Today, organizations depend on a host of information technology assets to accomplish their business objectives. The tried-and-true datacenter and workspace configuration has reigned supreme for many years, but a new breed of workforce and worker configurations has emerged, especially in the aftermath of the COVID-19 pandemic. What hasn’t changed, however, is the responsibility of the organization to manage, maintain, and monitor the assets that handle their critical data. These asset management principles must evolve to keep pace with the changing environment.
Addressing IoT Vulnerability
As organizations seek to define the IT asset, a growing number of them fail to track those assets that are not sourced through their PC distributor. The increasing utilization and intelligence of Internet of Things (IoT) devices within modern enterprises make this a very likely scenario. IoT devices are often plagued by problems such as weak passwords, lack of appropriate patch mechanisms, and poor visibility into the devices or the data they hold. The Mirai malware attack took advantage of networked IoT devices, turning them into bots participating in Distributed Denial of Service (DDoS) attacks. Years after that attack, researchers still see hundreds of thousands of devices with default credentials and other security vulnerabilities, directly exposed to the internet.
Responsible owners should first ensure that they know what IoT devices are on their network. Second, they should use advanced forms of authentication that are appropriate for the device in question. Whether leveraging Privileged Access Management (PAM) technology or some form of multi-factor or certificate-based authentication, make sure that only authorized users can access these devices. Finally, they should have a strategy for monitoring and patching vulnerabilities on these devices. Update mechanisms must themselves be secure—using encrypted communication and management channels—and must support the overall goal of secure software being distributed to secure devices.
A 2020 study identified some of the following problems with Internet of Medical Things (IoMT) devices:
- 20% of enterprises surveyed had PCI segmentation violations
- 86% have ten or more devices with recalls
- 95% showed Alexa and Echo devices on their network
- 75% failed to segment medical and non-medical devices
IoT and other smart devices pose a real threat to enterprise security. And as adoption continues to increase, organizations must ensure that their asset management plan can account for these devices.
Consider Ephemeral & BYOD Assets
Some environments, especially containerized and cloud-heavy infrastructures, contain assets that don’t follow a traditional IT asset lifecycle. Assets can be spun up or down depending on the needs of the overall system, and even in their short life span they can have a serious impact on the health of a system. Vulnerabilities tend to work in chains, with a weakness in one system often being leveraged to attack another. Whether in the cloud or in the datacenter, your asset management program should have awareness of these changes.
BYOD assets, like phones, cameras, and other mobile devices, fall into this category as well. Left unmanaged and unmonitored, they can introduce a tremendous amount of risk to the environment. Knowing what was on the network two weeks ago simply isn’t enough anymore. Intelligence should be as up-to-date as possible and include continuous discovery capabilities. In addition, consider segmenting these devices into areas of the network where the blast radius of any attack will be limited.
“Out of Sight” may equal “Risk”
What happens to those laptops or other ‘smart devices’ that employees take home? Are they sitting in a forgotten laptop bag somewhere, waiting to be reconnected to the network? This isn’t a far-fetched scenario, as our increasingly mobile workforce has stretched the computing edge into risky territory. These ‘cold assets’ are often not updated with the latest security patches, run outdated software versions, and may permit actions not possible on newer, more secure devices. When reconnected, they pose a significant risk to security posture by reintroducing vulnerabilities that may have been previously eliminated from the network.
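The continuous-discovery and ‘cold asset’ checks described above can be sketched as a reconciliation between network sightings and the asset inventory. This is an added example, not code from the original article; the MAC addresses, VLAN names, 30-day threshold, and record layout are all constructed assumptions.

```python
from datetime import datetime, timedelta

COLD_AFTER = timedelta(days=30)       # assumed threshold for a "cold" asset
SEGMENTED_VLANS = {"iot", "guest"}    # assumed names of restricted segments

# Constructed inventory: MAC -> owner and the last time the asset was seen.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "it-ops", "last_seen": datetime(2024, 5, 30)},
    "aa:bb:cc:00:00:02": {"owner": "j.doe", "last_seen": datetime(2024, 2, 10)},
}

# Constructed discovery sightings (for example parsed from DHCP leases).
SIGHTINGS = [
    ("AA:BB:CC:00:00:01", "corp", datetime(2024, 6, 1, 9, 0)),
    ("aa:bb:cc:00:00:02", "corp", datetime(2024, 6, 1, 9, 5)),
    ("aa:bb:cc:00:00:02", "corp", datetime(2024, 6, 1, 9, 6)),  # repeat sighting
    ("de:ad:be:ef:00:10", "corp", datetime(2024, 6, 1, 9, 7)),
    ("de:ad:be:ef:00:11", "iot", datetime(2024, 6, 1, 9, 8)),
]


def reconcile(inventory, sightings, cold_after=COLD_AFTER):
    """Return (findings, updated_inventory); the input inventory is not modified."""
    inv = {mac: dict(rec) for mac, rec in inventory.items()}
    findings = []
    for mac, vlan, seen_at in sorted(sightings, key=lambda s: s[2]):
        mac = mac.lower()  # discovery sources differ in MAC casing
        rec = inv.get(mac)
        if rec is None:
            # Device is on the network but was never recorded as an asset.
            kind = "unknown-segmented" if vlan in SEGMENTED_VLANS else "unknown-unsegmented"
            if (mac, kind) not in findings:
                findings.append((mac, kind))
            continue
        # Known asset returning after a long absence: likely missing patches.
        if seen_at - rec["last_seen"] > cold_after:
            findings.append((mac, "cold-reconnect"))
        rec["last_seen"] = max(rec["last_seen"], seen_at)
    return findings, inv


if __name__ == "__main__":
    results, _ = reconcile(INVENTORY, SIGHTINGS)
    for mac, kind in results:
        print(f"{kind:20} {mac}")
```

Feeding the returned inventory into the next run keeps the last-seen state current, so a returning laptop is flagged once at reconnection rather than on every sighting.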
Addressing this problem requires some administrative—as well as technical—controls. Ensure that users are aware of their responsibilities with outdated or spare equipment. Remind them that assigning that old laptop to a child is irresponsible and puts them and the company at risk. We’ve all heard about companies losing data to old laptops that were previously forgotten. Provide capabilities for quickly and securely disposing of both equipment and data drives and track their destruction. When all else fails, incentivize employees to turn in old laptops. One company even offered free coffee in a ‘Lattes for Laptops’ buyback program. The small investment was well worth the reduction in risk, as hundreds of mothballed laptops were mailed back to their IT team.
Asset management lies at the heart of any security program, as IT professionals must understand what devices are used to collect, store, process, transmit, and destroy data. Any effort to manage those assets must incorporate visibility at every stage of their existence and account for changes in location, state, and connectivity. By doing so, teams increase their ability to maintain a proper security posture and protect critical data.