
Asset Management for CyberSecurity

by Raghunath Iyer
2 comments

CyberSecurity has gained prominence in the past few years with the proliferation of the Internet and the mobile handset. The mobile handset has put the Internet in everyone’s palm. On the one hand the Internet changed the way we communicate, conduct business and engage with people and businesses; on the other hand it also enabled anonymous entities to access your always-connected devices by exploiting weaknesses in those devices or by exploiting weak passwords. More recently, exploits target weaknesses in human psychology.

The goal of all exploits is to compromise your device, gain control of it, or gain access to your privileges on some other device, such as a server on the Internet (your photos or work data on a Google Drive or in an Amazon S3 bucket). Increasingly the goal is to gain control of, or access to, your data. Devices are less valuable than the data that resides on them.

Cybersecurity is the practice and application of tools, techniques and processes to secure your devices and your privileges on third-party devices. The tools can be broken down into multiple specialised sub-domains. This image (a PDF from Optiv) provides a nice classification of the different cybersecurity solution providers.

Some solutions target the network pathways through which malicious activity is carried out or malicious content is planted/distributed. Some solutions ensure robust authentication is present on all pathways. Some solutions monitor device activity to watch for anomalous behaviour (either via artefacts on the device or via artefacts on the network wire; note that in a wireless network the ether is the wire). Other solutions prevent data export from devices by locking down all possible ways by which data can be sent out (blocking hardware interfaces such as USB, blocking email attachments, etc.). Many solutions target the device directly: they monitor the device’s health continuously, ensuring the device is always healthy. In summary, Cybersecurity is not a single point solution but involves practising and applying defence in depth.

Asset Management is the branch of Cybersecurity that focuses on device health. It is often said that you cannot secure what you do not know about. Once you know all your assets, you must ensure they are healthy “continuously”.

Brian Krebs, a reputed Cybersecurity expert, summarised it very succinctly thus (source credit: KrebsOnSecurity):
1. Do not install what you did not go looking for.
2. If you installed it, take care of it by ensuring it is up to date and free of known shortcomings/bugs.
3. If you are not using it, remove it.
This applies to enterprises as well as personal devices. It is vital that you identify all your devices and ensure they run only such software as is needed, and that this software is the latest and the best the vendor has to offer. Ensure there is no unnecessary software on the device.

Lay persons believe that devices are “hacked” because of the “hacker’s” skills and ingenuity. While skills and ingenuity may be needed, the primary reason devices get “hacked” is the “owner’s” carelessness and naiveté: they are not practising the three simple rules laid out by Brian Krebs.

Lay persons assume that their devices are secure if they are running an anti-virus application. Anti-virus applications are like a band-aid on a wound. A wound happens because you are careless or your health is compromised.

In the context of smart devices and computers, a wound is the equivalent of a virus/malware infection, and “unhealthy” means the device/computer is running buggy software/hardware: bugs that allow unintended operations to be carried out, such as the installation of a malicious program. An anti-virus prevents further damage from happening or spreading. In some rare cases an anti-virus will prevent the execution of malware. For this level of protection, anti-virus software must be updated regularly, possibly as frequently as twice daily.

Let us step back a bit. If buggy software is prevented, or the software on the devices is robust, does it mean devices cannot be hacked? YES. However, rogue actors are constantly studying all known applications for potential bugs/weaknesses and testing exploits. Software vendors have to be diligent and do the same (reputed companies run bug bounty programs). Good software vendors issue security upgrades for all their software regularly. Vendors who do not issue such security upgrades should not be supported or encouraged; their software is a risk. That said, user naiveté and ignorance are still a problem. Users can be tricked via social engineering into installing unnecessary software which may not itself be malicious but aids the hacker in conducting reconnaissance and identifying potentially vulnerable devices in the neighbourhood.

Summarising what we have said so far: in the ideal world an individual or an enterprise CISO MUST KNOW “ALL” their devices and MUST ENSURE they are running robust, secure software and are not running unknown software. Towards this they must have ways of measuring the “health” of “ALL” their devices. For a moment let us take a simple modern home. It has a couple of laptops, 2-6 smart phones, a home router, a smart TV, an Alexa, one or more smart speakers, one or two smart displays showing vacation photos, and potentially some CCTVs. Do not be surprised if some homes have 50-60 Internet-enabled devices. Is the home owner “monitoring” the health of all these devices? Is the home owner even aware of the software in these devices?

Let us look at enterprises. A large bank in India has 100-500 thousand devices, running a zoo of applications, spread across 3-4 data centres and 2-3000 branches. With the growing popularity of cloud computing, many of these devices are “virtual devices” that reside in the “cloud”. Cloud and virtualisation bring in an additional layer of challenge because devices may “come alive and go dead/silent” as the data centre scales dynamically.

Enter Asset Management in this scenario. Is it easy to locate, identify and track all devices? I will provide some first-hand stories to highlight the practical challenges in Asset Management.

My company built, sold and deployed high-speed Network Access Control solutions to large enterprises. Once deployed, the solution would prevent unknown or rogue devices from communicating over the network. Our solution was priced on the basis of the device count being monitored/controlled.

A large bank, one of the earliest adopters of this technology, purchased our solution declaring they had 70k devices. We sized the solution for this count and began roll out in mid-2009. The bank had a FMS (facility management service) provided by a vendor. The vendor maintained an inventory of all devices and of the applications on those devices using an army of hands and legs in every branch, each updating various Excel sheets that were centrally collated. The bank and the vendor were confident of the device count. Six months into the roll out of our solution the product dashboard logged 96K devices on their network. Being a “new kid” in town, the bank’s CISO declared our solution was suspect and faulty. We stood our ground and asked them to prove the absence of those 26K additional devices, or prove that they were duplicates. We provided the FMS teams the IP addresses and branch locations where the devices could be located. After long rounds of back and forth over two months, the bank’s IT team and the FMS vendor finally managed to “find” 24K additional devices, and the unknown count was reduced to 2K. A number of the unknown devices turned out to be computers that the branch IT team had procured to run some local services without the knowledge of HQ. In some cases the devices turned out to be computers used to manage “tokens” and display devices. There were some printers and some other biometric access control devices. There were also end user laptops that had been re-provisioned because the old machine had crashed. HQ had no knowledge of any of these.

Finally the bank felt they had good control over their inventory. They decided to turn on the “access control features” of our solution. We cautioned them that this would deny unrecognised devices any network access, and that they should be confident the 2K “unknown devices” were not “business critical”. On a Sunday night they chose to enforce access control. Monday morning hell broke loose. Critical interbank money movement stopped. It turned out one of those 2K “unknown devices” was a computer crucial for the interbank money transfers. That computer was not in the regular data centre racks; it was connected to a switch in a disused corner of the data centre, and it was blocked from accessing the network. After some more rounds of blame game, the bank finally realised their inventory management was in disarray. Thereafter the bank chose to undertake a serious review.
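The reconciliation the story describes (declared inventory versus devices seen on the wire, then a dry run before denying unknown devices network access) as an added example; this is not the author’s product or the bank’s data. The inventory rows, observed devices, flow records and the “rtgs-gateway” service name are all constructed placeholders.

```python
"""Reconcile a declared asset inventory against devices observed on the network,
then dry-run an access-control policy before enforcing it.

Added example with constructed sample data; not the author's NAC product."""
from collections import Counter

# Declared inventory (constructed), as an FMS team might collate from branch sheets.
DECLARED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.10", "branch": "HQ",      "role": "workstation"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.1.11", "branch": "HQ",      "role": "workstation"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.1.11", "branch": "HQ",      "role": "workstation"},  # duplicate row
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.2.5.20", "branch": "Pune-12", "role": "printer"},
    {"mac": "aa:bb:cc:00:00:04", "ip": "10.2.5.21", "branch": "Pune-12", "role": "laptop"},  # crashed, replaced
]

# Devices observed on the wire (constructed), keyed by MAC as a NAC would see them.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.10",  "branch": "HQ"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.1.1.11",  "branch": "HQ"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.2.5.20",  "branch": "Pune-12"},
    {"mac": "aa:bb:cc:00:00:09", "ip": "10.2.5.33",  "branch": "Pune-12"},  # branch-procured PC
    {"mac": "aa:bb:cc:00:00:77", "ip": "10.1.9.250", "branch": "HQ"},       # box in a disused rack
]

# Observed flows (constructed): (source MAC, destination service). Used for the dry run.
FLOWS = [
    ("aa:bb:cc:00:00:77", "rtgs-gateway:443"),
    ("aa:bb:cc:00:00:09", "fileshare:445"),
]
CRITICAL_SERVICES = {"rtgs-gateway:443"}


def reconcile(declared, observed):
    """Return (unknown MACs, number of duplicate inventory rows, declared-but-silent MACs)."""
    counts = Counter(d["mac"] for d in declared)
    duplicates = sum(c - 1 for c in counts.values())
    known, seen = set(counts), {o["mac"] for o in observed}
    return sorted(seen - known), duplicates, sorted(known - seen)


def enforcement_dry_run(unknown, flows, critical):
    """Before blocking unknown devices, list the ones already talking to critical services."""
    unknown = set(unknown)
    return sorted({src for src, dst in flows if src in unknown and dst in critical})


if __name__ == "__main__":
    unknown, dups, silent = reconcile(DECLARED, OBSERVED)
    print("unknown:", unknown, "| duplicate rows:", dups, "| declared but silent:", silent)
    print("blocking unknowns would cut off:", enforcement_dry_run(unknown, FLOWS, CRITICAL_SERVICES))
```

Any MAC the dry run returns is exactly the kind of device the bank lost on that Monday morning; it should be identified and inventoried before enforcement, not discovered by an outage.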

You cannot secure what you do not know about. Now try to imagine the state of those unknown devices. If they had been compromised and were running rogue software, would the bank have come to know of it?

Finally let me replay a scenario that unfolded in another large bank in May 2017. This one relates to bullet 2 of Brian Krebs’ guidelines. For those involved in Cybersecurity, May 2017 will be memorable. It was the first time there was a widespread infection by a ransomware called WannaCry. WannaCry exploited a bug (recall being healthy) in Microsoft’s file transfer protocol, SMB version 1. WannaCry brought down a number of computers around the world. Notably Maersk, one of the largest shipping companies, was off business for 2 months. It turned out Microsoft had announced a “security patch” for SMB. Unfortunately most enterprises treated the application of this “patch” with their usual Business as Usual approach. Cyber criminals, however, were active: ransomware-producing companies had fine-tuned their tool kits to distribute WannaCry to anybody who wanted to capitalise on the situation.

The attack began at around 1 pm IST on 12 May 2017. One of our bank customers went to work as soon as news of WannaCry started percolating in. The bank’s IT team went into war mode as soon as reports started trickling in from security companies globally. They wanted to ensure that by Monday morning, before business resumed, the Microsoft security patch was applied on all their devices. Our product’s automatic network access restriction on non-compliance was turned on. Auto remediation was enabled and patches started getting applied. This time the bank had been using our product for quite a while, so their inventory control was good: they had good visibility of all devices on the network together with the software inventory on those devices. 90% of the devices were patched in the first attempt, but it took all of Sunday night to reach 100% compliance. The remaining cases were outdated OSes that needed a number of pre-requisite patches to be applied first. Finally, after 48 hours of round-the-clock focus, the bank was satisfied their assets were secure. Monday morning was uneventful.
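The compliance pass above, where some outdated machines needed a chain of pre-requisite patches before the actual fix would install, as an added example; it is not the author’s product or the bank’s records. Patch names, the prerequisite graph and the device records are constructed placeholders, not real Microsoft KB identifiers.

```python
"""Patch-compliance pass with prerequisite ordering.

Added example with constructed data; not the author's product. Patch names are
placeholders, not real Microsoft KB ids."""

# Constructed prerequisite graph: patch -> patches that must already be installed.
PREREQS = {
    "PATCH-SMB":  ["PATCH-SP-B"],   # the fix itself only installs on the later service pack
    "PATCH-SP-B": ["PATCH-SP-A"],
    "PATCH-SP-A": [],
}
REQUIRED = "PATCH-SMB"

# Constructed device records: patches already installed on each device.
DEVICES = {
    "branch-pc-01":  {"PATCH-SP-A", "PATCH-SP-B", "PATCH-SMB"},  # already compliant
    "branch-pc-02":  {"PATCH-SP-A", "PATCH-SP-B"},               # one patch away
    "legacy-srv-07": set(),                                      # outdated OS, needs the full chain
}


def install_plan(installed, target, prereqs):
    """Return the ordered list of patches still missing to reach `target`.

    Depth-first walk of the prerequisite graph; dependencies come before dependants,
    and a cycle in the graph is reported instead of looping forever."""
    plan = []

    def visit(patch, stack=()):
        if patch in installed or patch in plan:
            return
        if patch in stack:
            raise ValueError(f"cycle in prerequisites at {patch}")
        for dep in prereqs.get(patch, []):
            visit(dep, stack + (patch,))
        plan.append(patch)

    visit(target)
    return plan


def compliance_report(devices, target, prereqs):
    """Map each device to its remaining plan (empty = compliant) and give the compliant %."""
    plans = {name: install_plan(installed, target, prereqs) for name, installed in devices.items()}
    compliant = sum(1 for plan in plans.values() if not plan)
    return plans, round(100 * compliant / len(devices), 1)


if __name__ == "__main__":
    plans, pct = compliance_report(DEVICES, REQUIRED, PREREQS)
    for name, plan in plans.items():
        print(name, "compliant" if not plan else "needs " + " -> ".join(plan))
    print(f"{pct}% of devices compliant")
```

The per-device plan is what an auto-remediation step would feed to the patch tool, and the percentage is the number the war room watches climb from 90% to 100%.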

I can mention many more such incidents where having full visibility of all assets and their health status was vital. If you need more insights, please get in touch with the author. The author has in later years been instrumental in creating non-intrusive asset discovery solutions, which are deployed globally in many large enterprises.

2 comments

John Smith November 8, 2024 - 4:45 pm

This blog highlights the importance of asset management in cybersecurity, showcasing how a structured approach to tracking assets can significantly strengthen defenses and reduce vulnerabilities. A must-read for security-focused organizations.
