CISOs Need To CYA – ‘Comprehend Your Assets’

I recently went for coffee with a very interesting gentleman who had previously been responsible for threat and vulnerability management in a global bank – our conversation roamed far and wide but kept on circling back to one or two core messages – the real fundamental principles of information security.  One of these principles was “know your assets”.

Asset management is something that many CISO tend to skip over, often in the belief that information assets are managed by the business owners and hardware assets are closely managed by IT.  Unfortunately, I’m not convinced that either of these beliefs are true to any great extent.

Take, for example, Anonymous’ recent hack of a forgotten VM server within AAPT’s outsourced infrastructure. VM ‘sprawl’ is one of the key risks that Forrester discuss, and this appears to be a classic example – a virtual server created in haste and soon forgotten about. Commonly, as these devices fall off asset lists, they get neglected – malware and patching updates are skipped, and backups overlooked – yet they still exist on the network. It’s the perfect place for an attacker to sit unnoticed and, if the device exists in a hosted environment, it can also have the negative economic impact of monthly cost and license fees. One anecdote I heard was of a system administrator who, very cautiously and very successfully, disabled around 200 orphaned virtual servers in his organisation – with no negative business impact whatsoever.

A few weeks earlier I’d been chatting to the consultancy firm responsible for information security of the 2012 London Olympics; a huge task to be sure, and one it appears they accomplished well.  When chatting about asset management I was told how the IT infrastructure had been built to exacting standards – all they infrastructure was standardised, even down to keyboards and mice – all devices were identical and accounted for, and frequent asset scans would immediately alert any discrepancy. This ideal situation is a result of the ‘greenfield’ remit they were given – but think whether you know whatshould be on your network, and how that compares with reality?    

Our S&R Practice Playbook talks about ‘security as a process’ rather than a series of controls and this is just another example. CISOs need to position themselves to have oversight of the processes that IT Ops run to manage their assets (hardware and virtual), ensuring that these run regularly (i.e. it’s not the annual license clean up!) and that actions are taken to address the findings. If you are looking for a first step, why not start by asking two departments in IT to tell you how many servers your firm has – you may be surprised at the differences in their responses!