A Wake-Up Call
A recent, much read and passed around blog post from cybersecurity expert Daniel Miessler detailed many of the issues regarding lax cyber security asset management. Miessler wrote: “Asset management is arguably the most important component of a security program, but I know of virtually zero companies that have a single person dedicated to it.” He goes on to point out that, “Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to train and conferences that usually have very few tangible benefits … But pay 100K a year to have a list of what we’re defending? Nope.”
The Life Cycle of IT Assets
An IT asset life cycle refers to the stages that an information technology asset goes through during its time of ownership. Determining the current life cycle stage for each IT asset is a necessity for effective cyber security asset management and may look like this:
- Procurement. It should be a matter of course that, whenever an asset is purchased, it is recorded in your organization’s asset management system, and your IT devices and software should be no exception. Information should include model numbers, serial numbers, name of manufacturer and the department the equipment was purchased for.
- Distribution of assets. Recording to whom the assets are distributed, or redistributed, is the next necessary step to take for cyber security asset management. Many organizations lose track of who has what devices, and this can only get more muddled as employees leave, shift departments and so on. You’ll also want to tightly control what devices run which software assets; employees who have access to programs they won’t use or don’t need may only needlessly impair security.
- Maintenance and Upgrade. Software and hardware updates often have security patches (see our earlier post about the importance of patching). Each update or patch should be recorded and verified. An organization should also record the last time a device was scanned or antivirus software run, or antivirus schedules.
Be thorough. In 2014, JP Morgan Chase overlooked one of their network servers when providing a security update. Hackers were able use this exposed server to steal data from roughly 83 million customers.
Maintaining devices also means making sure employees aren’t uploading or using unauthorized or unmanaged software. This software may be benign, or it could be an entry point for a hacker to invade
- A list of log-in users for each device. Even if a device is assigned to one specific employee, a device may be shared or passed around. Keeping a list of every user for each device can help protect them, especially when a staff member leaves, as a reminder their log in should be deleted.
- Disposal/Retirement. When a piece of equipment has run its course, don’t forget to verify that all the information on it has been wiped clean, so that company data is not vulnerable to hackers. You also may want to cancel or transfer licenses.
Keep in mind that cyber security asset management cannot be a one-time only chore; it’s success hinges on its continuity. You must know when each asset changes hands, becomes outdated, needs updating and so on.
As cybersecurity company Compuquip says, “IT asset management is a lot of work—which may explain why so many companies fall behind on this critical task. But, the importance of asset management for your company’s IT components cannot be overstated.”
Let’s Get Started with Your Cyber Security Asset Management
Our recent blog post on cyber security monitoring stressed the importance of being proactive in keeping your organization safe form cyber threats. Cyber security asset management is a critical component of proactive security and can be the difference between rebounding quickly after a cyberattack and not recovering at all. Understanding the importance of an active cyber security asset management system is a first and proactive step, but you also need to put that understanding into action. DYOPATH can help. We offer a wide selection of security offerings including infrastructure patch management, 24/7/365 network monitoring services, proactive desktop and server security and more.
Let us help get your asset management program started. Contact us for more information.