If you’ve ever moved to a new home, imagine the chaos and extra time spent unpacking if boxes weren’t labeled and room-specific items weren’t packed together. Setting up in a new home is no easy feat, but a proper, organized approach makes a world of difference when it’s time to unpack your belongings.
The same holds true for vulnerability management.
In order to properly manage and classify risk on a network, you need an organized and accurate asset inventory. Otherwise, how can you ensure your network is secure if you’re unclear what’s on it?
Shadow IT and the advent of BYOD have introduced headaches and heart-stopping moments for many system administrators and vulnerability management engineers. As an example, in June 2019, the Office of Inspector General (OIG) released details about a breach of NASA’s Jet Propulsion Lab network. The attacker used an unauthorized Raspberry Pi device attached to the network to gain access and steal information related to the Curiosity Rover on Mars and other projects. The OIG stated the attack went undetected for nearly a year.
This attack emphasizes the importance of not only creating an accurate inventory of systems on your network, but also maintaining it with regular vulnerability scans.
Three Steps to Get Your Asset House in Order
Getting started with asset organization can be very straightforward.
Step 1: The first step, like everything else in IT, is proper documentation and governance. If compliance documents do not dictate a naming convention, your team should develop one that, at a minimum, answers the following questions:
- Purpose – what function does this asset perform?
  - Is this a production, development, or test asset?
- Location – is this a physical or virtual asset?
  - If it’s physical, what is the general location?
- Type – is this a server or client asset?
Step 2: Next, decide how the assets should be organized. Does it make sense to segment assets by location? This might work well for organizations that are customer-orientated and require low-latency connections. Another method is to organize by purpose. Should all databases be grouped together? This might make sense from an organizational perspective, but it’s not an ideal placement from a security point of view. At a minimum, assets should be separated by type. Servers and clients run vastly different programs and serve discrete purposes. Your organization must decide what makes sense for its assets.
Step 3: Finally, create asset tags or groups. Asset tags and groups make it easier to segregate data for remediation teams, ensuring they only receive app data that is relevant to them. This is also a popular feature in some vulnerability scanners that makes it incredibly easy to search and identify different assets on the network and quickly perform precise scans when required.
Asset Management Does More Than Keep You Organized
Part of a successful Vulnerability Management program is to perform regular vulnerability scans. However, vulnerability scans can be invasive and require considerable bandwidth and time to complete, depending on the scanner’s settings and reach. With a well-organized asset inventory, scans can be conducted in a more precise, surgical manner.
For example, assume “Vulnerability X” only affects machines currently operating Windows 2012 R2. If your assets are organized efficiently, the Vulnerability Management team can perform a vulnerability scan only on those specific machines. If a scan is needed of servers that run critical services, those assets can be scanned during off-hours, reducing self-inflicted downtime.
In addition, an accurate inventory enables your engineering team to very quickly inform management and the remediation team of how many and what type of systems are affected by “Vulnerability X.”
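The naming convention and tagging steps above, combined with the scoped “Vulnerability X” scan, can be sketched as follows. This is an added example, not code from the original article: the `<env>-<site>-<type>-<purpose><nn>` hostname format, the function names and the sample inventory are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical convention: <env>-<site>-<type>-<purpose><nn>, e.g. prd-nyc-srv-db01
# env: prd/dev/tst, site: 3-letter location or "vrt" (virtual), type: srv/cli
NAME_RE = re.compile(r"^(prd|dev|tst)-([a-z]{3})-(srv|cli)-([a-z]+)(\d{2})$")

# Constructed sample inventory: (hostname, OS reported by discovery)
INVENTORY = [
    ("prd-nyc-srv-db01", "Windows 2012 R2"),
    ("prd-nyc-srv-web01", "Windows 2019"),
    ("dev-vrt-srv-db01", "Windows 2012 R2"),
    ("tst-vrt-cli-qa03", "Windows 10"),
    ("prd-lon-cli-hr12", "Windows 10"),
    ("raspberrypi", "Linux"),  # does not follow the convention
]

def parse_name(hostname):
    """Return the tags encoded in a hostname, or None if it breaks the convention."""
    m = NAME_RE.match(hostname.lower())
    if not m:
        return None
    env, site, kind, purpose, _ = m.groups()
    return {"env": env, "site": site, "type": kind, "purpose": purpose,
            "virtual": site == "vrt"}

def build_groups(inventory):
    """Build tag -> hosts groups; collect hosts that cannot be classified."""
    groups, unmanaged = defaultdict(set), []
    for host, os_name in inventory:
        tags = parse_name(host)
        if tags is None:
            unmanaged.append(host)  # candidate shadow IT: investigate, don't ignore
            continue
        for key in ("env", "site", "type", "purpose"):
            groups[f"{key}:{tags[key]}"].add(host)
        groups[f"os:{os_name}"].add(host)
    return groups, unmanaged

def scan_scope(groups, os_name, env=None):
    """Hosts to scan for an issue that only affects one OS, optionally one environment."""
    hosts = set(groups.get(f"os:{os_name}", set()))
    if env:
        hosts &= groups.get(f"env:{env}", set())
    return sorted(hosts)

if __name__ == "__main__":
    groups, unmanaged = build_groups(INVENTORY)
    print("Scan for Vulnerability X:", scan_scope(groups, "Windows 2012 R2"))
    print("Production only (off-hours):", scan_scope(groups, "Windows 2012 R2", env="prd"))
    print("Not in convention, needs review:", unmanaged)
```

The list of hosts that fail to parse is as useful as the groups themselves: anything discovered on the network that cannot be classified is exactly what the inventory is meant to surface.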
If you feel like you and your team are ready to dive in, here are three important components you’ll need to ensure your efforts pay off.
How to Ensure Your Asset Management Activities are Successful
Buy In: Any successful venture must have complete buy-in from upper and middle management. Upper management provides sponsorship and the necessary budget for tools and resources. If current practices do not meet the needs of expected goals, sponsorship and budget from upper management will help to bridge that gap. And when the Vulnerability Management team needs to engage with other parts of the organization, upper management should help facilitate communications between internal teams, as well as clear administrative and practical obstacles that impede the organizational objectives.
Getting this buy-in can be problematic if your organization is one that resists change and/or if the organization has been even somewhat successful with its current approach. Often, consultants are brought in by upper management to recommend changes to improve an organization, only to be met with resistance from middle management or the actual engineers. Many engineers fear for their jobs when outside help is brought in, believing that if the “old way” isn’t working, it’s a reflection on their performance. This can lead to conflict and passive-aggressive behavior towards management, the consultant, or both.
Education: The education of the engineers making the changes is extremely important as well. They must become subject matter experts (if they aren’t already) on the vulnerability scanner and be able to show management a proof of concept as to why a comprehensive asset inventory is foundational for a highly effective Vulnerability Management team.
Sometimes this can be an obstacle for an organization, particularly when new tools are acquired during a merger or acquisition. If your organization revamps its asset management team, engineers can quickly get very defensive. This can cause conflict and create an unstable work environment. C-level executives must emphatically create an environment that enables engineers to work effectively without fear for their jobs.
Documentation: Documentation is essential to everything in IT. Continuous updates and communication between the remediation and Vulnerability Management teams are required for a successful Vulnerability Management program. Both teams also need to continuously update the asset inventory. When changes occur, on either end, each team must document and communicate with each other to ensure that an accurate inventory is maintained.