Cybersecurity is like a Gas Station?

How Hardware and Software Inventories Help Secure Our Networks

Every morning I wake up and get ready for the day in the same usual way, walk and feed the dogs, take a shower and get dressed, and then head to work. By the time I get to work though I have to be ready to hit the ground running and start filtering through last night’s alerts and potential new attacks and like most people, I rely heavily on copious amounts of caffeine to make that happen. However, while most people are satisfied with various coffee drinks, my favorite caffeine delivery system is Monster Energy Drink either in the Mango Loco or original flavor. Before going to work I first swing by a gas station and pick up 2 cans and then head to work.

But how do I know that the gas station will have the flavors that I want? The answer to that is that they stock those flavors based on how much is being sold. How do they know how much is being sold? The gas station knows how many of each flavor they are selling because they keep an inventory of all of the items they receive from vendors and then track how many of those have been sold. This may be familiar to you if you have ever worked any job at any type of store as inventories are key to tracking products as well as profit. So why do I care about how gas stations track their inventory of Monster Energy Drink? While our schools are certainly not receiving or tracking sold Monster Energy Drinks, inventories are just as important for maintaining and securing our district’s technology environment.

Inventories, both software and hardware inventories, are a key piece in maintaining and securing our district’s environments. The main reason inventories are important is the simple idea of you don’t know what you have until you know what you have. Meaning until you accurately account for all of the technology in your environment you will never 100% know what technology is actually in the environment. While this may seem like a trivial matter, it is anything but trivial. Let’s look at a real-world example of why inventories matter. In our example, School District A does not have any inventory management system in place and they updated their laptops from Windows 7 to Windows 10 5 years ago. They are now upgrading all of their laptops from Windows 10 to Windows 11. However, shortly after upgrading their laptops, School District A fell victim to a severe network-wide malware attack that compromised most of the school’s data and even transferred large sums of money out of their school bank accounts. How did this happen?

The answer to this question is simpler than you might think. Since School District A did not have any inventory management system in place, and when they updated their laptops from windows 7 to windows 10 they assumed they had gotten all of the laptops, and the same when updating from Windows 10 to Windows 11. However, they had assumed incorrectly and several windows 7 laptops were left in a classroom that was no longer in use. Years later those laptops were powered back on and connected to the internet and then it wasn’t long before attackers found them and used the Eternal Blue exploit (CVE-2017-0144) and compromised the network through those Windows 7 devices. 

This example may seem very detailed because while it is an example, this is a real scenario that I encountered while working as a Desktop Engineer and helped that school district recover from the attack. Hardware and software inventories allow you to have visibility into your network that only exists with these tools but sometimes just having an inventory management system isn’t enough. If the inventory is not reasonably up to date it is essentially useless. This means that having and then maintaining software and hardware inventories are key in securing your environment. This concept is so important to security that is included in almost all security and compliance frameworks.

One framework that is widely used for cybersecurity compliance is the CIS (Center for Internet Security) Controls. This document is composed of the top 18 controls (security best practices) with each control having several subcontrols to help clearly define the best practice. These controls and sub controls are then broken up into 3 different implementation groups with Implementation Group 1 being used for small to medium enterprises and Implementation Group 2 and 3 being used for large enterprises with a large internal IT team with several dedicated security professionals. For this article, we are just going to focus on implementation Group 1 since that is the starting point for all other implementation groups.

The first CIS control is Inventory and Control of Enterprise Assets. This control then has the subcontrols of 1.1 Establish and Maintain Detailed Enterprise Asset Inventory and 1.2 Address Unauthorized Assets. Control 1.1 is described as: “Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under the control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.” Control 1.2 is described as: “Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.”

The second CIS control is Inventory and Control of Software Assets. This control then has the subcontrols of 2.1 Establish and Maintain a Software Inventory, 2.2 Ensure Authorized Software is Currently Supported, and 2.3 Address Unauthorized Software. Control 2.1 is described as: “Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, including the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.” Control 2.2 is described as: “Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If the software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without exception documentation, designate it as unauthorized. Review the software list to verify software support at least monthly, or more frequently.” Control 2.3 is described as: “Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.”

So we now know that hardware and software inventories are important but if we don’t have any currently in place, where do we start? The easiest way to start is by opening up an excel or google spreadsheet and start recording information about what is in the district and to who it is assigned. For hardware inventories recording information such as make, model, operating system, asset tag, serial number, MAC address, and the assigned user is a great starting point. For software inventories recording information such as publisher, version number, operating systems, architecture, licensing information, installer information, and assigned user is another great starting point. These spreadsheets will contain important information about your district, so it is necessary to have them protected either with a password or behind some sort of encrypted drive that lets you control who has access to the documents, like Google Drive or Microsoft One Note. Beyond a simple spreadsheet, there are some great free tools such as Snipe-IT and Spiceworks Inventory Management. If you’re looking to up your game to a paid solution there are a lot of different software and software vendors out there, most of which come with a trial period for you to test out the solution in your environment.

As you can see from the example scenario and the CIS controls and sub controls, hardware and software inventories are very important in how we secure our networks. Knowing what we have and where we have it allows us to easily spot unexpected behavior and potentially stop an attack before it’s too late.

For more Cybersecurity Resources, please visit our Free Cybersecurity Resource Page.