Welcome to the inaugural blog post from Axonius and SC Media for the new site, Cybersecurity Asset Management. We will be looking at the essential business and technology issues every CISO needs to know about cybersecurity and IT asset management and how it impacts your company’s security and compliance requirements.
Norman Augustine, the former CEO of Lockheed Martin Corp. and a long-time civil servant, including serving as Under Secretary of the Army, published his list of Augustine’s laws about the tech industry in 2012. This cheeky list of aphorisms, fitting and often humorous observations and insights, and downright silliness is just as appropriate today as it was when he first published it, and even before that, when he joined the Defense Department in 1965 as Assistant Director of Defense Research and Engineering. Among his laws is one about software, but it could just as easily be about any IT asset. It is one of those sayings that makes you do a double-take and then simply nod in agreement at its logic.
Augustine’s Law 17 states “Software is like entropy. It is difficult to grasp, weighs nothing, and obeys the Second Law of Thermodynamics; i.e., it always increases.” Had he been talking about virtual machines today, he would not need to change a word — save for replacing “software” with “VMs.”
VMs are fast and easy to build. Assuming a company already has an IT environment that includes servers, OSes, storage and the like, the only real cost is for the virtualization software and the time it takes for someone to configure it. Spinning up a VM in and of itself is not terribly difficult. The hard part is remembering to decommission it when it’s no longer needed. And therein lies the problem in many corporations — VMs get created but, it seems more often than not, they are not decommissioned.
The reason for that is simple and pretty logical: Often users will keep old VMs in case they need them again. It is like having a spare server sitting about except it does not require any physical space in a closet or a rack. The problem is that once you have multiple VMs that are not doing anything, you have ready-made targets for cybercriminals from which they can launch a DDoS attack or some other nefarious activity. It’s like building a house and leaving it unoccupied with the door open; you don’t know who might move in or what they will do with it.
Your best options are multilayered. First, one best practice is to inform the IT department any time a VM is spun up, especially if it is done by someone outside of the IT department. That way the security staff can keep a record of the asset and protect it appropriately. Another best practice is to have policies and procedures in place for decommissioning and deleting VMs and other virtual devices that are no longer being used. If a VM or device is repurposed in a department outside of IT, policies should require that the owner of the VM alert IT of the change so that the asset can be monitored.
Protecting the hardware running the VM is also essential. This includes backing up the data on the VM in case the physical server is attacked, and protecting the VM from a breach as though it were a physical server. Next, make sure you allocate only those resources the VM needs to do its job. There is no reason to allocate 1TB of virtual disk space if you are only testing a small app that takes up 50MB. If you need more resources, you can always add them. Removing resources is almost like decommissioning the VM — it does not happen as often as it should.
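The two practices above (an IT asset register that every VM must appear in, with its current owner, and a decommissioning policy for idle or over-provisioned VMs) can be reconciled automatically against a hypervisor inventory export. The following is an added example, not code from the original post or from Axonius; the VM inventory, the IT register, the reference date and the thresholds (90 idle days, a 10:1 allocated-to-used disk ratio) are all constructed for illustration, and in practice the inventory would come from the hypervisor or cloud API.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VM:
    """One row of a hypervisor inventory export (constructed fields)."""
    name: str
    owner: str                      # empty string = nobody recorded
    created: date
    last_powered_on: Optional[date]  # None = no power-on recorded since creation
    vcpus: int
    disk_gb: float                  # virtual disk allocated
    disk_used_gb: float             # virtual disk actually in use


# Constructed inventory, as a hypervisor export might look after a few months of sprawl.
SAMPLE_VMS: List[VM] = [
    VM("web-prod-01", "ops", date(2023, 1, 10), date(2024, 5, 31), 4, 100, 60),
    VM("db-prod-01", "dba", date(2023, 1, 10), date(2024, 6, 1), 8, 500, 400),
    VM("ci-runner-02", "devops", date(2023, 9, 5), date(2024, 5, 20), 2, 50, 30),
    # Spun up outside IT to test a 50 MB app on a 1 TB disk, then forgotten.
    VM("test-app-jdoe", "jdoe", date(2024, 1, 15), date(2024, 2, 1), 2, 1024, 0.05),
    # Migration scratch box with no owner and no power-on record at all.
    VM("old-migration-tmp", "", date(2023, 3, 1), None, 4, 200, 10),
    # Registered to the data team, but quietly repurposed by marketing.
    VM("analytics-03", "marketing", date(2023, 6, 1), date(2024, 5, 28), 4, 100, 50),
]

# Constructed IT asset register: VM name -> owner IT believes is responsible.
IT_REGISTER: Dict[str, str] = {
    "web-prod-01": "ops",
    "db-prod-01": "dba",
    "ci-runner-02": "devops",
    "analytics-03": "data",
}

TODAY = date(2024, 6, 1)   # constructed reference date so the example is deterministic
IDLE_DAYS = 90             # assumed policy threshold
OVERPROVISION_RATIO = 10   # assumed: allocated disk >= 10x used disk is "over-provisioned"


def audit(vms: List[VM], register: Dict[str, str], today: date,
          idle_days: int = IDLE_DAYS, ratio: float = OVERPROVISION_RATIO) -> Dict[str, List[str]]:
    """Return {vm_name: [issues]} for every VM that violates a policy; clean VMs are omitted."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        issues: List[str] = []
        # Register check: IT must know the VM, and the owner IT recorded must still be right.
        if vm.name not in register:
            issues.append("not in IT asset register")
        elif register[vm.name] != vm.owner:
            issues.append(f"owner changed (register says {register[vm.name]!r}, inventory says {vm.owner!r})")
        if vm.owner == "":
            issues.append("no owner recorded")
        # Idle check: fall back to creation date when the VM was never powered on.
        last_activity = vm.last_powered_on or vm.created
        idle = (today - last_activity).days
        if idle > idle_days:
            issues.append(f"idle {idle} days")
        # Right-sizing check: flag disks allocated far beyond what is actually used.
        if vm.disk_used_gb > 0 and vm.disk_gb / vm.disk_used_gb >= ratio:
            issues.append(f"over-provisioned disk ({vm.disk_gb:g} GB allocated, {vm.disk_used_gb:g} GB used)")
        if issues:
            findings[vm.name] = issues
    return findings


def decommission_candidates(findings: Dict[str, List[str]]) -> List[str]:
    """VMs flagged idle are the ones the decommissioning procedure should review first."""
    return sorted(name for name, issues in findings.items()
                  if any(i.startswith("idle ") for i in issues))


FINDINGS = audit(SAMPLE_VMS, IT_REGISTER, TODAY)

if __name__ == "__main__":
    for name, issues in FINDINGS.items():
        print(f"{name}: " + "; ".join(issues))
    print("decommission review:", decommission_candidates(FINDINGS))
```

Each finding maps directly onto one of the practices in the post: a VM missing from the register or with a changed owner is the "tell IT when you spin one up or repurpose it" rule, an idle finding feeds the decommissioning procedure, and the over-provisioned disk finding is the "allocate only what the job needs" rule. Running the audit on a schedule and diffing its output against the previous run is what turns the policy into something that actually gets enforced.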
Finally, remember to turn the proverbial lights off when you leave the room. Decommissioning unneeded VMs seems like a no-brainer but alas, too often the server sprawl caused by not finishing the job of managing unneeded VMs becomes the playground of attackers.
It’s just this simple: If you don’t know what assets you have and what they’re doing, you are simply asking for trouble. And don’t worry — you don’t have to worry about going looking for trouble; it will surely come to you.