IT Asset Management and Cybersecurity


Transcript of IT Asset Management and Cybersecurity

Page 1: IT Asset Management and Cybersecurity

IT Asset Management and Cybersecurity

Greg Witte (Senior Security Engineer, G2, Inc.)

March 2017

(second in a series of IT asset management webinars)

SUPPORTING WEBINAR RECORDING AVAILABLE AT: WWW.APMG-INTERNATIONAL.COM/WEBINARS

Page 2: IT Asset Management and Cybersecurity

Agenda

• Welcome & introduction
– Ronn Faigen, General Manager – US, APMG International

• IT Asset Management Training for ITIL ATOs
– Keith Rupnik, Education Director – IAITAM

• Guest Speaker – Greg Witte, Senior Security Engineer, G2, Inc.

• Q&A

• Further information

• Close

Page 3: IT Asset Management and Cybersecurity

Why are we doing this?

• Expand the perception of IT Asset Management by covering a variety of current topics:
– February 15 - The Why's and What's of IT Asset Management
– March 15 - ITAM and Cyber Security
– April 19 - ITAM and the Internet of Things
– May 17 - BYOD: D for Device or D for Disaster?
– June 14 - Tools Are Not Enough
– July 11 - ITAM and Data Privacy
– August 16 - The business value of ITAM / Aligning IT with the business objectives through ITAM
– September 20 - ITAM and the benefits to executive management

• Make the case that a default IT Asset Management program is no longer sufficient

• Point you towards resources that can help you build an effective ITAM program

Page 4: IT Asset Management and Cybersecurity

Why Are We Doing This?

• The world of IT assets has changed dramatically

• IT asset management goes beyond the traditional thinking of “true up” penalties.

• One of the most compelling reasons for a robust IT asset management program is cybersecurity

Page 5: IT Asset Management and Cybersecurity

Some examples

Page 6: IT Asset Management and Cybersecurity

Mr. Greg Witte, Senior Security Engineer, G2, Inc.

• Greg consults on integration planning and technical delivery of a broad range of cybersecurity topics including identity management, industrial controls, cloud computing, cryptography, virtualization, policy and compliance, and security automation to US Federal Government agencies.

• He was a core member of the team which created the Cybersecurity Framework to Secure Critical Infrastructure, a publication developed by NIST and the public in response to a Presidential Executive Order.

• Greg is a co-author of Security Automation Essentials: Streamlined Enterprise Security Management & Monitoring with SCAP, published by McGraw Hill, and Implementing the NIST Cybersecurity Framework, published by ISACA.

Page 7: IT Asset Management and Cybersecurity

The Changing Face of IT Asset Management

• IT assets themselves have changed so dramatically, and have become such a critical part of our everyday lives

• Those of us on this call know that ITAM has always been about more than counting PCs and servers:
– IP-based devices, e.g., sensors and cameras
– Convergence of physical and logical (e.g., door locks, cameras)
– Increasingly mobile/portable – even embedded

• IT is also increasingly outsourced – these slides were developed on a half-dozen devices and stored, emailed, and shared through online services

• While the world is quite digital lately, many of our customers tend to neglect physical (e.g., paper) assets

Page 8: IT Asset Management and Cybersecurity

ITAM is so often seen as “once and done”, but we must consider the whole lifecycle

• I’m personally grateful to IAITAM and APMG for helping with understanding lifecycle
– Tracking / Reducing TCO
– Reducing attack surface area

• Many of the processes in security guidance are actually ITAM in disguise
– e.g., many of the practices reviewed in CDCAT

• Need to integrate security into overall holistic approach

Lifecycle (figure): Plan → Request → Procure / Acquire → Receive → Deploy → Manage → Retire → Dispose

Page 9: IT Asset Management and Cybersecurity

The Key Function in the NIST Cybersecurity Framework is IDENTIFY

• For example, in development of the NIST Cybersecurity Framework, workshop participants highlighted the critical need to IDENTIFY what matters
– Obviously inventory (hardware, software, networks)
– Need to understand externally-housed assets
– Also identify critical personnel
– Roles & responsibilities are an important part of that identification

• ITAM is sometimes treated like one-size-fits-all
– Need to understand which assets support mission drivers
– Role of Governance to direct & monitor adherence to requirements

• ISO 31000 points out that understanding of internal & external context (key drivers and the IT assets that enable those) is the foundation of Risk Management

Page 10: IT Asset Management and Cybersecurity

Similar Findings from the CIS Critical Security Controls (current version 6.1)

• #1 = Asset Management
– Establish an inventory
– Leverage automation
– Draw from multiple sources of information
– Cover both publicly available and private internal resources
– Tie the inventory into the acquisition process
– Understand authorized vs. unauthorized
– Ownership and Accountability
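The CIS Control 1 practices listed above (multiple sources, authorized vs. unauthorized, ownership) can be checked mechanically. The following is an added example, not material from the webinar: it reconciles a constructed procurement/CMDB list (the authorized baseline) against two constructed discovery sources (DHCP leases and a scan), and reports devices seen but never authorized, authorized devices never seen, and authorized devices with no accountable owner. All MAC addresses, hostnames and owners are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    mac: str
    hostname: str = ""
    owner: str = ""                       # accountability: who answers for it
    authorized: bool = False              # present in the approved inventory
    seen_by: set = field(default_factory=set)

# Constructed sample records (not real devices or addresses).
CMDB = [  # authorized baseline, fed from the acquisition process
    {"mac": "aa:bb:cc:00:00:01", "hostname": "fs01", "owner": "infra"},
    {"mac": "AA-BB-CC-00-00-02", "hostname": "lt-alice", "owner": "alice"},
    {"mac": "aa:bb:cc:00:00:03", "hostname": "printer2", "owner": ""},
]
DHCP_LEASES = [  # one discovery source: "mac ip hostname"
    "aa:bb:cc:00:00:01 10.0.0.10 fs01",
    "aa:bb:cc:00:00:02 10.0.0.41 lt-alice",
    "de:ad:be:ef:00:09 10.0.0.77 raspberrypi",   # never procured
]
SCAN_MACS = ["aa:bb:cc:00:00:01", "de:ad:be:ef:00:09"]  # second source

def normalize(mac: str) -> str:
    """Different sources format MACs differently; compare on one form."""
    return mac.strip().lower().replace("-", ":")

def reconcile(cmdb, dhcp_lines, scan_macs) -> dict:
    assets = {}
    for rec in cmdb:                      # authorized records first
        m = normalize(rec["mac"])
        assets[m] = Asset(m, rec["hostname"], rec["owner"], authorized=True)
    for line in dhcp_lines:               # merge discovery sources
        mac, _ip, host = line.split()
        m = normalize(mac)
        assets.setdefault(m, Asset(m, host)).seen_by.add("dhcp")
    for mac in scan_macs:
        m = normalize(mac)
        assets.setdefault(m, Asset(m)).seen_by.add("scan")
    return {
        # on the network but not in the approved inventory
        "unauthorized": sorted(m for m, a in assets.items() if not a.authorized),
        # approved but never observed: may have been retired without being disposed
        "stale": sorted(m for m, a in assets.items() if a.authorized and not a.seen_by),
        # approved but nobody accountable for it
        "no_owner": sorted(m for m, a in assets.items() if a.authorized and not a.owner),
    }
```

In practice the same report is run on a schedule and each "unauthorized" entry becomes a ticket, which is what "leverage automation" and "tie the inventory into the acquisition process" amount to day to day.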

Page 11: IT Asset Management and Cybersecurity

Other cybersecurity considerations

• Manage & monitor configurations
• Maintain master images and store them securely
• Understand and prioritize potential vulnerabilities – learn from others!
• Monitor use as it aligns with data classification / protection rules
• Any external facing system (including email) has real threats
• Ensure protection commensurate with risk
• Limit access to sensitive / critical assets
• Consider product life – often, outdated = unsafe
• Be mindful of Wireless risks
• Secure application development – including outsourced development and, importantly, reused/shared software code
• Monitoring, Testing and other exercises are critical

Page 12: IT Asset Management and Cybersecurity

Think beyond the network connector!

This is a recent example of an org that spends hundreds of thousands of dollars a year on firewall protection, then may have left data in an unsecured hallway for the delivery man

Page 13: IT Asset Management and Cybersecurity

Expanding Threat Considerations

• Not too long ago, the primary threats may have included:
– Loss of property
– Physical theft of intellectual property
– Temporary outage from a backhoe

• Today’s threats and methods are more complicated
– Assets are often a target used in a broader event (e.g., millions used for a denial-of-service attack, others used as a launch point or to gather information)
– Ransomware is a real issue, with many falling victim every day

• Recent attacks can destroy hardware & devices – not just data
– Need to practice recovery and need to ensure multiple copies of reliable backups
– We also need to stay informed about potential new threats

Page 14: IT Asset Management and Cybersecurity

Physical Disposal Seems to be Diminishing, but don’t Forget about Reuse!

• In many areas, the cost of technology is dropping

• Availability is increasing
– I can pick up a 256GB chip at the convenience store
– ( It can also fall out of my pocket if managed carelessly )

• A bigger problem recently has been on-demand storage with a 3rd Party Provider or in a Shared Service location
– Little pieces of virtual data may be spread across the globe
– Ensure that rules are clear regarding what must occur when decommissioning virtual systems
– It is cheap and easy to “image” an environment – be clear about how those images must be archived and/or destroyed

Page 15: IT Asset Management and Cybersecurity

Cybersecurity comes down to managing people, processes, and technology – and those all boil down to the PEOPLE!

• From Planning through Disposal, various work roles impact security within asset management

• Consider the various roles and the knowledge/skills required

• Opportunity to engage senior leaders in setting priorities and resource decisions

• Business leaders need to be engaged in the lifecycle

• By organizing and communicating in business terms, results are meaningful and cost-effective

Source: NIST Cybersecurity Framework

Page 16: IT Asset Management and Cybersecurity

Resources

The International Association of IT Asset Managers (IAITAM)
The professional association for individuals and organizations involved in any aspect of IT Asset Management (“ITAM”)
IAITAM.org

IT Asset Management Certification Training

• ITAM Foundations
• Hardware Asset Management
• Software Asset Management
• IT Asset Management
• IT Asset Disposition
• Mobile Asset Management
• Asset Management Liaison to Security

Page 17: IT Asset Management and Cybersecurity

Enhance Your ITAM Knowledge & Network

Why IAITAM Events?
• Dynamic keynotes
• Focused education
• Interactive workshops
• Targeted networking
• Access to industry providers

What, Where and When?

• ACE - Annual Conference & Exhibition
- Henderson, NV USA | May 2-4
- Rome Italy | September 13-14
- Tokyo Japan | October 4

• Road Show Series
- Brussels May 16
- London May 18
- Paris May 23
- Rome May 25

Page 18: IT Asset Management and Cybersecurity

ITAM Accredited Training Organizations

Page 19: IT Asset Management and Cybersecurity

Visit APMG’s Cyber Site

https://apmg-cyber.com/

Page 20: IT Asset Management and Cybersecurity

Mark your calendars for our next webinar

April 19 - IT Asset Management and the Internet of Things

Page 21: IT Asset Management and Cybersecurity