Although it may not get the buzz of AI, machine learning, zero-day or deception technologies, asset management is foundational to cybersecurity. Look behind many of the breaches and you’ll find a single, unsecured point of access and/or a single person’s credentials that unlock the gates. And as those points of access increase exponentially to include smart devices in the internet of things (IoT) boom, the risk compounds greatly.
This is where cybersecurity asset management enters the picture. It’s the process of gathering data from any source that provides detailed information about assets, correlating that data to produce a view of every asset, continually validating every asset’s adherence to the overall security policy and creating automatic actions whenever an asset deviates from the policy.
Asset Management in Security
Asset management can help security—and other teams—solve many nagging issues. Here are five common security holes, glitches and errors often uncovered by a cybersecurity asset management program.
Assets Missing an Endpoint Agent
Most security teams buy many security and management tools to protect assets like laptops, desktops, servers, virtual machines, mobile devices and cloud instances. Despite purchasing and deploying multiple agents, organizations often struggle to answer questions such as:
- Which assets are missing the relevant endpoint protection platform/endpoint detection and response (EPP/EDR) agent defined by their security policy?
- Which assets have the right agent installed, but have disabled its functionality?
- Which assets have an old version of the right agent installed?
These questions address agent health and cyber hygiene—understanding which assets are missing the proper security tool coverage and which are missing the tools’ functionality.
Much like buying a home security system and never turning it on, evaluating security vendors, rolling out the selected solution and then having an asset fall victim to malware because it lacked the endpoint agent is a failure that should never happen.
The biggest security issue related to agent health and cyber hygiene is simply not knowing which assets aren’t covered by a security solution. It should be easy to know, but there are inherent challenges. For example, logging into the admin console of an EPP/EDR can tell organizations which assets have had the agent installed. Unfortunately, many solutions can’t tell whether the agent is currently running and functioning as expected.
Unmanaged Assets
Unmanaged assets are devices that are only known to the network and have no management or security agents installed. These could be laptops plugged into the corporate network, cloud instances without any security solution coverage or an IoT device only seen by a vulnerability assessment (VA) tool.
By definition, unmanaged devices are only known to the network or network scanners, and that means very little is known about them. In some cases, that’s OK. The smart TV in the conference room isn’t going to be part of a patch schedule and doesn’t need to have an EPP/EDR agent installed. But most organizations will find unmanaged assets that should be managed.
Cloud Instances Not Being Scanned by a VA Tool
The elastic, on-demand nature of the cloud, coupled with the speed of DevOps, has driven organizations to move more to the cloud. However, the security solutions that organizations have implemented to protect their on-premises assets don’t necessarily work for the cloud.
VA tools do an amazing job of scanning a network to discover devices with known vulnerabilities, but they can only scan what they know about. The dynamic nature of the cloud can cause a gap whereby VA tools don’t know that there are new instances to scan.
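The correlation the article describes, as an added example that is not from the original piece: several tool exports (AD computer objects, a network scan, the EPP/EDR console, the cloud inventory and the VA tool's target list) are normalised onto one hostname key and compared to surface assets missing an agent, running a disabled or outdated agent, unmanaged devices only the network knows about, and cloud instances the VA tool has never scanned. All hostnames, versions and the policy minimum version are constructed sample data.

```python
# Constructed sample exports (not real inventories): one record per asset per source.
AD_COMPUTERS = ["WS-101.corp.example", "SRV-DB01.corp.example",
                "WS-102.corp.example", "SRV-FILE02.corp.example"]
NETWORK_SCAN = ["ws-101", "srv-db01", "ws-102", "srv-file02", "conf-room-tv", "printer-3f"]
EDR_CONSOLE = [  # (hostname, agent version, agent service state)
    ("WS-101", "7.4.1", "running"),
    ("SRV-DB01", "6.9.0", "running"),
    ("WS-102", "7.4.1", "stopped"),
]
CLOUD_INSTANCES = ["web-1.cloud.example", "web-2.cloud.example"]
VA_TARGETS = ["web-1", "ws-101", "srv-db01", "ws-102", "srv-file02"]
REQUIRED_AGENT_VERSION = (7, 4, 0)  # assumed policy minimum; set this to your own policy


def norm(name: str) -> str:
    """Map hostnames from different tools onto one key: short name, lower case."""
    return name.split(".")[0].strip().lower()


def parse_version(version: str) -> tuple:
    """Turn '7.4.1' into (7, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def find_gaps(ad, network, edr, cloud, va, min_version=REQUIRED_AGENT_VERSION) -> dict:
    """Correlate the sources and return every policy deviation, grouped by category."""
    managed = {norm(h) for h in ad}
    seen_on_network = {norm(h) for h in network}
    agents = {norm(h): (parse_version(v), state) for h, v, state in edr}
    agent_hosts = set(agents)
    cloud_hosts = {norm(h) for h in cloud}
    scanned = {norm(h) for h in va}
    return {
        # Managed assets the EDR console has never reported at all.
        "missing_agent": sorted(managed - agent_hosts),
        # Agent installed but its service is not running (functionality disabled).
        "agent_disabled": sorted(h for h, (_, state) in agents.items() if state != "running"),
        # Agent installed but older than the policy minimum.
        "agent_outdated": sorted(h for h, (ver, _) in agents.items() if ver < min_version),
        # Devices only the network knows about: no directory object and no agent.
        "unmanaged": sorted(seen_on_network - managed - agent_hosts),
        # Cloud instances the VA tool does not have in its target list.
        "cloud_not_scanned": sorted(cloud_hosts - scanned),
    }


if __name__ == "__main__":
    gaps = find_gaps(AD_COMPUTERS, NETWORK_SCAN, EDR_CONSOLE, CLOUD_INSTANCES, VA_TARGETS)
    for category, hosts in gaps.items():
        print(f"{category}: {hosts}")
```

The conference-room TV and the printer land in the unmanaged bucket, which is exactly the list a team then triages into "acceptable" and "should be managed".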
And publicly available cloud instances are increasingly becoming the cause of data breaches. Most recently, attackers have found a way to exploit a zero-day to install ransomware on cloud servers without requiring end-users to click on anything.
Users with Bad Permissions
Microsoft lists several Active Directory (AD) permissions that should not be set for users, but here we’ll look at three: AD password never expires, AD password not required and AD no pre-authentication required.
Having a user account in AD with the password not required flag set can create a security risk, especially when this is a domain admin account login on a domain controller. Additionally, the user is not subject to any existing policy regarding the length of the password and may have a shorter password than is required—or may even have no password at all, even if empty passwords are not allowed.
With no pre-authentication set, an attacker can send a dummy request for authentication and the Key Distribution Center (KDC) will return an encrypted ticket-granting ticket (TGT), which the attacker can then brute-force offline. Upon checking the KDC logs, nothing will be seen except a single request for a TGT. When Kerberos timestamp pre-authentication is enforced, the attacker cannot ask the KDCs for the encrypted material to brute-force offline. The attacker has to encrypt a timestamp with a password and offer it to the KDC. The attacker can repeat this over and over; however, the KDC log will record an entry every time the pre-authentication fails.
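The three flags above live in the userAccountControl attribute of each AD user object; the example below, added here and not part of the article, decodes that bitmask from a directory export and ranks the findings so that privileged accounts (the "domain admin" case the text calls out) come first. The account names, the group DN and the export format are constructed; only the bit values are Microsoft's documented userAccountControl flags.

```python
# userAccountControl bit values as documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# The three settings the article discusses, in the order they are reported.
RISKY_FLAGS = {
    DONT_EXPIRE_PASSWD: "password never expires",
    PASSWD_NOTREQD: "password not required",
    DONT_REQ_PREAUTH: "no Kerberos pre-authentication required",
}

# Constructed sample export (not from a real domain); group DN is assumed.
PRIVILEGED_GROUPS = {"CN=Domain Admins,CN=Users,DC=corp,DC=example"}
ACCOUNTS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200, "memberOf": []},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x410200,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "kiosk", "userAccountControl": 0x0220, "memberOf": []},
    {"sAMAccountName": "old-admin", "userAccountControl": 0x10222,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
    {"sAMAccountName": "asmith", "userAccountControl": 0x0200, "memberOf": []},
]


def risky_flags(uac: int) -> list:
    """Return the human-readable names of the risky bits set in a userAccountControl value."""
    return [name for bit, name in RISKY_FLAGS.items() if uac & bit]


def audit(accounts, privileged_groups=PRIVILEGED_GROUPS) -> list:
    """Report enabled accounts with risky flags, privileged accounts first."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts cannot log on; enabled ones need attention first
        flags = risky_flags(uac)
        if not flags:
            continue
        privileged = any(group in privileged_groups for group in acct["memberOf"])
        findings.append({"account": acct["sAMAccountName"], "flags": flags,
                         "privileged": privileged})
    # Privileged accounts first, then those with the most risky flags, then by name.
    findings.sort(key=lambda f: (not f["privileged"], -len(f["flags"]), f["account"]))
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```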
Assets with Critical Vulnerabilities
Critical vulnerabilities here follow the Common Vulnerabilities and Exposures (CVE) classification: an asset is deficient or vulnerable to a direct or indirect attack that would create decisive or significant effects.
Devices with critical vulnerabilities are the most prone to attack, as published vulnerabilities are proven to be exploitable and are the most likely to be targets of malicious actors. Any time a critical vulnerability is published, security teams should focus on patching and updating any assets found to have the critical vulnerability present.
Looking at the entire list, you’ll instantly notice that these discoveries are not zero-day vulnerabilities, or anything quite so flashy. It’s the basics of good security hygiene, and where organizations should be focused to get the most benefit. As organizations race to the edge and adopt devices for innovation and efficiency, they have to bring along both best and basic cybersecurity practices to ensure that devices dangling around the edges or even core to new initiatives aren’t increasing risk posture.