When COVID-19 started forcing enterprises to close buildings across the planet, leaving some with tiny skeleton crews and others entirely empty, it was a first. The reason for the closures was simple — to prevent people from catching a virus that was killing hundreds of thousands of people globally.
For human beings, the pandemic is a catastrophe. For CISOs worried about asset management, it is a crisis never seen before. And for cyberthieves, cyber terrorists and corporate espionage actors, it is an opportunity of epic proportions.
With almost no employees or security guards to interfere, all the attackers need to do from a physical security perspective is defeat a door’s lock and then casually walk through the relatively empty halls and plant whatever they like: listening devices in conference rooms or maybe the CEO’s office, tiny video cameras facing computers of key employees, internet of things (IoT) devices of all kinds everywhere they like, especially on the network. Do you think you had minimal visibility into all your assets before the COVID closings? Try now when almost all physical inspections are not viable. And then think of all of the surprises that await you upon your return to the buildings.
Who watches the watchers?
Asset management is a lot more complicated than simply keeping track of your computing devices. There is a physical security aspect that often is overlooked or left to the operations team or human resources. Consider: Did anyone ever run security checks on your COVID-19 cleaning crews before they were hired to decontaminate your offices? Indeed, who does clean the clean rooms?
In some cases, companies used known entities to do the decontamination, but because the pandemic forced companies to act quickly, often without full due diligence, some cleaning crews were likely hired with less corporate vetting than normal. In any case, even where the cleaning companies did some vetting, staffing those crews was the vendor’s own operation, outside the client’s view. It is possible that cybercriminals took jobs on cleaning crews in order to bypass physical security barriers and enter corporate facilities.
“This period of crisis is the perfect time to conduct an asset management internal audit. Employees don’t always follow policies and procedures under normal circumstances,” says Robert Bendetti, the CFO at Life Cycle Engineering, a Charleston, SC-based consulting, engineering, information technology and education firm. “During periods of crisis and change, many employees stray significantly from the plan. Now is the perfect time to discover issues and make corrections before an external audit. Right now, no one is following your awesome procedures.”
Bendetti argues that “an internal audit can also serve as a teaching tool to connect the corporate asset management strategy to the changing realities of daily work life of the average employee within your organization. A productive internal audit results in a list of identified gaps and a roadmap to eliminate those gaps, developed in concert with the affected departments.”
But as a CFO, Bendetti also wonders about the massive number of compliance irregularities occurring now, especially items that are required to be reported to the board. “The lack of [properly] doing asset management during the building closures is a reportable event; you should be reporting that to your board,” Bendetti says, adding that “sometimes we give people way more access than they should have, especially during an ongoing crisis.”
Jeffrey Ingalsbe, CISO for investment firm Flexible Plan Investments in Bloomfield Township, Mich., and the former manager of the IT cybersecurity consulting group at the $156 billion Ford Motor Co. in Detroit, says one of the most critical problems with enterprise asset management strategies is that key players are working from very different definitions of asset management. “We are a regulated firm, so we have to be really careful about what we say is the data that our company values,” Ingalsbe says.
He speaks of business strategy meetings attended by security people with computer science and engineering degrees and line of business (LOB) managers with business degrees. “They couldn’t talk with each other” about asset management issues, Ingalsbe says. His own security team gets concrete instructions: “write me a PowerShell script for these 40 servers and we are going to look for executable files. And then do it again in a month and look for what is different. Then go back to the business and ask about it. You have to watch directories.”
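As an added example (not code from the article or from Ingalsbe’s team), here is the baseline-and-diff exercise he describes, in PowerShell: the first run records every executable file and its SHA-256 hash across a list of servers; a later run with -Compare reports what was added, removed or modified since. The server names, scan roots and file paths are placeholders, and the script assumes PowerShell remoting (WinRM) is enabled and the caller is an administrator on the targets.

```powershell
# Added example, not a script from the article or from Ingalsbe's team.
# Assumptions: PowerShell remoting (WinRM) is enabled on the targets, the caller
# is an administrator there, and $Servers / $ScanRoots are placeholder values.
param(
    [string[]]$Servers      = @('srv01', 'srv02'),   # placeholder hostnames
    [string[]]$ScanRoots    = @('C:\Program Files', 'C:\Program Files (x86)',
                                'C:\ProgramData', 'C:\Users', 'C:\Windows\Temp'),
    [string]  $BaselinePath = '.\exe-baseline.csv',
    [switch]  $Compare                               # omit on the first run to write the baseline
)

# Runs on each target: enumerate executable content under the scan roots and hash it.
$scanBlock = {
    param([string[]]$Roots)
    Get-ChildItem -Path $Roots -Recurse -File -Include *.exe, *.dll, *.ps1, *.bat, *.cmd -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                Hash     = if ($h) { $h.Hash } else { 'UNREADABLE' }   # locked or access-denied files
                Modified = $_.LastWriteTimeUtc.ToString('o')
            }
        }
}

$current = Invoke-Command -ComputerName $Servers -ScriptBlock $scanBlock -ArgumentList (,$ScanRoots) |
    Select-Object Computer, Path, Hash, Modified

if (-not $Compare) {
    # First run: persist the snapshot as the baseline and stop.
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Output "Baseline of $(@($current).Count) files written to $BaselinePath"
    return
}

# Index both snapshots by computer + path so a changed hash shows up as MODIFIED
# rather than as one removal plus one addition.
$old = @{}; foreach ($r in (Import-Csv -LiteralPath $BaselinePath)) { $old["$($r.Computer)|$($r.Path)"] = $r }
$new = @{}; foreach ($r in $current)                                   { $new["$($r.Computer)|$($r.Path)"] = $r }

$report = foreach ($key in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
    $status = if (-not $old.ContainsKey($key))             { 'ADDED' }
              elseif (-not $new.ContainsKey($key))         { 'REMOVED' }
              elseif ($old[$key].Hash -ne $new[$key].Hash) { 'MODIFIED' }
    if ($status) {
        $row = if ($new.ContainsKey($key)) { $new[$key] } else { $old[$key] }
        [pscustomobject]@{
            Status   = $status
            Computer = $row.Computer
            Path     = $row.Path
            OldHash  = if ($old.ContainsKey($key)) { $old[$key].Hash } else { '' }
            NewHash  = if ($new.ContainsKey($key)) { $new[$key].Hash } else { '' }
            Modified = $row.Modified
        }
    }
}

# Every ADDED or MODIFIED line is a question for the system's business owner:
# who put it there, and was it approved?
$report | Sort-Object Status, Computer, Path | Format-Table -AutoSize
$report | Export-Csv -LiteralPath ".\exe-diff-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once without -Compare to write the baseline, then again a month later with -Compare and take the ADDED and MODIFIED rows back to the business, as Ingalsbe describes. Two caveats: the baseline is only as trustworthy as the host it was taken from (a host already compromised when the baseline was written will report its implants as “normal”), and this kind of script only sees Windows hosts you already know about, which is why the physical walk-throughs discussed next still matter.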
The walk-throughs Ingalsbe encourages are not merely about “seeing whether the [observed] stuff is supposed to be there or not” because of evil-doers. He ran into a situation recently where a building was installing new thermostats. “We had Android [IoT] thermostats on the network and didn’t even know about it.”
What happened was that a facilities staffer was told to install them and that it had been approved. “He says it’s all been approved. By whom? Turns out that he was let in by the person who manages the switch closets. If you don’t have proper oversight, then well-intentioned good people can do things like that.”
Another issue that frequently crops up is less than ideal asset management coordination/communication between security and IT. Jackie Singh, CEO of the Oakland, Calif.-based security consulting firm Spyglass Security, does not start with asking IT or security execs what they have. She asks, “Are you certain that you can tell us what you have?” Unless asked that specifically, most will answer and not volunteer that they really don’t know, or that they only know about a percentage of assets and that they don’t even know what that percentage is, she says.
Some of this, Singh says, is “because [the] security [team] is not as tightly aligned with IT” as it should be. It’s an issue of “failing to have a single source of the truth” and, importantly, “not knowing the criticality of those assets. Different parts of the company have a very different perspective on what the criticality is.”
That’s not just a difference between IT and security, but between finance and legal, between supply chain and marketing and between facilities and manufacturing.
There are very difficult issues on which to focus: Do we know what we have, and do we even have the same definition of what we’re looking for? Singh also argues that putting in place lots of bureaucratic roadblocks for getting anything approved and installed is not the answer. “You don’t want to create artificial barriers to getting the job done,” she says, citing lightbulbs as an example.
Singh also argues that network management is an essential part of an asset management strategy, citing clients with many web browsers that were out of date. “Are they using Firefox from the network or from IT?” she asks.
Rolf von Roessing is the CEO of the Swiss firm Forfa Consulting and board vice chair of ISACA, a professional association that issues security and audit certifications. Von Roessing argues that even once assets are discovered, audits and other efforts often find them lacking in security compliance.
“Where legacy and/or under-protected assets are essential for the functioning of the process layer above, recent trends are pointing away from isolation — network zoning or air gapping — and toward remodeling/emulating these assets in a virtualized environment,” he says.
“These projects are still in their infancy as they present [several] challenges. I’m currently doing one of these for a company leveraging 30-year-old postal sorting arrays — as in ancient conveyor belts and hardware — where the control computers must be brought into the virtual age. It’s not easy. Most recent initiatives combine the idea of autodiscovery, which is old, with artificial intelligence, which is new, to not only discover but also recognize unknown assets as they enter the corporate sphere of control.”
He adds that CISOs should “be sure that when you virtualize, you get that same reliability. It can be a bit of a bumpy road there. The older the system, the more things you’ll have to deal with.”
Von Roessing also stresses the need to watch partners and the risks you inherit every time you sign a new contract. Renewing a contract might not bring on new risks, but it extends your exposure to whatever risk that partner always carried, quite likely without your knowing it.
He also wants enterprises to roll out security standards to their partners, but he puts himself in the risk-acceptance camp: he is less likely to demand that all partners comply immediately and more inclined to “wait until contract renewal. That’s the easy way out because you’re shying away from conflict.”