by Dwayne Stewart
4:00 min read
The CIS Controls provide a clear and elegant, if not always simple, framework for a cybersecurity plan. From the Center for Internet Security, the top 5 in order of priority:
The device inventory
The first priority masks a simple assumption – that there is an explicit awareness of every device on a network. Without this fundamental information, it isn't even possible to track software, configurations, and access reliably. Compiling a full inventory may take some effort if starting from scratch, taking into consideration remote employees, mobile devices, and IoT devices. But there are several software tools/vendors in the IT asset management market that help expedite inventory making it much less onerous.
While the process takes a significant time commitment, it’s truly essential for being able to get the most out of your security efforts. Sometimes there are rogue devices that have gained access, usually through Wi-Fi. If there’s been a breach, an accurate inventory proves crucial for locating devices and enacting safeguards quickly.
Newer devices are generally more up to date and easier to keep secure, while older devices may have problems updating to the latest, most secure software. IT management needs to identify the devices that need special attention. At some point, they should be retired for security reasons; if this isn't possible, access to the network should be restricted.
The process needs to start with a scan of the network to identify as many devices as possible. The results should include anything with an IP address, including printers, VoIP phones, PoS devices, and network-connected devices. The first scan will most likely be incomplete, since some devices are intermittently connected, but it establishes a baseline.
The scan needs to obtain as much identifying information as possible. This includes the MAC address, device type, operating system, and version. Devices that can't be identified need additional scrutiny. The safest policy is to block access until they can be validated. If the network uses DHCP to assign IP addresses, DHCP server logging will help to track all devices.
A network that implements complete endpoint management, with a software agent in each authorized device, can take an inventory most easily. It may not be possible to install agents in all cases, but the better discovery software products can recognize many devices even without one. Where possible, they rely on queries with ICMP, HTTP, and other protocols. In addition, they can send and track malformed packets as different device models and operating systems respond to those in different ways. These techniques can identify nearly all machines that aren't intentionally disguised.
Going forward, it is then necessary to simply stay up to date. If the endpoint discovery software can recognize any new device when it joins the network, this will happen automatically. Otherwise, periodic rescanning of the network will pick up devices that were previously offline or have been added.
Matching the physical devices
While the inventory process starts on the network, the devices it lists are physical objects. Devices on the premises have to be matched up with listed network devices. Personal devices need to be matched with their owners. This establishes who is responsible for a device, where it can be found if service is needed, and whether it has an appropriate level of physical protection.
The process of acquiring and adding a device should start with confirming that it conforms to the network's requirements, including the installation of software agents if required. New devices need to be set up securely before connecting them to the network; otherwise they constitute a window of vulnerability which malicious network probing can quickly find. Devices which are added to the network temporarily, or which aren't fully under the network management's control, need to be treated with special care such as mobile devices under a BYOD policy and home computers used for telecommuting.
Checking and updating devices
Having an inventory lets the network administrator check whether each connected device meets the requirements for safely connecting to the network. This gets into control #3: configuration of hardware and software. Every device should be running a currently maintained and patched operating system. If any of them aren't, they should be updated, blocked, or at least restricted in their access to the network. Endpoint management software can keep all devices which have installed agents up to date. In other cases, the network needs enforced policies for updating all authorized devices.
How tightly an organization can control its inventory of devices will vary greatly from case to case. In all cases though, network management needs to make the best effort possible to enumerate the devices which are authorized to access the network, if only in order to identify and remediate unauthorized ones. Device inventory -- a security basic with a top priority; it makes everything that follows less complicated.