Have you ever watched a movie, and all of a sudden, the actors on the screen start addressing the audience directly? It is pretty shocking, and, many times, very funny when it happens. In the early days of on-screen entertainment, there was a clear separation between the audience and the actors. That was known as “The Fourth Wall”.
In live theater, the concept of breaking the fourth wall is not unusual, as many performances are enhanced when an actor seems to let the audience in on the dialogue. Yes, even Shakespeare included this technique in some of his plays. Even recent action films, such as Deadpool, use the technique, to remarkable effect.
Our Very Own Fourth Wall
In cybersecurity, we have our own “fourth wall”. Asset visibility, which includes devices commonly referred to as “Shadow IT” and everything else beyond, and sometimes within our perimeter, can easily be compared to that fourth wall. The biggest difference is that, with the cyber fourth wall, the actors oftentimes do not want to break that wall, preferring to keep the hidden assets safely within the confines of their own “stage”.
Most folks think that shadow IT is the only asset class that is outside the purview of IT. However, there are some assets that are on the periphery of information security but are not part of the traditional shadow IT portfolio. Do you include the air conditioning units that cool your data center in your IT asset inventory? How about the fire suppression system, or the back-up power supplies? What about those printers that are all network connected? While you may not need to be the air conditioner or printer repair technician, those devices are not only vital to the proper functioning of your infrastructure and the business as a whole, but we have seen that these devices can be a rich target for lateral entry into a network.
A Shared Responsibility, But a Singular Accountability
Accounting for all of the assets in an organization is a massive undertaking. Luckily, there are many tools to assist with gathering the inventory, but many of these tools cannot reach beyond the obvious boundaries of the organization. Unless your organization is large enough to dictate an “always on VPN” setup for remote access, there are many assets that are accessing your network that are unseen. The exposure potential of these uncounted assets is unnerving.
Asset security is a foundational function of a complete cybersecurity program. Yet, many of the skills required to capture all of these assets are not part of most cybersecurity disciplines. Many security practitioners consider the topics of asset classification and inventory a strictly managerial responsibility. However, the accountability for a breach caused by an unaccounted asset will most certainly fall with the security team.
A Harsh Reality
When cybersecurity professionals were surveyed in a recent report, they expressed low confidence in the security of IoT devices, Industrial Control devices, and Containers. On the bright side, items that were once problematic, such as laptops, are now better defended against attacks than desktop computers. While the report does not note it specifically, one has to wonder if the higher visibility of laptops now over prior years has anything to do with this? In support of this idea, the report also states that “infrequently connected devices” are also a primary concern, due to their transient appearance on the network, which makes them hard to monitor.
Given that many respondents indicated that their networks were successfully attacked in the previous twelve months, it is no wonder that asset inventories may not rise to the top of the security wish list or project priority. Yet, it may be a broad leap to assume that just because asset inventories were not specifically tracked in the report, they are not a principal concern.
We Have Tools for That
Fortunately, the same report cited above indicates that many network monitoring tools are in use to detect malicious behavior. One could argue that these tools act as compensating controls in the case of an elusive or overlooked asset.
However, can tools alone solve your asset inventory challenge? Definitely not. What is required is more administrative expertise, as well as relationship-building skills. One of the most effective methods to learn about all of the assets in play is through interviewing the people in your organization. This requires a lot of creative thinking on your part. Would your discovery process be best achieved through a questionnaire, or would personal conversations be the best approach? Perhaps a combination of both will be required. This is all part of breaking that fourth wall. Whatever works best, depending on the size of your organization, you can see how this can be a huge, and time-consuming mission. The most daunting part is that, like most inventory-based cataloging (such as vendor management, and software version rosters), once you are done, you must start the process all over again, as it all changes at a very rapid pace.
How the CISSP Credential Can Help You Succeed
The CISSP Common Body of Knowledge (CBK) can bridge the gap between your technical cybersecurity skills, and your administrative skills. Unlike many other security-centric certifications, the CISSP course of study takes a broader approach to the entire spectrum of cybersecurity.
With domains that spread across a variety of topics, the CISSP credential is unique in that it demonstrates combined knowledge in legal, administrative, operational, and architectural concepts. This credential can boost your ability to operate effectively in both the technical and executive areas of cybersecurity.