You Can't Protect what you Don't Know About

00:00

Lesson 2.2 You can't protect what you don't know about

00:05

in this lesson. We're going to talk about how you define what high value assets, or HV A's are and how they impact risk. And security decisions will also understand the need for mature I. T. Asset Management or I Tam and discuss the type of information that search should have access to in order to be successful

00:24

during an incident response.

00:28

So let's talk about high value assets.

00:31

High value assets are those assets that are valuable to the organization's NOAA trickery there in the name. But most organizations, I have found, haven't really done a good job about going back and identifying what in fact is considered an H V A. For them so well, look at this as we go through this lesson,

00:51

but it's critically important to know where the crown jewels restored. What are those assets and those

00:58

applications that, if they were to go down, would be detrimental to the organization and having some smarts around? What are the riskiest applications that you have? And how may they be impacted by a cyber incident

01:15

with I T Asset Management? It's comprised both of hardware, asset management and Software Asset Management.

01:22

It's also talking about the criticality of systems and though, should be taken into account. So it's great and one of the top 20 security controls to have a hardware and software asset management list. And as the lesson title describes here, you cannot protect what you don't know in.

01:40

I could say that 100 times it really is absolutely true.

01:42

It's why it's usually listed as one and two and the top 20 security controls of anywhere you look.

01:49

It is simply because of that you cannot control or protect. What you don't know is out there. So when we look at I ts at management,

01:57

it's great to have that list. But then take it a step further and say Here's the listing of all the things we have But then here's the criticality of those. We cannot treat every server, every application, every database the same because they're not the same

02:10

disaster recovery and business continuity planning Rto and RP Oh, we talked about that in the last lesson.

02:17

They all should have those objectives included in this decision on what is a high value asset

02:24

and the next part of it is a mature change management database, or CMD be with clear linkages with other systems is absolutely necessary

02:36

if you are a cyber incident responder, and you need to know how a particular system being taken off line is going to affect the rest of the organization. That's where CMD B comes in to play.

02:47

What router is that hanging off of? What switch, what ports on the switch, What databases does this application talk to? What's the front end application and maybe the Web server look like? And what is it connected? Teoh. What other applications may ride on the same physical server? Because they're all virtual applications?

03:07

These are all things that should be clearly linked together in a C M D. B.

03:14

Accurate information as well is very important for an incident response team. To have access to

03:20

search should always have access to up to date network diagrams. And honestly, this is something I see a lot of organizations not do a very good job with. I've gone and asked for network diagrams and been told we don't even have any, and I've seen some that are years outdated.

03:37

So then you have to pull in the network architecture, people and the individuals that just know the network because they built it and sketch something out quickly,

03:46

which is never a good way to do business.

03:50

Certain also needs access to the sea. MDB data that I talked about They should be able to pull and have read only access to the Sea MDB application to find out the information we've been talking about.

04:00

Also, security plans for systems I t should be writing system security plans for all of the systems that are being put into service. And this includes things like ports and protocols, recovery time objectives, recovery point objectives, data owners, sensitivity of data.

04:18

AP I calls and interconnections between systems,

04:23

Internet accessibility and requirements for external parties to touch the system. Any security that's in place in any logs that have generated all of these things should be already well documented for any system in an enterprise or in a business or an organization,

04:41

and certain needs to have access to those so they can see how systems talk to each other.

04:46

And then, of course, vulnerability scanning results.

04:48

It's really important to know what is out on your network that is vulnerable. What vulnerabilities do they have? What has been identified already? Do you have systems that are critical and also vulnerable, and that can help shape the incident responders targeting and triage of incidents that come out.

05:12

So some quick quiz questions on this Why does certainly to have access to a c M D B

05:17

A. To make sure that I t has one

05:20

be to provide incident responders with dependency and impact information during an incident?

05:27

See, in orderto audit the I T department, or D. None of the above.

05:34

Well, the answer to this one is be to provide incident responders with dependency and impact information during an incident. If you remember, I spoke about

05:44

how it's important for an incident responder to be able to walk in and see how a server talks to a database. What switches there on what other systems they may interact with

05:56

because it's not only important from connectivity reasons, but also if something has to be taken off line, it's important to know what else that may impact.

06:04

Another quiz question. Why should organizations identify their high value assets?

06:10

A. To make auditors happy during an annual PIN test

06:14

be so those devices could be patched last. So no impacts happen to the business or C to give additional context to vulnerability management, risk assessments and incident response activities and put some additional intelligence into decision making.

06:32

If he answered c on this one, you got it correct.

06:35

It is so important to not just patch things and jam patches out without any type of context or understanding what's critical, what's not. And when I say that, I mean, we shouldn't be patching

06:50

a end user desktop oven intern before we patch the domain controllers. And I see that all the time where patches come in and they just get deployed. But there's really no intelligence around any of this and making sure that we take care of those high value assets that we've identified

07:09

and that those are the things that we triage and prioritize. First

07:13

is very important, but it requires some maturity, and a lot of organizations just aren't there yet. So that's why this is the right answer to make sure you have some intelligence wrapped around vulnerability management patch management and also incident response. If you get to alerts at the same time and you're trying to triage them.

07:30

One alert is for a high value asset. One alert is for

07:33

a non high value asset.

07:35

You should be most of the time investigating that high value asset first, because we've already identified that any impact to that system is going to be much more detrimental to the non high value assets.