Establishing a Robust Cybersecurity Foundation Through Comprehensive Asset Inventory

A robust cybersecurity program starts with a fundamental, albeit mundane, task: gathering an inventory of assets. This foundational step, while pedestrian and often repetitive, is critical. Without a comprehensive and functional inventory, it’s impossible to secure your environment because you don’t know ?what exists in your environment.

Defining the Asset Landscape

In the context of cybersecurity, assets encompass a broad range of entities. This includes:

• End user devices, mobile computing devices, and portable devices.
• Network infrastructure such as routers, modems, and switches.
• Non-computing devices like Operational Technology (OT), Internet of Things (IoT) devices, and Industrial Control Systems (ICS).
• Servers, both physical and virtual, across on-premises and cloud environments.
• Remote sites, even those that do not connect to traditional IT networks.

There should be no distinction between physical and virtual assets, nor between on-premises and cloud resources. Every asset, regardless of its nature or location, must be accounted for.

The Importance of Asset Inventory

The Center for Internet Security (CIS) aptly summarizes the necessity of a comprehensive asset inventory: “Enterprises cannot defend what they do not know they have. Managed control of all enterprise assets also plays a critical role in security monitoring, incident response, system backup, and recovery.” Proper asset management is essential for identifying critical data and applying appropriate security controls.

Furthermore, understanding all points of ingress and egress for networks is equally critical. By discovering and inventorying network infrastructure, such as routers and modems, organizations can better manage and secure network access points.

Tooling for Asset Discovery

Manual asset inventory is neither scalable nor accurate enough to be relied upon in today’s complex environments. Automated tools are essential for this task, offering a variety of capacities and price points.

For those with limited budgets, tools like Angry IP Scanner or, for the Linux-inclined, netdiscover and nmap, can provide a point-in-time snapshot of network assets. For continuous asset discovery, active scanners like RunZero are worth considering.

However, caution must be exercised when performing scans from end user devices. It's important to avoid inadvertently scanning networks owned by others, such as home or public Wi-Fi networks, especially if the user works remotely. While organizations have the right to scan their networks and devices, scanning employees’ home devices could raise legal and ethical concerns.

Establishing and Maintaining an Accurate Asset Inventory

An accurate asset inventory provides a baseline of “normal” that allows organizations to detect and address deviations, whether they represent unauthorized assets or other security concerns. The CIS recommends the following best practices for asset management:

• Establish and maintain a detailed asset inventory.
• Address unauthorized assets.
• Utilize active and passive discovery tools.
• Leverage DHCP logging to update the asset inventory.

Leveraging DHCP Logs and Active Scanning

One often overlooked source of valuable information is the DHCP server, which logs every device that connects to the network and receives an IP address. This log serves as a record of all devices that have joined the network, allowing for the identification of unauthorized or unexpected connections. To maximize the usefulness of this log, setting long lease times on the DHCP server (90 days is recommended) can ensure a historical record of leases is maintained.

Active scanning tools provide another layer of defense by continuously monitoring the network for new devices. By scanning the entire network space daily, organizations can quickly identify and respond to unauthorized devices. While active scanning requires some technical knowledge, it is an effective and typically affordable solution.

Integrating Active and Passive Scanning

For a more comprehensive approach, integrating both active and passive scanning methods offers significant advantages. Passive scanning complements active scanning by identifying devices that may only be connected for short periods, such as those recorded in network switch logs. This approach provides a more complete picture of the network, capturing both current and recent devices.

For mature organizations, there is also the option to capture all network traffic via a SPAN port or TAP, recording all hosts that have communicated on the network. While this method offers a marginally higher level of accuracy, it comes with increased complexity and requires greater technical capabilities.

Extending Asset Management to Cloud Environments

While the focus has been on on-premises environments, it is crucial to apply the same level of rigor to cloud resources. This includes not only Virtual Machines but also Virtual Networks, Platform as a Service (PaaS) offerings, hosted databases, file shares, and integrations. Although the specific methodologies may vary depending on the organization, the importance of thorough asset management in the cloud cannot be overstated.

In conclusion, a detailed and accurate asset inventory is the bedrock of any effective cybersecurity program. By leveraging the appropriate tools and methodologies, organizations can maintain control over their assets, detect unauthorized activities, and apply the necessary security controls to protect critical data.

?