Summary:
- First in a sequence of blogs which will outline how to implement security measures with business support.
- Know what you know and investigate what you don’t know.
- Leverage existing systems but apply some intelligence to achieve security goals.
- Refine by identifying the weaknesses, fixing the weaknesses and monitoring for improvements.
Simple question: Can you tell me right now, who has disabled their AV?
It’s amazing to find the number of organisations that would not be able to give you an answer to that.
‘You cannot protect what you can’t see’
Consider these scenarios:
- Decentralised procurement/budgets lead to authorised or unauthorised purchases, such as a computer. For one reason or another the asset is not tracked in the asset register; the computer is then compromised, leading to a security issue.
- Staff connect a custom-built system to the network; the system gets infected and causes issues on the network, leading to a security issue.
I’ve been an advocate of having asset management as part of a security function for quite some time. It may not be managed by the security team, but the security team could and should have some input and exposure. The reasoning behind this stems from the implementation of the SANS 20 Critical Security Controls.
The first control is to create an Inventory of Authorised and Unauthorised Devices:
http://www.sans.org/critical-security-controls/control/1
The win is that you know what to protect within your organisation, and the inventory makes statistics available. As mentioned, these statistics can then be used for a lot of things: metrics, milestones, forecasting, planning, KPIs, etc.
Remember, before any system is implemented, business support and approval must be obtained; otherwise the project will be doomed to failure.
No matter how good your asset management is, you will get rogue purchases and staff circumventing the system. This is where planning, policy and processes are required to stop the leaks.
Not everything has a technological solution. In fact, planning/strategy, policies, procedures and guidelines help drive the technology selection process for an organisation.
Planning/strategy allows the right decisions to be made so that the company infrastructure can be designed to support the organisation. This also gives all staff a common goal to work towards.
Policies are required to steer procurement decisions for the organisation and are also used to curb deviations from the corporate norm (for procurement and delinquent departments).
Standards are defined to ensure alignment with the policies for procurement, IT and all staff. As mentioned, standards are also there for system identification.
Guidelines assist planners by outlining what could be used within an environment.
With this in place, the laws of the land are set out and can be referred to by all.
A good resource for policy creation is the SANS Security Policy Project:
http://www.sans.org/security-resources/policies/
The primer is a good read.
Having these in place will help reduce the number of ‘rogue’ devices within the organisation as well as set the framework for a solid asset management system.