Sunday Musings Triumph And Disaster
Happy Sunday Friend!
Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!
Quote I’m Musing
“..If you can meet with Triumph and Disaster
And treat those two impostors just the same;..
Yours is the Earth and everything that’s in it,
And—which is more—you’ll be a Man, my son!”
-Rudyard Kipling
This is a snippet from Rudyard Kipling’s poem “If”. You can wish things would turn out the way you want them to when they haven’t, or you can accept that things are the way they are. If it’s raining, we are happy it’s raining; the air is getting cleansed, crops and plants are getting watered.
This doesn’t mean we accept and approve of injustice or just give up. Accepting both triumphs and disasters is the first step toward using those occurrences in our lives as things we learn and grow from, the things that make us who we are. We’ve been through this (or something like it) before, and we can accept that even when, in the moment, it is a setback. But, as Thomas Edison said when his factory burned down, it keeps me from getting bored.
CIS Critical Security Control #1
Inventory and Control of Enterprise Assets
Know what is on your network (and what shouldn’t be).
Before we start, you can pull your own copy of all the controls from the Center for Internet Security’s Critical Security Controls.
What is it?
The theme here is being able to see what is on your network and who each asset belongs to, and preventing unauthorized users/systems from connecting to your network. Think about using both technical and procedural actions together to account for and manage our inventory of assets and associated data throughout the lifecycle.
There are 5 safeguards (sub-controls) that make up this control.
1.1 Establish and Maintain Detailed Enterprise Asset Inventory
Build and keep an up-to-date inventory of everything that touches our networks. This includes assets that connect to our infrastructure physically, virtually, remotely, and in the cloud; ephemerally connected things like portable and mobile devices; and assets that connect to our infrastructure but aren’t under our control (think supply chain). Have a plan in place for how often the inventory is refreshed, but never go longer than 6 months between updates.
Implementation Note: The catalog can be as simple as a CSV or a full asset management database. The key is identifying and cataloging everything on our network.
1.2 Address Unauthorized Assets
Have a process in place to address unauthorized assets at least weekly. We can either remove the asset immediately, deny the asset from connecting remotely, or quarantine the device.
Implementation Note: Having a secure baseline is the key to identifying anomalies and knowing whether a new asset on the infrastructure is authorized or not. A new asset doesn’t mean there are malign activities on our network. The key here is responding to unauthorized assets on our network.
1.3 Utilize an Active Discovery Tool
Utilize an active discovery tool at least daily to monitor our network. Straightforward. Which tool to choose should be based on budget, knowledge, and risk strategy. We can go as simple and hands-on as Zenmap, purchase expensive capabilities like Solarwinds, or pick something in between like Spiceworks. The choice is really case-by-case.
Implementation Note: The key here is detecting assets reliably. Pay attention to firewalls and ephemeral connectivity. Gaining full understanding of our network is essential to later controls.
1.4 Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory at least weekly.
Implementation Note: This is the dynamic sibling to safeguards 1.3 and 1.5. The key function here is identifying assets on our network via DHCP logging. DHCP lets us centralize IP address management and recycle addresses for new devices. If we have a SIEM solution, we can ingest DHCP logs to correlate with other security events and services to help automation.
1.5 Use a Passive Asset Discovery Tool
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly. Where the active discovery tool sends packets and monitors responses, the passive discovery tool observes generated traffic to identify what’s on our network.
Implementation Note: Like active discovery, passive discovery focuses on detecting assets. The two methods are complementary and work together to give us a more holistic picture of the assets on our networks. That’s essential, as we can’t protect what we don’t know we have.
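As an added example (mine, not from the newsletter or from CIS), here is how safeguards 1.2 and 1.4 fit together in a few lines of Python: parse DHCPACK lines from a DHCP server log, reconcile them against the simple CSV inventory that 1.1 allows, update the last-seen IP of known assets, and flag any MAC address the inventory has never heard of. The ISC dhcpd-style log format, the CSV column names, and every address and hostname are constructed assumptions for the demo.

```python
import csv
import io
import re

# Constructed ISC dhcpd-style syslog lines (sample data, not real logs).
DHCP_LOG = """\
Jun 18 08:01:12 dhcp1 dhcpd: DHCPACK on 10.10.1.20 to 00:11:22:33:44:55 (ws-finance-03) via eth0
Jun 18 08:05:40 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to 00:11:22:33:44:66 (printer-2f) via eth0
Jun 18 08:07:02 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Jun 18 08:07:03 dhcp1 dhcpd: DHCPACK on 10.10.1.99 to aa:bb:cc:dd:ee:ff (android-7c1e) via eth0
"""

# Constructed inventory in the "simple CSV" form safeguard 1.1 allows.
INVENTORY_CSV = """\
mac,hostname,owner,authorized
00:11:22:33:44:55,ws-finance-03,finance,yes
00:11:22:33:44:66,printer-2f,facilities,yes
"""

# Only DHCPACK means a lease was actually handed out; DISCOVER/OFFER are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?", re.IGNORECASE)

def parse_dhcp_acks(log_text):
    """Return {mac: (ip, hostname)} for every DHCPACK; the latest lease per MAC wins."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m["mac"].lower()] = (m["ip"], m["host"] or "")
    return leases

def load_inventory(csv_text):
    """Key the inventory by lower-cased MAC so log and CSV casing never mismatch."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}

def reconcile(inventory, leases):
    """Refresh known assets (1.4) and flag MACs missing from the inventory (1.2)."""
    unauthorized = []
    for mac, (ip, host) in leases.items():
        if mac in inventory:
            inventory[mac]["last_ip"] = ip
        else:
            inventory[mac] = {"mac": mac, "hostname": host, "owner": "UNKNOWN",
                              "authorized": "no", "last_ip": ip}
            unauthorized.append(mac)
    return inventory, unauthorized

if __name__ == "__main__":
    inv, flagged = reconcile(load_inventory(INVENTORY_CSV), parse_dhcp_acks(DHCP_LOG))
    for mac in flagged:
        print("UNAUTHORIZED", mac, inv[mac]["last_ip"], inv[mac]["hostname"])
```

Anything printed as UNAUTHORIZED is the weekly work item from 1.2: remove it, block it, or quarantine it, then either add it to the inventory with an owner or confirm it is gone.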
How Do We Implement It?
The reality is that we’ll have to implement multiple tools to develop a high-confidence model for our asset inventory. If we are working with smaller enterprises, we can utilize free, open source, or preinstalled tools. At a minimum, we should be doing a discovery scan of the network with a vulnerability scanner; reviewing anti-malware logs, logs from endpoint security portals, network logs from switches, or authentication logs; and managing the results in a spreadsheet or database.
Larger enterprises implementing additional platforms can collect data from cloud portals and logs from enterprise platforms such as: Active Directory (AD), Single Sign-On (SSO), Multi-Factor Authentication (MFA), Virtual Private Network (VPN), Intrusion Detection Systems (IDS) or Deep Packet Inspection (DPI), Mobile Device Management (MDM), and vulnerability scanning tools.
Why Should We Care About Control 1?
I’ll start with a rhetorical question. If you didn’t know what systems you had on your network, and you didn’t know what software was running on your network, how would you protect your enterprise?
Having an accurate and up to date inventory of our assets provides the essential foundation to implementing protections and controls. Once we know what we have, we can tailor our security strategy to the assets, our risk management strategy, and program management strategy.
This lets us minimize business disruption, demonstrate risk reduction, integrate with the other business functions, and be agile when it’s time to extend to the next big thing (cloud, IoT, etc.).
Well, I was loquacious on Control 1 (read -vv) so Control 2 next week!
Interesting and In the News
Databricks is moving into AI.
Most of the AI innovators and builders have the programming and agent creation down. What they don’t have is data. Training models and agents requires massive amounts of data. Enter the data space owners. I anticipate the next step here is context and paring down the size.
AI Framing with zoom features
Midjourney released version 5.2 which includes new “zoom out” and “square” features. This lets prompters maintain the original image as a centerpiece while zooming out or filling in the image with additional imagery as if using a camera lens to pull back for more scenery. Color me impressed.
Political hackers strike Fort Worth to protest anti-trans legislation
SiegedSec posted that they had accessed "roughly 500k" files including "work orders, employee lists, invoices, police reports, emails between employees/contractors, internal documents, camera footage, and lots, lots, lots more." This came in response to Texas Governor Greg Abbott, who made headlines after controversially signing legislation banning gender-affirming medical care for transgender youths.
I would love your feedback!
Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.
Have a wonderful week, I’ll see you Sunday.
-e
End of transmission.
