Maintaining an inventory of assets is a challenge in itself - just starting the process in an enterprise can be daunting. This can be difficult in any organization, and it’s amplified in a complex enterprise because there’s more stuff, either hardware, software, people and relationships. The purpose of this article is to share how you can identify the full breadth of your organizations internet-facing estate.
Why Unknown Assets are Unknown
In theory, an organization should have a complete, HD picture of its assets. In practice, that picture is more like the puzzle inherited from your mother-in-laws cabin - ragged and torn edges, washed out pieces where you can’t quite make out the picture, and of course, missing pieces.
These pieces are lost and damaged when new people come to the cabin, a piece of the puzzle is used to replace a lost thimble on the Monopoly game board, and when your mother-in-law let the neighbors borrow the puzzle for an extended weekend turned summer. That puzzles been taken out and half built a few dozen times in the last couple decades, but the fact remains - now you own it.
Enterprise Assets are lost in quite the same way. Like new people come into the cabin, new people come into an organization and roles change. With those natural progressions in an organization, the understanding of the landscape changes too. Traditionally organizations look at these changes (losses) as a loss of institutional knowledge. Like the misplaced game piece, during acquisitions new assets come into the playing field, but they may not be managed/inventoried appropriately.
Like when the puzzle was lent to the neighbors and forgotten about, organizations forget that old networks even exist. Regardless of how the unknown became the unknown, the fact remains - now you own it.
The Risk of the Unknown
You can’t protect what you can’t see, and any unknown asset will offer an easy opportunity for attackers. Security 101 says to keep up with patches - the unknown may be years out of date. Even new hackers can gain access to a well documented vulnerability.
The unknown also creates risk to compliance - when you’re investing time, money, and key resources into meeting compliance standards it’s important to have a complete picture. An unknown network or database can put you out of compliance, and not far from a breach.
GDPR makes this even more important. GDPR goes beyond marketing data; it concerns employee data, internal data, and every type of personal data your company stores. How many meetings in the last months have you discussed what you’re collecting, why you’re collecting it, and what you really need. Legacy systems may contain information that puts your organization at serious risk of breaching new laws.
Finding Unknown Assets
Creating a mature security program requires that you find and identify the full breadth of the organization's estate. Finding unknown assets includes creating a full asset register comprised of all the systems, domain names, and IP addresses that make up an estate. Start with creating a comprehensive map of your estate through existing inventory, interviews, and research. A comprehensive attack plan will identify unknown assets so they can be added to inventory and secured appropriately. Most organizations don’t have the resources to develop an appropriate, ongoing attack and assessment plan that includes everything from vulnerability scanning and penetration tests to full red teaming.
Vulnerability scanning is the first step towards understanding your organization's weaknesses. Penetration testing is used to demonstrate how potential attackers can exploit weaknesses in your IT systems. Simulating a full assault using internal and external attack vectors tests your systems ability to withstand a cyber-threat. The penetration test goes further than a vulnerability scan to further improve your understanding and security posture. Red team assessments have a broader scope than traditional penetration tests, with a focus on gaining access to resources critical to your business. Red team attacks simulate real world threat actors across the organization including networks, applications, people, and physical security.
About The Author
Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) - the world’s leading cybersecurity awareness platform for small and medium sized business. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers create a culture of awareness in their organization.
Main Image Credit : The awesome piece of artwork used to head this article is called 'Old School Gaming' and it was created by graphic designer Fabian Denter.