Do you know every device that is on your network?
Many organizations will say they have a good idea.
But do they really?
On penetration tests, we regularly find devices that the organization being tested wasn’t aware were present.
Here are 5 IT asset management best practices that you should follow to reduce your attack surface.
- Create an IT Asset Inventory
- Develop an IT Asset Life Cycle Management Plan
- Automate processes to discover new assets
- Prevent un-approved items from joining the network
- Regularly audit and update asset inventory
Create an IT asset inventory
Here’s the bottom line when it comes to IT Assets:
You can’t secure what you don’t know exists.
It is paramount for your organization’s security program to know exactly what devices, software, and solutions are being used.
Here’s how you can create a complete asset inventory:
Step 1: Discovering Assets
Use an asset scanner/discovery solution like Nmap to find all of the devices that are connected to your network.
Note: Nmap is a command-line tool, but you can use the GUI version – Zenmap – if you aren’t comfortable with the command line. You can download the tool here.
In Zenmap, you will need to perform a scan of your network’s subnets.
There are many operators that you can use to improve the results you get.
For example, you can use the -O flag to tell it to try to determine the operating system of the device.
If you are new to Nmap, here’s a great tutorial to get started.
Step 2: Document the devices you’ve discovered
In Zenmap, you can’t export your network findings to a CSV file directly.
But there are some tools that can help you easily convert to an Excel sheet if you want to track your assets that way.
Here’s one tool that can help.
NMAP Scan To CSV Tool
Alternatively, you can use an IT Asset Management Solution tool to track your assets.
These tools usually make it very simple to sort, filter, and export assets and asset details.
Step 3: Add an agent for automatically inventorying software
You can perform a manual software asset inventory, but that will get SUPER tedious and painful for your IT team – I promise.
Instead, I would recommend starting with an automated solution.
Qualys is a free option that works really well.
Whenever you deploy a new device, add the Qualys agent.
It will automatically report all of the software installed on each device, along with the version info and any vulnerabilities that may exist.
This is a cloud-based solution.
If you aren’t comfortable with cloud-based solutions, Spiceworks has an on-premise version that works decently well.
Here are some things that you may want to consider adding to your asset inventory:
- Graphics and Audio
- Hard Drives
- Hosted Virtual Machines
- Logical Volumes
- Network Interfaces
- Operating System
- Updates Applied
- Out of Band Management
- Ports and USB Controllers
- Removable Media
- Software Inventory
- Storage Controllers
- System Information
- OS Update Information
Develop an IT Asset Life Cycle Management Plan
Once you have a complete asset inventory in place, you will need to move on to the next asset management best practice: turning your asset inventory list into a complete asset life cycle management plan.
While this part isn’t nearly as tedious as the initial phase, it is equally important.
Here’s how you can create a plan for managing IT assets during their entire lifecycle.
Create policies and procedures
Your organization needs to have policies and procedures in place that dictate how staff will handle each phase of an asset’s life cycle.
Here are some policies or procedures that you should look into standardizing:
Device request policy
Create a standard form or method that ALL individuals within the company must follow when requesting new devices.
The complexity or sophistication of this will vary greatly depending on your organization.
For a large organization, this could include request forms with component requests and management approval.
Smaller organizations, on the other hand, might simply have a form to document the request made.
Asset request approval policy
The party or parties who approve requests for new devices should have procedures in place for documenting them.
Should an investigation come up later, you want to be able to go back and know who made a request and who approved it.
IT asset procurement policy
Another important part of the asset lifecycle that you’ll want to create standard procedures for is purchasing.
This becomes especially important for managing warranties.
Asset deployment policy
It is important that assets in your environment be deployed in a standardized way.
This is quite important for security.
Hopefully, you have already created a standard computer build.
This build will have been checked for security vulnerabilities and have all of the common software in your environment.
Then, each time a new computer needs to be deployed, it will basically be a clone of the “golden image.”
Again, this is super important for security; it will be much easier to secure and maintain standardized devices in your environment.
Automate Processes To Discover New Assets
Here’s the thing about following IT Asset Management best practices that you have to understand.
It is a continuous process; it’s not at all a one-time project.
That being said, it’s very important that you find ways to automate the required processes.
Again, remember, the focus of your efforts in this entire process is to secure your environment.
And you can’t secure what you don’t know exists.
Spiceworks IT asset management solution
There are countless IT asset management solutions that you can use, but in this section, we’ll look at one that’s free and works great for SMBs.
Once you have Spiceworks asset management set up, you can schedule network scans.
There are a few options for querying detailed information about the assets on your network.
If you use WMI, be sure that you have a service account set up in Active Directory.
Create security alerts for this account.
Next, create policies and schedules for scanning your network.
In Spiceworks, set how often you want the scans to be performed and the target networks.
Finally, you can set up automated reports to email network scan findings.
While automated tools like Spiceworks IT asset management are great, you should still perform manual audits.
It’s possible for attackers to hide from these systems.
Prevent unapproved devices from joining your network
This is a critical IT Asset management best practice.
You should definitely implement a solution to prevent unauthorized devices from joining your network.
There are numerous ways that you can approach this; let’s discuss a couple.
Every network device has a unique identifier — a MAC address.
If you’ve been implementing the IT asset management best practices that we’ve already discussed, you should have the MAC address of each device on your network.
Now, to prevent unapproved devices from joining or traversing your network, you can implement MAC filtering.
Many modern switches, routers, and firewalls have this capability.
Essentially, you will whitelist the MAC addresses that you want to allow on your network.
Everything else will be blocked.
Note: There are various ways that you can add the MACs to the whitelist. You don’t have to do it manually. Check out this article to learn more about it.
A network authentication protocol is another effective way to prevent rogue devices from joining your network.
Traditionally, this would require a completely separate solution.
However, for SMBs, many of the common UTMs and firewalls have this capability baked in.
In the SOPHOS XG firewalls, for example, you can sync the users from Microsoft Active Directory.
Then, you can require all users to authenticate with their AD credentials before their traffic can traverse the network.
Regularly audit and update asset inventory
Here’s the IT Asset management best practice that often gets overlooked.
You have to keep it up.
If your organization is in a regulated industry, you know that you must be prepared for audits.
However, every organization should keep their security documentation updated.
Performing self-audits is a requisite part of this.
Here’s how you can audit and maintain your asset inventory:
Create audit policies – Step 1
You need to have a policy in place that defines how often you will perform the audit as well as what the audit will review.
The policy that you create should include the people who will conduct the audits as well as what tools they will use.
Conduct the audit – Step 2
Exactly how you audit your IT assets will vary greatly depending on the size of your organization and the tools you have.
Here’s what you want to do:
Perform another scan of your network and determine the devices present.
Then, compare that scan’s results with the documented results.
Do they align closely?
Are there big gaps?
If so, you should determine what led to those gaps.
Were policies and procedures not followed? Or have rogue devices or software been installed?
Conducting regular audits is important in keeping your environment secure.
You can find rogue systems much more quickly.
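The comparison described above, as an added example that is not part of the original article: it checks a fresh scan against the documented inventory by MAC address and reports the gaps to investigate. The record layout, function names and sample data are constructed assumptions.

```python
import re

def normalize_mac(mac):
    """Reduce aa-bb-.., AABB.CCDD.EEFF and aa:bb:.. to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the address is not vendor-assigned (0x02 bit of the first octet)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(inventory, scan):
    """Compare documented assets with a fresh scan, keyed by MAC address."""
    documented = {normalize_mac(a["mac"]): a for a in inventory}
    seen = {normalize_mac(h["mac"]): h for h in scan if h.get("mac")}
    both = set(seen) & set(documented)
    return {
        "unknown": sorted(set(seen) - set(documented)),    # on the wire, not documented
        "not_seen": sorted(set(documented) - set(seen)),   # documented, not found
        "ip_changed": sorted(m for m in both if seen[m]["ip"] != documented[m]["ip"]),
        "no_mac": sorted(h["ip"] for h in scan if not h.get("mac")),  # verify by hand
        # Virtual NICs, randomized or manually overridden addresses land here.
        "locally_administered": sorted(m for m in seen if is_locally_administered(m)),
    }

# Constructed sample data: documented inventory and a later scan.
INVENTORY = [
    {"mac": "00-11-22-AA-BB-CC", "ip": "192.168.10.5", "owner": "Facilities"},
    {"mac": "0011.22aa.bb01", "ip": "192.168.10.20", "owner": "Finance"},
    {"mac": "00:11:22:aa:bb:02", "ip": "192.168.10.21", "owner": "IT"},
]
SCAN = [
    {"mac": "00:11:22:aa:bb:cc", "ip": "192.168.10.5"},
    {"mac": "00:11:22:aa:bb:01", "ip": "192.168.10.99"},
    {"mac": "02:42:ac:11:00:02", "ip": "192.168.10.77"},
    {"mac": "", "ip": "192.168.20.4"},
]
```

Calling `audit(INVENTORY, SCAN)` on the sample data puts one device in each category, which gives the audit team a concrete list of gaps to trace back to a missed procedure or an unapproved device.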
Organizations are getting breached constantly.
Many times, it’s the basic security controls that they are missing.
One of the most fundamental security controls is knowing exactly what devices and software are on your network.
If you aren’t following these simple IT asset management best practices, your organization is vulnerable.
Set a goal.
If you don’t have an IT asset management program in place already, create one within the next thirty days.
Will you do it?