Cybersecurity Risk Assessment Common Findings: Asset Inventory and Control

March 25, 2022 Mike Smith

When you’re performing a cybersecurity risk assessment for your company, what are some of the most common findings pertaining to asset inventory and control?

In the video below, Mike explains that lack of inventory is the obvious one here, but he gives you some great ideas on how small and large organizations can better address CIS Control 01, even before a formal risk assessment.

Want Mike’s recommendations on the top three companies to quote for your organization’s formal cybersecurity risk assessment? Click the button below and ask him today.

About Mike

Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. He has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in Orange County, CA, under 40 years old. You can also hear him as the host of the popular Information Technology podcast, ITsmiths with Mike Smith. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company is looking into possibly doing a cybersecurity risk assessment, which is a really smart thing to do, but you’re probably wondering: what are some of the common findings that come out of those things? What are some of the most common things that are overlooked, that are going on within a company?

You’re probably thinking that because, hey, I don’t want this company to come in and go, “Hey, you didn’t even do that?” or kind of embarrass you by pointing out some things that you could have done very easily right away. You’re probably thinking that in advance, so I wanted to make a video series on common findings with cybersecurity risk assessments, so that you can maybe watch the video and fix a couple of things right away before you go and pay for a cybersecurity risk assessment.

Should we do this on our own?

I think it’s great to do a risk assessment. Don’t get me wrong, but maybe you want to just see some videos ahead of time on what are some common things that you can kind of knock off that are easy.

Obviously, if they’re difficult, maybe you need some assessment steps or some consulting to come in and give you some tips on tools to use and things to do, and things like that. Maybe dollar amounts to assign to certain risks, and how much that’s potentially going to cost your company, and things like that. Those are great ideas, but I wanted to make a video series just kind of pointing out some common stuff that is pointed out time and time again with different companies.

CIS Framework

The framework that I decided to use for this is the CIS framework. Today, we’re going to be talking about asset inventory and control, which is control number one of the CIS framework.

The reason I chose the CIS framework is just because it’s simple: it’s 18 different controls. There are a lot of different frameworks we could use as a guideline for this video series. Obviously, if I did something like the NIST framework, which has over a hundred different controls, this video series would be way too long for me to do. We’re keeping it simple with the CIS framework and going to talk about commonly overlooked areas within each of the 18 controls. Today’s video is the first control, which is enterprise asset inventory and control.

TLDR

Before I get too far ahead of myself, just really quick: if you want my recommendations on the best companies to use for a cybersecurity risk assessment, maybe just a handful of companies that you should quote, based on your company’s requirements, your company’s size, what frameworks you need to follow, things like that.

Don’t Google it, just reach out and contact me. Shoot me an email, give me a call (714.593.0011). More information on that at the end of the video.

No Reporting

Okay, so CIS control number one, inventory and control of enterprise assets. Within that control, what are some of the most overlooked things? Well, it’s pretty simple with this one. A lot of companies simply don’t have any inventory of the assets that they have, or they have a very minimal inventory. That’s number one; that’s pointed out all the time.

I’m sure that’s something that, if you’re watching this video, you know already. You kind of have a lingering, guilty feeling if you haven’t really been keeping that good of control of the inventory, or maybe you have been doing a pretty good job. That’s usually the most commonly overlooked thing: companies just have an inadequate way of inventorying enterprise assets.

You can’t protect what you don’t know you have

Obviously, you can’t protect what you don’t know that you have. It’s pretty simple there. Or maybe somebody’s just using an Excel spreadsheet and they don’t update it on a regular basis. One of the prime ways that threat actors can come in and compromise your network is finding assets that maybe were just installed recently on the network and don’t have the latest updates on them. Those are vulnerable right out of the gate. Or maybe there are some things logging onto the network that you don’t even know about.

Shadow IT

Obviously, Shadow IT is a big thing. Maybe a lot of users are downloading things onto their phones, onto enterprise assets that you’re not aware of, different applications that aren’t secure, things like that. An Excel spreadsheet is just kind of inadequate, so ideally you’d want to be using some type of software. At the very least, maybe have an Excel spreadsheet that you periodically go through and make snapshots.

Make it a standardized process

Maybe you have some type of procedure written down that says we take a network snapshot every once in a while. This is difficult, obviously, because it’s an ongoing, dynamic process. Users have mobile devices that are logging onto the network, then logging off the network. They come and go on the network, so if you take one snapshot, you’re not going to see every single asset that is possibly logging onto the network. You’re going to have to do it periodically, at some type of time interval. Obviously, if you’re a small company and you just have a schedule of when you do this periodically, that’s pretty good. If you’re a larger company, it’s better to use certain types of tools to do this in an automated fashion, on an ongoing basis. At least you can take a few snapshots.

Where can I get the best snapshot?

What I’d like to do is just go over a few ideas for snapshots. Things you can look at on a periodic basis: if you think about it, there are a lot of different logs that you can take a look at, like DHCP logs, firewall logs, endpoint protection logs, switch logs. Go through things like SSO and Active Directory, and you can brainstorm as the IT department; you know a lot more than I do about which logs you can look at. Maybe make a list of the best logs and make some type of process where every once in a while, maybe once a month or once every two weeks, you go through and take a look at that snapshot and see if it matches up from week to week. That’s an idea of how to do it periodically and just log it on an Excel spreadsheet.
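The periodic snapshot-and-compare routine described above, as an added example that is not part of the original post or the video: it parses constructed DHCP server lines (modelled loosely on ISC dhcpd DHCPACK syslog messages), turns them into a snapshot keyed by MAC address, checks that snapshot against a hand-maintained inventory sheet (the “Excel spreadsheet”, here a constructed CSV export), and diffs two snapshots taken a week apart. All hostnames, MACs and addresses are made up; the regex is an assumption about the log format and would need adjusting for a different DHCP server.

```python
import csv
import io
import re

# Constructed sample: a hand-maintained inventory sheet exported to CSV.
INVENTORY_CSV = """mac,hostname,owner
aa:bb:cc:00:00:01,fileserver01,IT
aa:bb:cc:00:00:02,laptop-jdoe,Sales
aa:bb:cc:00:00:03,printer-2f,Facilities
"""

# Constructed sample: syslog lines in the style of ISC dhcpd DHCPACK messages,
# one snapshot per week. Week 2 has the file server on a new address, one known
# laptop absent, a phone that sent a hostname and a device that sent none.
DHCP_LOG_WEEK1 = """Mar 14 08:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.10 to aa:bb:cc:00:00:01 (fileserver01) via eth0
Mar 14 08:05:44 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.52 to aa:bb:cc:00:00:02 (laptop-jdoe) via eth0
"""
DHCP_LOG_WEEK2 = """Mar 21 08:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.11 to aa:bb:cc:00:00:01 (fileserver01) via eth0
Mar 21 09:17:31 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:99 (Galaxy-S21) via eth0
Mar 21 11:42:09 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.80 to de:ad:be:ef:01:23 via eth0
"""

# Assumed log format: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>",
# where the parenthesised hostname is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


def parse_inventory(csv_text):
    """Return {mac: hostname} from the inventory sheet, MACs normalised to lower case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].strip().lower(): row["hostname"].strip() for row in reader}


def snapshot_from_dhcp(log_text):
    """Return {mac: (ip, hostname)} for every client that was handed a lease.

    A MAC seen several times keeps its most recent lease; hostname is '' when
    the client did not send one (those are worth a closer look on their own).
    """
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return seen


def compare_to_inventory(inventory, snapshot):
    """Devices observed but not in the sheet, and sheet entries not observed this period."""
    unknown = {mac: info for mac, info in snapshot.items() if mac not in inventory}
    not_seen = sorted(mac for mac in inventory if mac not in snapshot)
    return {"unknown": unknown, "not_seen": not_seen}


def diff_snapshots(previous, current):
    """Period-over-period diff: devices that appeared, disappeared, or changed address/name."""
    both = set(previous) & set(current)
    return {
        "appeared": sorted(set(current) - set(previous)),
        "disappeared": sorted(set(previous) - set(current)),
        "changed": sorted(mac for mac in both if previous[mac] != current[mac]),
    }


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    week1 = snapshot_from_dhcp(DHCP_LOG_WEEK1)
    week2 = snapshot_from_dhcp(DHCP_LOG_WEEK2)
    print("not in inventory:", compare_to_inventory(inventory, week2))
    print("week over week:", diff_snapshots(week1, week2))
```

The same shape works for any log that yields a stable device identifier (firewall or switch tables keyed by MAC, SSO or Active Directory sign-in records keyed by device name): each source becomes a snapshot dict, and the two comparison functions stay the same. Devices in the “unknown” bucket are the shadow IT the post warns about; a long “not_seen” list means the sheet itself is stale.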


Tools

If your company’s a little bit bigger, it’s really more important to get some tools, maybe some tools that identify active assets. If you want to take it even a step further, get some tools that’ll identify passive assets on the network. Overall, that is the most overlooked item on asset and inventory control, which is control number one in the CIS framework. I know it’s a pretty obvious one, but there’s not a whole lot to talk about on this control. Hope that helped a little bit.

Need some recommendations?

Again, if you want to know which vendors your company should quote for a cybersecurity risk assessment, there are a bunch of them out there. Don’t start Googling it; you’d probably end up with the wrong company. Instead, just contact me via email or phone (714.593.0011). This is what I do for a living. I’m a broker for all the major cybersecurity services vendors.

Based on a few questions, I can tell you the handful of companies that you should be quoting for a cybersecurity risk assessment. I can also introduce you to the right people at those companies, oversee the quoting process and the calls, and be on the calls with you. The nice thing is that if you find a company that you like and you end up getting a cybersecurity risk assessment from them, that company pays me my broker fees. You don’t have to pay me at all, no matter what, at any point in the process, so there’s no excuse whatsoever not to at least reach out and get my help on this. Don’t do it alone. It’s definitely too risky, and there are too many ways you can go wrong. Do that. I hope this video is helpful. If so, don’t forget to hit the like button and subscribe to the channel, and I will catch you on the next one, when we’re going to talk about CIS control number two.