No matter what you call your program (I call mine Vulnerability Management) to manage threats and vulnerabilities as they apply to your network and processing environment, you must know what you have for assets.
Assets (equipment, operating systems, virtual environments, applications, infrastructure parts and pieces) need to be identified by manufacturer, make, model, version, etc. While it will be a chore to initially identify and gather all the information on these assets, the hard part may be keeping the data current without proper processes in place.
When setting up the process to gather and keep the information current, keep in mind that it should be part of other processes. For example, during the project phase for new systems, include a step to update the asset database. Including a step in the change management process that requires an update of the asset database with the new information will ensure existing assets are kept current.
One of the items that is frequently forgotten in asset identification is the network infrastructure. Don’t forget to identify the firewalls, proxy servers, VPN concentrators, switches, wireless equipment (switches and access points), and network management devices. As a security professional, make sure you include your own systems, such as a SIEM, DLP, A/V and malware servers, and vulnerability scanners.
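The checks described above, as an added example that is not part of the original post: it flags records missing identification fields, change tickets closed after the asset record was last updated, changes against untracked assets, and commonly forgotten categories with no entries. The field names, category labels, ticket format and sample records are constructed assumptions.

```python
from datetime import date

# Identification fields every record should carry (from the list above).
REQUIRED_FIELDS = ("manufacturer", "model", "version")
# Categories that are often left out of the inventory (assumed labels).
EXPECTED_CATEGORIES = {"firewall", "proxy", "vpn", "switch", "wireless",
                       "network-mgmt", "siem", "dlp", "av", "vuln-scanner"}

# Constructed sample data: asset records and closed change tickets.
ASSETS = [
    {"id": "fw-01", "category": "firewall", "manufacturer": "ExampleCo",
     "model": "X100", "version": "9.1", "updated": date(2024, 3, 1)},
    {"id": "sw-07", "category": "switch", "manufacturer": "ExampleCo",
     "model": "S24", "version": "", "updated": date(2024, 1, 15)},
    {"id": "siem-01", "category": "siem", "manufacturer": "ExampleCo",
     "model": "LogBox", "version": "7.2", "updated": date(2023, 11, 2)},
]
CHANGES = [
    {"ticket": "CHG-1", "asset": "fw-01", "closed": date(2024, 2, 20)},
    {"ticket": "CHG-2", "asset": "siem-01", "closed": date(2024, 4, 5)},
    {"ticket": "CHG-3", "asset": "ap-12", "closed": date(2024, 4, 9)},
]

def audit(assets, changes):
    """Return inventory gaps: incomplete, stale, unknown assets, missing categories."""
    by_id = {a["id"]: a for a in assets}
    incomplete = {a["id"]: [f for f in REQUIRED_FIELDS if not a.get(f)]
                  for a in assets}
    incomplete = {k: v for k, v in incomplete.items() if v}
    stale, unknown = [], []
    for c in changes:
        asset = by_id.get(c["asset"])
        if asset is None:
            unknown.append(c["ticket"])       # change touched an untracked asset
        elif asset["updated"] < c["closed"]:
            stale.append(c["ticket"])         # record not updated after the change
    missing = sorted(EXPECTED_CATEGORIES - {a["category"] for a in assets})
    return {"incomplete": incomplete, "stale": stale,
            "unknown": unknown, "missing_categories": missing}

if __name__ == "__main__":
    for key, value in audit(ASSETS, CHANGES).items():
        print(f"{key}: {value}")
```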
A key part of tracking threats against assets is knowing how the devices are configured and used in your environment. An example would be Active Directory: what changes are made from the default configurations? How does your password policy compare? Is it weaker or stronger? This could have an effect on the risk rating applied to a vulnerability identified for your operating system.
Once you have the assets of your IT environment identified, it is time to start down the identification of SCADA and other control systems... good luck.
Until next time….