Information Asset Management
Those Who Fail To Learn From History Are Bound to Repeat It
In 1948, in his address to the House of Commons, Winston Churchill stated, “those who fail to learn from history are bound to repeat it.” The context then, as it is today, provides an ominous warning that those who fail to learn from past mistakes are destined to make them again and again. On a daily basis the NJCCIC intakes reports of cybersecurity incidents from across the State while also studying incidents outside its purview for the purpose of learning from these “historical events” and improving the state of cybersecurity in New Jersey and beyond.
One such event is the 2017 Equifax Data Breach. Recently, the US House of Representatives Committee on Government Oversight and Reform released its Equifax Data Breach report. The report documents the circumstances that led to the 2017 Equifax Data Breach which impacted over 148 million Americans. As reported previously, the vector for the intrusion into Equifax’s network was an unpatched Apache Struts vulnerability. And while that was the intrusion point, it was a host of other security issues that resulted in the vulnerability not being patched. These security issues were not necessarily technical, they involved organizational and process deficiencies. Some of the key findings from the report include the following:
Entirely preventable. Equifax failed to fully appreciate and mitigate its cybersecurity risks. Had the company taken action to address its observable security issues, the data breach could have been prevented.
Lack of accountability and management structure. Equifax failed to implement clear lines of authority within their internal IT management structure, leading to an execution gap between IT policy development and operation. Ultimately, the gap restricted the company’s ability to implement security initiatives in a comprehensive and timely manner.
Complex and outdated IT systems. Equifax’s aggressive growth strategy and accumulation of data resulted in a complex IT environment. Both the complexity and antiquated nature of Equifax’s custom-built legacy systems made IT security especially challenging.
Failure to implement responsible security measurements. Equifax allowed over 300 security certificates to expire, including 79 certificates for monitoring business critical domains. Failure to renew an expired digital certificate for 19 months left Equifax without visibility on the exfiltration of data during the time of the cyberattack.
Unprepared to support affected consumers. After Equifax informed the public of the data breach, they were unprepared to identify, alert, and support affected consumers. The breach website and call centers were immediately overwhelmed, resulting in affected consumers being unable to access information necessary to protect their identity.
Reading the Equifax report is chilling, because for many of us, it’s like looking in the mirror – and not liking what we see. The problems that led to the Equifax breach are not unique to Equifax, they’re common in many organizations.
And so, as we enter 2019 and continue to spend far too much time and energy chasing magical technology elixirs such as blockchain and AI as the cure-alls for our cybersecurity ailments, we should instead let history be our guide to a more cyber secure environment. Fundamentals over fantasy – there are no shortcuts to a cyber secure environment. In fact, there is no such thing as a totally secure cyber environment. The function of a cybersecurity program is to help the organization manage risk at an acceptable level. Over the course of 2019, the NJCCIC Bulletin will include a This Is Security segment intended address common cybersecurity issues and offer practical tips in an effort to help organizations stave off “totally preventable” incidents.
What Are We Trying To Protect?
As technology has proliferated throughout organizations over the years, IT infrastructure has also become quite complex. There are legacy systems, physical systems, virtualized systems, acquired systems, distributed systems, cloud systems, third-party systems, mobile systems, IoT devices, and systems that should have been decommissioned but for some reason just won’t go away. And then there’s the shadow IT systems that are typically implemented by renegades due to a dissatisfaction with the service provided by the organization’s information technology department.
The greatest information security team in the world has no chance of effectively managing cybersecurity risk without an accurate and current inventory of their organization’s technology assets. That inventory is not just a count of systems, but of their configurations, applications, operating systems and software versions, patch levels, dependencies, and interconnections with other systems - direct and indirect. It includes sensitive data inventories. For any IT asset inventory to be effective it must also be correlated to an equally current and accurate account management inventory - to include user, administrator, and service accounts, and to what applications, systems, networks, and information they have authorized access. But too often, IT asset inventory consists solely of asset tags affixed to physical assets that can be counted annually for budget and accounting purposes.
Accurate inventories and documentation of technology assets are foundational to good IT management and security. Without it, your chances of effectively managing your IT environment is not very good. The same can be said for your ability to manage cyber risks. Unlike threat hunting, penetration testing, and red team exercises, IT asset inventory does not conjure up intrigue and suspense, but again without it, none of those sexy activities will be as effective as they could be absent a comprehensive picture of your environment. As documented in 2016 Committee on Oversight and Government Reform’s report on the Office of Personnel Management (OPM) data breach the “failure to maintain an accurate inventory undermines all attempts at securing OPM’s information systems.”
Where to Begin?
A good place to start is by reading your organization’s mission statement. Large organizations will be grouped into component business units and each of those will have mission statements, business goals and objectives that support the enterprise. Without an understanding of your organization’s mission, your cybersecurity efforts will not be as effective as they should be. Next, identify the information assets that are most critical to carrying out the mission and achieving your organization’s goals and objectives.
Examples of information assets include, but are not limited to:
Information: databases and data files, system documentation, network diagrams, user manuals, training materials, operational procedures, disaster recovery plans, archived information;
Software: application software, application source code, system software, development tools and utilities;
Equipment: physical equipment (e.g., desktop and laptop computers, portable devices, tablets, smartphones), communication equipment (e.g., routers, switches, firewalls), magnetic and optical media (e.g., tapes and disks); and
Services: locally hosted and cloud computing and communications services.
And, as important as identifying all of the above individual information assets are, correlating them to their respective business functions, criticality, and sensitivity, as well as mapping their connections and interdependencie is essential to a comprehensive inventory.
Whether you follow the Center for Internet Security’s Top 20 Controls, the NIST framework, ISO/IEC 27001, or any other security framework, maintaining a comprehensive IT asset inventory is a cornerstone to good IT and an effective cybersecurity function. Every organization should have an Information Asset Management policy in place and the asset management activities as dictated by the policy must be carried out continuously. There are plenty of examples of IT Asset Management policies on the web. The New Jersey Statewide Information Security Manual (SISM), which was published by the NJCCIC in 2018, includes one, along with standards and guidelines.
Various tools and technologies can assist in building and maintaining your inventory. IT Asset Management (ITAM) systems can help identify and store asset information. Network Access Control (NAC) solutions can also be implemented to help ensure no unauthorized devices are connected to the organization’s network. As IT environments are in constant flux, asset data must be continuously updated to reflect the latest changes and, by implementing the correct tools and technologies for your environment, most of the updates can be automated.
But tools and technologies alone will not provide the necessary business context. That information, along with information related to the asset’s current custodian, system owner, administrator, information owner, etc., will need to be entered manually and kept current.
As with any application of technology use in the security realm, the processes for creating and maintaining the asset inventory must first be in place. These processes will be unique to your organization. The processes support the application of the policies and standards, and the technology adds efficiencies and automation to the processes. Throwing technology at a problem without a process in place is a recipe for failure.
Information asset management is fundamental to information security. As we have seen in the Equifax and OPM incidents, the lack of current and accurate inventories were precursors to their respective breaches. Each system, network, application, and account should be viewed as an entry point into your environment – just like any door or window. And unless you have a full accounting and a plan to protect all of the entry points, then consider yourself as one who has failed to learn from history and are bound to repeat it.