IT Asset Management - An Overview

Having an asset management program to keep track of all of your hardware and software is a valuable part of your cybersecurity program, as well as giving you a way to help manage support costs and productivity.  You can quickly determine how broad your footprint is in terms of how many different hardware makes and models you need to support as well as knowing your risk exposure by knowing the numbers and types of vulnerabilities that are applicable to your environment and having accurate inventories of all of your hardware.  Likewise, you can determine licensing requirements and how many different types of vendor software patches and updates will apply to your environment by knowing what software is in your environment.  By having a centralized management program and automated toolsets, you will be able to quickly find out what you have in your organization.  A well-organized asset management program will then allow you to properly inventory and secure your devices, as well as determine costs and lifecycle replacement schedules as well.  If you do not know what you have, you do not know how to secure it.

This article will serve as a quick IT Asset Management primer which will discuss the need for having accurate inventories and variety of tools out there that will help you with both hardware and software asset management.  A centralized and well-organized management system has the added bonus of also serving as a vital part of your security suite. 

Hardware Asset Management:

Knowing where your hardware is located, knowing how many different makes and models of endpoints you have to support, and keeping track of equipment life-cycle maintenance are all vital aspects of a good hardware asset management program.  From a security standpoint, you need to know what is connecting to your network, what kind of traffic it is generating, and you need to know if what is on the network is being properly managed with all of the necessary security tools.  To help you properly manage all of these things, you need to keep an accurate inventory of your hardware.

Your hardware inventories should include the following:

• Machine name
• IP address
• Operating system
• Make
• Model
• Serial number
• Date purchased and/or provisioned
• Location (city, state, address, etc)
• Assigned user (if a workstation or mobile device)
• Administrator (if a server, router, switch, or another network component)
• Last Inventory Report Date
• Up/Down Status

Examples of Tools That Will Help with Hardware Asset Management:

• Tivoli Endpoint Manager (BigFix)
• SolarWinds
• MobileIron (for mobile devices)
• Microsoft System Center (SCCM)
• ForeScout CounterAct

Software Asset Management:

Having a software standards list is vital so that you can determine what software and applications you are allowing to operate in your environment, and will help keep track of licensing issues.  A few of the key issues with software in your environment are:

• Is the software safe and secure?
• Are there common vulnerabilities and exposures (CVEs) that can be quickly mapped to your software by your management tools?
• Are you preventing yourself from exposure to legal issues caused by using software that you are not paying for?
• Are you spending money on software that you don’t use?

To tackle these issues, start by developing a software standards document. Your software standards document should contain a list of operating systems for both workstations and servers, and which firmware is installed on all of your routers, switches, and other network devices.  Don’t forget cell phones, tablets, and other mobile devices.  Keep track of the latest smartphone operating system versions and which applications you are going to allow your users to install.  Make sure to include the minimum operating system version to use as a baseline to determine compatibility and compliance.  Then, list each type of standard software that every computer in your environment should be using.  For example, all workstations would have some sort of office productivity software suite, so you would list Microsoft Office 2016 as the minimum version that you would want on every machine.

Also list all security software that MUST be installed on each computer, such as antivirus clients, patching system agents, and any other security utilities that you decide for your computing environment.  Again – list minimum versions.  This will be a very dynamic document, so as you install new and updated versions, be sure to update the Software Standards document.

Keep an accurate inventory of your software.  This will help with licensing true-ups, and will also help you to determine compliance with minimum software version numbers as mentioned above. These inventories need to be updated periodically to ensure accurate counts.  Your inventories should include the following:

• Software title
• Software version
• Publisher or vendor
• Where installed (which computers)
• Software usage information (when installed, how often used, etc)

Examples of Tools That Will Help with Software Asset Management:

• Tivoli Endpoint Manager (BigFix)
• SolarWinds
• MobileIron (for mobile devices)
• Microsoft System Center (SCCM)
• Carbon Black Protection

A word on “prohibited software.”  Things like peer-to-peer file sharing (“bit-torrent” types of applications), and streaming applications can lead to your organization running afoul of licensing and copyright regulations by allowing your employees to download protected material and store on your network.  This makes YOU liable for any infringements that arise.  These types of software programs also eat up bandwidth and performance on your network as well as causing your employees to be distracted and less productive.  Remote access tools (RATs) can leave your network vulnerable, especially if you are using a wide variety of these tools instead of selecting and standardizing one or two tools that you can manage and keep secure.  Many of these types of software programs are not secure and will potentially leave you with critical security vulnerabilities on your network that can be easily exploited.  Things like stock trading applications, games, and video streaming applications can be distractions for employees, lead to reduced productivity, and even lead to employee misconduct issues.  Make sure that your employee acceptable use (rules of behavior) policies state what your employees are allowed to do on the job, and be sure to monitor software installations.

Having old, outdated, and unsupported versions of even non-prohibited software will leave you vulnerable to unmitigated vulnerabilities. For example, I remember doing vulnerability analysis of our environment a while back - right about the time that Adobe announced that they would no longer support Adobe Acrobat versions 11 and prior.  I pulled vulnerability reports of all of our machines that had these older versions and found out that one single instance of an unpatched Adobe Acrobat 11 on a single computer accounted for 76 vulnerability line items.  Multiply this by hundreds of computers, and we had several thousand HIGH severity vulnerabilities.  I outlined more examples of this phenomenon in my article earlier this year on Vulnerabilities and Patches.  The bottom line is that old and unsupported software can leave your organization vulnerable with no mitigation.

Asset Management Strategies:

There are a variety of tools out there that will help you with both hardware and software inventories and have the added bonus as serving as your centralized patching/software update solution. Tivoli Endpoint Manager (aka BigFix), for example, has an entire suite of tools that allow you to do hardware and software asset management, patch deployment, secure configuration compliance analysis, and vulnerability analysis.  “BigFix” also supports Windows, MAC, and Linux based operating system components.  Microsoft System Center (aka SCCM) also allows for centralized patch management as well as the hardware and software inventory capabilities, but only for Microsoft based operating system components.  In addition, to make, model, user name, iOS versions, and phone number, tools like MobileIron allow you to see which apps are installed.  Centralized mobile management systems also give you the ability to send “wipe” commands to delete all of the data on a device that is lost or stolen.

IBM Endpoint Manager for Software Use Analysis:

ForeScount/CounterAct is a tool that connects to a SPAN port on your core switches to see all of your network traffic and uses NMAP to survey your entire network infrastructure to locate any device that connects to your network.  CounterAct allows you to create policies to classify devices, look for software installations, and even alert you when software has been added or removed from your connected devices.

Tools like Carbon Black and Microsoft AppLocker will allow you to set policies on what software can and cannot be installed and executed, and will also provide a technical means of automatic policy enforcement.   Carbon Black gives a very accurate software inventory and has the ability to provide administrators with an easy way to automatically approve or block software applications.

Here are some resources that will give a pretty good overview of the IT Asset Management program:

• CIO Magazine - Best Practices in Hardware Asset Management:  https://www.cio.com/article/3077893/best-practices-in-hardware-asset-management.html
• ITIL Docs – Guidelines for IT Asset Management Policy Operations:  http://www.itil-docs.com/it-asset-management-policy-itil-asset-management/
• DHS Continuous Diagnostics and Mitigation (CDM) Program:  https://www.dhs.gov/cisa/cdm

Stay Safe by Raising Your Levels of Awareness

I know - not cybersecurity or tech-related, but September has been designated as National Preparedness Month, so with that, I will be putting a series of articles here this month to help you become and stay prepared in times of emergency.  By keeping you and your family prepared, you will then be able to help your neighbors and co-workers with their preparedness also.

During times of emergency, you can either choose to be proactive or reactive. The difference is that by being proactive, you are more in control of the situation. If you’re reactive like most people, your awareness level is low. Sudden acts of violence that seem to spring out of nowhere can take you by surprise because you’re unaware of what is going on around you. There are thousands of people who have been victims of thefts, rape, robberies, and murders – all because they weren’t aware of their surroundings. All preppers should remember this mantra – if you’re not looking for it, you won’t see it coming!

Look Out For Things That Seem Off:

The first step to raising your level of awareness is to look out for things that may seem amiss or out of the ordinary. During a time of crisis, crimes will skyrocket. Even during peacetime, criminals are constantly looking for an opportunity to strike and they want an easy victim. It’s going to be someone… but you don’t want it to be you. If you notice the same guy walking by the street outside your house several times and you’ve never seen him before, do alert law enforcement. Do not assume he’s a landscaper. Something is amiss, and you need to be proactive. He could be casing your house with intentions to break in at night. It’s better to err on the side of caution.

Risk Management:

People by nature are not violent. Most of them abhor confrontation and physical fights because they do not want to hurt someone or get hurt in the process. However, there are some people who do enjoy causing pain. They may have anger issues or be mentally unsound. Burying your head in the sand and thinking that Mahatma Gandhi’s non-violent style is the way to go, will probably mean that you could end up as a victim. If you’re on the road and someone cuts you off, getting into a physical altercation with them may be tempting, but it’s not the way to go. Stay calm. If you’re outside and a group of youths makes fun of you, do not approach them to ‘sort them out’… let it go and move on. The first rule of survival is to get away from a dangerous situation. If you’re in a bus late at night and someone who looks creepy gets on the bus, stay alert and be aware of what they’re up to without making direct eye contact. Do not bury your head in a magazine or glue your eyes to your mobile phone. They could attack you in an instant and catch you unaware. It has happened before, and it will happen again.

Walk Confidently:

Just making yourself look confident and like someone that is not to be ‘messed with’ is enough to put off most criminals. The man who walks upright and scans his surroundings confidently gives off the air that he can handle himself. Criminals will steer clear of him because he doesn’t seem like an easy target. The man who shuffles meekly to his car while clutching a newspaper under his arm as he balances his cup of coffee while trying to use his phone pinched against his ear with his shoulder as he opens the car door has the words ‘mugging victim’ written all over him. Act brave. Look tough and be alert… even if you’re quaking in your boots. Presentation really matters.

Teach Your Children Well:

Teach your children not to trust strangers. If someone calls the house pretending to do a survey and the kid answers the phone, they shouldn’t disclose if there’s no one at home. Or mention that their mother is busy doing the dishes at the moment and there is no other adult around. It could be someone planning to rob the house. The people that your kids meet on the internet can pose serious threats too. Be very aware of whom they’re chatting with online.

Don’t Be Too Trusting:

Last but not least, NEVER be too trusting. No good deed goes unpunished. The guy having car problems by the road may have accomplices who car-jack you the moment you step out to offer assistance. If you told a few of your neighbors that you’re storing food supplies in case of an emergency, they’ll probably laugh at your paranoia. However, when crisis strikes and there’s a food shortage in your area, guess who is the first person they’re going to think of approaching or robbing. Yup… it’s you. Be careful of what you tell others. There can be severe consequences.

To wrap it all up, just know that during a crisis, you need to be extra vigilant and aware of what’s going on around you. Stay alert and you’ll be much more likely to pick up on little things that just don’t seem right. Your gut instincts will guide you. Listen to them and you’ll probably be safe.