Inventory and Management of Hardware Assets - Top 20 Security Controls
December 2020 | Michael Wetherald

Top 20 Critical Security Controls Series

This is the first post in our blog series on the industry-standard top 20 critical security controls, sometimes referred to as the SANS Top 20 or the CIS Critical Security Controls. These controls are a collection of best practices for protecting your organization from the most common attacks facing organizations like yours around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from:

#1: Inventory and Management of Hardware Assets

This control is a critical first step for securing your organization. You must identify all of the assets in use by your organization, regardless of whether they are currently connected to your network. All hardware assets that can store, access, or process data pertaining to your business need to be considered when implementing the remaining security controls, and this is only possible with an accurate and up-to-date inventory of hardware assets.

Why Is This Control Important?

How can you protect your environment if you don’t know what devices are in it? Even if you pull a list of devices which are on your secure network, without some type of inventory how do you know which devices are authorized? Which assets contain the most sensitive information? Which assets must remain active for your business to continue being operational? All of these questions are critical for developing a security program and can only be answered with an accurate and up-to-date inventory of hardware assets.

How to Implement This Control

This control boils down to maintaining some sort of inventory list of all of your hardware assets. If you are a small team, this might just be a spreadsheet. Organizations with more than a handful of assets should use IT Asset Management software which can meet the requirements outlined as follows:

Maintain Detailed Inventory of Assets

Inventoried assets should contain at least the following information:

  • IP Address(es)
  • MAC Address
  • Hostname
  • Asset Owner
  • Physical Location
  • Is asset authorized to be on the network?

Asset Discovery

Asset discovery is the process of determining which assets are on your network. There are two categories of asset discovery: active discovery and passive discovery. To implement this control in your environment:

Use an active discovery tool which can identify devices connected to the organization's network. This can be done by scanning the network for all active hosts and updating the hardware asset inventory list with the results.

Use a passive discovery tool which can identify devices sending traffic on your organization's network. This can be done by parsing logs generated by network devices and updating the hardware asset inventory list accordingly.

DHCP Logging

Utilize DHCP logging to update your hardware asset inventory. DHCP is the protocol used to automatically manage and assign IP addresses as hosts leave and join your network. This is a perfect place to detect assets joining and leaving your network and help keep your hardware asset inventory up to date.
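As an added example (not code from the original article or from Viam), the Python below reconciles DHCP lease acknowledgements against an inventory holding the minimum fields listed above. It assumes ISC dhcpd syslog lines of the form "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the Asset class, the reconcile function, and all sample data are hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# ISC dhcpd syslog lease line: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"
ACK_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9A-Fa-f:]{17})"
                    r"(?: \((?P<host>[^)]*)\))? via \S+")

@dataclass
class Asset:  # the minimum inventory fields listed earlier in the article
    mac: str
    hostname: str
    owner: str
    location: str
    authorized: bool
    ips: set = field(default_factory=set)

def norm(mac):  # canonical MAC form so inventory and log values compare equal
    return mac.lower().replace("-", ":")

def reconcile(assets, log_lines):
    """Record leased IPs on known assets; return findings that need follow-up."""
    inventory = {norm(a.mac): a for a in assets}
    findings = []
    for line in log_lines:
        m = ACK_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement
        mac, ip, host = norm(m["mac"]), m["ip"], m["host"] or ""
        asset = inventory.get(mac)
        if asset is None:  # device is on the network but not in the inventory
            findings.append(("unknown", mac, ip, host))
            continue
        asset.ips.add(ip)
        if not asset.authorized:  # inventoried, but not approved for the network
            findings.append(("unauthorized", mac, ip, host))
        elif host and host != asset.hostname:  # stale record or reused MAC
            findings.append(("hostname_mismatch", mac, ip, host))
    return findings

# Constructed sample data (not from a real network).
INVENTORY = [
    Asset("52:54:00:AA:BB:01", "fin-laptop-01", "finance", "HQ 2F", True),
    Asset("52-54-00-aa-bb-02", "lobby-kiosk", "facilities", "HQ lobby", False),
]
SAMPLE_LOG = [
    "Dec  1 09:00:01 dhcp01 dhcpd[811]: DHCPACK on 10.0.0.12 to 52:54:00:aa:bb:01 (fin-laptop-01) via eth0",
    "Dec  1 09:02:17 dhcp01 dhcpd[811]: DHCPACK on 10.0.0.40 to 52:54:00:aa:bb:02 (lobby-kiosk) via eth0",
    "Dec  1 09:05:43 dhcp01 dhcpd[811]: DHCPACK on 10.0.0.77 to 52:54:00:cc:dd:99 via eth0",
]
```

Calling reconcile(INVENTORY, SAMPLE_LOG) returns one "unauthorized" finding for the kiosk and one "unknown" finding for the device that has no inventory record, which are the cases the unauthorized-asset procedure has to cover.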

Advanced Steps

Take this control to the next level by utilizing port level access control. This involves authenticating hardware assets as they join the network. When you implement this control, make sure you integrate it with the hardware inventory system to ensure only authorized assets can connect to the network.

Another advanced level of protection is the use of client certificates, instead of or in addition to credentials, to authenticate hardware connecting to the network. Just as we mentioned with port level access control, make sure the system is tied into the hardware inventory list to ensure only authorized assets connect to the network.

Address Unauthorized Assets

A crucial part of implementing this control involves developing policies and procedures for addressing assets in your environment which weren't previously authorized. How do you want to handle this situation in your environment? Do you allow bring your own device (BYOD)? When an unrecognized device connects to your network, who is responsible for which actions to address it?

Conclusion

Be sure to check out the next article in our series, where we cover security control #2: Inventory and Management of Software Assets.

Inventory and Management of Software Assets is a crucial control for developing the security program at your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you’re ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.
