Do you know where all the licensed (and unlicensed) copies of Visio 2000, the Yahoo toolbar, Xupiter DLLs or Outlook Express are on your company's systems? Do you know who still has the Windows Messenger Service turned on? If not, it may be time for a hardware and software asset inventory.
There was a lot of buzz about asset inventory at last month's 2003 RSA Security conference in San Francisco. It was an emerging theme that came through for those who attended sessions on vulnerability management, patching, intrusion detection, security management, emergency response and selling security to senior management. You can't protect your information and the information infrastructure if you don't know what it contains. In other words, you must have an inventory of your assets.
That makes sense, so where's the problem? There are plenty, according to Steve Crutchley, chief security officer and co-founder of 4FrontSecurity, an enterprise security services firm in Reston, Va. At the RSA conference, Crutchley discussed ways to make information security relevant to an organization's board of directors. "Many organizations I have counseled lack an effective asset inventory. Without an asset inventory, how are the systems and network engineering groups supposed to sift through security alerts and know which ones apply to them and which can be discarded?" he said.
Peter H. Gregory, CISSP, CISA, is an information technology and security consultant, a freelance writer and an author of several books, including Solaris Security, Enterprise Information Security, and CISSP for Dummies. As a consultant he provides strategic technology and security services to small and large businesses.
He can be reached at p.gregory@hartgregorygroup.com. His Web site is www.hartgregorygroup.com.
In the 1990s, many organizations attempted to collect and maintain effective inventories of their IT assets, data centers and desktops alike, to support total cost of ownership (TCO) and activity-based costing (ABC) efforts. Generally, these initiatives failed because the effort required to build and maintain an asset inventory was far greater than expected. Since then, many asset inventory programs have fallen into disrepair.
Blended threats raise the bar
The phenomenon known as "blended threats," whereby worms and Trojan horses use multiple propagation paths, is ushering in a new generation of security products that combine the strengths of intrusion-detection tools with automated processing of vulnerability alerts from product manufacturers and the CERT Coordination Center.
These products fall into the new niche known as vulnerability management. They work by keeping tabs on the latest vulnerability alerts, cross-referencing them against your hardware and software and creating "hits" when the two intersect. These hits translate into tasks where a systems administrator or network engineer needs to install a patch, change a configuration or mitigate the new vulnerability by some other means.
But the catch with vulnerability management systems is that they won't do your asset inventory work for you. Some discover assets by scanning your network, others rely on "agents" installed on each machine, and neither gives you the full picture: a scan misses machines that are powered off, off-site or behind a firewall, and agents cover only the machines someone remembered to install them on.
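The cross-referencing step that these products perform is simple to state but depends entirely on the quality of the inventory feeding it. The following is an added example, written for this page rather than taken from any product or from the author: it matches a constructed inventory (host, product, version) against constructed advisories (product, first fixed version, remedy) and reports "hits", while flagging assets whose version was never captured, since those can be neither patched nor safely discarded. The advisory IDs, version numbers and the product alias table are all assumptions made up for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventory record: what is installed where.
    version is None when the inventory never captured it."""
    host: str
    product: str
    version: Optional[str]


@dataclass(frozen=True)
class Advisory:
    """One vulnerability alert: affected product, first non-vulnerable version, remedy."""
    advisory_id: str
    product: str
    fixed_in: str
    remedy: str


# Constructed alias table (an assumption for this example): inventory agents
# and vendors rarely spell a product name the same way, so names are folded
# to one key before comparison.
ALIASES = {
    "msde2000": "msde",
    "microsoftsqldesktopengine": "msde",
    "sqlserver2000desktopengine": "msde",
}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and whitespace, then apply the alias table."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return ALIASES.get(key, key)


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.00.194' -> (8, 0, 194); tuples compare component-wise, left to right."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def match_advisories(assets: List[Asset], advisories: List[Advisory]):
    """Cross-reference the inventory against the advisories.
    Returns (hits, unknown): hits are concrete patch or configuration tasks;
    unknown are assets whose version was never inventoried, so the alert can
    be neither confirmed nor discarded for them."""
    hits = []
    unknown = []
    for asset in assets:
        for adv in advisories:
            if normalize(asset.product) != normalize(adv.product):
                continue
            if asset.version is None:
                unknown.append((asset.host, adv.advisory_id))
            elif parse_version(asset.version) < parse_version(adv.fixed_in):
                hits.append((asset.host, adv.advisory_id, adv.remedy))
    return hits, unknown


# Constructed sample data, not taken from the article; IDs and versions are hypothetical.
SAMPLE_ADVISORIES = [
    Advisory("ADV-2003-001", "MSDE", "8.00.760", "install SQL Server 2000 SP3"),
    Advisory("ADV-2003-002", "Outlook Express", "6.00.2800.1123", "apply cumulative update"),
]

SAMPLE_ASSETS = [
    Asset("dc-sql01", "MSDE 2000", "8.00.194"),                # data-center box, unpatched
    Asset("dc-sql02", "MSDE 2000", "8.00.760"),                # already at the fixed version
    Asset("desk-117", "Microsoft SQL Desktop Engine", None),   # pulled in by some package; version never captured
    Asset("desk-117", "Outlook Express", "6.00.2800.1106"),
    Asset("desk-203", "Visio 2000", "6.0"),                    # no advisory for it today
]


def run_sample():
    return match_advisories(SAMPLE_ASSETS, SAMPLE_ADVISORIES)


if __name__ == "__main__":
    hits, unknown = run_sample()
    for host, adv_id, remedy in hits:
        print(f"HIT      {host:10} {adv_id}: {remedy}")
    for host, adv_id in unknown:
        print(f"UNKNOWN  {host:10} {adv_id}: version not in inventory, cannot triage")
```

The "unknown" bucket is the part worth noticing: the desktop that picked up MSDE as a side effect of some other installation generates no hit at all, not because it is safe but because the inventory has nothing to compare against the advisory. A real deployment would also need an alias table far larger than the three entries above, and version strings from different agents do not always parse as cleanly as these.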
Chaos in desktopland
I would be surprised if any large organization used one of the new vulnerability management solutions to manage vulnerabilities outside its data centers, at least not until the prices of these products begin to fall. Yet history has shown us that desktops can be like Petri dishes rich with nutrients (vulnerabilities) for new viruses and worms. For example, SQL Slammer exploited a buffer overflow in the SQL Server 2000 Resolution Service, which also ships in Microsoft SQL Desktop Engine (MSDE), a redistributable SQL Server engine installed on many desktop systems. Many popular software packages install MSDE, SQL Server and Internet Information Server, often without the user being aware of it. Users are notorious for not maintaining patch levels on their systems; it's just not their job.
My point is that even though an organization may begin to concentrate on defending itself against blended threats, doing so without having a good picture of what it's defending may be a wasted effort.
Difficult but necessary
Accurate asset inventory is hard -- particularly in the desktop world. When I was last in IT management, we tried to conduct asset inventory in support of TCO and ABC. When we discovered that the cost of performing an IT asset inventory was greater than its benefits, we quietly gave up and stopped asking for reports. The tools available for performing asset inventories didn't work very well in the 1990s, and they aren't that much better today.
But who knows where the next worm will strike? So back to my original question: Do you know where all the copies of Visio 2000, the Yahoo toolbar, Xupiter DLLs or Outlook Express are, or who still has the Windows Messenger Service turned on? Someday it may be exceedingly important. Like it or not, the asset inventory problem just won't go away, and the cost of not having such a program is rising.