To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge.
Nicolaus Copernicus
In today’s ever-evolving threat landscape, the wisdom of Nicolaus Copernicus rings true: “To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge.” This insightful quote is particularly relevant in the context of cybersecurity, emphasizing the critical importance of knowing the assets and resources we are protecting. Securing an organization is protecting the components that make up an organization; a crucial step toward security maturity is knowing what resources require protection. We cannot protect what we do not know.
This point becomes strikingly evident when analyzing the infamous Equifax breach in 2017, which stemmed from the lack of complete asset inventory and management. The company’s failure to maintain an up-to-date inventory of its assets severely hampered its effort to patch the vulnerability that led to the breach.
In this post, we will drill down on the importance of maintaining an Inventory to understand better what we are protecting. Doing so propels our organization towards security maturity, where every component is systematically hardened against potential threats.
What to Inventory?
In order to protect an organization and mature its security effectively, it is crucial to have a comprehensive inventory that includes all relevant components based on the Cyber Risk Mind Map. The following components are essential to the inventory.
Offices & Physical Locations:
Keeping an inventory of offices and their respective security setups is essential, particularly for organizations with multiple locations. This inventory should include information about physical security measures, access controls, and any specific risks associated with each office’s location.
People:
It is crucial that organizations maintain a list of employees, contractors, and their respective roles and access levels. This list helps ensure access privileges are appropriately assigned and revoked when necessary.
Devices:
Maintaining a detailed list of all devices connected to the organization’s network is crucial. This list includes computers, laptops, servers, routers, switches, and other network-connected equipment, including details on running OS versions and software.
Third-Party Service Providers:
Many organizations rely on third-party service providers for various tasks, such as cloud services, IT support, or other outsourced functions. It is important to maintain a record of these service providers, including their roles, responsibilities, and access to the organization’s systems and data.
Infrastructure (Cloud or On-Prem):
Whether an organization operates its infrastructure on-premises or in the cloud, an inventory of the infrastructure components is vital. This inventory includes virtual machines, databases, data stores, storage resources, and network configurations. Understanding the infrastructure helps identify potential weak points and areas vulnerable to attacks.
Applications:
A comprehensive list of all the applications used or managed by the organization is necessary. This list should cover both in-house developed software and third-party applications. Each application should be categorized based on its criticality and the data it processes.
Third-Party Dependencies:
Organizations often rely on third-party libraries and software components within their applications. Keeping track of these dependencies and their versions is essential, as vulnerabilities in these components could pose significant risks to the organization.
Data:
Data is one of the most valuable assets of an organization, and it is essential to have a comprehensive understanding of the types of data being processed, stored, and transmitted for designing proper security and regulatory controls. Data classification should be performed to identify sensitive and critical data that requires extra protection.
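As an added example (not part of the original post, and not any product's code), the script below shows what the inventory categories above look like once they are recorded as data and actually used. It models devices and applications (with their criticality, data classification, and third-party dependencies), then reconciles the inventory against discovery results to surface the three gaps that matter most: devices seen on the network but absent from the inventory, inventory records whose details are stale, and dependency versions that match an advisory. All device records, discovery results, dependency names and advisory entries are constructed sample data.

```python
"""Reconcile a constructed asset inventory against constructed discovery data.

Demonstrates the post's point: an asset that is missing from the inventory,
or whose recorded details are stale, cannot be patched or protected.
Every record in this file is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    hostname: str
    mac: str
    owner: str
    os_version: str
    location: str


@dataclass
class Application:
    name: str
    criticality: str                      # "high" | "medium" | "low"
    data_classes: List[str]               # result of data classification, e.g. ["PII"]
    dependencies: Dict[str, str] = field(default_factory=dict)  # third-party lib -> version


# Authoritative inventory (constructed).
INVENTORY = [
    Device("web-01", "aa:bb:cc:00:00:01", "platform-team", "Ubuntu 22.04", "DC-East"),
    Device("db-01", "aa:bb:cc:00:00:02", "data-team", "Ubuntu 20.04", "DC-East"),
    Device("old-printer", "aa:bb:cc:00:00:09", "facilities", "unknown", "Office-3"),
]

APPLICATIONS = [
    Application("customer-portal", "high", ["PII", "financial"],
                {"example-lib": "1.2.3", "other-lib": "2.0.0"}),
    Application("wiki", "low", ["internal"], {"other-lib": "0.9.0"}),
]

# Discovery results keyed by MAC, e.g. from a network scan or agent check-in (constructed).
DISCOVERED = {
    "aa:bb:cc:00:00:01": {"hostname": "web-01", "os_version": "Ubuntu 22.04"},
    "aa:bb:cc:00:00:02": {"hostname": "db-01", "os_version": "Ubuntu 22.04"},   # upgraded since inventory
    "aa:bb:cc:00:00:42": {"hostname": "unknown-laptop", "os_version": "Windows 10"},  # not in inventory
}

# Placeholder advisory feed: dependency name -> affected versions (constructed, not real advisories).
ADVISORIES = {
    "example-lib": {"1.2.3"},
    "other-lib": {"0.9.0"},
}


def reconcile_devices(inventory: List[Device], discovered: Dict[str, dict]) -> Tuple[list, list, list]:
    """Compare inventory with discovery.

    Returns (unknown_macs, stale_entries, unseen_hostnames):
      unknown_macs   - seen on the network but absent from the inventory
      stale_entries  - (hostname, recorded_os, observed_os) where details differ
      unseen_hostnames - in the inventory but not observed at all
    """
    by_mac = {d.mac: d for d in inventory}
    unknown = sorted(mac for mac in discovered if mac not in by_mac)
    stale = []
    for mac, seen in discovered.items():
        dev = by_mac.get(mac)
        if dev is not None and dev.os_version != seen["os_version"]:
            stale.append((dev.hostname, dev.os_version, seen["os_version"]))
    unseen = sorted(d.hostname for d in inventory if d.mac not in discovered)
    return unknown, stale, unseen


def vulnerable_dependencies(apps: List[Application], advisories: Dict[str, set]) -> List[tuple]:
    """Return (app, dependency, version, criticality) for every recorded version that matches an advisory,
    ordered so that high-criticality applications come first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [
        (app.name, dep, ver, app.criticality)
        for app in apps
        for dep, ver in app.dependencies.items()
        if ver in advisories.get(dep, set())
    ]
    hits.sort(key=lambda h: order[h[3]])
    return hits


def incomplete_records(inventory: List[Device]) -> List[str]:
    """Devices whose record lacks a field needed to patch or contact an owner."""
    return [d.hostname for d in inventory if d.os_version == "unknown" or not d.owner]


if __name__ == "__main__":
    unknown, stale, unseen = reconcile_devices(INVENTORY, DISCOVERED)
    print("Unknown devices on the network:", unknown)
    print("Stale inventory entries:", stale)
    print("Inventoried but not observed:", unseen)
    print("Incomplete records:", incomplete_records(INVENTORY))
    print("Dependencies matching an advisory:", vulnerable_dependencies(APPLICATIONS, ADVISORIES))
```

The MAC address is used as the join key between inventory and discovery because hostnames are easy to change; in a real deployment the key would be whatever identifier the discovery tooling reports reliably. The ordering in `vulnerable_dependencies` is where the application criticality and data classification recorded in the inventory pay off: it tells the team which patch to apply first.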
Mapping to Standards:
The importance of inventory management is recognized and emphasized in various cybersecurity standards and frameworks, including:
- NIST Cybersecurity Framework: The NIST framework highlights the need for organizations to identify and manage assets as part of their risk management process.
- ISO/IEC 27001: This standard requires organizations to maintain an inventory of assets, including information assets and physical assets.
- CIS Controls: The Center for Internet Security (CIS) Controls include maintaining an inventory of authorized and unauthorized hardware and software as one of its foundational principles.
- SOC 2 Type II: Emphasizes the importance of maintaining an accurate and up-to-date inventory of assets as part of the information security management process.
Useful Resources:
Maintaining a comprehensive inventory can be a challenging task. However, various tools and resources are available to assist organizations in this endeavor:
- Asset Inventory & Management Software: Specialized software solutions can automate discovering and cataloging assets within an organization’s network.
- Network Monitoring Tools: These tools can help track and identify devices connected to the network, providing valuable insights into potential security gaps.
- Data Discovery and Classification Tools: For organizations dealing with vast amounts of data, data discovery and classification tools can help identify sensitive information and ensure it receives adequate protection.
Closing Notes:
Nicolaus Copernicus’ quote, “To know that we know what we know, and to know that we do not know what we do not know, that is true knowledge,” holds profound wisdom when applied to cybersecurity and protecting organizations. The first step in securing an organization is understanding what needs protection. Maintaining a comprehensive inventory of devices, offices, applications, people, and data enables organizations to identify potential risks and vulnerabilities, thus enhancing their security posture.
In conclusion, a well-maintained inventory is not just a list of items but an essential foundation for a robust security strategy, providing the knowledge required to safeguard an organization’s most valuable assets effectively.