Notes from the Field: CIS Control 01 – Inventory and Control of Enterprise Assets
The Center for Internet Security released Version 8 of its CIS Controls document in May 2021. If you are not familiar with the Center for Internet Security, it’s a non-profit organization dedicated to making “the connected world a safer place…” The Controls document includes 18 information security controls that all organizations and information security professionals should understand and implement to protect their data, networks, systems, and other resources.
The clients I work with often don’t have mature information security programs in place. They may have some good controls but are overwhelmed from trying to understand all the different things they need to do to protect their systems and data. There are so many resources out there that are hundreds of pages long for specific topics. They don’t have the time to read them or the expertise to understand them. Vendors try to push them into buying products they don’t need or don’t have the resources to manage. Where do they begin?
I recommend they start by reading the CIS Controls. It’s a concise, high-level document about information security that executives can understand and also has specific control details that experienced information technology and security staff can run with to properly secure their environments.
Let’s start with Control 01 – Inventory and Control of Enterprise Assets. The CIS overview for this control reads: “Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”
Control 01 includes five sub-controls, or safeguards, as the CIS document refers to them. They are:
1.1 Establish and Maintain Detailed Enterprise Asset Inventory
1.2 Address Unauthorized Assets
1.3 Utilize an Active Discovery Tool
1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
1.5 Use a Passive Asset Discovery Tool
Why is Inventory and Control of Enterprise Assets important? Enterprises can only defend the assets and data they know about. Organizations need to know what they have, where it is, and how it is protected. Newly deployed systems may not be fully secured and give attackers an opportunity to gain a foothold in a company’s environment.
When I meet with clients, they all say how important information security is and that they take it very seriously. They may have advanced tools to protect their networks. But when we dig in and take a look at their network and systems, often they don’t have an accurate inventory. They may use one tool for cloud systems, another tool for on-premises servers, and another for network gear. They may have yet another for tracking laptops and desktops. Different people are responsible for the different tools. One staff member may be very diligent about maintaining an accurate inventory, while another may consider it unimportant and a waste of time. Each person follows different processes. Often no one is coordinating and overseeing their activities.
I recently conducted a gap assessment for a client that does not have a mature information security program in place. The IT Manager was particularly concerned about ransomware attacks as he knew people at other organizations that had been hit by them. He said the fear of a ransomware attack kept him awake at night. Reviewing their documentation and processes, I observed they didn’t maintain a definitive system inventory. The IT Manager stated that maintaining an inventory wasn’t a priority as the IT team was focused on sophisticated security tools, such as an intrusion detection and prevention system and a SIEM for logging and alerting.
It soon became apparent how their lack of an inventory process left their systems and organization vulnerable. Without a definitive list of servers, laptops, and workstations, we had to rely on Active Directory, but it contained many systems that were no longer in use. The company also had stand-alone systems and Linux servers that were managed by various individuals, independent of the IT department. They didn’t know how many. In a conference room with the IT Manager and IT staff, we reviewed the Windows Server Update Services (WSUS) console to determine the patch level of Windows servers and desktops. We compared the list of systems in WSUS against the systems listed in Active Directory. I identified a number of systems in Active Directory that we could not find in the WSUS console. Not a good sign. I could see why the IT Manager had insomnia. A lack of inventory results in serious control gaps.
I asked the lead systems administrator to use RDP to connect to one of the servers not listed in WSUS. It was a member of a Hyper-V cluster on which many of their production virtual machines were running. We looked at the Windows Update history. The server had not been patched since 2015. Six years had passed since anyone installed security patches on it. That’s really bad, but not the first time I’ve seen something like this. Just as concerning is that no one had noticed in all that time. The IT Manager was visibly upset and incredulous. He stammered and said it was some sort of mistake. He looked around the room. He and his team are on top of these things, right? They patch their servers regularly, or so they thought.
We also found the server did not have anti-virus installed on it. The systems administrator RDP’d to the second server in the Hyper-V cluster. Same results: the last security patch was six years ago, and no anti-virus was installed.
The IT Manager said, “They are only Hyper-V hosts, not a big deal.” I replied that it was as big a deal as it could get, as many of their production virtual machines were running on the Hyper-V hosts. The hosts were a prime target for ransomware gangs. If the Hyper-V hosts had been compromised, the company wouldn’t be able to do business for days or weeks until the IT staff could recover the systems from the attack – if they could recover them. They’d likely need to bring in security consultants at great expense to secure their environment and do a forensic analysis.
Many of the company’s hundreds of employees wouldn’t be able to get any work done during that time. A ransomware attack could have a huge impact on productivity, cost, and company reputation. For all the IT Manager knew, the systems were already compromised as there were no security tools installed on the hosts that could alert the IT staff of potential attacks. We were just getting started with this audit and the first two systems we reviewed lacked controls. What else would we find? How could they install their IDS/IPS and SIEM tools on systems they didn’t know about? The IT Manager agreed that a solid inventory of systems is important in support of an organization’s security posture.
So what do the IT Manager and the IT staff need to do? They need to establish a policy requiring, and procedures for maintaining, a definitive inventory of all assets – on-premises and in the cloud, as well as remote end-user systems. They should review and update the inventory at least quarterly, preferably monthly. They need to know about every system and network device so they can protect them. That means following Control 01 and its sub-controls, using automated tools to inventory their network and systems. They must manually verify that their inventory is accurate, as automated tools can fail or be misconfigured and return incorrect results. The IT staff need to compare their inventories against the assets identified by Nmap and network vulnerability scans. This company needs to assign owners to these processes and to the assets to verify that the inventories are current and continuously updated.
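The reconciliation this assessment did by hand (Active Directory against WSUS), extended to the Nmap comparison recommended above, as an added worked example that is not from the original post: the AD and WSUS exports and the scanned host list are constructed sample data, and the 90-day staleness window for Active Directory objects is an assumption.

```python
# Added example (not from the original post): reconcile the three asset
# sources the post mentions. AD_CSV, WSUS_CSV and NMAP_HOSTS are constructed
# sample exports; the 90-day staleness window is an assumption.
import csv
import io
from datetime import datetime, timedelta

AD_CSV = """name,lastLogonDate
HV01,2021-06-01
HV02,2021-06-01
FS01,2021-06-02
OLDPC7,2018-03-11
WS-ACCT-12,2021-05-30
"""
WSUS_CSV = """name,lastReported
FS01,2021-06-02
WS-ACCT-12,2021-05-29
"""
# Hostnames answering an Nmap scan of the server and workstation subnets.
NMAP_HOSTS = ["hv01", "hv02", "fs01", "ws-acct-12", "lab-linux-3", "printer-2f"]


def load(csv_text, date_field):
    """Return {NAME: date}; names upper-cased so the sources compare cleanly."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["name"].upper(): datetime.strptime(r[date_field], "%Y-%m-%d")
            for r in rows}


def reconcile(ad_csv, wsus_csv, nmap_hosts, today, stale_days=90):
    """Compare AD, WSUS and the network scan; today is an ISO date string."""
    ad = load(ad_csv, "lastLogonDate")
    wsus = set(load(wsus_csv, "lastReported"))
    seen = {h.upper() for h in nmap_hosts}
    cutoff = datetime.strptime(today, "%Y-%m-%d") - timedelta(days=stale_days)
    # Active AD members are the assets the inventory must account for.
    active = {name for name, last in ad.items() if last >= cutoff}
    return {
        # Active in AD but never reporting to WSUS: the unpatched-hosts case.
        "ad_not_in_wsus": sorted(active - wsus),
        # No logon within stale_days: clean up or verify (safeguard 1.2).
        "stale_ad_objects": sorted(set(ad) - active),
        # On the wire but in no inventory: unknown assets (safeguards 1.3, 1.5).
        "on_network_not_inventoried": sorted(seen - set(ad)),
        # Inventoried but not answering the scan: confirm or retire.
        "inventoried_not_seen": sorted(active - seen),
    }


if __name__ == "__main__":
    for gap, hosts in reconcile(AD_CSV, WSUS_CSV, NMAP_HOSTS, "2021-06-03").items():
        print(f"{gap}: {', '.join(hosts) or 'none'}")
```

Each of the four result lists maps to an action: the first is the patching gap found in the conference room, the second is the stale Active Directory objects that made AD unreliable as an inventory, and the third is the machines managed outside IT that the scan surfaces.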
Once the company has an accurate inventory, they can determine how to properly protect the systems. They can make sure that the systems have the latest security patches and have antivirus and a host intrusion detection system installed. They will need to do periodic status checks of the security tools on all systems. The IT Manager can then sleep better at night, knowing all of the company’s systems are accounted for and secured; that’s the first step in protecting company and customer data.
To learn more, contact a KirkpatrickPrice information security specialist today.
About the author
Greg Halpin has 25 years of experience in information technology and security. He has a Master’s in Information Sciences – Cybersecurity and Information Assurance from Penn State University, and he has earned the CISSP, CISA, and CCSP certifications. He enjoys working with people and organizations to help them secure their networks and systems. Greg lives in Happy Valley, PA.