Beating the Odds: One Chance in 9,223,372,036,854,775,808
By Jennifer Kurtz, Cyber Program Director
What are your odds for picking the perfect security bracket around your information and its supporting systems? Probably worse than the odds of crafting the perfect March Madness bracket, which some mathematicians calculate as one in 9.2 quintillion. And yet, you probably know someone who is willing to play the odds: an estimated $10 billion was bet on March Madness outcomes in 2017, according to the American Gaming Association1. As a comparison, US organizations spent about three times as much—$31.5 billion—on cybersecurity tools and services in 20162. Those betting on either should be using similar techniques for making their picks, starting with identification (AKA reconnaissance, also, the starting phase for pragmatic hackers).
Reconnaissance is the essential information-gathering phase during which you identify the components of your information system. It requires taking a physical inventory of devices; a discovery inventory of software; a process inventory of automated scripts, system interfaces, and information transfers not readily visible; and a personnel inventory of access privileges. Although documenting your system inventory is time-consuming, you can’t protect what you don’t know you have—and can’t reliably detect, respond to, or recover from undesirable or unscheduled system changes. What you don’t know can hurt you.
Physical Inventory: Taking physical inventory is a familiar routine. Tools exist for automated network discovery that will make the first cut at listing IT assets easier, although you might still have to insert details about assets manually (e.g., useful life, vendor, registration/model/license numbers, repair and maintenance notes, known connected objects that were undetected). The general categories of physical IT assets include servers, routers, switches, hubs, wireless access points, printers, fax machines, sensors, UPS, cameras (e.g., surveillance), desktop phones, removable storage media, small factor/mobile devices (all that connect to the network, whether owned by the organization or individuals).
Software Inventory: Recording software assets may reveal an environment that is excessively complex. Standardizing on software versions can simplify tasks related to technical support, whether they are related to end-user assistance, software patching, licensing payments, system maintenance, or technology refreshment.
Process Inventory: A process inventory is often recorded as a network diagram and/or information process flow diagram. Assembling the relevant information with good detail (and possibly historical knowledge) requires surveying data owners and data users to understand all creation, collection, retention, transfer, and sharing points for information. Remember when performing the process inventory that the “as designed” and “as built” information system (IS) environments may be inconsistent with the “as used” environments.
Personnel Inventory: Document all those who have access to different systems by individual user accounts, actual usage, and privilege level (what an individual account has access to, where and when access is permitted, and what activities are permitted).
Next Steps: Gather the information into simple documents, electronic and hard copy, with the latter stored securely—and at least one copy stored offsite. You may have already started to inventory IT assets as part of insurance, budget, tax, disaster recovery, incident response, or business continuity planning. Build on this IT asset inventory and update it regularly and as known changes occur. Performing both calendar-triggered and event-triggered updates can help close the information gap between what the inventory record says and actual usage. There are recommended follow-up evaluation steps for all of this inventory documentation that will be addressed in subsequent Simply Cyber issues.
Just as you wouldn’t squander your March Madness picks without knowing the 64 teams actually on the roster, you oughtn’t squander your cybersecurity resources—budget, personnel, energy—without knowing your environment. Identifying your IT assets is the essential first step to exercising due care and bettering your protection odds.