Defensive Security Handbook on Amazon.com

My apologies. I am overdue on our next chapter review and this is a good one. Asset management.  The best offence is a good defence. Let’s start here.

“You don’t know what you’ve got til it’s gone.” Ain’t that the truth, especially in light of the growing blight of the Equifax breach: all that data, all those victims. Simply put, you can’t secure what you don’t know.  This applies to both tangible and intangible assets, specifically data. While this seems like common sense, for what is a basic fundamental, people do a terrible job or don’t do it at all.

We are told to remember these two things: “ensure there is one source of truth, and that it is a process, not a project.” In addition, classification and ownership play key roles in the success of this process. One source of truth means that whatever software or system you use to keep track of things, there are no conflicts or discrepancies with anything else. This is understood to be the single, definitive source of truth about assets.  Engage a sense of responsibility throughout the company to detect when “one of these things is not like the others”. BYOD is a thing, and unmanaged, it’s why we can’t have nice things. Ideally, get some executives involved to champion the ongoing cause. Because this is a process, not a one-time project.

Let’s talk about classification.  We live in the age of big data. As we keep learning breach after breach, it’s harrrrd to safeguard the ephemeral. Data is our most valuable asset, in digital form.  You need to know what you have, and ensure that this is understood by everyone inside and outside your organization. Most importantly, know what your crown jewels are and where they are. Your critical assets should be as prized by you as they are by attackers. Just ask the guys at Equifax and OPM about that.

Steps to classify data:

1. Identify the sources to be protected: what they are, where they live, who are the owners.
2. Identify the information classes: make sure the labels assigned have the same meaning for everyone. There should be no questions around critical or sensitive.
3. Map protections to set information classification levels: Authentication, authorization, security controls, encryption.
4. Classify and protect information
5. Repeat as a necessary part of a yearly audit: Nothing stays the same. That’s why this is a process, and not a project.

Let’s talk about the 4 steps in the asset management process:

1. Define the lifecycle: easier said than done. There are a lot of stages between delivery and death. It’s new, it’s old; it’s mine, now it’s yours; repair or replace it. Here is a simple set of stages: Procure, deploy; manage; decommission. And that does not mean it just gets thrown out. You need to permanently and responsibly remove all data and its traces.
2. Gather information: how do you collect all the details on all the stuff? You could use:
   ARP cache or Address Resolution Protocol from routers and switches for a list of all the IP and MAC addresses connecting to the network.
   DHCP or Dynamic Host Configuration Protocol has all IP address reservations and may even have hostnames.
   NMAP is a comprehensive scanning tool of networks that can yield a lot of results.
   SNMP is Simple Network Management Protocol and can provide a lot of information on networked devices. Netdisco is a free automated scanning tool to help you do this.
   WMI or Windows Management Interface can get most the information from a device.
3. Powershell is a powerhouse command line solution to get information about AD users.3. Track changes: How do you manage all the changes, the additions and deletions that affect your hardware and software inventories, and your personnel? When someone leaves, does something leave with them?
4. Monitor and report:  You need to track updates and license renewals, or warranty expiration. It can also alert you to the addition of new and potentially unauthorized devices.

Automation: this is your helper. It works for you, with your supervision.  And ensures that routine tasks and monitoring get done consistently. Find ways to put it to work, like barcodes on items.