Data Breach: Is Dave’s Phone or Dave’s IPhone the Attacker’s Device?

Oftentimes, when an entity discusses inventory management, the discussion is limited to physical assets; however, inventory management extends beyond the tangible to the digital, including software, software licenses, stored data, and, in some exceptionally specific organizations, personnel assets. Now that inventory management has been scoped (defined) for the purpose of this article, I will cover just two reasons it is considered essential for privacy and cybersecurity programs: the identification of rogue devices and the identification of a data breach.

If Dave Miller (a name picked at random that does not represent any real person) works for the organization, and employees use phones (either personally owned or corporate issued) to access the corporate network, it is reasonable to expect to see “Dave’s Phone” or “Dave’s IPhone” as a legitimate device on the network; but if both are present, one may be a rogue device. If an organization does not have a complete and accurate list of which devices are authorized, it is unreasonable to believe the organization will be capable of detecting unauthorized devices. In the case of “Dave’s Phone”, an attacker could change the MAC address on a laptop to match “Dave’s Phone” (spoofing) or, more likely, transpose two of the least significant digits so that both the authorized and the rogue device can operate at the same time. Transposing two of the least significant digits of the MAC address will cause all automated systems to believe both devices are from the same manufacturer, and the transposition of the digits unconsciously creates a condition in the defender’s mind that makes the legitimate and illegitimate addresses look identical unless very meticulously scrutinized. Even if a defender does intentionally scrutinize the MAC addresses, without an accurate inventory of authorized devices the defender will not know which device is rogue. These subtle attacks on the human mind and on automated systems are enabled by incomplete inventories. Similar tactics and techniques are used with software names, which makes it essential to have complete and accurate software and data inventories.
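The following is an added example, not part of the original post, showing how an authorized-device inventory turns the transposed-digit trick into something a script can flag. It compares a constructed inventory against constructed observations (the kind of records a DHCP lease file or ARP table would give you), reports MACs that are not authorized, and calls out the unauthorized ones that share a vendor prefix with an authorized device and differ from it only by a swap of two hex digits. All MAC addresses and device names here are made up for the example.

```python
import re

# Constructed authorized inventory (example data, not a real network):
# normalized MAC -> device name recorded by the asset owner.
AUTHORIZED = {
    "aa:bb:cc:12:34:56": "Dave's Phone",
    "aa:bb:cc:98:76:54": "Dave's Laptop",
    "00:11:22:ab:cd:ef": "Printer-2F",
}

# Constructed observations, e.g. parsed from DHCP leases or ARP tables.
OBSERVED = [
    ("AA-BB-CC-12-34-56", "Dave's Phone"),     # legitimate, different separator
    ("aa:bb:cc:12:34:65", "Dave's Phone"),     # trailing digits transposed
    ("aa:bb:cc:98:76:54", "Dave's Laptop"),    # legitimate
    ("aa:bb:cc:11:22:33", "Dave's IPhone"),    # not in the inventory at all
    ("00:11:22:ab:cd:ef", "Printer-2F"),       # legitimate
]


def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-CC-..' and 'aabbcc..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets: the vendor prefix the rogue and legitimate device share."""
    return normalize_mac(mac)[:8]


def is_transposition(a, b):
    """True when a and b differ only by swapping two hex digits (any two positions)."""
    a = normalize_mac(a).replace(":", "")
    b = normalize_mac(b).replace(":", "")
    diffs = [i for i in range(12) if a[i] != b[i]]
    if len(diffs) != 2:
        return False
    i, j = diffs
    return a[i] == b[j] and a[j] == b[i]


def audit(observed, authorized):
    """Compare observed (mac, name) pairs with the inventory; return a list of findings."""
    inventory = {normalize_mac(m): n for m, n in authorized.items()}
    name_to_mac = {n: m for m, n in inventory.items()}
    findings = []
    for raw_mac, name in observed:
        mac = normalize_mac(raw_mac)
        issues = []
        lookalike = None
        if mac in inventory:
            if inventory[mac] != name:
                issues.append("name-mismatch")  # known MAC, but it now reports a different name
        else:
            issues.append("unauthorized")
            # Same vendor prefix plus a single digit swap: the lookalike the article describes.
            for known in inventory:
                if oui(known) == oui(mac) and is_transposition(known, mac):
                    lookalike = known
                    issues.append("transposed-lookalike")
                    break
            if name in name_to_mac:
                issues.append("reuses-authorized-name")  # name belongs to a different MAC
        if issues:
            findings.append({"mac": mac, "name": name, "issues": issues, "lookalike": lookalike})
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, AUTHORIZED):
        print(finding)
```

Run against the constructed data, the audit reports two findings: `aa:bb:cc:12:34:65` is flagged as unauthorized, as a transposition of the authorized `aa:bb:cc:12:34:56`, and as reusing the name “Dave's Phone”; `aa:bb:cc:11:22:33` (“Dave's IPhone”) is flagged simply as unauthorized. Note that the inventory is what makes the verdict possible: without it the script could only say that two similar addresses exist, not which one is rogue.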

When Dave loses his laptop or phone, or clicks the link in the email from HR requesting he read the new “vacation, leave, and compensation policy”, it can be fairly important to have a complete and accurate inventory of which software, licenses, and data were present on the compromised device. Dave may have access to a host of sensitive data: PHI, administrator access to the corporate password vault, and/or corporate secret data. If Dave never moved any of those data types from the corporate or cloud locations to the device, there is little to worry about; however, most employees will take screenshots, reproduce the data, copy portions of the data, or save whole data-sets for ease of use, which means that device has become an appetizing target for certain attackers. Only by having a complete and accurate inventory of which data is stored on a device can an organization respond proportionally, responsibly, and accurately. If the data-types on a device are unknown, a responsible company will enact the most stringent and energetic response activities to ensure a proper response is provided in the event the unknown data-types include highly sensitive data (rare for most organizations). Irresponsible organizations will enact a response aligned with the least significant data-type that could be present on the device based on organizational data policies. Most organizations fall somewhere between the two. The point is, unless the organization has an accurate and complete data inventory, it will either overspend on response activities, using too many personnel hours and assets, or it will under-respond, which could lead to further (more devastating) compromises, loss of reputation and market share, and/or significant compliance fines.

Inventory management isn’t just “Dave’s Phone” versus “Dave’s IPhone”; it also includes the data, software, and licenses on all authorized devices. Proper inventory management requires complete and accurate physical, software, license, and data asset inventories.

-Thanks for Reading

Andrew