The Security Checklist for Designing Asset Management System Architectures
Cybersecurity concerns and workarounds in asset management systems
In a previous article, I broached the topic of Software Asset Management and how it relates to IT Asset Management. Taking it that we already have a solid wireframe in place for the IT administrator to build upon, in this follow-up article I’m going to touch upon the cybersecurity challenges associated with designing an asset management system architecture.
Consequently, throughout this write-up, I’m going to talk about cybersecurity standards and compliance therewith, access controls, modularity in security policy design, physical, logistical, and software-endemic constraints, risk assessment & possible mitigations, and the relevance of tiered-based security architectures.
Reviewing compliance standard(s) for Asset Management Systems
Development and deployment of SAM and ITAM systems should observe the guidelines contained in ISO 55001, ISO 9001, and ISO 14001. None of these is mandatory in itself (ISO standards are voluntary unless a contract or regulator requires them), but auditors and customers routinely expect conformity with them.
ISO 55001 & ISO 55002
ISO 55001 and the supporting ISO 55002, encapsulate the requirements for “the establishment, implementation, maintenance, and improvement of [an] asset management system”. Of vital importance in this regard is the 55001 document that highlights the fundamentals of AMS (asset management system) and defines its boundaries. According to the said document, AMS should encompass the context of an organization, leadership or C-level commitment, planning, support, operation, performance evaluation, and improvement.
ISO 9001 – QMS (Quality Management Systems)
Published in 1987, with subsequent revisions in 1994, 2000, 2008, and 2015, ISO 9001 covers QMS (Quality Management Systems) and their implementation. Furthermore, the documentation also encapsulates the requirements a company needs to fulfill in order to
Just as ISO 55001 deals with the fundamentals of an AMS, ISO 9001 outlines the principles of a QMS: customer focus, leadership, engagement of people, process approach, improvement, evidence-based decision making, and relationship management.
ISO 14001 is, at its core, an environmental policy implementation guide – EMS or Environmental Management System. However, the standard also touches upon aspects connected with asset management systems such as planning, objectives & targets, training & awareness, operation control, and emergency preparedness.
Implementing and auditing security controls in SAM Systems
Security controls come in different shapes and sizes. Physical and software-based firewalls, for instance, are two of the most ‘popular’ forms of security control, tasked with limiting access and, if necessary, halting ingress or egress communications altogether. Depending on the type of information your company handles, its classification level, and so on, further controls can be added: IDSs, DMZs (perimeter networks), or SIEMs.
By default, these security controls come with one or more implementation guides, i.e., frameworks on which you can build your security infrastructure. To date, the most concise and easy-to-follow framework is the CIS Controls, maintained by the Center for Internet Security (they started life as the SANS Critical Security Controls, which is why you will still see them attributed to SANS). Other security control sources worth looking into:
- Guide to Developing a Cyber Security and Mitigation plan by NRECA.
- CIS Critical Security Controls for Effective Cyber Defense (the CIS Controls themselves).
- PCI DSS or the Payment Card Industry’s Data Security Standard.
- National Institute of Standards and Technology Cybersecurity Framework.
- The Common Security Framework by the Health Information Trust Alliance (HITRUST).
- International Society of Automation’s ANSI/ISA-62443 (industrial control system security).
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Overview of the CIS Controls framework
CIS Controls (version 7) has 20 controls divided into three major categories: BASIC, FOUNDATIONAL, and ORGANIZATIONAL.
Basic CIS Controls include:
- Inventory & Control of Company’s hardware assets (ITAM)
- Inventory & Control of Software Assets (SAM)
- CVM or continuous vulnerability management.
- Controlled use of administrative privileges.
- Secure configuration of hardware and software on mobile devices, laptops, workstations, and servers.
- Maintenance, monitoring, and analysis of audit logs.
FOUNDATIONAL CIS Controls Include:
- Browser & email safeguards.
- Anti-malware guards.
- Control & Limitation of ports, protocol, and services.
- Data Recovery.
- Network devices secure configurations.
- Perimeter protection.
- Data Protection.
- Need-to-know controlled access.
- Wireless Access Control.
- AMC (Account Monitoring and Control).
ORGANIZATIONAL CIS Controls include:
- Security awareness training and the implementation thereof.
- Application Software Security.
- IRM (Incident Response and Management)
- Penetration tests and red team exercises (i.e., a series of cybersecurity exercises where a team, in-house or contracted, tries to circumvent the cyber-defenses by emulating an attacker’s TTPs).
Let’s start off with the CIS’ BASIC controls recommendations. Note that in this article, I’ll be covering BASIC and FOUNDATIONAL. Don’t fret – there will surely be a part two dedicated to the ORGANIZATIONAL CIS Controls.
BASIC CONTROLS FRAMEWORK
BASIC Controls for Inventory & Control of Company’s hardware assets (ITAM)
The standard CIS ITAM framework (Control 1) is comprised of eight sub-controls an admin should follow in order to set up hardware inventory control. The very first step involves identifying all of the physical assets (endpoints) connected to your corporate network with an active discovery tool. If your company previously employed some form of hardware and software inventory, this first step will help you ‘refresh’ the existing list.
The usual choice for active discovery is Nmap, a free and open-source port scanner and network exploration tool (its scripting engine can run some vulnerability checks, but it is not a full vulnerability scanner). There are, of course, alternatives to Nmap. Here are a few of them: Masscan, ZMap, Angry IP Scanner, and Advanced IP Scanner – the choice is yours. Whichever you pick, run the sweep from a host on the same segment so that ARP responses supply MAC addresses; a scan from across a router yields only IP addresses, which is a poor key for an inventory because leases move.
Moving on to the second step, we have passive asset discovery. Instead of probing hosts, a passive tool listens to what is already on the wire and in your logs (ARP and DHCP traffic, DNS queries, firewall and proxy logs) and thereby discovers devices an active sweep missed because they were powered off or firewalled at scan time.
Step three is really an extension of the second step because it revolves around DHCP logging. Cracking open the Dynamic Host Configuration Protocol server’s logs (every lease ties a MAC address to an IP address and, usually, a hostname) can help you discover even more devices connected to your network.
The next two steps are very similar – maintaining a detailed asset inventory and keeping the asset information current. To make a very long story short, this means not shirking away from clerical work: for each machine or component, record its network address(es), hardware (MAC) address, machine name, owner, department, and whether it has been approved to connect.
A bit dull, but good record-keeping can save your skin in case something goes wrong. This brings us to step no. six – addressing unauthorized assets. As a dutiful and responsible admin, you must ensure that every asset labeled as unauthorized is either removed from the network, quarantined, or at least denied remote access, and that the inventory is updated promptly – no loose ends!
On to the next step, which is deploying port-level access control (802.1X). CIS states that for port-level access control to be effective, the authentication decision needs to be tied into the hardware asset inventory database: a device that is not in the inventory should not be granted a port. That way, you ensure that only authenticated and authorized devices can join your corporate network.
The last step of the BASIC controls for hardware is using client certificates to authenticate hardware assets to one or more trusted networks. As CIS points out, this is, by far, the most elaborate and time-consuming of these steps, since it involves running a PKI (Public-Key Infrastructure) and enrolling every device.
SANS Institute’s readily available guide “Technical Implementation of the Critical Control Inventory of Authorized and Unauthorized Devices for a small office/home office” is a good place to start if you’re currently researching this step.
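Putting steps one, three, five and six together, as an added example (my own illustrative code, not code from the original article and not a CIS deliverable): a Python script that parses a ping-sweep export from Nmap and DHCPACK lines from an ISC dhcpd syslog, merges the two, and reports every MAC address that is not in the hardware inventory plus every inventoried device that was not observed. The inventory, the Nmap XML and the DHCP log lines are all constructed for the example.

```python
"""Reconcile discovered hosts against the hardware inventory (CIS Control 1).

Added example with constructed data: the Nmap XML is shaped like the output of
`nmap -sn -oX - 10.0.0.0/24` run on the local segment (so ARP supplies MACs),
and the DHCP lines are ISC dhcpd syslog entries.
"""
import re
import xml.etree.ElementTree as ET

# Constructed authorized hardware inventory (CIS 1.4/1.5), keyed by MAC address.
INVENTORY = {
    "AA:BB:CC:00:00:01": {"hostname": "fs01", "owner": "infra", "role": "file server"},
    "AA:BB:CC:00:00:02": {"hostname": "ws-alice", "owner": "alice", "role": "workstation"},
    "AA:BB:CC:00:00:03": {"hostname": "printer-2f", "owner": "facilities", "role": "printer"},
}

# Constructed Nmap ping-sweep export (CIS 1.1, active discovery), trimmed to the
# elements the parser needs.
NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:01" addrtype="mac"/>
    <hostnames><hostname name="fs01.corp.example" type="PTR"/></hostnames></host>
  <host><status state="up"/>
    <address addr="10.0.0.23" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:02" addrtype="mac"/></host>
  <host><status state="up"/>
    <address addr="10.0.0.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:99" addrtype="mac"/>
    <hostnames><hostname name="raspberrypi" type="PTR"/></hostnames></host>
  <host><status state="down"/>
    <address addr="10.0.0.5" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed ISC dhcpd syslog lines (CIS 1.3, DHCP logging). A lease proves a
# device was on the network even if it was off when the sweep ran.
DHCP_LOG = """\
Jun  3 08:12:01 dhcp01 dhcpd: DHCPACK on 10.0.0.23 to aa:bb:cc:00:00:02 (ws-alice) via eth0
Jun  3 08:12:40 dhcp01 dhcpd: DHCPACK on 10.0.0.77 to de:ad:be:ef:00:99 (raspberrypi) via eth0
Jun  3 08:15:09 dhcp01 dhcpd: DHCPACK on 10.0.0.120 to 00:11:22:33:44:55 (iPhone) via eth0
Jun  3 08:15:10 dhcp01 dhcpd: DHCPDISCOVER from 00:11:22:33:44:66 via eth0
"""

# Only DHCPACK counts: a DISCOVER/REQUEST is not evidence that a lease was granted.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<name>[^)]*)\))?"
)


def norm_mac(mac):
    """Normalise MAC spelling so dhcpd's lowercase and Nmap's uppercase compare equal."""
    return mac.upper()


def active_hosts(nmap_xml):
    """Parse an Nmap XML sweep into {MAC: {"ip", "hostname"}} for hosts that are up."""
    found = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "mac" not in addrs:
            continue  # host behind a router: no ARP-derived MAC, so no reliable key
        name = host.find("hostnames/hostname")
        found[norm_mac(addrs["mac"])] = {
            "ip": addrs.get("ipv4"),
            "hostname": name.get("name") if name is not None else None,
        }
    return found


def dhcp_hosts(log_text):
    """Extract {MAC: {"ip", "hostname"}} from DHCPACK lines in a dhcpd log."""
    found = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            found[norm_mac(m.group("mac"))] = {"ip": m.group("ip"), "hostname": m.group("name")}
    return found


def reconcile(inventory, *sources):
    """Merge discovery sources; return (unauthorized devices, inventoried devices never seen)."""
    seen = {}
    for src in sources:
        for mac, info in src.items():
            seen.setdefault(mac, info)  # first source wins; Nmap data is passed first
    unauthorized = {mac: info for mac, info in seen.items() if mac not in inventory}
    missing = sorted(mac for mac in inventory if mac not in seen)
    return unauthorized, missing


if __name__ == "__main__":
    unauth, missing = reconcile(INVENTORY, active_hosts(NMAP_XML), dhcp_hosts(DHCP_LOG))
    for mac, info in sorted(unauth.items()):
        print(f"UNAUTHORIZED {mac} ip={info['ip']} name={info['hostname']}")  # CIS 1.6: quarantine these
    print("inventoried but not observed:", missing)
```

Run it as is to see the report; in practice you would feed it the output of `nmap -sn -oX - <subnet>` and the DHCP server’s log. Keying on the MAC rather than the IP matters because leases move, and the script deliberately ignores DHCPDISCOVER lines, since a request is not evidence that a device actually got onto the network.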
This covers the steps associated with the inventory and control of your hardware assets. Remember that we’re still talking about BASIC controls. Up next, we have the inventory and control of your corporate software assets.
BASIC Controls for Inventory & Control of Software Assets (SAM)
CIS’s SAM framework (Control 2) has ten sub-controls. For brevity’s sake, I’ll only be covering the most important. So here are the four most ‘vital’ BASIC SAM recommendations.
The first step would be integrating the hardware and software asset inventories, so that each software title is tied to the machine it runs on and, through that machine, to an owner. This makes both tracking and authorization decisions easier, and it is the prerequisite for the automated, continuous inventory that a software inventory tool provides.
Darting to step number two – addressing company-disavowed or unapproved software. Application whitelisting lets you quickly establish a baseline (i.e., which apps and software can be deployed and used on workstations and BYODs). Furthermore, a whitelisting tool also prevents users from installing and running illegitimate apps on their endpoints; cap’ Obvious moment, but it had to be said.
Leveraging whitelisting brings us to the third step, which is the whitelisting of software libraries. To prevent DLL injection, search-order hijacking, or any other attempt to tamper with the library-loading process, CIS (and I) advise you to whitelist all of your company-approved application libraries (specific .dll, .so, .ocx files) so that only those are allowed to load.
Step four – script approval. Scripts are essential in automation, but they can also be a point of entry for malicious code. Whitelisting products – usually the paid variety – allow you to pre-approve automation scripts (.ps1, .py and the like). These should be digitally signed, so that only signed, approved scripts can run and a user cannot simply execute a modified copy.
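As an added example for the first two SAM steps (again my own illustrative code, not the article’s or CIS’s): join a per-host software export from an inventory agent to the hardware inventory from Control 1, check each installed package against an approved-software catalogue, and produce findings that name the owner to chase. The hostnames, packages, versions and the catalogue are constructed for the example.

```python
"""Join the software inventory to the hardware inventory and flag unapproved
software (CIS Controls 2.1, 2.5 and 2.6). Added example with constructed data.
"""
import csv
import io
from collections import defaultdict

# Constructed hardware inventory: hostname -> owner. The join key here is the
# hostname the agent reports; a real system would use the asset ID from Control 1.
HARDWARE = {
    "fs01": "infra",
    "ws-alice": "alice",
    "ws-bob": "bob",
}

# Constructed approved-software catalogue: package -> approved versions ("*" = any version).
APPROVED = {
    "openssh-server": {"*"},
    "firefox-esr": {"115.11.0esr-1", "115.12.0esr-1"},
    "7zip": {"23.01"},
}

# Constructed agent export, one row per installed package per host.
SOFTWARE_CSV = """\
hostname,package,version
fs01,openssh-server,1:9.2p1-2
fs01,firefox-esr,115.12.0esr-1
ws-alice,firefox-esr,102.15.0esr-1
ws-alice,7zip,23.01
ws-alice,anydesk,7.0.0
unknown-host,7zip,23.01
"""


def load_software(csv_text):
    """Parse the agent export into {hostname: [(package, version), ...]}."""
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_host[row["hostname"]].append((row["package"], row["version"]))
    return per_host


def is_approved(package, version, catalogue=APPROVED):
    """True only if the package is in the catalogue and the version is approved."""
    allowed = catalogue.get(package)
    return bool(allowed) and ("*" in allowed or version in allowed)


def audit(hardware, software):
    """Return findings by kind; each unapproved finding names the owner to chase."""
    findings = {"unapproved": [], "unknown_host": [], "no_report": []}
    for host, packages in software.items():
        owner = hardware.get(host)
        if owner is None:
            # Software reported from a device not in the hardware inventory is a Control 1 gap.
            findings["unknown_host"].append(host)
            continue
        for pkg, ver in packages:
            if not is_approved(pkg, ver):
                findings["unapproved"].append(
                    {"host": host, "owner": owner, "package": pkg, "version": ver}
                )
    # Inventoried machines with no software report: the agent is missing or broken.
    findings["no_report"] = sorted(h for h in hardware if h not in software)
    return findings


if __name__ == "__main__":
    for kind, items in audit(HARDWARE, load_software(SOFTWARE_CSV)).items():
        print(kind, items)
```

Note the two side findings: a host reporting software without being in the hardware inventory, and an inventoried host that reports nothing. Both are exactly the gaps the integration step is meant to expose, and neither would be visible if the two inventories were kept apart.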
BASIC Controls for continuous vulnerability management (CVM)
Continuous vulnerability management (Control 3) relies on three types of action performed on endpoints and infrastructure alike: vulnerability scanning, patching, and risk assessment. Know, before you go, the difference between authenticated and unauthenticated vulnerability scanning: an unauthenticated scan only sees what is exposed on the network (open ports, service banners), while an authenticated scan logs on to the host and can read installed package versions, missing patches, and local misconfigurations. If ‘doable’, you should definitely go for authenticated scanning because it yields far more accurate and actionable results.
Patching should be second nature by now. As far as risk assessment is concerned, use the results of your authenticated scans to establish a baseline, then score any deviation from it (a new finding, a reappearing one); the scores can be fed into a SIEM for alerting. An efficient scoring system tells you what type of action (preemptive, interventional) should be undertaken first, and how soon.
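To make the scoring concrete, as an added example that is not taken from the article: turn a list of scan findings into a prioritized patch queue, where the priority combines the CVSS base score with the asset’s criticality and Internet exposure, findings already accepted in the baseline are suppressed, and anything that came from an unauthenticated scan is flagged for a credentialed re-scan. The hosts, asset attributes, baseline and the CVE-style identifiers (deliberately of the form CVE-0000-nnnn, which are not real CVEs) are constructed; the weighting and the SLA table are assumptions to be tuned to your environment.

```python
"""Score vulnerability findings into a patch queue (CIS Control 3).

Added example with constructed data. Identifiers of the form CVE-0000-nnnn are
placeholders, not real CVEs. The weighting is an assumption: CVSS base score,
multiplied by asset criticality (1..3) and doubled for Internet-facing hosts.
"""
from datetime import date, timedelta

# Constructed findings. An unauthenticated scan cannot read installed package
# versions, so "package" is None for the host scanned without credentials.
FINDINGS = [
    {"host": "fs01", "cve": "CVE-0000-1001", "cvss": 9.8, "package": "openssh-server", "authenticated": True},
    {"host": "fs01", "cve": "CVE-0000-1002", "cvss": 5.3, "package": "libfoo", "authenticated": True},
    {"host": "ws-alice", "cve": "CVE-0000-1001", "cvss": 9.8, "package": "openssh-server", "authenticated": True},
    {"host": "dmz-web", "cve": "CVE-0000-1003", "cvss": 7.5, "package": None, "authenticated": False},
]

# Constructed asset attributes; these would normally come from the hardware inventory.
ASSETS = {
    "fs01": {"criticality": 3, "internet_exposed": False},
    "ws-alice": {"criticality": 1, "internet_exposed": False},
    "dmz-web": {"criticality": 2, "internet_exposed": True},
}

# Findings already known and accepted (or being worked) from the previous run.
BASELINE = {("fs01", "CVE-0000-1002")}

# Assumed remediation deadlines per severity, in days.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss):
    """CVSS v3 qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def risk_score(finding, asset):
    """CVSS scaled by criticality and exposure, capped at 100 so one factor cannot dominate."""
    score = finding["cvss"] * asset["criticality"] * (2 if asset["internet_exposed"] else 1)
    return min(round(score, 1), 100.0)


def patch_queue(findings, assets, baseline, today_iso):
    """Return new (non-baseline) findings, highest risk first, each with a due date."""
    today = date.fromisoformat(today_iso)
    queue = []
    for f in findings:
        if (f["host"], f["cve"]) in baseline:
            continue  # already tracked; re-raising it would only add noise
        asset = assets[f["host"]]
        sev = severity(f["cvss"])
        queue.append({
            "host": f["host"],
            "cve": f["cve"],
            "severity": sev,
            "risk": risk_score(f, asset),
            "due": (today + timedelta(days=SLA_DAYS[sev])).isoformat(),
            # Unauthenticated results may be false positives or miss an installed fix.
            "needs_credentialed_rescan": not f["authenticated"],
        })
    return sorted(queue, key=lambda q: q["risk"], reverse=True)


if __name__ == "__main__":
    for item in patch_queue(FINDINGS, ASSETS, BASELINE, "2024-06-03"):
        print(item)
```

The point of the exposure multiplier is visible in the output: the Internet-facing web host with a 7.5 finding lands above the internal file server with a 9.8, which is usually the right call, but the web host’s entry is also marked for a credentialed re-scan because its finding came from an unauthenticated sweep.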
BASIC Controls for controlled use of admin privileges.
Here are the most important takeaways in the area of admin rights curation: change the default passwords of your admin accounts (and make them unique), use admin accounts for admin purposes only (i.e., no browsing, streaming, online gaming, etc.), enforce MFA, limit access to scripting tools such as PowerShell and Python to the administrators and developers who actually need them, log and alert on changes to administrative group membership, and, last but not least, use dedicated endpoints for administrative tasks.
BASIC Controls for Hardware & software secure configuration on BYODs, servers, and workstations.
Your secure configuration choices should cover the entire fleet, not just a handful of devices. Another thing to consider is the way you create, store, and maintain the so-called secure images, i.e., snapshots of the most recent known-good configuration.
There will, of course, be a master image that contains all of your ‘safest’ and most recent configs and all the other adjustments made to those configurations. Master or golden images are good baselines; you can compare running systems against them to ‘sniff out’ any recent and probably suspicious changes. Don’t forget about master image security: store it offline or on a tightly permissioned server, encrypt it, and check its integrity (a hash or signature) before every deployment, because a tampered golden image poisons every machine built from it.
BASIC Controls for maintenance, monitoring, and review of audit logs.
Logging is to auditing what the case file is to a court hearing, or something along those lines. BASIC controls for auditing include time-zone harmonization (UTC for the win, on every system, with synchronized clocks), centralized log management, ensuring that audit logging is enabled and actually recording, fine-tuning the SIEM or log management tool of choice, and keeping an eye on the logging server’s storage – you wouldn’t want to run out of space there, trust me on this one.
This covers the BASIC controls. Let’s move on to FOUNDATIONAL.
FOUNDATIONAL CONTROLS Framework
FOUNDATIONAL Controls for Browser & email.
Internet browsers and email clients are among the most ‘abused’ attack vectors, which is why browser & email safeguards stand at the very top of the FOUNDATIONAL Controls framework.
Recommendations-wise, the best-practices manual says that only fully supported browsers and email clients should be allowed, unnecessary or unauthorized browser and email plugins should be purged, and all URL requests should be logged. I would also add DNS traffic filtering, DMARC verification (which in turn relies on SPF and DKIM), network-based URL filters, and sandboxing email attachments by default.
FOUNDATIONAL Controls – Antimalware
Malware is everywhere – that’s why any business risk-assessment & mitigation plan has entire sections dedicated to this type of risk. Apart from deploying an anti-malware solution, you should also aim at covering those attack vectors that the anti-malware engine itself does not usually cover.
Some things to try out: automatic scanning of removable media, disabling the autorun feature for any content, centralizing anti-malware logs, DNS query logging, and audit logging for command-line frameworks that are commonly abused with elevated rights (PowerShell script block logging, for instance).
FOUNDATIONAL Controls for limiting port activity, protocols, and services
Port and vulnerability scanners will do most of the heavy lifting: identify open ports and the services behind them, and tie each one to the asset inventory so you can tell approved from unapproved. Do keep in mind that some ports (e.g., 3389 for RDP) are more abused than others. As for protocols and services, host-based and network firewalls with a default-deny policy and port-level monitoring are your best defense against unauthorized access.
FOUNDATIONAL Controls for Data Recovery
Data recovery is all about backups – the more frequent they are, the better. A couple of pointers for DR: encrypt your backups, store them on (secured) physical drives, keep at least one copy offline so that ransomware cannot reach it, have at least one other location for storing backups, automate the process, and regularly test an actual restore rather than only checking that the backup job succeeded.
FOUNDATIONAL CONTROLS for Network devices secure configurations.
This step is, more or less, about documentation, monitoring, and homogeneity. Documentation as in penning down everything pertaining to traffic configuration rules (e.g., number of rules, applicability, owner, limitations), monitoring as in using tools to verify deviation from baseline and to pinpoint changes, and homogeneity as in ensuring that every device connected to the corporate network is bound to those rules.
Other things to consider: MFA for device administration, encrypted management sessions (SSH or TLS, never Telnet or plain HTTP), and administrative segmentation (i.e., the workstation dedicated to network management tasks should sit on a dedicated management network, isolated from the corporate network and, if possible, from the Internet).
FOUNDATIONAL CONTROLS for Perimeter Protection
Perimeter protection is an extensive endeavor and, for better or worse, it has very much to do with good hardware and software bookkeeping. Some things to consider when setting up your perimeter safeguards:
- Map the boundaries with tools such as Nmap, scanning from the outside in, to see if there are any holes in the security mesh.
- Use IP blacklists of known malicious addresses and deny all communications to and from them.
- Enforce deny-all policies for communications over unauthorized UDP and TCP ports.
- Deploy IDS probes and sensors to capture and inspect network packets at the boundary.
- Enforce MFA for all remote login sessions.
FOUNDATIONAL Controls for Data Protection
Data protection is all about confidentiality. And what does confidentiality spell out? Encryption, of course, plus knowing where the data actually is. So, for data protection controls, CIS’s framework recommends removing sensitive data that is rarely accessed, policing the network traffic and blocking unauthorized connection attempts (i.e., exfiltration), only allowing access to approved and verifiable email or cloud storage providers, encrypting the disk drives of your mobile devices and BYODs, managing which USB devices may connect, and, most importantly, encrypting all the data stored on USB devices.
FOUNDATIONAL Controls for ‘Need-to-know’ access
‘Need-to-know’ has become quite a buzzword; everything related to the classification levels I was talking about in a previous article ties into this concept. An efficient need-to-know access control framework should include:
- Segmentation policies (networks segregated according to data classification).
- Firewall rules (e.g., if you have more than one VLAN, you should monitor and filter the communication channel between them).
- Data-in-transit encryption.
- Micro-segmentation (i.e., if you have two or more workstations hooked up to a VLAN, think about disabling device-to-device communication; this makes even more sense when one workstation holds admin-type credentials, making it a prime target for lateral movement).
- Access control lists on shares and data stores.
- Data-at-rest encryption.
- And, of course, a full audit log of access to sensitive data.
FOUNDATIONAL Controls for WA (Wireless Access)
Wireless access points also need to be regulated. Here are a couple of things you might want to try out:
- Disable wireless cards on devices that have no business need for them (this removes a surface for rogue access points and ‘evil twin’ attacks).
- Deploy a WIDS (wireless intrusion detection system).
- Allow employees only (i.e., curb the access of customers or non-employees to the company’s WAPs).
- Disable ad-hoc wireless connections.
- Encrypt data in transit with WPA2 (AES) or better.
- Enforce mutual authentication with EAP-TLS.
- Keep personal and untrusted devices (peripherals, guest phones) on a separate wireless network rather than the primary one.
FOUNDATIONAL Controls for AMC (Account Monitoring and Control)
The last item on the list is CIS’s AMC framework. In this case, the very best of practices are:
- MFA.
- Hashing (with a slow password hash) or encrypting stored login credentials.
- Encrypting credentials in transit.
- Keeping an inventory of all accounts.
- Disabling accounts that are not covered by the company’s access governance policies and, by extension, rooting out accounts that are no longer in use.
- Placing an expiration date on all accounts, above all contractor and temporary ones.
- Auto-locking idle workstations.
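As an added example (not code from the article) of the account review that the account inventory, dormant-account and expiration recommendations call for: go through a directory export and flag enabled accounts that are dormant, have no expiration date, or belong to someone no longer on the HR roster. The account records and the roster are constructed; the field names mirror what a `Get-ADUser` export would give you but are assumptions.

```python
"""Account review (CIS Control 16): dormant, never-expiring and orphaned accounts.

Added example with constructed data. The record fields mirror an Active Directory
export (SamAccountName, Enabled, LastLogonDate, AccountExpirationDate) but are
assumptions; timestamps are ISO 8601 in UTC.
"""
from datetime import datetime, timedelta, timezone

# Constructed directory export.
ACCOUNTS = [
    {"sam": "alice", "enabled": True, "last_logon": "2024-05-30T08:00:00Z", "expires": None, "owner": "alice"},
    {"sam": "bob", "enabled": True, "last_logon": "2023-11-01T09:12:00Z", "expires": None, "owner": "bob"},
    {"sam": "contractor7", "enabled": True, "last_logon": "2024-05-20T10:00:00Z", "expires": "2024-06-30T00:00:00Z", "owner": "carol"},
    {"sam": "svc_backup", "enabled": True, "last_logon": None, "expires": None, "owner": "infra"},
    {"sam": "dave", "enabled": True, "last_logon": "2024-06-01T07:00:00Z", "expires": None, "owner": "dave"},
    {"sam": "erin", "enabled": False, "last_logon": "2022-01-01T00:00:00Z", "expires": None, "owner": "erin"},
]

# Constructed HR roster of people and teams allowed to own an account; dave has left.
HR_ROSTER = {"alice", "bob", "carol", "infra"}


def parse_ts(ts):
    """ISO 8601 'Z' timestamps to aware UTC datetimes; None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def review(accounts, roster, now_iso, dormant_days=90):
    """Return {"dormant": [...], "no_expiry": [...], "orphaned": [...]} for enabled accounts."""
    now = parse_ts(now_iso)
    findings = {"dormant": [], "no_expiry": [], "orphaned": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do until it is deleted
        last = parse_ts(acct["last_logon"])
        # Never-logged-on counts as dormant: an enabled account nobody uses is pure risk.
        if last is None or now - last > timedelta(days=dormant_days):
            findings["dormant"].append(acct["sam"])
        if acct["expires"] is None:
            findings["no_expiry"].append(acct["sam"])
        if acct["owner"] not in roster:
            findings["orphaned"].append(acct["sam"])
    return findings


if __name__ == "__main__":
    for kind, names in review(ACCOUNTS, HR_ROSTER, "2024-06-03T00:00:00Z").items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The orphan check is the one most shops skip, and it is the one that catches the leaver whose account is still enabled and recently used; a dormancy check alone would never raise it. Service accounts will always show up under no_expiry, which is fine as long as they are reviewed on their own schedule.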
Before I go, I should point out that policies and frameworks are nothing if they’re not matched with the right tools. For all your SAM and ITAM needs and beyond, I recommend Heimdal™ Security’s Patch & Asset Management.
And let us not forget about access governance and application control, two pain points any respectable sysadmin needs to address; my recommendation is the Heimdal™ Security Privileged Access Management and Application Control duo, two powerful solutions that will take your PAM and app whitelisting/blacklisting game to the next level. Hope you’ve enjoyed my article and, as always, your comments, rants, questions, and beer donations are more than welcome. Stay safe, friends!