{"id":10582,"date":"2022-03-25T08:59:16","date_gmt":"2022-03-25T15:59:16","guid":{"rendered":"https:\/\/www.aerocominc.com\/info\/?p=10582"},"modified":"2022-03-25T08:59:18","modified_gmt":"2022-03-25T15:59:18","slug":"cybersecurity-risk-assessment-common-findings-asset-inventory-and-control","status":"publish","type":"post","link":"https:\/\/www.aerocominc.com\/info\/cybersecurity-risk-assessment-common-findings-asset-inventory-and-control\/","title":{"rendered":"Cybersecurity Risk Assessment Common Findings: Asset Inventory and Control"},"content":{"rendered":"\n<p>When you&#8217;re performing a cybersecurity risk assessment for your company, what are some of the most common findings, pertaining to asset inventory and control?<\/p>\n\n\n\n<p>In the video below, Mike explains that lack of inventory is the obvious one here, but he gives you some great ideas on how small and large organizations can better address CIS Control 01, even before a formal risk assessment.<\/p>\n\n\n\n<p>Want Mike&#8217;s recommendations on the top three companies to quote, for your organization&#8217;s formal cybersecurity risk assessment? 
Click the button below and ask him today.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"mailto:askmike@aerocominc.com\"><img loading=\"lazy\" width=\"200\" height=\"100\" src=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/01\/Ask-Mike.png\" rel='magnific' alt=\"Ask Mike\" class=\"wp-image-10506\"\/><\/a><\/figure><\/div>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Cybersecurity Risk Assessment Common Findings: Asset Inventory and Control\" width=\"550\" height=\"309\" src=\"https:\/\/www.youtube.com\/embed\/mq8Zu9mXcHI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h3>About Mike<\/h3>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft size-large is-resized\"><img loading=\"lazy\" src=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/02\/Mike-Smith-Headshot-2021-1.png\" alt=\"Mike Smith AeroCom\" class=\"wp-image-10540\" width=\"120\" height=\"144\" srcset=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/02\/Mike-Smith-Headshot-2021-1.png 418w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/02\/Mike-Smith-Headshot-2021-1-251x300.png 251w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/02\/Mike-Smith-Headshot-2021-1-167x200.png 167w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/02\/Mike-Smith-Headshot-2021-1-334x400.png 334w\" sizes=\"(max-width: 120px) 100vw, 120px\" \/><\/figure><\/div>\n\n\n\n<p>Mike Smith is the Founder and President of AeroCom and has been helping companies with telecom and cloud services since 1999. 
He\u00a0has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the\u00a0<a href=\"http:\/\/mydigitalpublication.com\/publication\/index.php?i=68145&amp;m=&amp;l=&amp;p=53&amp;pre=&amp;ver=swf\" target=\"_blank\" rel=\"noreferrer noopener\">top 40<\/a>\u00a0business people in Orange County, CA., under 40 years old. You can also hear him as the host of the popular Information Technology podcast,\u00a0<a href=\"https:\/\/open.spotify.com\/show\/0ZpSFhVSh72uKoHPLZrUsF\" target=\"_blank\" rel=\"noreferrer noopener\">ITsmiths with Mike Smith<\/a>. Follow Mike\u00a0on\u00a0<a href=\"https:\/\/www.youtube.com\/c\/Aerocominc\" target=\"_blank\" rel=\"noreferrer noopener\">YouTube<\/a>, <a href=\"https:\/\/www.linkedin.com\/in\/mikesmithaerocom\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/twitter.com\/MikeSmithsBrain\" target=\"_blank\" rel=\"noreferrer noopener\">Reddit<\/a>\u00a0and\u00a0<a href=\"https:\/\/community.spiceworks.com\/people\/mike-aerocominccom?source=navbar-subnav\" target=\"_blank\" rel=\"noreferrer noopener\">SpiceWorks<\/a>.<\/p>\n\n\n\n<div style=\"height:12px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3>Transcript<\/h3>\n\n\n\n<p>Your company is looking into possibly doing a <a href=\"https:\/\/www.aerocominc.com\/info\/cybersecurity-risk-assessment-steps\/\" target=\"_blank\" rel=\"noreferrer noopener\">cybersecurity risk assessment<\/a>, which is a really smart idea to do, but you&#8217;re probably wondering what are some of the common findings that come out of those things? 
What are some of the most common things that are overlooked that are going on within a company?<\/p>\n\n\n\n<p>You&#8217;re probably thinking that because, hey, I don&#8217;t want this company to come in and go, &#8220;Hey, you didn&#8217;t even do that?&#8221; or kind of embarrass you by pointing some things out that you could have done very easily right away. You&#8217;re probably thinking that in advance so I wanted to make a video series on common findings with <a href=\"https:\/\/youtu.be\/QC6bGUqXS1k\" target=\"_blank\" rel=\"noreferrer noopener\">cyber security risk assessments<\/a>, so that you can maybe watch the video and maybe fix a couple things right away before you go and pay for a cyber security risk assessment.<\/p>\n\n\n\n<h2>Should we do this on our own?<\/h2>\n\n\n\n<p>I think it&#8217;s great to do a risk assessment. Don&#8217;t get me wrong, but maybe you want to just see some videos ahead of time on what are some common things that you can kind of knock off that are easy.<\/p>\n\n\n\n<p>Obviously, if they&#8217;re difficult, maybe you need some assessment steps or some consulting to come in and give you some tips on tools to use and things to do, and things like that. Maybe dollar amounts to assign to certain risks and how much that&#8217;s potentially going to cost your company and things like that. Those are great ideas but I wanted to make a video series just kind of pointing out some common stuff that are obviously pointed out time and time again with different companies.<\/p>\n\n\n\n<h2>CIS Framework<\/h2>\n\n\n\n<p>The framework that I decided to use for this is the <a href=\"https:\/\/www.cisecurity.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">CIS framework<\/a>. 
Today, we&#8217;re going to be talking about asset inventory and control, which is control number one of the CIS framework.<\/p>\n\n\n\n<p>The reason I chose the CIS framework is just because it&#8217;s simple, it&#8217;s <a href=\"https:\/\/www.cisecurity.org\/controls\/cis-controls-list\" target=\"_blank\" rel=\"noreferrer noopener\">18 different controls<\/a>. There&#8217;s a lot of different frameworks we could use as a guideline for this video series. Obviously, if I did something like the <a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noreferrer noopener\">NIST framework<\/a> and it has over a hundred different controls, this video series would be way too long for me to do. We&#8217;re keeping it simple with the CIS framework and going to talk about commonly overlooked areas within each of the 18 controls. Today, the video is the first control, which is asset, enterprise asset and inventory controls.<\/p>\n\n\n\n<h2>TLDR<\/h2>\n\n\n\n<p>Before I get too far ahead of myself, just really quick, if you want my recommendations on the best companies to use for a cyber security risk assessment. Maybe just a handful of companies that maybe you should quote, based on your company&#8217;s requirements, your company&#8217;s size, what frameworks you need to follow, things like that.<\/p>\n\n\n\n<p>Don&#8217;t Google it, just reach out and contact me. Shoot me <a href=\"mailto:AskMike@AeroComInc.com\" target=\"_blank\" rel=\"noreferrer noopener\">an email<\/a>, give me a call (714.593.0011). More information on that at the end of the video.<\/p>\n\n\n\n<h2>No Reporting<\/h2>\n\n\n\n<p>Okay so CIS control number one, inventory and control of enterprise assets. Within that control, number one, what are some of the most overlooked things? Well, it&#8217;s pretty simple with this one. A lot of companies simply don&#8217;t have any inventory of the assets that they have, or they have a very minimal inventory. 
That&#8217;s number one, that&#8217;s pointed out all the time.<\/p>\n\n\n\n<p>I&#8217;m sure that&#8217;s something that if you&#8217;re watching this video, you know already, you kind of have a lingering, guilty feeling. If you haven&#8217;t really been keeping that good of the control of the inventory, or if maybe you have been doing a pretty good job. That&#8217;s usually the most commonly overlooked thing, is that companies just have an inadequate way of inventorying enterprise assets.<\/p>\n\n\n\n<h2>You can&#8217;t protect what you don&#8217;t know you have<\/h2>\n\n\n\n<p>Obviously, you can&#8217;t protect what you don&#8217;t know that you have. It&#8217;s pretty simple there, or maybe somebody&#8217;s just using an Excel spreadsheet and they don&#8217;t update it on a regular basis. Those are prime ways that threat actors can come in and compromise your network is find assets that maybe were just installed recently on the network and don&#8217;t have the latest updates on them. Those are vulnerable right out of the gate, or maybe there&#8217;s some things that are logging onto the network that you don&#8217;t even know about.<\/p>\n\n\n\n<h2>Shadow IT<\/h2>\n\n\n\n<p>Obviously, <a href=\"https:\/\/www.aerocominc.com\/info\/mike-smiths-brain-episode-19-shadow-it\/\" target=\"_blank\" rel=\"noreferrer noopener\">Shadow IT<\/a> is a big thing. Maybe, a lot of users typically are downloading things onto their phone onto enterprise assets that you&#8217;re not aware of, different applications that aren&#8217;t secure, things like that. An Excel spreadsheet is just kind of inadequate, but obviously, ideally you&#8217;d want to be using some type of software. At the very least, maybe have an Excel spreadsheet that you periodically kind of go through and make snapshots.<\/p>\n\n\n\n<h2>Make it a standardized process<\/h2>\n\n\n\n<p>Maybe you have some type of procedure written down that we take a network snapshot every once in a while. 
This is difficult, obviously, because it&#8217;s an ongoing dynamic process. With users, they have mobile devices that are logging into the network, then logging off the network. They come and go on the network so if you take one snapshot, you&#8217;re not going to see every single asset that is possibly logging onto the network. You&#8217;re going to have to do it periodically at some type of a time interval. Obviously, if you&#8217;re a small company, if you just have a schedule of when you do this periodically, that&#8217;s pretty good. If you&#8217;re a larger company, it&#8217;s better to use certain types of tools to do this in an automated fashion, on an ongoing basis. At least you can take a few snapshots.<\/p>\n\n\n\n<h2>Where can I get the best snapshot?<\/h2>\n\n\n\n<p>What I&#8217;d like to do is just kind of go over a few ideas for snapshots. Things you can look at on a periodic basis, if you think about it, there&#8217;s a lot of different logs that you can take a look at, like DHCP logs, firewall logs, endpoint protection logs, switch logs. Kind of go through things like SSO, active directory, and you can kind of brainstorm as the IT department, you guys know a lot more than I do about which logs that you guys can look at. Maybe make a list of the best logs and make some type of process where every once in a while, maybe it&#8217;s once a month or so, or once every two weeks, you go through and just take a look at that snapshot and see if it matches up from week to week. 
That&#8217;s an idea of how to do it periodically and just logging it on an Excel spreadsheet.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" width=\"1024\" height=\"576\" src=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-1024x576.png\" alt=\"Cybersecurity Risk Assessment Common Findings - Asset Inventory and Control\" class=\"wp-image-10583\" srcset=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-1024x576.png 1024w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-300x169.png 300w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-768x432.png 768w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-250x141.png 250w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2-600x338.png 600w, https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/03\/Cybersecurity-Risk-Assessment-Common-Findings-Asset-Inventory-and-Control-2.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<h2>Tools<\/h2>\n\n\n\n<p>If your company&#8217;s a little bit bigger, it&#8217;s really more important to get some tools, maybe some tools that identify active assets. If you want to take it even a step further, get some tools that&#8217;ll identify passive assets on the network. Overall, that is the most overlooked item on asset control, asset and inventory control, which is control number one on the CIS framework. 
I know it&#8217;s a pretty obvious one, but not a whole lot to talk about on this control. Hope that helped a little bit.<\/p>\n\n\n\n<h2>Need some recommendations?<\/h2>\n\n\n\n<p>Again, if you want to know which vendors your company should quote for a cyber security risk assessment, there&#8217;s a bunch of them out there. Don&#8217;t start Googling it. You&#8217;d probably end up with the wrong company. Instead, just contact me <a href=\"mailto:AskMike@AeroComInc.com\" target=\"_blank\" rel=\"noreferrer noopener\">via email<\/a> or phone (714.593.0011). This is what I do for a living. I&#8217;m a broker for all the major cyber security services vendors.<\/p>\n\n\n\n<p>Based on a few questions, I can tell you the handful of companies that you should be quoting for a cyber security risk assessment. I can also introduce you to the right people at those companies and oversee the quoting process and the calls, and be on the calls with you. The nice thing is that if you find a company that you like and you end up getting a cybersecurity risk assessment from them, that company pays me my broker fees. You don&#8217;t have to pay me at all, no matter what, at any point in the process, no excuse whatsoever, not to at least reach out and get my help on this. Don&#8217;t do it alone. It&#8217;s definitely too risky and too many ways you can go wrong. Do that. I hope this video is helpful. If so, don&#8217;t forget to hit the like button and subscribe to the channel and I will catch you on the next one,
when we&#8217;re going to talk about CIS control number two.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"mailto:askmike@aerocominc.com\"><img loading=\"lazy\" width=\"200\" height=\"100\" src=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2022\/01\/Ask-Mike.png\" rel='magnific' alt=\"Ask Mike\" class=\"wp-image-10506\"\/><\/a><\/figure><\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When you&#8217;re performing a cybersecurity risk assessment for your company, what are some of the most common findings, pertaining to asset inventory and control? In the video below, Mike explains that lack of inventory is the obvious one here, but<span class=\"ellipsis\">&hellip;<\/span> <a href=\"https:\/\/www.aerocominc.com\/info\/cybersecurity-risk-assessment-common-findings-asset-inventory-and-control\/\"><\/p>\n<div class=\"read-more\">Read more &#8250;<\/div>\n<p><!-- end of .read-more --><\/a><\/p>\n","protected":false},"author":10,"featured_media":10584,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[356],"tags":[1009,995,996,933,380],"_links":{"self":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts\/10582"}],"collection":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/comments?post=10582"}],"version-history":[{"count":0,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts\/10582\/revisions"}],"wp:featuredmedia":[{"em
beddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/media\/10584"}],"wp:attachment":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/media?parent=10582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/categories?post=10582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/tags?post=10582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}