The year is hardly a month old and we have people racing around as if their hair is on fire, demanding to know if the GLibc vulnerability CVE-2015-0235 (aka GHOST) [1] affects them. It’s a reasonable certainty that this won’t be the only time this year someone will be hammering on your door* wanting answers. And they want them now. It’s a fair question, given the impact certain vulnerabilities can have, but seemingly a large percentage of businesses can’t immediately answer this. This is the part that doesn’t make much sense. Knowing what software you have and which system it inhabits should be a basic business requirement, which is supported by IT[2]. Whether it be in a fancy cloud-based database or a simple spreadsheet (CSV format even) this information should be up to date and easily accessible. This leads to another question; shouldn’t someone in the IT team/group/department/dark room in the basement know this already? Why are they asking the security team? Odd, isn’t it, when a problem pops today and it’s something to do with “security”, the expectation is that the security team should know the answer? Perhaps that a simple testament to how good you are getting answers, or, more likely you’re the most logical person to ask. (Well, it is an IT security problem, that nice media story/article/tweet has said so...). It becomes pretty easy to do the wrong thing here and play politics here by pointing fingers and blaming someone else. So how to avoid get in this mess in the first place? An up to date and complete asset list is worth its weight in gold for numerous folk with in a company, so if the nice people in Audit and Compliance are maintaining it, it’s time to make new friends. If one doesn’t exist, then go meet with the people that can help create one and show them the value of doing this. You have to show the value to them and understand their perspective as this can be a lot of work to keep current. Getting others to build and maintain the asset inventory because they see value and actual use in it avoids the “Because my boss is making me do it” loathing issue. Anytime someone fails to understand or realise the value of an asset inventory, it then becomes the last thing on a very long “to do” list. This means it never gets properly completed or updated, and we’re back to the same problem again. Socializing security requirements is about building a community of people that understand and ultimately care about being part of a more secure working environment. It’s about talking to your workmates and explaining helping you out with something as simple as an asset inventory, can be good for the whole company. And what’s good for the company, is good for them. So the next time someone bursts through your door, wide eyed and panting over today’s wittily titled vulnerability, you’ll be able to give them the definitive answer. Then you can drop in “this wouldn’t be possible without the help of…” and give those other folks their due credit too. The basics for an asset inventory lists are straight forward, it needs: what is it, where is it, who owns it and what’s on it. This will get answer most of the basic questions or provide a starting point to initiate more in-depth and complex questions with the right system owners. Basic asset inventories won’t give you the answer to how many systems are vulnerable to something like CVE-2015-0235, but it will show how many systems, and which systems, are potentially vulnerable. That’s a much better place to be. Basic requirements of an asset Inventory data fields:
This is a very simple list and it has to be expanded dramatically to be useful to your business and needs. So go forth and inventory! If you have any other suggestions or advice on getting a decent asset inventory in place and updated, please feel free to add a comment.
For the Australian Readers - Support your local Con - CrikeyCon is back! CrikeyCon is on the Saturday,21st February and held in Brisbane, Australia. For more details go to http://crikeycon.com
Chris Mohan --- Internet Storm Center Handler on Duty [1] Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)
|
Chris 105 Posts ISC Handler Feb 2nd 2015 |
Thread locked Subscribe |
Feb 2nd 2015 7 years ago |
IPs and MACs are also required.
Cheers |
piotr.chmylkowskigmail.com 2 Posts |
Quote |
Feb 2nd 2015 7 years ago |
This one is a real pain (as were heartbleed, shellshock) because of all the appliances running various versions of who-knows-what. They range from security appliances to the Internet radio folks installed in the kennel so the animals could hear music. A good inventory does help, but... keeping them isolated as best I can...
|
John 88 Posts |
Quote |
Feb 2nd 2015 7 years ago |
I would love a pointer to an unbiased discussion of what tools (freeware and commercial) address this need and how well they work in an enterprise setting.
|
Anonymous |
Quote |
Feb 2nd 2015 7 years ago |
Beyond a spreadsheet are their any applications that people prefer to use to help with inventory?
|
ADHurt 1 Posts |
Quote |
Feb 2nd 2015 7 years ago |
Some other things useful to add to your asset tracking tool are build notes (anything whoever setup the system thinks might be useful to an on-call), backup server (where do I go if I gotta recover from backups - at my $DAYJOB$ we have more than one backup server), and how to obtain remote console access (such as "IPMI:hostname" or "DRAC:IP" or whatever). We also note what sort of authentication the server uses (NIS:domain or LDAP:domain or LOCAL, etc).
If, like me, you're cheap and don't want to spend a boatload of cash for an asset tracking tool, OpenDNS can be turned into one that'll track whatever data you want pretty easily. We had a tool built with perl CGIs on top of a Sybase DB written by a long-gone ex-employee... which naturally broke when we needed it most. And using our LDAP servers to track assets turned out to be pretty easy. Plus I don't have to worry about inflicting some internally developed interface on the rest of the IT team - it's just LDAP. Don't like the interface? Find some other LDAP browser/editor - any one will do. ![]() |
Brent 133 Posts |
Quote |
Feb 2nd 2015 7 years ago |
Other useful and sometimes necessary information to gather includes:
System Admin (name, phone, location), Backup System Admin System Type (Production, Test, Development, etc.) IP address(es) MAC address(es) OS Service Pack System Connectivity (Standalone, VLAN, Business Network, etc.) In addition to Make, Model, SN, get the Manufacturer name Software Inventory (Nessus plugin 20811 will reveal this list) Vulnerability Scanning frequency (weekly, monthly, quarterly, etc.) Vulnerability Patching frequency Outage frequency and date |
Brent 1 Posts |
Quote |
Feb 3rd 2015 7 years ago |
Yeah, one of the other nice things about using OpenLDAP for our asset tracking tool, was that server records could contain attributes that pointed right at a person's record in LDAP as the owner, or manager or emergency contact or whatever. So contact info (emails, phones, pagers, etc) was all readily available. And since it's just LDAP, it was pretty easy to bang out a script to automatically populate things like cpu cores, memory, OS/version, mac addresses, etc.
I didn't want to bury my tiny little embedded system acting as a web server in hits but I wrote up a page on how to use OpenLDAP to build an asset tracking tool for some friends of mine who were curious. I don't really want to post a URL here but if you google for OpenLDAP asset tracking you'll likely find it. ![]() If there's enough interest I might even make an updated page with details on using the new (faster) backend instead of BerkeleyDB or how to make OpenLDAP do "pass-thru auth" in case you want your asset tracking tool in one LDAP server but your authentication proxied to somewhere else (AD, kerberos, whatever)... |
Brent 133 Posts |
Quote |
Feb 4th 2015 7 years ago |
As long as we are dreaming...
How about documenting where and when the data or configuration for the device is backed up? |
Brent 2 Posts |
Quote |
Feb 5th 2015 7 years ago |
As long as we are dreaming...
How about documenting where and when the data or configuration for the device is backed up? |
Brent 2 Posts |
Quote |
Feb 5th 2015 7 years ago |
I've been using Open Audit for years. Open Source & Agentless, and works with all types of Operating Systems. So much better than thick client inventory alternatives like SMS & LanDESK!
|
Sionnan 1 Posts |
Quote |
Feb 6th 2015 7 years ago |
As for me, I use Total Network Inventory 3 is a useful solution for personal computer and other network asset audit and software inventory. Thanks to this very efficient network inventory tool, you will not need to carry out a manual inventory. Windows, Mac OS X and Linux-based systems can be scanned without pre-installed agents. Using this software, you'll be able to group assets, attach comments to them and add additional information, monitor asset online status, generate flexible reports on different information categories, build table reports with any of the hundreds of asset data fields and do much more. Also, any report can be printed or exported to a popular format.
|
Sionnan 1 Posts |
Quote |
May 6th 2016 6 years ago |
You can try to find http://www.capterra.com/it-asset-management-software/ all of the alternatives freeware or paid inventory managers. Most popular ones are Lansweeper and Spiceworks as far as i know for an audit. You must install all of the copies on other nodes or it works from a scratch using OS functions. I chose Total Network Inventory http://www.softinventive.com/products/total-network-inventory/ from Softinventive Lab because it doesn`t need preinstalled agents and creates easy-to-read reports. Good license compliance management as well as hardware inventory software.
|
Sionnan 1 Posts |
Quote |
Oct 24th 2016 5 years ago |
Using network asset tracker pro from http://www.misutilities.com
They added some features for me. |
Anonymous |
Quote |
Apr 21st 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!