Welcome to the 27th edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Inventories of Assets are Overlooked
Which Risk gets ignored most?
Enterprise Risk Management is designed to enumerate and manage the risks that are a part of enterprise operations. The ISO 27001 standard specifies 114 controls needed for a secure information technology (IT) shop. Many of these controls are highly technical and hard to administer.
After performing a large number of risk assessments for revenue-critical business operations, JW Secure found that the number one unmitigated risk is the lack of a clear inventory of the assets that are required for the service to function. That is a surprise! Intuitively, it seems like the first step in deploying a new IT capability, once functional goals are set, is to inventory the resources needed to accomplish the goal. Reality is much different. Too often the needed resources are assumed to be present and static. Later, the risk assessment proceeds from that basis.
Read on to see how simple lists and automation help keep your enterprise function safe, secure and reliably delivering value to the business. (“Simple” is the key word here: this is not about compliance with yet another mandate. Instead, we’re describing a fast way to mitigate cyber risk using asset inventory lists. Many risk analyses result in overly complex and expensive mitigations. But what we have found is that the simplest issues are often overlooked.)
Categorize the Resources
The first item of business in any risk evaluation is an agreement on the scope of the investigation. Again, that is intuitive, but often overlooked. Business continuity is the core rationale for any risk assessment so any categorization needs to focus on those assets and resources that are business-critical.
Here are the categories of resources that we start with. You may find a different list of categories works better for you, or you may need to use the categories as listed in ISO 27001. Whatever list you use, double check against the categories listed here.
- Assets and resources to be protected – these are the core reasons that the business uses IT in support of its revenue goals. Note that data is generally thought to be the critical asset, but that revenue-generating services must be inventoried and protected as well.
- Roles – since users come and go while the business continues, the best way to control access is to assign roles that characterize who interacts with the service, and how. Typical roles include read-only user and administrator. For more sophisticated functions, several levels of access will be supported.
- Users – the individual people who are authorized for each role. Software processes should use service accounts in order to distinguish them from the user accounts that are issued to interactive human users.
- Services – include both the services exposed to users and the services that operate entirely within the function (for example, in a three-tier application architecture, end users typically don’t interact directly with the storage tier, but system administrators and attackers do). A favorite hiding place for attackers is a rogue or altered service.
- Applications – similar to software services, applications and scripts can be installed by attackers anywhere on the network and be scheduled to run at specific times.
- Server hosts and virtual machines (VMs) – the computing infrastructure. In an age of virtualization, the attacker can easily appear to be ephemeral, using compromised resources that come and go. Enforcing strong authentication and segregated domain trust throughout the network environment is critical.
- Operating systems and configuration – easy to set and easy for an attacker to reconfigure once they have access to the internal network. Enforcing real-time configuration baselines is beyond the current state-of-the-art of most commercial tools. A more cost-effective approach is to apply the principle of least privilege, to enforce strong authentication, and to implement systematic auditing.
- Network appliances – have access to all packets within the function and could be copying or redirecting traffic.
Actions on the Lists
After the lists of assets are complete, the next step is to distill out of them the areas of (1) the known problems and (2) the gaps in knowledge that the lists expose.
Action 1 – Responsibility Assignment and Sanity Check
Each function or part identified in the lists needs one or more responsible owners who can determine what changes are permitted and what roles should have access. It is best if each business unit has its own risk manager who can parcel out responsibility for the asset lists created above to the operations engineers from the business unit.
Action 2 – Security Information and Event Management (SIEM)
The lists of users and machines should be in a form that can be imported into SIEM tools. That does not mean that every update to the list of users or machines should automatically be processed into the SIEM approved list. When a new user or machine appears on an incident report, it should be approved by the business team before the SIEM list is updated.
Action 3 – Incident Creation
Completing the lists of assets and resources is a great first step and a valuable contribution to good management all by itself. The real value of the process comes from the next step: a gap analysis that compares the desired state of each item on each list with the reality of your current (or planned) deployment.
Action 4 – Health Validation
As we noted above, automatic system “health” enforcement is a stretch-goal, but nevertheless a goal that every critical IT operation should have. This action will turn any data center into a world-class, secure operation.
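The gap analysis of Action 3 and the approval gate of Action 2, as an added example in Python (this is not JW Secure's tooling). The approved inventory, its owners, the hostnames, user names and the log lines are all constructed for illustration, and the `key=value` log format is an assumption; the point is that each discrepancy between the approved lists and what is observed becomes an incident routed to the asset's owner, and only approved incidents ever reach the SIEM allowlist.

```python
"""Inventory gap analysis with an owner-approval gate in front of the SIEM allowlist.

Added example, not JW Secure's code. Inventory, owners, hosts, users and log lines
are constructed; the key=value log format is assumed.
"""
import re
from dataclasses import dataclass

# Desired state (Action 1): approved inventory with a responsible owner per entry.
INVENTORY = {
    "users": {"alice": "billing-ops", "bob": "billing-ops", "svc-billing": "billing-ops"},
    "hosts": {"web01": "billing-ops", "app01": "billing-ops", "db01": "dba-team"},
    "services": {"web01": {"nginx"}, "app01": {"billing-api"}, "db01": {"postgres"}},
}

# Observed state: constructed log lines, as a SIEM export might provide them.
OBSERVED_LOGS = [
    "2024-05-01T10:00:01Z host=web01 user=alice event=login",
    "2024-05-01T10:00:05Z host=app01 user=svc-billing event=login",
    "2024-05-01T10:02:13Z host=db01 user=bob event=login",
    "2024-05-01T10:05:44Z host=db01 user=mallory event=login",  # user not in inventory
    "2024-05-01T10:07:00Z host=app02 user=alice event=login",  # host not in inventory
    "2024-05-01T10:09:30Z host=web01 service=nginx event=service_running",
    "2024-05-01T10:09:31Z host=web01 service=updater event=service_running",  # unknown service
    "2024-05-01T10:09:40Z host=db01 service=postgres event=service_running",
]

LOG_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Incident:
    kind: str      # unknown_user, unknown_host, unknown_service, missing_host, missing_service
    subject: str   # the entity concerned ("mallory", "app02", "web01:updater", ...)
    owner: str     # business owner who must decide; "unassigned" if no owner is on record
    status: str = "pending"  # pending -> approved | rejected, decided by the owner


def parse(line):
    """Turn one key=value log line into a dict (timestamp prefix is ignored)."""
    return dict(LOG_RE.findall(line))


def gap_analysis(inventory, logs):
    """Compare observed entities with the approved lists; every difference is an incident."""
    found = {}  # (kind, subject) -> Incident, so repeated log lines yield one incident
    seen_hosts, seen_services = set(), {}

    def raise_once(kind, subject, owner):
        found.setdefault((kind, subject), Incident(kind, subject, owner))

    for line in logs:
        ev = parse(line)
        host = ev.get("host")
        seen_hosts.add(host)
        owner = inventory["hosts"].get(host, "unassigned")
        if host not in inventory["hosts"]:
            raise_once("unknown_host", host, owner)
        if "user" in ev and ev["user"] not in inventory["users"]:
            raise_once("unknown_user", ev["user"], owner)
        if "service" in ev:
            seen_services.setdefault(host, set()).add(ev["service"])
            if ev["service"] not in inventory["services"].get(host, set()):
                raise_once("unknown_service", f"{host}:{ev['service']}", owner)

    # Gaps in the other direction: approved assets that were never observed.
    for host, owner in inventory["hosts"].items():
        if host not in seen_hosts:
            raise_once("missing_host", host, owner)
    for host, services in inventory["services"].items():
        for svc in sorted(services - seen_services.get(host, set())):
            raise_once("missing_service", f"{host}:{svc}", inventory["hosts"][host])
    return list(found.values())


def record_decisions(incidents, decisions):
    """Apply owner decisions, keyed by (kind, subject); anything undecided stays pending."""
    for inc in incidents:
        inc.status = decisions.get((inc.kind, inc.subject), "pending")
    return incidents


def siem_allowlist(inventory, incidents):
    """Allowlist = approved inventory plus only the unknowns an owner explicitly approved."""
    users, hosts = set(inventory["users"]), set(inventory["hosts"])
    for inc in incidents:
        if inc.status != "approved":
            continue  # pending and rejected entities never flow into the SIEM list
        if inc.kind == "unknown_user":
            users.add(inc.subject)
        elif inc.kind == "unknown_host":
            hosts.add(inc.subject)
    return {"users": sorted(users), "hosts": sorted(hosts)}


if __name__ == "__main__":
    incidents = gap_analysis(INVENTORY, OBSERVED_LOGS)
    for inc in incidents:
        print(f"{inc.kind:16} {inc.subject:20} owner={inc.owner}")
    # Constructed decision: the billing team confirms app02 is a legitimate new host.
    record_decisions(incidents, {("unknown_host", "app02"): "approved"})
    print(siem_allowlist(INVENTORY, incidents))
```

Run as a script it lists four incidents (an unknown user on db01 routed to the DBA owner, an unknown host with no owner on record, an unknown service on web01, and the billing API that should be running on app01 but was never seen) and then prints an allowlist that contains app02 but still excludes the undecided user.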
While the two areas above (known problems and exposed gaps in knowledge) form the initial basis for action, there may still be unidentified problems, what Donald Rumsfeld called “unknown unknowns.” Even after the known risks have been mitigated, there probably are remaining problems that experts have identified in other environments. New cyber threats appear on a daily basis. Thus, it is critical to engage a fresh set of eyes to update the risk assessment annually.
Call to Action
JW Secure has been performing enterprise risk assessments for many industries since 2006. We can help any enterprise set up and operate an internal threat analysis process.
Contact JW Secure at firstname.lastname@example.org to learn more about our extensive experience creating actionable security assessments for revenue-critical business functions.
- Data classification for cloud readiness – helps with classification of the data to be protected
- How to handle Asset register (Asset inventory) according to ISO 27001
- ISO 27001 – Information technology – Security techniques on Wikipedia – shows the scope of controls