CIS Control 1: Inventory and Control of Enterprise Assets

Unless you know what IT assets you have and how important each of them is to your organization, it’s almost impossible to make strategic decisions about IT security and incident response.

Indeed, inventory and control of enterprise assets is so important that it is the first in the set of Critical Security Controls (CSCs) published by the Center for Internet Security (CIS). The CIS asset management control provides information that can help you identify the critical data, devices and other IT assets in your network and control access to them.

This article explores the provisions of CIS Control 1.

1.1. Establish and maintain a detailed enterprise asset inventory.

The first safeguard in CIS CSC 1 is to establish and maintain a complete and up-to-date inventory of all assets that access your networks. It should include all hardware assets connected to your infrastructure physically, virtually, or remotely, even if they’re not under your control. Examples include user devices, servers, non-computing and IoT devices, and network devices.

The asset inventory should also document how critical each asset is to your organization’s operations. Be sure to record network addresses, machine names, enterprise asset owners and hardware addresses. Also include each asset’s department and whether it has approval to connect to your network.

Update the inventory whenever you introduce a new asset into your environment. A well-maintained inventory will naturally help track your assets and manage costs, but it will also help you understand and prioritize security risks.

1.2. Address unauthorized assets.

Review the asset inventory thoroughly to identify unauthorized assets, such as employees’ personal smartphones or laptops. Because unauthorized devices are not properly managed by the IT team, they are often riddled with vulnerabilities that hackers can exploit to gain access to the network.

Set up a process to check for and address unauthorized assets on a weekly basis. Options for dealing with an unauthorized asset include removing it from the network, denying it the ability to connect remotely to the network and quarantining it.

1.3. Utilize an active discovery tool.

CIS recommends investing in an active discovery tool that can reveal all the assets in your network and differentiate between authorized and unauthorized assets. You can configure the tool to execute daily or more frequently, depending on your organization’s needs and risk tolerance.

In addition to simply detecting assets on your network, some discovery tools can gather details such as device configuration, installed software, maintenance schedules and usage data. This information can help you detect vulnerabilities, minimize downtime, track bandwidth and spot unauthorized use.

1.4. Use dynamic host configuration protocol (DHCP) logging to update the enterprise asset inventory.

DHCP is a network management protocol used to automate the process of assigning IP addresses to assets on the network. Enabling DHCP logging on your IP address management tools and DHCP servers can help IT teams monitor assets connected to your IT environment from a single location. By reviewing the logs on a regular schedule, they can also keep the asset inventory up to date.
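The following is an added example, not code from CIS or Netwrix, showing one way to reconcile DHCP lease logs against an inventory that holds the fields listed under safeguard 1.1 and to sort the gaps for the review described in 1.2. The inventory rows, addresses and log lines are constructed, and the log format is assumed to be ISC dhcpd syslog output.

```python
import re
from dataclasses import dataclass

@dataclass
class Asset:  # fields follow the inventory attributes listed under safeguard 1.1
    mac: str
    ip: str
    name: str
    owner: str
    department: str
    approved: bool

# Constructed inventory (all values are made up for this example).
INVENTORY = [
    Asset("00:16:3e:aa:01:10", "10.0.5.21", "fin-lt-021", "a.ross", "Finance", True),
    Asset("00:16:3e:aa:01:11", "10.0.5.22", "hr-lt-007", "b.kim", "HR", True),
    Asset("00:16:3e:aa:01:12", "10.0.5.77", "byod-phone", "c.diaz", "Sales", False),
]

# Constructed log lines in ISC dhcpd syslog style (assumed format).
DHCP_LOG = """\
Mar  4 09:12:01 dhcp01 dhcpd[812]: DHCPDISCOVER from 00:16:3e:aa:01:10 via eth0
Mar  4 09:12:02 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.21 to 00:16:3e:aa:01:10 (fin-lt-021) via eth0
Mar  4 09:15:40 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.40 to 00:16:3e:aa:01:11 (hr-lt-007) via eth0
Mar  4 09:20:13 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.77 to 00:16:3e:aa:01:12 via eth0
Mar  4 09:31:55 dhcp01 dhcpd[812]: DHCPACK on 10.0.5.90 to 3c:22:fb:00:9a:01 (unknown-host) via eth0
"""

# Only DHCPACK lines confirm a lease; the client hostname in parentheses is optional.
ACK = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
                 r"(?: \((?P<name>[^)]*)\))? via", re.IGNORECASE)

def reconcile(log_text, inventory):
    """Compare the latest lease per MAC with the inventory and sort the gaps."""
    known = {a.mac.lower(): a for a in inventory}
    latest = {}  # mac -> (ip, hostname); later log lines overwrite earlier ones
    for line in log_text.splitlines():
        m = ACK.search(line)
        if m:
            latest[m["mac"].lower()] = (m["ip"], m["name"] or "")
    findings = {"unknown": [], "unapproved": [], "ip_changed": []}
    for mac, (ip, name) in latest.items():
        asset = known.get(mac)
        if asset is None:                 # never inventoried: review under 1.2
            findings["unknown"].append((mac, ip, name))
        elif not asset.approved:          # inventoried but not approved to connect
            findings["unapproved"].append((mac, ip, asset.owner))
        elif asset.ip != ip:              # approved asset whose record is stale
            findings["ip_changed"].append((mac, asset.ip, ip))
    return findings
```

Hardware addresses can be changed by the device, so a match against the inventory shows that a record exists for that address, not that the device is the one recorded.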

1.5. Use a passive asset discovery tool.

While active scanning tools check for new devices on your networks, passive asset discovery tools help identify any devices sending traffic to your network. You can also use historical log data to find assets that breached your networks in the past.

You can connect these passive tools to switch SPAN ports so that you can observe traffic as it flows. With these tools, you will have an easier time identifying foreign systems and assets communicating within your network and be able to mark all items with an IP address in your inventory.

Summary

CIS Control 1 is vital for improving cybersecurity. Adversaries often target personal laptops and other mobile devices because they are often not kept up to date on patches and may have vulnerable software installed. By maintaining an inventory of all assets connecting to your network and proactively removing unauthorized devices, you can dramatically reduce your attack surface area.

Netwrix Change Tracker scans your network for devices, then helps you harden their configuration with CIS certified build templates. All changes to system configuration are monitored in real time, immediately alerting you to any unplanned modifications.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.