The year is hardly a month old and we have people racing around as if their hair is on fire, demanding to know if the GLibc vulnerability CVE-2015-0235 (aka GHOST) [1] affects them. It's a reasonable certainty that this won't be the only time this year someone will be hammering on your door* wanting answers. And they want them now.
It's a fair question, given the impact certain vulnerabilities can have, but seemingly a large percentage of businesses can't immediately answer it. This is the part that doesn't make much sense. Knowing what software you have and which system it inhabits should be a basic business requirement, which is supported by IT [2]. Whether it be in a fancy cloud-based database or a simple spreadsheet (CSV format even), this information should be up to date and easily accessible. Shouldn't someone in the IT team/group/department/dark room in the basement know this already? Why are they asking the security team? Odd, isn't it, that when a problem pops up today and it's something to do with security, the expectation is that the security team should know the answer? Perhaps that's a simple testament to how good you are at getting answers, or, more likely, you're the most logical person to ask. (Well, it is an IT security problem, that nice media story/article/tweet has said so...). It becomes pretty easy to do the wrong thing here and play politics by pointing fingers and blaming someone else. So how do you avoid getting into this mess in the first place?
An up to date and complete asset list is worth its weight in gold for numerous folk within a company, so if the nice people in Audit and Compliance are maintaining it, it's time to make new friends. If one doesn't exist, then go meet with the people that can help create one and show them the value of doing this. You have to show the value to them and understand their perspective, as this can be a lot of work to keep current. Getting others to build and maintain the asset inventory because they see value and actual use in it avoids the "because my boss is making me do it" loathing issue. Any time someone fails to understand or realise the value of an asset inventory, it becomes the last thing on a very long to do list. This means it never gets properly completed or updated, and we're back to the same problem again.
Socializing security requirements is about building a community of people that understand and ultimately care about being part of a more secure working environment. It's about talking to your workmates and explaining that helping you out with something as simple as an asset inventory can be good for the whole company. And what's good for the company is good for them.
So the next time someone bursts through your door, wide eyed and panting over today's wittily titled vulnerability, you'll be able to give them the definitive answer. Then you can drop in "this wouldn't be possible without the help of..." and give those other folks their due credit too.
The basics of an asset inventory list are straightforward; it needs: what is it, where is it, who owns it and what's on it. This will answer most of the basic questions or provide a starting point to initiate more in-depth and complex questions with the right system owners. Basic asset inventories won't give you the answer to how many systems are vulnerable to something like CVE-2015-0235, but they will show how many systems, and which systems, are potentially vulnerable. That's a much better place to be.
Basic required data fields for an asset inventory:
- Make of the device
- Model of the device
- Serial Number of the device
- Assigned asset tag number
- System Name (assigned host name)
- System Owner (who is responsible for the asset, both business and technical contacts)
- Physical Location
- Operating System
- OS version level
- Function (apps web server
- Network location (e.g. internal workstation LAN, DMZ, Protected Internal network, etc.)
- Business criticality (e.g. Low, Medium, High, Critical)

If you have any other suggestions or advice on getting a decent asset inventory in place and updated, please feel free to add a comment.
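As an added example (not part of the original diary), here is how the fields above let you answer the "which systems are potentially affected" question the diary describes. The inventory below is a constructed sample; the filter is a coarse OS-family match, which is exactly what a basic inventory supports, and the ranking by criticality and network location is an assumption about how a triage team would want the list ordered.

```python
import csv
import io
from collections import Counter

# Constructed sample inventory using the fields listed above (not real data).
INVENTORY_CSV = """\
asset_tag,system_name,owner_business,owner_technical,location,os,os_version,function,network,criticality
A1001,web01,Sales,Platform Team,Sydney DC1,Ubuntu Linux,12.04,web server,DMZ,High
A1002,db01,Finance,DBA Team,Sydney DC1,CentOS Linux,6.5,database,Protected Internal,Critical
A1003,pc-0412,HR,Desktop Team,Brisbane Office,Windows,7,workstation,Internal workstation LAN,Low
A1004,app02,Finance,Platform Team,Melbourne DC2,Red Hat Enterprise Linux,7.0,application server,Protected Internal,Critical
A1005,fw01,IT,Network Team,Sydney DC1,FreeBSD,10.1,firewall,DMZ,High
"""

# Assumed ordering; unknown values sort last so they are not silently dropped.
CRITICALITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def potentially_affected(rows, os_keyword="Linux"):
    """Return rows whose OS field matches os_keyword (case-insensitive).

    For a glibc issue such as GHOST this is only a 'potentially affected'
    list: the basic inventory has no package versions, so the system owner
    still has to confirm the installed glibc on each host.
    """
    hits = [r for r in rows if os_keyword.lower() in r["os"].lower()]
    # Highest criticality first; among equals, DMZ (internet-facing) first.
    hits.sort(key=lambda r: (CRITICALITY_ORDER.get(r["criticality"], 99),
                             r["network"] != "DMZ"))
    return hits


def summarise_by_owner(hits):
    """Count potentially affected systems per technical owner, so each team
    gets one consolidated question rather than one per host."""
    return Counter(r["owner_technical"] for r in hits)


if __name__ == "__main__":
    affected = potentially_affected(load_inventory(INVENTORY_CSV))
    print(f"{len(affected)} systems potentially affected:")
    for r in affected:
        print(f"  {r['system_name']:8} {r['criticality']:9} {r['network']:25} "
              f"{r['os']} {r['os_version']} (owner: {r['owner_technical']})")
    print("Per owner:", dict(summarise_by_owner(affected)))
```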
For the Australian Readers - Support your local Con: CrikeyCon is back!
CrikeyCon is on Saturday, 21st February and held in Brisbane, Australia. For more details go to http://crikeycon.com
Chris --- Internet Storm Center Handler on Duty
[1] Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[2] And is on most of the critical controls list, including: https://www.sans.org/critical-security-controls/control/2
* Real or virtual (email, IM, fax or telegram now seem to be doorways too)