CIS Control 1: Inventory and Control of Hardware Assets
This article focuses on CIS Control 1: Inventory and Control of Hardware Assets and the eight requirements associated with the first of the twenty CIS Controls.
You cannot protect what you don't know you have – that's why CIS Control 1 is listed as the very first control to adopt when developing your cybersecurity strategy. This Basic security control is all about identifying devices, documenting your inventory, and keeping the inventory current and up to date.
Let's jump right into the eight sub controls of CIS Control 1.
Control 1.1: Utilize an Active Discovery Tool
- Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
Control 1.2: Use a Passive Asset Discovery Tool
- Utilize a passive discovery tool to identify devices connected to the organization's network and update the organization's hardware asset inventory.
Sub controls 1.1 and 1.2 recommend the use of active and passive discovery tools. Active scanning tools sweep the entire network to find devices, while passive scanning tools listen on networks for new devices sending traffic. These passive tools can be connected to switch span ports at critical spots within the network to view all data flowing through the switches, helping maximize the chance of identifying systems communicating through those switches. Anything with an IP address must be counted as inventory, including devices like printers and copy machines, Virtual Private Networks (VPNs), and mobile devices.
Control 1.3: Use DHCP Logging to Update Asset Inventory
- Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
Sub control 1.3 recommends Dynamic Host Configuration Protocol (DHCP) be used to assign IP addresses to help keep hardware asset inventory up to date.
Control 1.4: Maintain Detailed Asset Inventory
- Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Control 1.5: Maintain Asset Inventory Information
- Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
Sub controls 1.4 and 1.5 highlight the importance of maintaining a detailed hardware asset inventory, detailing which devices are connected or not and which are authorized to be connected to the network. At a minimum, this includes the name of the device, its IP address, and whether or not it is portable. Organizations should document whatever other information they find necessary to keep in the asset inventory. It's important to note that this step is not a one-time thing – this process is dynamic and ongoing for the entire lifecycle of all devices.
Control 1.6: Address Unauthorized Assets
- Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
Sub control 1.6 suggests addressing the unauthorized devices entering your network. Spotting new devices does not automatically mean a hacker is trying to gain access to your network, but once your secure baseline is established, new devices should rarely appear on the network. This includes Internet of Things (IoT) devices which have been proven time and time again to pose a serious threat to an organization's overall security posture. Hackers often use these unauthorized and unprotected devices such as employees' personal smartphones or laptops riddled with viruses to gain access to the network.
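The following added example (not part of the original article or any CIS or NNT tooling) shows how sub controls 1.3, 1.5 and 1.6 fit together: DHCP lease logs are reconciled against an inventory that carries the 1.5 fields, and devices that are unknown or not approved are returned for follow-up. The log lines are constructed in the style of ISC dhcpd syslog output, and the inventory layout and the `reconcile` function are assumptions made for illustration.

```python
import re

# Constructed sample lines in the style of ISC dhcpd syslog output.
DHCP_LOG = """\
Mar  3 09:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.23 to 00:1a:2b:3c:4d:5e (fin-lt-014) via eth0
Mar  3 09:02:40 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.77 to 00:1A:2B:3C:4D:99 (lobby-printer) via eth0
Mar  3 09:05:03 dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0
Mar  3 09:05:04 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.140 to de:ad:be:ef:00:01 via eth0
Mar  3 09:09:30 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.88 to 00:1a:2b:3c:4d:5e (fin-lt-014) via eth0
"""

# Hypothetical inventory keyed by hardware address, carrying the 1.5 fields.
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"ip": "10.0.5.23", "name": "fin-lt-014", "owner": "j.doe",
                          "department": "Finance", "approved": True},
    "00:1a:2b:3c:4d:99": {"ip": "10.0.5.77", "name": "lobby-printer", "owner": "facilities",
                          "department": "Facilities", "approved": False},
}

# A completed lease: IP address, hardware address, optional client hostname.
ACK = re.compile(r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>[0-9A-Fa-f:]{17})"
                 r"(?: \((?P<name>[^)]*)\))? via")

def reconcile(log_text, inventory):
    """Update approved assets' addresses from leases; return MACs needing 1.6 action."""
    findings = {}
    for line in log_text.splitlines():
        m = ACK.search(line)
        if not m:
            continue  # only completed leases prove a device received an address
        mac = m["mac"].lower()  # normalise case so inventory lookups match
        asset = inventory.get(mac)
        if asset is None:
            findings[mac] = ("unknown", m["ip"], m["name"])
        elif not asset["approved"]:
            findings[mac] = ("not_approved", m["ip"], asset["name"])
        else:
            asset["ip"] = m["ip"]  # keep the recorded network address current
    return findings

if __name__ == "__main__":
    for mac, (status, ip, name) in reconcile(DHCP_LOG, INVENTORY).items():
        print(f"{status:13} {mac} {ip} {name or '-'}")
```

Each returned entry maps to one of the 1.6 outcomes: remove the device, quarantine it, or add it to the inventory with an owner and approval status.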
Control 1.7: Deploy Port Level Access Control
- Utilize port-level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
Control 1.8: Utilize Client Certificates to Authenticate Hardware Assets
- Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
Sub controls 1.7 and 1.8 advise two steps that organizations need to take to maintain control of devices that are authorized to connect to their network. Port-level controls are the first, along with proper switch configurations. Both need to be tied to the device asset inventory. This will help organizations make certain that only authorized, secure devices may connect to the network.
Diagram: CIS Control 1 – System Entity Relationship Diagram
Cybercriminals are constantly searching for new and unprotected systems to gain access into the network, particularly laptops and Bring-Your-Own-Device (BYOD) which are often out of date on security updates. Even devices that are not visible from the internet can be used by an attacker with internal access looking for internal pivot points or victims. Once in, attackers can exploit other systems and wreak havoc on an organization's system. NNT Change Tracker Gen7 R2 addresses this basic security control by providing an accurate inventory of exactly what devices are on your network, allowing you to ensure that the devices are authorized with up to date configurations, patches, and appropriate user access controls.
NNT recommends implementing NNT Change Tracker Gen7 R2 with its integrated ITSM option to assist aligning with CIS Control 1. NNT Vulnerability Tracker and NNT Change Tracker can provide direct asset discovery and tracking of any new/changed/removed devices. Change Tracker will also integrate with ITSM systems such as ServiceNow, Remedy or Cherwell to leverage CMDB information as an asset inventory source.