SAN Control 1—”Inventory and Control of Hardware Assets

The Core Principle

There are only six controls in the Top 20 list that are designated “Basic,” and an inventory of your hardware is number one.

I actually would like to rephrase this control slightly, so it better fits the core principle I wanted to highlighted: if there was ever a Golden Rule in enterprise security, it’s this: know what you have. If you don’t know what you have, how can you protect it? This is exactly how attackers win: they find (or install) devices where they won’t be seen, and since these unseen devices almost by definition have gone under the radar, the device is unprotected and they get in.

This is exactly how the Target hack happened: Target didn’t realize that they had an HVAC system connected to their entire network, and of course it had a backdoor, insecure connection to one of their vendors. Once the attackers realized what they had access to, they had all the time in the world to exploit their access to its full.

Transcending the Control

This control is typically a pitfall for CISOs because getting it right is a lot harder than it sounds.

At the technical capability level, this is what this control means:

Given any IP address on any device in your enterprise, I have a way to instantly know (a) where logically on my network this device resides (b) for on-premises systems, where physically on my enterprise this device resides (c) the function and access of this device in the larger enterprise picture (i.e. if it were to go down, what would be the impacts?).

I highlighted the words “any” and “instantly” to indicate the two greatest problems CISOs have with fulfilling this control. Generally, an enterprise has a well-curated, centrally managed network that has some degree of network monitoring (a slightly out of date list is on wikipedia). But chances are, your enterprise has many, many more devices that aren’t part of this centrally managed core: mobile devices, maintenance laptops used by IT staff, isolated or remote facility LANs, forgotten AWS accounts or EC2 instances outside your default region.

These are the weak points where attackers get in. “Any” means you have to take care of all the corner cases: 95% coverage of your devices is a failure. You have to know 100%, all the time.

As a CISO, you should eventually be spending 80% of your organization’s asset inventory efforts creating initiatives designed to uncover “unknown unknowns”, and the other 20% converting “known unknowns” to “known knowns.”

Too many CISOs fall into the trap of purchasing new asset management tools that simply help them manage their core assets better rather than help them find unknowns.

Why instantly? I once worked at an enterprise where I spent nearly 4 months trying to track down devices that no one at the company knew anything about: the information the IT staff had was either out of date or factually incorrect because it had been collected by hand. Granted, it was a very large network, but the company had invested millions on security.

This is where “instantly” comes into play: it’s essential to have a centralized, highly automated system in place which updates and records comprehensive information on each device you own.

The payoffs of having an inventory system that is both comprehensive and automated are enormous, since the other 18 controls depend on it. It takes hard, grinding work to track down everything and to get the proper monitoring in place, but it’s well worth it!

The next article will talk about the second core principle: Inventory and Control of Software Assets.