No matter what you call your program (I call mine Vulnerability Management) to manage threats and vulnerabilities as they apply to your network and processing environment, you must know what you have for assets.
Assets (equipment, operating systems, virtual environments, applications, infrastructure parts and pieces) need to be identified by manufacturer, make, model, version, etc. While it will be a chore to initially identify and gather all the information on these assets, the hard part may be keeping the data current without proper processes in place.
When setting up the process to gather and keep the information current, keep in mind that it should be part of other processes. For example, during the project phase for new systems, include a step to update the asset database. Including a step in the change management process that requires an update of the asset database with the new information will ensure existing assets are kept current.
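
One way to check that the change management step described above is actually being followed, as an added example that is not part of the original post: it reconciles closed change tickets against the asset database. The asset names, ticket IDs, field names and dates are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the original post): an asset database
# and the closed change tickets that should have been reflected in it.
ASSETS = {
    "fw-edge-01": {"manufacturer": "ExampleCo", "model": "FW-200",
                   "version": "9.1", "last_updated": date(2024, 3, 1)},
    "srv-app-07": {"manufacturer": "ExampleCo", "model": "R640",
                   "version": "", "last_updated": date(2024, 1, 15)},
}
CHANGES = [
    {"ticket": "CHG-1001", "asset": "fw-edge-01", "closed": date(2024, 4, 10),
     "new_version": "9.2"},
    {"ticket": "CHG-1002", "asset": "srv-app-07", "closed": date(2024, 1, 10),
     "new_version": None},
    {"ticket": "CHG-1003", "asset": "wlc-hq-01", "closed": date(2024, 2, 2),
     "new_version": "8.5"},
]
REQUIRED = ("manufacturer", "model", "version")


def reconcile(assets, changes):
    """Return findings where the asset database lags behind reality."""
    findings = []
    for name, rec in sorted(assets.items()):
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            findings.append(("incomplete", name, ",".join(missing)))
    for chg in changes:
        rec = assets.get(chg["asset"])
        if rec is None:
            # A change touched something the inventory has never heard of.
            findings.append(("unknown_asset", chg["asset"], chg["ticket"]))
        elif chg["closed"] > rec["last_updated"]:
            # Change closed after the record was last touched: update step skipped.
            findings.append(("stale", chg["asset"], chg["ticket"]))
        elif chg["new_version"] and chg["new_version"] != rec["version"]:
            # Record was touched, but still shows a different version.
            findings.append(("version_mismatch", chg["asset"], chg["ticket"]))
    return findings


if __name__ == "__main__":
    for kind, asset, detail in reconcile(ASSETS, CHANGES):
        print(f"{kind:16} {asset:12} {detail}")
```
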
One of the items that is frequently forgotten in asset identification is the network infrastructure. Don't forget to identify the firewalls, proxy servers, VPN concentrators, switches, wireless equipment (switches and access points), and network management devices. As a security professional, make sure you include your own systems, such as a SIEM, DLP, A/V and malware servers, and vulnerability scanners.
A key part of tracking threats against assets is knowing how the devices are configured and used in your environment. An example would be Active Directory: what changes are made from the default configurations? How does your password policy compare? Is it weaker or stronger? This could have an effect on the risk rating applied to a vulnerability identified for your operating system.
Once you have the assets of your IT environment identified, it is time to start down the identification of SCADA and other control systems... good luck.
Until next time...
~Skeeter