The Importance of a Network Inventory
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
As I have often heard, “you cannot protect what you do not know is there.” Further, you cannot eliminate unauthorized devices and software on your network if you don’t know what is supposed to be on your network. All organizations should perform an inventory of the physical devices and software connected to their networks. A network inventory is an important part of any entity’s internal controls over information technology. Here are a few examples of cyber-security organizations and their emphasis on the importance of performing network inventories:
- The National Institute of Science and Technology’s very first control for improving critical infrastructure is to inventory the physical devices and systems within an organization. The second is to inventory the software and applications.
- The Center for Internet Security’s first two controls for critical security are to inventory authorized and unauthorized devices and inventory authorized and unauthorized software.
- The AICPA Cybersecurity Risk Management Program Description Criteria 11 suggests the use of inventory management to classify the entity’s information assets, including hardware, virtualized systems and software (licensed and public domain) according to their nature, criticality, and sensitivity.
- ISO 27002:2013 control A.8.1.1 requires an inventory of assets.
- The HIPAA Security Rule, 45 C.F.R. § 164.308, requires an inventory of devices and software.
Threat agents, whether external or internal, are constantly looking for unprotected systems attached to the network. These systems could be BYOD (Bring Your Own Device) hardware or new hardware that is installed but not completely configured and hardened. Just because a device is not visible from the internet doesn’t mean it is useless to a threat agent. The threat agent may already have access to the internal network and simply be waiting to attack an unprotected internal device. When uncontrolled devices are allowed on the network, there is the potential that they are running software with no business purpose or that they are infected with malware from an unsecured network. Either way, once the device has been compromised, the attacker can use it as a collection point for your organization’s data or as a launching point to compromise your “approved” devices. In addition, “managed control of all software plays a critical role in planning and executing system backup, incident response and recovery.” (https://www.cisecurity.org/controls/inventory-and-control-of-software-assets/)
What should be included in a network device and software inventory? According to an ITworld article from October 29, 2008 (https://www.itworld.com/article/2779724/software-as-a-service/taking-it-inventory—network-inventory-management.html), the goal of a network inventory is to have a complete, up-to-date and accurate view of all network components, including PCs, servers, printers, hubs, routers, switches and software. Center for Internet Security (CIS) Critical Security Control 1.4 states: “The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc.” Control 2.3 states: “The software inventory system should track the version of the underlying operating system as well as the applications installed on it. The software inventory systems must be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.”
IT Managers should have the following basic information for all devices:
- device identification (name, serial number, etc.),
- IP address, if static,
- MAC address (the IP or MAC helps you identify the device on network scans),
- purpose (why it is on the network),
- list of software installed on the device, and
- configuration settings.
This information would allow another IT manager to come in and understand the network or replace devices as new technology emerges.
How should an organization collect this information? It can be collected manually or with an active discovery tool that identifies devices connected to the organization’s network. There are many active discovery tools available.
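Whichever way the information is collected, its value comes from comparing it against what is actually on the wire. The following script is an added example, not part of the article or of any discovery tool: it holds the inventory fields listed above for a handful of constructed devices, takes a constructed (IP, MAC) list as a discovery tool would report it, and flags devices on the network that are not in the inventory, inventoried devices that did not answer, and static-IP devices answering on the wrong address.

```python
"""Reconcile a discovery scan against the authorized inventory (all data constructed)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class InventoryDevice:
    name: str                 # device identification
    serial: str
    mac: str
    ip: Optional[str]         # static IP, or None when DHCP-assigned
    purpose: str              # why it is on the network
    software: List[str] = field(default_factory=list)

# Constructed authorized inventory: the single place management can point to.
INVENTORY = [
    InventoryDevice("fileserver01", "SN-0001", "00:11:22:33:44:01", "10.0.1.10",
                    "file sharing", ["Windows Server 2019"]),
    InventoryDevice("printer-hr", "SN-0002", "00:11:22:33:44:02", "10.0.1.20",
                    "HR printing"),
    InventoryDevice("laptop-user1", "SN-0003", "00:11:22:33:44:03", None,
                    "staff laptop", ["Windows 10", "Office"]),
]

# Constructed discovery-tool output: (ip, mac) pairs seen on the network.
SCAN_RESULT = [
    ("10.0.1.10", "00:11:22:33:44:01"),
    ("10.0.1.21", "00-11-22-33-44-02"),   # printer answering on a different IP
    ("10.0.1.57", "aa:bb:cc:dd:ee:ff"),   # nothing in inventory matches
]

def norm_mac(mac: str) -> str:
    """Scanners format MACs differently; compare them in one canonical form."""
    return mac.lower().replace("-", ":")

def reconcile(inventory, scan) -> Tuple[list, list, list]:
    """Return (unauthorized devices, inventoried devices not seen, static-IP mismatches)."""
    by_mac = {norm_mac(d.mac): d for d in inventory}
    seen, unauthorized, ip_mismatch = set(), [], []
    for ip, mac in scan:
        dev = by_mac.get(norm_mac(mac))
        if dev is None:                      # on the network, not in inventory
            unauthorized.append((ip, mac))
            continue
        seen.add(norm_mac(dev.mac))
        if dev.ip is not None and dev.ip != ip:
            ip_mismatch.append((dev.name, dev.ip, ip))
    missing = [d.name for d in inventory if norm_mac(d.mac) not in seen]
    return unauthorized, missing, ip_mismatch
```

Each item in the first list is a device to investigate or remove; the second list is where a DHCP laptop that is simply powered off will show up, so it is a prompt to check rather than an alarm on its own.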
What if you are a small organization, with just a few servers and a mostly static environment? You still need a document with all the information described above. You may not need to spend the money on an active discovery tool; however, you still need to know what is supposed to be on your network. To some, this may seem overwhelming, and I often hear that IT environments are constantly changing. Although this is true, it is still important to document the environment.
What about BYOD? This does not apply to most organizations. BYOD is allowing the employee to bring their own device from home and then allowing that device access to everything on the network (that the employee should have access to). Allowing Outlook emails on a personal tablet is not BYOD. Allowing employees to access the network remotely through VPN is not BYOD. However, a lot of organizations allow employees to utilize company WiFi for their personal devices while at work. To control what is on the production network (the network with all the critical and sensitive organization data), personal devices should not be allowed access. A separate guest WiFi network should be set up and it should be logically and physically segregated from the production network.
If your “inventory” is scattered across four different applications, you don’t have an inventory. It needs to be in one place so that when someone (management, an auditor, the new CIO, etc.) asks if you have an inventory, you can answer “Yes, right here.” If the answer is “Well…I can get you screenshots from this system, and we can never tell how many personal devices are on the network, and I think I have a list of software licenses in Excel somewhere,” that is not an inventory. Yes, a network device and software inventory can take time to create and yes, it is documentation. However, it is also a sign of a well-organized network administrator and is an important tool for management, business continuity and disaster recovery and for security.
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]