Essential Information Security Controls: Device Inventory
The Center for Internet Security’s (CIS) Critical Security Controls are a set of best practices for preventing cyber attacks, developed and validated by leading experts around the world.
These critical controls are widely lauded as the baseline security measures that can help create a solid foundation for any organization to build upon.
The top five CIS controls include:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
Here I cover the first control, device inventory, and its sub-controls:
Inventory of Authorized and Unauthorized Devices
This refers to actively managing all of the hardware devices on your network so that only authorized devices are granted access. That includes inventorying and tracking unauthorized and unmanaged devices so they can be prevented from gaining access.
The sub-controls are summarized below:
1.1 - Asset Inventory Discovery
Deploy an automated asset inventory discovery tool to build an inventory of systems connected to your organization’s public and private networks.
1.2 - DHCP Server Logging
Deploy dynamic host configuration protocol (DHCP) server logging (if you are using DHCP to dynamically assign addresses) and use this information to improve your asset inventory and detect unknown systems.
1.3 - Equipment Acquisition Updates
Ensure all equipment acquisitions automatically update the inventory system as new, approved devices connect to the network.
1.4 - Network, System & Device Inventory
Maintain an asset inventory of all systems connected to the network and network devices, recording the following information:
- Network addresses, machine names, system purpose, asset owner, associated department
- System inventory including IP address for desktops, laptops, servers, network equipment, printers, storage area networks, VoIP phones, multi-homed addresses, virtual addresses, etc.
- Device inventory including whether or not the device is portable and/or personal, and type of device, including mobile phones, tablets, laptops, and other portable electronic devices that store or process data
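As an added example (not part of the original post and not a Duo tool), here is the reconciliation that sub-control 1.2 describes: DHCP server log lines are checked against the authorized inventory of sub-control 1.4 to surface unknown systems, and a known MAC that shows up under a different hostname is flagged for review. The inventory, the ISC dhcpd-style log lines and every name and address in them are constructed sample data.

```python
import re

# Hypothetical authorized-device inventory keyed by MAC address, carrying the
# fields sub-control 1.4 asks for (constructed sample data, not a real inventory).
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"name": "finance-lt-017", "purpose": "user laptop",
                          "owner": "j.doe", "department": "Finance", "portable": True},
    "00:1a:2b:3c:4d:60": {"name": "print-hq-02", "purpose": "printer",
                          "owner": "facilities", "department": "Facilities", "portable": False},
}

# Constructed DHCP server log lines in ISC dhcpd syslog format (sample data).
DHCP_LOG = """\
Mar  3 10:15:22 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.45 to 00:1a:2b:3c:4d:5e (finance-lt-017) via eth0
Mar  3 10:16:01 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.46 to 00:1a:2b:3c:4d:60 (print-hq-02) via eth0
Mar  3 10:17:40 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.47 to f4:5c:89:aa:bb:cc (android-9f3e21) via eth0
Mar  3 10:18:05 dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.48 to 00:1a:2b:3c:4d:5e (unexpected-host) via eth0
Mar  3 10:18:09 dhcp1 dhcpd[1234]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
"""

# Only DHCPACK confirms a lease; the hostname in parentheses is optional.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via (\S+)", re.I)

def parse_dhcpack(line):
    """Return (ip, mac, hostname, interface) for a DHCPACK line, else None."""
    m = ACK_RE.search(line)
    if not m:
        return None
    ip, mac, hostname, iface = m.groups()
    return ip, mac.lower(), hostname or "", iface

def reconcile(log_text, inventory):
    """Bucket confirmed leases as authorized, unknown, or hostname mismatch."""
    result = {"authorized": [], "unknown": [], "mismatch": []}
    for line in log_text.splitlines():
        lease = parse_dhcpack(line)
        if lease is None:
            continue  # DISCOVER/OFFER/REQUEST lines carry no confirmed lease
        ip, mac, hostname, _iface = lease
        record = inventory.get(mac)
        if record is None:
            result["unknown"].append((ip, mac, hostname))      # not in inventory
        elif hostname and hostname != record["name"]:
            result["mismatch"].append((ip, mac, hostname, record["name"]))  # review
        else:
            result["authorized"].append((ip, mac, record["name"]))
    return result

if __name__ == "__main__":
    for bucket, entries in reconcile(DHCP_LOG, INVENTORY).items():
        print(bucket, *entries, sep="\n  ")
```

The "unknown" bucket is the list of systems sub-control 1.2 wants surfaced; the "mismatch" bucket catches an inventoried MAC reappearing under another hostname, which warrants a check of that asset record.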
One way to keep a device inventory is with Duo’s Device Insight, which collects detailed information about every device authenticating into your network without the use of agents. That means every type of device is accounted for, not just the ones that have a company-installed agent on them.
The type of information includes:
- Operating system, platform, browser and plugin versions
- Passcode, screen lock, full disk encryption and rooted/jailbroken status
With Duo Beyond, you also get insight into company-owned vs. personal devices, and the ability to create application-level access policies to determine which users/devices can access certain applications. Duo’s Trusted Endpoints feature allows you to track managed devices by easily deploying client certificates on company-owned endpoints.
1.5 - Network-Level Authentication
Deploy network-level authentication via 802.1X to limit and control which devices can be connected to the network. The 802.1X deployment must be tied into the inventory data to determine authorized vs. unauthorized systems.
1.6 - Client Certificates
Use client certificates to validate and authenticate systems prior to connecting to the private network.
Check out The CIS Critical Security Controls for Effective Cyber Defense, Version 6.1 (PDF) for more detailed guidance on how to achieve complete device inventory.
Why is Device Inventory Considered Critical?
According to CIS, this control is considered critical because attackers are:
- Constantly scanning for new, unconfigured or unpatched systems to be attached to your network
- Looking for new devices, like laptops, that may connect and disconnect to your company’s network, and may be out of sync with security updates and patches
- Looking for employees’ personal devices to connect to your company’s network (also known as Bring Your Own Device or BYOD) - these devices may already be compromised and used to infect company resources
Track every device that accesses your applications and systems to get information about out-of-date software and company vs. employee-owned devices, and block or notify users with Duo’s Endpoint Remediation.
That way, you can detect and stop risky devices from accessing your environment, based on your company’s own custom security profile. For example, you may decide that only company-owned laptops can log into your Salesforce application, running the most up-to-date, fully patched operating system.
Learn more about device enrollment, including inventory, inspection, discovery and verification in BeyondCorp: Enrolling Users and Endpoints.