Network Protection through Asset Inventory Control

Understanding and managing device access to your network is an essential safety control for the ongoing security of your network. According to the Center for Strategic & International Studies (CSIS), asset inventory control tops the list of 20 critical security control that can help agencies and business block the most frequent attacks. [1]

Established in 2008, the CSIS brought together leaders from the NSA, CIA and Department of Defense to determine the top critical cybersecurity threats facing our national infrastructure. They developed a public-private consortium of top cybersecurity experts in the nation and were commissioned to develop a list of the top critical controls that can stop or mitigate attacks.

For now, I want to highlight Asset Inventory Control. This includes processes and tools that the organization utilizes to detect and manage all devices accessing the network such as computers, tablets, printers, and anything with an IP address. It is essential to track, control access, prevent access, and correct network access by all possible devices.

Without Asset Inventory Control, your network is vulnerable. Would-be attackers scan targeted organization continually, looking for vulnerable devices attached to the network. For instances, they are searching for hardware (laptops, etc) without the necessary patches or security updates. This form of attack may be part of a multilayered attack. If they already penetrated network, they may seek to compromise a device that has not been properly secured. Then they may install “backdoor tools” on the device with the intent of launching further internal attacks and data breaches. If you consider the number of out-of-date devices or BYOD devices (that may already be compromised), the critical role of Assent Inventory Control becomes clear.

The CSIS recommends the following 10 steps for implementing this control:

1.Quick wins: Deploy an automated asset inventory discovery tool and use it to build a preliminary asset inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
2.Quick wins: Deploy dynamic host configuration protocol (DHCP) server logging, and utilize a system to improve the asset inventory and help detect unknown systems through this DHCP information.
3.Quick wins: Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network. A robust change control process can also be used to validate and approve all new devices.
4.Visibility/Attribution: Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.
5.Configuration/Hygiene: Make sure the asset inventory database is properly protected and a copy is stored in a secure location.
6.Configuration/Hygiene: In addition to an inventory of hardware, organizations should develop an inventory of information assets that identifies their critical information and maps critical information to the hardware assets (including servers, workstations, and laptops) on which it is located. A department and individual responsible for each information asset should be identified, recorded, and tracked.
7.Configuration/Hygiene: Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
8.Configuration/Hygiene: Deploy network access control (NAC) to monitor authorized systems so if attacks occur, the impact can be remediated by moving the untrusted system to a virtual local area network that has minimal access.
9.Configuration/Hygiene: Create separate virtual local area networks (VLANs) for BYOD systems or other untrusted devices.
10.Advanced: Utilize client certificates to validate and authenticate systems prior to connecting to the private network.

Integracon offers a comprehensive security inventory with a recommended plan for long-term security management. Our team of experts addresses the critical security controls with a plan of action that includes tools, processes, and governance strategies. To learn more about how our security professionals can help you, chat with us on Integracon.com or call us at 865-330-2323.

[1] See “A Brief History Of The 20 Critical Security Controls.” <http://www.sans.org/critical-security-controls/history.php>