Having an asset management program to keep track of all of your hardware and software is a valuable part of your cybersecurity program, and it also gives you a way to manage support costs and productivity. With accurate hardware inventories, you can quickly determine how broad your footprint is (how many different hardware makes and models you need to support) and gauge your risk exposure from the numbers and types of vulnerabilities that apply to your environment. Likewise, by knowing what software is in your environment, you can determine licensing requirements and how many different types of vendor software patches and updates will apply. With a centralized management program and automated toolsets, you will be able to quickly find out what you have in your organization. A well-organized asset management program will then allow you to properly inventory and secure your devices, as well as determine costs and lifecycle replacement schedules. If you do not know what you have, you do not know how to secure it.
This article will serve as a quick IT Asset Management primer which will discuss the need for having accurate inventories and the variety of tools out there that will help you with both hardware and software asset management. A centralized and well-organized management system has the added bonus of also serving as a vital part of your security suite.
Hardware Asset Management:
Knowing where your hardware is located, knowing how many different makes and models of endpoints you have to support, and keeping track of equipment life-cycle maintenance are all vital aspects of a good hardware asset management program. From a security standpoint, you need to know what is connecting to your network, what kind of traffic it is generating, and you need to know if what is on the network is being properly managed with all of the necessary security tools. To help you properly manage all of these things, you need to keep an accurate inventory of your hardware.
Your hardware inventories should include the following:
- Machine name
- IP address
- Operating system
- Make
- Model
- Serial number
- Date purchased and/or provisioned
- Location (city, state, address, etc)
- Assigned user (if a workstation or mobile device)
- Administrator (if a server, router, switch, or another network component)
- Last Inventory Report Date
- Up/Down Status
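An added example, not part of the original article: a short Python reconciliation of a hardware inventory against the addresses actually seen on the network. The column names, sample records, observed addresses, and the 30-day staleness threshold are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory using the fields listed above (not real data).
INVENTORY_CSV = """machine_name,ip_address,operating_system,make,model,serial_number,location,owner,last_report,status
WS-0001,10.0.1.15,Windows 10,Dell,Latitude 5420,SN1001,Denver,alice,2024-05-28,up
WS-0002,10.0.1.16,Windows 10,Dell,Latitude 5420,,Denver,bob,2024-05-30,up
SRV-0001,10.0.2.10,Ubuntu 22.04,HPE,DL360,SN2001,Denver,ops-team,2024-03-02,up
"""

# Constructed list of addresses seen on the network (e.g. exported from a discovery tool).
OBSERVED_IPS = ["10.0.1.15", "10.0.1.16", "10.0.2.10", "10.0.3.77"]

# Fields a record must have before it can be tied to a device and a responsible person.
REQUIRED = ("machine_name", "ip_address", "serial_number", "owner", "last_report")


def reconcile(inventory_csv, observed_ips, today, max_age_days=30):
    """Compare inventory records with observed addresses and flag the gaps."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    known_ips = {r["ip_address"] for r in rows if r["ip_address"]}
    findings = {"unknown_on_network": [], "stale": [], "incomplete": []}

    # Devices talking on the network that no inventory record accounts for.
    findings["unknown_on_network"] = sorted(set(observed_ips) - known_ips)

    for r in rows:
        missing = [f for f in REQUIRED if not r[f].strip()]
        if missing:
            findings["incomplete"].append((r["machine_name"], missing))
        # A record that has not reported recently may be lost, retired, or unmanaged.
        if r["last_report"].strip():
            age = (today - date.fromisoformat(r["last_report"])).days
            if age > max_age_days:
                findings["stale"].append((r["machine_name"], age))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY_CSV, OBSERVED_IPS, date(2024, 6, 1)).items():
        print(kind, items)
```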
Examples of Tools That Will Help with Hardware Asset Management:
- Tivoli Endpoint Manager (BigFix)
- SolarWinds
- MobileIron (for mobile devices)
- Microsoft System Center (SCCM)
- ForeScout CounterAct
Software Asset Management:
Having a software standards list is vital so that you can determine what software and applications you are allowing to operate in your environment, and will help keep track of licensing issues. A few of the key issues with software in your environment are:
- Is the software safe and secure?
- Are there common vulnerabilities and exposures (CVEs) that can be quickly mapped to your software by your management tools?
- Are you preventing yourself from exposure to legal issues caused by using software that you are not paying for?
- Are you spending money on software that you don’t use?
To tackle these issues, start by developing a software standards document. Your software standards document should contain a list of operating systems for both workstations and servers, and which firmware is installed on all of your routers, switches, and other network devices. Don’t forget cell phones, tablets, and other mobile devices. Keep track of the latest smartphone operating system versions and which applications you are going to allow your users to install. Make sure to include the minimum operating system version to use as a baseline to determine compatibility and compliance. Then, list each type of standard software that every computer in your environment should be using. For example, all workstations would have some sort of office productivity software suite, so you would list Microsoft Office 2016 as the minimum version that you would want on every machine.
Also list all security software that MUST be installed on each computer, such as antivirus clients, patching system agents, and any other security utilities that you decide for your computing environment. Again – list minimum versions. This will be a very dynamic document, so as you install new and updated versions, be sure to update the Software Standards document.
Keep an accurate inventory of your software. This will help with licensing true-ups, and will also help you to determine compliance with minimum software version numbers as mentioned above. These inventories need to be updated periodically to ensure accurate counts. Your inventories should include the following:
- Software title
- Software version
- Publisher or vendor
- Where installed (which computers)
- Software usage information (when installed, how often used, etc)
Examples of Tools That Will Help with Software Asset Management:
- Tivoli Endpoint Manager (BigFix)
- SolarWinds
- MobileIron (for mobile devices)
- Microsoft System Center (SCCM)
- Carbon Black Protection
A word on “prohibited software.” Things like peer-to-peer file sharing (“bit-torrent” types of applications), and streaming applications can lead to your organization running afoul of licensing and copyright regulations by allowing your employees to download protected material and store it on your network. This makes YOU liable for any infringements that arise. These types of software programs also eat up bandwidth and performance on your network as well as causing your employees to be distracted and less productive. Remote access tools (RATs) can leave your network vulnerable, especially if you are using a wide variety of these tools instead of selecting and standardizing one or two tools that you can manage and keep secure. Many of these types of software programs are not secure and will potentially leave you with critical security vulnerabilities on your network that can be easily exploited. Things like stock trading applications, games, and video streaming applications can be distractions for employees, lead to reduced productivity, and even lead to employee misconduct issues. Make sure that your employee acceptable use (rules of behavior) policies state what your employees are allowed to do on the job, and be sure to monitor software installations.
Having old, outdated, and unsupported versions of even non-prohibited software will leave you exposed to unmitigated vulnerabilities. For example, I remember doing vulnerability analysis of our environment a while back - right about the time that Adobe announced that they would no longer support Adobe Acrobat versions 11 and prior. I pulled vulnerability reports of all of our machines that had these older versions and found out that one single instance of an unpatched Adobe Acrobat 11 on a single computer accounted for 76 vulnerability line items. Multiply this by hundreds of computers, and we had several thousand HIGH severity vulnerabilities. I outlined more examples of this phenomenon in my article earlier this year on Vulnerabilities and Patches. The bottom line is that old and unsupported software can leave your organization vulnerable with no mitigation.
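An added example, not part of the original article: a Python check of a software inventory against a software standards document, covering minimum versions, required security software, and prohibited titles as described above. The standards entries, product names, version numbers, and inventory rows are constructed for illustration.

```python
# Constructed software standards document: minimum versions, required agents, prohibited titles.
STANDARDS = {
    "minimum_versions": {"Microsoft Office": "16.0", "Adobe Acrobat": "17.0"},
    "required": {"Antivirus Client", "Patch Agent"},
    "prohibited": {"TorrentClient"},
}

# Constructed inventory rows: (computer, software title, version).
INVENTORY = [
    ("WS-0001", "Microsoft Office", "16.0.5"),
    ("WS-0001", "Antivirus Client", "7.2"),
    ("WS-0001", "Patch Agent", "10.0.1"),
    ("WS-0002", "Microsoft Office", "15.0.9"),
    ("WS-0002", "Adobe Acrobat", "11.0.23"),
    ("WS-0002", "Antivirus Client", "7.2"),
    ("WS-0002", "TorrentClient", "3.1"),
]


def parse_version(text):
    """Turn '16.0.5' into (16, 0, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_compliance(inventory, standards):
    """Return {computer: [finding, ...]} for every computer that violates the standards."""
    installed = {}
    for computer, title, version in inventory:
        installed.setdefault(computer, {})[title] = version

    report = {}
    for computer, titles in sorted(installed.items()):
        findings = []
        for title, version in sorted(titles.items()):
            minimum = standards["minimum_versions"].get(title)
            if minimum and parse_version(version) < parse_version(minimum):
                findings.append(f"below minimum: {title} {version} < {minimum}")
            if title in standards["prohibited"]:
                findings.append(f"prohibited: {title}")
        # Required security software that never showed up in this computer's inventory.
        for title in sorted(standards["required"] - set(titles)):
            findings.append(f"missing required: {title}")
        if findings:
            report[computer] = findings
    return report


if __name__ == "__main__":
    for computer, findings in check_compliance(INVENTORY, STANDARDS).items():
        print(computer, findings)
```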
Asset Management Strategies:
There are a variety of tools out there that will help you with both hardware and software inventories and have the added bonus of serving as your centralized patching/software update solution. Tivoli Endpoint Manager (aka BigFix), for example, has an entire suite of tools that allow you to do hardware and software asset management, patch deployment, secure configuration compliance analysis, and vulnerability analysis. “BigFix” also supports Windows, Mac, and Linux based operating system components. Microsoft System Center (aka SCCM) also allows for centralized patch management as well as the hardware and software inventory capabilities, but only for Microsoft based operating system components. In addition to make, model, user name, iOS versions, and phone number, tools like MobileIron allow you to see which apps are installed. Centralized mobile management systems also give you the ability to send “wipe” commands to delete all of the data on a device that is lost or stolen.
[Image: IBM Endpoint Manager for Software Use Analysis]
ForeScout CounterAct is a tool that connects to a SPAN port on your core switches to see all of your network traffic and uses Nmap to survey your entire network infrastructure to locate any device that connects to your network. CounterAct allows you to create policies to classify devices, look for software installations, and even alert you when software has been added or removed from your connected devices.
Tools like Carbon Black and Microsoft AppLocker will allow you to set policies on what software can and cannot be installed and executed, and will also provide a technical means of automatic policy enforcement. Carbon Black gives a very accurate software inventory and has the ability to provide administrators with an easy way to automatically approve or block software applications.
Here are some resources that will give a pretty good overview of the IT Asset Management program:
- CIO Magazine - Best Practices in Hardware Asset Management: https://www.cio.com/article/3077893/best-practices-in-hardware-asset-management.html
- ITIL Docs – Guidelines for IT Asset Management Policy Operations: http://www.itil-docs.com/it-asset-management-policy-itil-asset-management/
- DHS Continuous Diagnostics and Mitigation (CDM) Program: https://www.dhs.gov/cisa/cdm