Do you know where your most valuable assets are? No, not your car or your house – we’re talking about your company’s cybersecurity assets. Without knowing where these are and what risks they face, you can’t protect them properly. Cybersecurity asset management can help you do just that. But is it worth the time and money? Let’s take a look.
Asset Management is a fundamental part of Cybersecurity because it provides the ability to see what's going on across the entire organization. This is essential when it comes down to preventing cybersecurity incidents, understanding them and mitigating their impact.
Asset Management Security and its importance in Cybersecurity
What good are you Cybersecurity professionals if you only get alerted about problems that have already happened? You need to keep abreast of everything on your network so you can see issues before they arise. This is where Asset Management starts to become essential.
Asset Monitoring keeps track of changes across the company, alerting you to potential problems and allowing you to get ahead of them or at least ensure they don't lead to more issues.
There is little use for an iPhone if the iPhone doesn't have any apps on it. How is that phone going to be useful? Likewise, without Asset Management, there is little use for your Cybersecurity team.
The benefits of Asset Management in the Cybersecurity field and why it's important
Asset Management is the term used to describe systems that track and monitor information technology (IT) or (CNI) assets, including hardware, software, security vulnerabilities, current configuration items (CIs), logs of changes in CIs, etc. These systems provide continuous monitoring along with sophisticated reporting capabilities which are essential for effective cybersecurity defense. Even when an organization doesn't have an asset management system implemented, the IT department usually has some knowledge of what is being used by their network, whether it be for licensing purposes or to determine how old software may need updates. However, this knowledge is typically limited to knowing what was purchased and installed without actually knowing where it's located on the network or if its current configuration is still secure.
Asset Management is an integral part of a comprehensive cybersecurity program. The National Institute of Standards and Technology's (NIST) Special Publication 800-128, Information Security Continuous Monitoring for Federal Information Systems and Organizations, recommends that agencies use an automated tool to perform continuous monitoring in order to meet requirements for security effectiveness, compliance, and efficiency.
This is important because attackers methodically probe networks looking for unguarded entry points that will allow them to bypass perimeter defenses. They even anticipate that organizations have asset management systems in place and try to discover vulnerabilities by leveraging these systems against an organization's blind spots instead of testing where they know there are strong controls in place. Because of this, the lack of a continuous monitoring system can create significant blind spots for an organization and allow attackers to exploit vulnerabilities that have been overlooked.
By implementing asset management on a continuous basis, organizations can stay ahead of attack methods and keep their network secure without devoting large amounts of time and resources towards maintaining legacy tools which
Effective measures to audit your Assets for Vulnerabilities
According to the GAO, organizations are not effectively implementing security programs that provide reasonable assurance that they are managing their information security risks. This is largely due to poor asset management, because without knowing what assets you have, you expose your organization to risk.
The report illustrates this point by using the following analogy:
Imagine an unkempt home with a broken front door and windows, where anyone can walk in at any time. This is the equivalent of an organization with poor security controls, such as having a default username and password on a company laptop. Now imagine that same house with all of its windows boarded up from the inside, but the front door unlocked and inviting people. This is the equivalent of an organization with poor asset management because they know what assets are exposed but haven't done anything to secure them.
So how do you go about performing effective measures for auditing your Assets?
First, you should create a complete inventory of all IT assets and record each asset's unique identifier, description, owner, location, value, security categorization, and make/model. All critical components should also have a current configuration baseline to ensure any changes are documented and authorized before being implemented. Once you make all of your assets visible through this inventory system it becomes much easier to manage risk because you will be able to see if any devices are missing.
Next, you should make it a priority to maintain current configuration baselines for all assets with critical components by using automated tools that run on schedule or when changes are made. Always follow standard change management procedures and document any deviations in order to maintain your IT asset management system's integrity.
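The two steps above can be sketched as a scheduled audit job. This is an added example, not code from the original article: the `Asset` record, `config_digest`, `audit`, and all sample asset IDs and settings are constructed for illustration, and it goes one step beyond the text by also flagging devices seen on the network that are absent from the inventory.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Asset:  # one inventory record, with the fields listed in the text
    asset_id: str                   # unique identifier
    description: str
    owner: str
    location: str
    value: int
    categorization: str             # security categorization
    make_model: str
    critical: bool = False
    baseline: Optional[str] = None  # SHA-256 of the approved configuration

def config_digest(config: dict) -> str:
    """Hash a configuration in canonical form so key order does not matter."""
    return hashlib.sha256(json.dumps(config, sort_keys=True).encode()).hexdigest()

def audit(inventory, observed, approved_changes=frozenset()):
    """Compare inventory records with a scan result (asset_id -> live config)."""
    known = {a.asset_id: a for a in inventory}
    findings = {
        "missing": sorted(known.keys() - observed.keys()),   # inventoried, not seen
        "unknown": sorted(observed.keys() - known.keys()),   # seen, not inventoried
        "no_baseline": sorted(i for i, a in known.items() if a.critical and not a.baseline),
        "drift": [],                                         # changed without approval
    }
    for asset_id in sorted(known.keys() & observed.keys()):
        base, digest = known[asset_id].baseline, config_digest(observed[asset_id])
        if base and digest != base and (asset_id, digest) not in approved_changes:
            findings["drift"].append(asset_id)
    return findings

# Constructed sample data: three inventory records and one scan result.
FW_BASELINE = {"ssh": "key-only", "admin_ui": "disabled", "firmware": "1.4.2"}
INVENTORY = [
    Asset("FW-001", "Edge firewall", "netops", "DC1 rack 4", 12000, "high", "ExampleCo FW-9", True, config_digest(FW_BASELINE)),
    Asset("LT-014", "Finance laptop", "j.doe", "HQ floor 2", 1500, "moderate", "ExampleCo L-13"),
    Asset("DB-003", "Payroll database", "dba", "DC1 rack 7", 30000, "high", "ExampleCo S-2", True),
]
SCAN = {
    "FW-001": {**FW_BASELINE, "admin_ui": "enabled"},  # changed outside change management
    "DB-003": {"tls": "1.2"},                          # critical, but no baseline recorded
    "PRN-77": {"snmp": "public"},                      # never added to the inventory
}
if __name__ == "__main__": print(json.dumps(audit(INVENTORY, SCAN), indent=2))
```

A change that went through change management is passed in `approved_changes` as an `(asset_id, digest)` pair, which keeps it out of the drift list until the baseline itself is updated.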
Keep in mind that the lack of effective IT asset management is part of the reason organizations struggle to implement strong security measures, such as continuous monitoring. Fortunately, with the right tools and procedures in place an organization can manage risk and continuously monitor their assets when threats arise.
Asset Management and the management of Cybersecurity risks present organizations with two separate but highly intertwined challenges. In many organizations, security is a subset function of an organization's IT department – where IT takes care of the technology infrastructure necessary to support business operations – while cybersecurity is a function that sits within both the IT and Security functions.
For further support or help in discovery, asset labelling & identification and risk evaluation, why not reach out to our team to understand how we can support your Cybersecurity risk management and your Asset Management?