TRANSCRIPT
IT Asset Management and Cybersecurity
Greg Witte (Senior Security Engineer, G2, Inc.)
March 2017
(second in a series of IT asset management webinars)
SUPPORTING WEBINAR RECORDING AVAILABLE AT: WWW.APMG-INTERNATIONAL.COM/WEBINARS
Agenda
• Welcome & introduction – Ronn Faigen, General Manager – US, APMG International
• IT Asset Management Training for ITIL ATOs – Keith Rupnik, Education Director – IAITAM
• Guest Speaker – Greg Witte, Senior Security Engineer, G2, Inc.
• Q&A
• Further information
• Close
Why are we doing this?
• Expand the perception of IT Asset Management by covering a variety of current topics:
– February 15 - The Why's and What's of IT Asset Management
– March 15 - ITAM and Cyber Security
– April 19 - ITAM and the Internet of Things
– May 17 - BYOD: D for Device or D for Disaster?
– June 14 - Tools Are Not Enough
– July 11 - ITAM and Data Privacy
– August 16 - The business value of ITAM / Aligning IT with the business objectives through ITAM
– September 20 - ITAM and the benefits to executive management
• Make the case that a default IT Asset Management program is no longer sufficient
• Point you towards resources that can help you build an effective ITAM program
Why Are We Doing This?
• The world of IT assets has changed dramatically
• IT asset management goes beyond the traditional thinking of “true up” penalties
• One of the most compelling reasons for a robust IT asset management program is cybersecurity
Some examples
Mr. Greg Witte, Senior Security Engineer, G2, Inc.
• Greg consults on integration planning and technical delivery of a broad range of cybersecurity topics including identity management, industrial controls, cloud computing, cryptography, virtualization, policy and compliance, and security automation to US Federal Government agencies.
• He was a core member of the team which created the Cybersecurity Framework to Secure Critical Infrastructure, a publication developed by NIST and the public in response to a Presidential Executive Order.
• Greg is a co-author of Security Automation Essentials: Streamlined Enterprise Security Management & Monitoring with SCAP, published by McGraw Hill, and Implementing the NIST Cybersecurity Framework, published by ISACA.
The Changing Face of IT Asset Management
• IT assets themselves have changed dramatically and have become such a critical part of our everyday lives
• Those of us on this call know that ITAM has always been about more than counting PCs and servers:
– IP-based devices, e.g., sensors and cameras
– Convergence of physical and logical (e.g., door locks, cameras)
– Increasingly mobile/portable – even embedded
• IT is also increasingly outsourced – these slides were developed on a half-dozen devices and stored, emailed, and shared through online services
• While the world is quite digital lately, many of our customers tend to neglect physical (e.g., paper) assets
ITAM is so often seen as “once and done”, but we must consider the whole lifecycle
• I’m personally grateful to IAITAM and APMG for helping with understanding the lifecycle
– Tracking / Reducing TCO
– Reducing attack surface area
• Many of the processes in security guidance are actually ITAM in disguise – e.g., many of the practices reviewed in CDCAT
• Need to integrate security into an overall holistic approach
Lifecycle stages (figure): Plan, Request, Procure, Acquire / Receive, Deploy, Manage, Retire, Dispose
The Key Function in the NIST Cybersecurity Framework is IDENTIFY
• For example, in development of the NIST Cybersecurity Framework, workshop participants highlighted the critical need to IDENTIFY what matters
– Obviously inventory (hardware, software, networks)
– Need to understand externally-housed assets
– Also identify critical personnel
– Roles & responsibilities are an important part of that identification
• ITAM is sometimes treated like one-size-fits-all
– Need to understand which assets support mission drivers
– Role of Governance to direct & monitor adherence to requirements
• ISO 31000 points out that understanding of internal & external context (key drivers and the IT assets that enable those) is the foundation of Risk Management
Similar Findings from the CIS Critical Security Controls (current version 6.1)
• #1 = Asset Management
– Establish an inventory
– Leverage automation
– Draw from multiple sources of information
– Cover both publicly available and private internal resources
– Tie the inventory into the acquisition process
– Understand authorized vs. unauthorized
– Ownership and Accountability
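The CIS points above (inventory from several sources, tied to acquisition, authorized vs. unauthorized, ownership) can be checked mechanically once the sources are merged. The script below is an added example written for this page; it is not code from the webinar, from IAITAM or from CIS. It merges three constructed sources keyed by MAC address (a CMDB export with owner and purchase-order fields, a DHCP lease list, and an ARP sweep) and reports devices seen on the network but absent from the CMDB, CMDB records never seen on the wire, records with no owner or no purchase record, devices known to only one source, and products past a (constructed) vendor end-of-support date. Every MAC, hostname, date and product name in it is sample data invented for the example.

```python
"""Reconcile an asset inventory from several sources and flag gaps.

Added example, not from the webinar.  All data below is constructed.
"""
from datetime import date

# Source 1: CMDB records, each meant to tie back to a purchase order (PO).
# An empty "po" means the device never went through the acquisition process;
# an empty "owner" means nobody is accountable for it.  (Constructed.)
CMDB = [
    {"mac": "00:11:22:33:44:01", "name": "fs01",    "owner": "it-ops",   "po": "PO-1001", "product": "Windows Server 2008 R2"},
    {"mac": "00:11:22:33:44:02", "name": "web01",   "owner": "web-team", "po": "PO-1002", "product": "Ubuntu 18.04"},
    {"mac": "00:11:22:33:44:03", "name": "mfp-3f",  "owner": "",         "po": "PO-1003", "product": "LaserJet 4250"},
    {"mac": "00:11:22:33:44:04", "name": "lab-nas", "owner": "research", "po": "",        "product": "Synology DSM 6"},
]

# Source 2: DHCP lease export as (mac, ip).  (Constructed.)
DHCP_LEASES = [
    ("00:11:22:33:44:01", "10.0.1.10"),
    ("00:11:22:33:44:02", "10.0.1.20"),
    ("00:11:22:33:44:04", "10.0.1.40"),
    ("AA:BB:CC:DD:EE:01", "10.0.1.77"),  # takes a lease but is not in the CMDB
]

# Source 3: ARP sweep of the same subnet.  A statically addressed device never
# shows up in DHCP, which is why a second source matters.  (Constructed.)
ARP_SCAN = [
    ("00:11:22:33:44:02", "10.0.1.20"),
    ("00:11:22:33:44:04", "10.0.1.40"),
    ("aa:bb:cc:dd:ee:02", "10.0.1.91"),  # static IP, not in the CMDB
]

# Vendor end-of-support dates.  Constructed for the example; in practice use
# the vendor's published lifecycle dates.
END_OF_SUPPORT = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Ubuntu 18.04": date(2023, 5, 31),
}

# Fixed "today" so the run is reproducible (an assumption of the example).
FIXED_TODAY = date(2024, 1, 1)


def reconcile(cmdb, dhcp, arp, today):
    """Merge the three sources by MAC address and return the findings."""
    authorized = {r["mac"].lower(): r for r in cmdb}

    # Merge the two network views; normalise MAC case so the sources agree.
    observed = {}
    for source, rows in (("dhcp", dhcp), ("arp", arp)):
        for mac, ip in rows:
            entry = observed.setdefault(mac.lower(), {"ips": set(), "sources": set()})
            entry["ips"].add(ip)
            entry["sources"].add(source)

    return {
        # On the wire but nobody authorised it: the "unauthorized" half of CSC 1.
        "unauthorized": sorted(m for m in observed if m not in authorized),
        # In the CMDB but seen by nothing: offline, disposed without being
        # retired, or simply a stale record.  Either way the inventory is wrong.
        "not_seen": sorted(m for m in authorized if m not in observed),
        # Known to a single source only: a one-source inventory would have had
        # no cross-check here (the static-IP host is invisible to DHCP).
        "single_source": sorted(m for m, e in observed.items() if len(e["sources"]) == 1),
        "no_owner": sorted(m for m, r in authorized.items() if not r["owner"]),
        "no_purchase_record": sorted(m for m, r in authorized.items() if not r["po"]),
        # Product past vendor support: "outdated = unsafe".
        "end_of_support": sorted(
            m for m, r in authorized.items()
            if END_OF_SUPPORT.get(r["product"], date.max) <= today
        ),
    }


def run_example():
    """Run the reconciliation over the constructed sources."""
    return reconcile(CMDB, DHCP_LEASES, ARP_SCAN, FIXED_TODAY)


if __name__ == "__main__":
    for finding, macs in run_example().items():
        print(f"{finding:20s} {', '.join(macs) or '-'}")
```

Run it with `python3 reconcile.py` (assumed filename). Each finding maps to a different ITAM failure: the two unknown MACs are the "unauthorized" case, the printer that no source sees is a record nobody retired, the NAS without a purchase order bypassed acquisition, and the two end-of-support hosts are exactly the "outdated = unsafe" devices a vulnerability program needs the inventory to surface. In a real deployment the three lists would come from the CMDB's API, the DHCP server's lease file and a scanner export, but the merge logic is the same.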
Other cybersecurity considerations
• Manage & monitor configurations
• Maintain master images and store them securely
• Understand and prioritize potential vulnerabilities – learn from others!
• Monitor use as it aligns with data classification / protection rules
• Any external facing system (including email) has real threats
• Ensure protection commensurate with risk
• Limit access to sensitive / critical assets
• Consider product life – often, outdated = unsafe
• Be mindful of wireless risks
• Secure application development – including outsourced development and, importantly, reused/shared software code
• Monitoring, testing and other exercises are critical
Think beyond the network connector!
This is a recent example of an org that spends hundreds of thousands of dollars a year on firewall protection, then may have left data in an unsecured hallway for the delivery man.
Expanding Threat Considerations
• Not too long ago, the primary threats may have included:
– Loss of property
– Physical theft of intellectual property
– Temporary outage from a backhoe
• Today’s threats and methods are more complicated
– Assets are often a target used in a broader event (e.g., millions used for a denial-of-service attack, others used as a launch point or to gather information)
– Ransomware is a real issue, with many falling victim every day
• Recent attacks can destroy hardware & devices – not just data
– Need to practice recovery and need to ensure multiple copies of reliable backups
– We also need to stay informed about potential new threats
Physical Disposal Seems to be Diminishing, but don’t Forget about Reuse!
• In many areas, the cost of technology is dropping
• Availability is increasing
– I can pick up a 256GB chip at the convenience store
– (It can also fall out of my pocket if managed carelessly)
• A bigger problem recently has been on-demand storage with a 3rd party provider or in a shared service location
– Little pieces of virtual data may be spread across the globe
– Ensure that rules are clear regarding what must occur when decommissioning virtual systems
– It is cheap and easy to “image” an environment – be clear about how those images must be archived and/or destroyed
Cybersecurity comes down to managing people, processes, and technology – and those all boil down to the PEOPLE!
• From Planning through Disposal, various work roles impact security within asset management
• Consider the various roles and the knowledge/skills required
• Opportunity to engage senior leaders in setting priorities and resource decisions
• Business leaders need to be engaged in the lifecycle
• By organizing and communicating in business terms, results are meaningful and cost-effective
Source: NIST Cybersecurity Framework
Resources
The International Association of IT Asset Managers (IAITAM) – the professional association for individuals and organizations involved in any aspect of IT Asset Management (“ITAM”) – IAITAM.org
IT Asset Management Certification Training
• ITAM Foundations
• Hardware Asset Management
• Software Asset Management
• IT Asset Management
• IT Asset Disposition
• Mobile Asset Management
• Asset Management Liaison to Security
Enhance Your ITAM Knowledge & Network
Why IAITAM Events?
• Dynamic keynotes
• Focused education
• Interactive workshops
• Targeted networking
• Access to industry providers
What, Where and When?
• ACE - Annual Conference & Exhibition
- Henderson, NV USA | May 2-4
- Rome, Italy | September 13-14
- Tokyo, Japan | October 4
• Road Show Series
- Brussels May 16
- London May 18
- Paris May 23
- Rome May 25
ITAM Accredited Training Organizations
Visit APMG’s Cyber Site
https://apmg-cyber.com/
Mark your calendars for our next webinar
April 19: IT Asset Management and the Internet of Things