Getting Control of Your Hardware Assets
Blame the Sound Technician
You’ve probably never considered this before, but the job of a CISO is much like that of the sound technician at your favorite concert. Think about it: both are highly skilled technicians who make sure that all of the equipment operates according to plan and that the users (musicians) can use the devices to do their job (make music). If everything works as intended, most people won’t even notice the sound technician huddled in his booth at the back. However, at the first squeak of a microphone or a muted instrument (the devices), all eyes spin around to the sound booth with a glare, regardless of whether the musician was at fault.
So it is with the CISO. As long as everything operates as intended the CISO’s work goes largely unnoticed, but at the first sign of a breach all eyes turn to the CISO to ask why. This analogy holds up best when considering the inventory and control of devices within a CISO’s responsibility. Devices are the instruments used by the wider organization to perform meaningful (and sometimes meaningless) activities within the organization.
The One that Got Away
It goes without saying that devices usually contain an inherent value which leads them to be the target of run-of-the-mill theft, with confidential information simply going along for the ride. This was the case with the theft of various laptops, cameras, and external drives from a Washington State federal building in early 2016, when a thief broke in to “steal anything he could grab that was worth selling.” It just so happened that many of those devices also included 2 to 5 million records related to child support audits. Healthcare data seems particularly prone to this sort of breach, according to the 2018 Verizon DBIR report, with “laptops and other portable devices, and paper documents consistently [going] missing from healthcare organizations each year.”
In some cases the device is issued by the organization, but the situation becomes more complex when you consider the need to allow access to personally owned devices (Bring Your Own Device), IoT devices, and the equipment of guest users. In this case, the set of devices hitting the network at any given time is far more dynamic.
Perhaps this explains why CIS lists “Inventory and Control of Hardware Assets” as the first control in its list of top 20 critical controls. As you might expect from the previous comment about healthcare breaches, asset management also figures prominently in the HIPAA Security Rule to ensure the security of workstations, devices and electronic media. In addition, NIST CSF includes Asset Management within its second control category, Identify. Maintaining control of assets might be a difficult proposition, but it is one of the first stops in many of these frameworks because so many other controls depend on it.
Regardless of the control, they all agree that two key aspects are necessary: Inventory and Classification of assets. For organizations that have not yet undertaken either of these two tasks, it might seem like the equivalent of herding cats to understand what devices exist (inventory) and how they are being used (classification). But herd cats you must and thankfully there are tools that can help you finish the job. The following tools, asset discovery and asset classification, help organizations to manage the security of their assets.
Active Discovery Tool
A device inventory provides a comprehensive view of every asset or device that has the “potential to store or process information”. An active discovery tool helps you uncover these by scanning for devices attached to the network and adding them to an inventory. This follows from the maxim stated by CIS that “you can’t control what you don’t know you have.” An active discovery tool helps you monitor and maintain an inventory of devices that have the potential to introduce new attack vectors into your network. However, apart from printers and network phones, where usage can be inferred, active discovery tools won’t tell you how the majority of these devices are being used or what information they contain; hence the need for a second tool.
Asset Classification Tool
Where active discovery tools help build an inventory of which devices are on your network, an asset classification tool tells you why the devices are there and how they are being used, so that appropriate controls can be put in place. Classifying the assets in your inventory provides greater visibility into the usage of each device, so that you don’t treat a laptop with access to medical records the same way you would a surplus network phone.
Here too the analogy of herding cats holds since collecting information on the usage of a device—such as the presence of PII (personally identifiable information) or criticality of the device to the organization—often requires some human input from the user of the device. Asset classification tools take the inventory a step further and allow further categorization so that devices that pose a greater risk can be flagged for greater diligence and security controls.
For smaller organizations with little churn in their devices, perhaps a spreadsheet paired with a free survey tool will give you all the information you need. In fact, many security teams start with spreadsheets to organize all of the metadata on devices and might even employ Google Forms or Qualtrics to collect device and data usage information from users – voilà! Unfortunately, as an organization grows this method becomes cumbersome, while the risk of outdated or incorrect information becomes untenable. At this point a purpose-built tool for asset inventory and classification, such as SaltyCloud’s risk assessment workflow tool ISORA, becomes necessary.
Getting a Handle on Your Hardware Assets
If you haven’t taken both of these steps, Inventory and Classification, across all your devices that sit (or have the potential to sit) on your network, it’s time to take some steps to enact this critical control at your organization. 1) Create a dynamic inventory through an active discovery tool; and 2) control the risks associated with that inventory using an asset classification tool.
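As an added illustration of those two steps (this is example code written for this article, not ISORA’s or any discovery tool’s code): a scan result from an active discovery tool is reconciled against the existing inventory to surface devices that are on the network but were never inventoried, and inventoried devices that have gone missing; the classification answers attached to each inventory record are then turned into a review tier so the riskiest devices get controls first. The MAC addresses, owners and classification values are constructed sample data.

```python
"""Reconcile an active-discovery scan against an asset inventory and rank
the inventory by classification. All data below is constructed sample data."""
from dataclasses import dataclass, field

# Constructed output of an active discovery scan (e.g. an ARP/ping sweep),
# keyed by MAC address because IP addresses change under DHCP.
SCAN = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "host": "clinic-lt-07"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "host": "lobby-phone-3"},
    {"mac": "00:11:22:33:44:09", "ip": "10.0.1.57", "host": ""},  # never inventoried
]

@dataclass
class Asset:
    mac: str
    owner: str
    pii: bool = False          # classification answer: stores or accesses PII?
    criticality: str = "low"   # classification answer: "low" | "medium" | "high"
    seen: bool = field(default=False, init=False)

# Constructed inventory with the classification survey answers attached.
INVENTORY = {
    "00:11:22:33:44:01": Asset("00:11:22:33:44:01", "records dept", pii=True, criticality="medium"),
    "00:11:22:33:44:02": Asset("00:11:22:33:44:02", "facilities"),
    "00:11:22:33:44:03": Asset("00:11:22:33:44:03", "billing", pii=True, criticality="high"),
}

def reconcile(scan, inventory):
    """Mark inventoried assets that the scan saw; return (unknown_macs, unseen_macs)."""
    for asset in inventory.values():
        asset.seen = False
    unknown = []
    for rec in scan:
        asset = inventory.get(rec["mac"])
        if asset is None:
            unknown.append(rec["mac"])   # on the network but not in inventory: investigate
        else:
            asset.seen = True
    # inventoried but absent from the scan: possibly lost, stolen or decommissioned
    unseen = [mac for mac, asset in inventory.items() if not asset.seen]
    return unknown, unseen

def risk_tier(asset):
    """Map classification answers to a review tier; PII or high criticality gets the most diligence."""
    if asset.pii or asset.criticality == "high":
        return "tier-1"
    return "tier-2" if asset.criticality == "medium" else "tier-3"

def review_queue(inventory):
    """Inventory ordered by tier (then MAC) so the riskiest devices are handled first."""
    return sorted(inventory.values(), key=lambda a: (risk_tier(a), a.mac))
```

Running `reconcile(SCAN, INVENTORY)` flags the uninventoried host at 10.0.1.57 and the billing device that did not answer the scan; `review_queue` puts both PII-bearing devices ahead of the lobby phone.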
Whatever method you choose to fulfill the inventory and classification of assets, managing the hardware devices in your organization satisfies the first step toward achieving a secure device ecosystem and ensures that all instruments and devices in use are in tune with the inventory and security controls for your organization.