaches: As noted in the example above, one of the risks of operating uncontrolled assets is the risk of data breaches. Each device on the network needs to be protected, patched, and have the right firewalls and security products installed and configured properly. How do you install a Data Loss Prevention (DLP) agent or an Endpoint Detection and Response (EDR) agent on a device you do not know exists? The bottom line is… you can’t.
Improperly configured devices present weak points in the network. They are pieces of the attack surface that the security team isn’t aware of and therefore isn’t tracking, so no mitigations are put in place. If an adversary gains access to an unprotected device, they can quickly establish a foothold and move laterally toward the rest of the network.
Regulatory compliance: Beyond the risk of data breaches, there are legal ramifications to consider. This will not apply to every business in every industry, but many organizations are required to maintain records of the systems that store or process regulated data, for example under the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Health Insurance Portability and Accountability Act (HIPAA). A device you do not know about is one you cannot show you have protected, and businesses can be held legally accountable if their actions cause injury or loss of income to another person or party.
Operational disruptions: The last risk I want to mention is the risk to business operations. If a segment of the network must be isolated and taken down, it is out of production and cannot be used for its intended purpose. Productivity decreases and business continuity may be impacted.
CIS Control 1: Inventory and Control of Enterprise Assets plays a pivotal role in ensuring comprehensive and accurate asset inventory. Here are three specific ways in which CIS Control 1 contributes to effective asset management:
In 2015 the United States Office of Personnel Management (OPM) was hacked. OPM is responsible for conducting background investigations for security clearances across the US Government, including the Department of Defense. The attackers stole the personal information (names, birthdays, Social Security numbers, addresses, family relationships, etc.) of over 21.5 million Americans. There is an exhaustive set of reports on the breach, from news outlets to the official congressional report. I did find that Thu T., a writer for Cisco at duo.com, summarized the 241-page congressional report very well on her blog.
You guessed it! Right there, about halfway down the page, it says “No Insight, No Inventory.” She continues talking about the congressional report saying, “The report also found that OPM does not maintain an accurate centralized inventory of all of their servers, databases or network devices that reside within the network. Without insight into this basic data, it’s pretty hard to ensure OPM data is secured.”
So, what is the real-world impact? With a lack of asset management and eight other issues Thu identified, the lives of 21.5 million Americans changed forever. Those impacted will always have to maintain credit monitoring and identity theft protection services. Any family members and friends who were interviewed as part of the background investigations also had their information compromised. It is something those people will have to watch for the rest of their lives, never knowing when the information may be sold on the black market or used for nefarious purposes.
So, what are the best practices for asset inventory? I am a fan of the National Institute of Standards and Technology (NIST) Special Publication 800-53 Rev. 5. Its control CM-8, System Component Inventory, covers how to implement an inventory of system components. They recommend that however you track your inventory, in the end, it should do the following:
To the NIST list, I would add the need for regular updates, automation of the inventory process, and integration with other security tools, so that a device seen on the network but missing from the inventory, or an inventory entry that has not been seen in weeks, is flagged without anyone having to notice it by hand.
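As an added example (not code from the original post or from CIS or NIST), here is one way to automate the reconciliation step that the rogue access point story and safeguard 1.1 call for: take a discovery snapshot (an ARP cache, DHCP lease file, or scanner export) and compare it against the authorized inventory, flagging devices that are on the network but not in the inventory, and inventory entries that have not been seen within a staleness window. The CSV export, the discovered MAC addresses, the column names and the 30-day window are all constructed sample data and assumptions for illustration.

```python
"""Reconcile a network discovery snapshot against the authorized asset inventory.

Added example, not from the original post. Assumptions: the inventory is a CSV
export with mac/hostname/owner/last_seen columns, and discovery yields MAC+IP pairs.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the authorized inventory as it might be exported from a CMDB.
# Note the mixed MAC formats; real sources rarely agree on one.
AUTHORIZED_CSV = """mac,hostname,owner,last_seen
aa:bb:cc:00:00:01,fileserver01,it-ops,2024-09-01T08:00:00+00:00
AA-BB-CC-00-00-02,hr-laptop-07,hr,2024-09-01T09:15:00+00:00
aa:bb:cc:00:00:03,old-printer,facilities,2024-05-10T12:00:00+00:00
"""

# Constructed sample: today's discovery snapshot (ARP cache, DHCP leases, scanner output).
DISCOVERED = [
    {"mac": "AA:BB:CC:00:00:01", "ip": "10.0.1.10"},
    {"mac": "aa-bb-cc-00-00-02", "ip": "10.0.2.25"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.3.7"},  # not in the inventory at all
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 9, 2, tzinfo=timezone.utc)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so MACs from different sources compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(csv_text: str) -> dict:
    """Parse the CSV export into a dict keyed by normalized MAC, with last_seen as datetime."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["last_seen"] = datetime.fromisoformat(row["last_seen"])
        inventory[normalize_mac(row["mac"])] = row
    return inventory


def reconcile(inventory: dict, discovered: list, now: datetime,
              stale_after: timedelta = timedelta(days=30)) -> dict:
    """Compare a discovery snapshot with the inventory.

    Returns a dict with:
      unknown: discovered devices that have no inventory record (candidates for
               CIS safeguard 1.2, Address Unauthorized Assets)
      stale:   inventory MACs not seen now and not seen within stale_after
      updated: a copy of the inventory with last_seen refreshed for devices seen now
    """
    updated = {mac: dict(rec) for mac, rec in inventory.items()}
    seen = set()
    unknown = []
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        if mac in updated:
            updated[mac]["last_seen"] = now
            seen.add(mac)
        else:
            unknown.append({"mac": mac, "ip": dev["ip"]})
    stale = sorted(mac for mac, rec in updated.items()
                   if mac not in seen and now - rec["last_seen"] > stale_after)
    return {"unknown": unknown, "stale": stale, "updated": updated}


def run_example() -> dict:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(load_inventory(AUTHORIZED_CSV), DISCOVERED, NOW)


if __name__ == "__main__":
    result = run_example()
    for dev in result["unknown"]:
        print(f"UNKNOWN  {dev['mac']} at {dev['ip']}: not in inventory, investigate or quarantine")
    for mac in result["stale"]:
        rec = result["updated"][mac]
        print(f"STALE    {mac} ({rec['hostname']}, owner {rec['owner']}): "
              f"last seen {rec['last_seen']:%Y-%m-%d}, confirm it was decommissioned")
```

Run on the sample data, the script reports the unknown device at 10.0.3.7 (the equivalent of Bob's extra access point) and flags old-printer, which the inventory still lists but nothing has seen since May. In practice the discovery list comes from several sources at once (switch MAC tables, DHCP, EDR console, cloud provider inventory) and the "unknown" output feeds a ticket or a quarantine VLAN rather than a print statement.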
The bottom line is that you cannot protect what you don’t know about. We must understand every device on our networks, how it is configured, and who owns it. The only way to do that is through a well-planned and well-executed asset management strategy. With all the guidance out there, I recommend implementing the CIS Controls exactly as documented in CIS Critical Security Controls Version 8.1.