It was an easy week; I had a complete and up to date inventory of hardware, operating systems and software!

by J. Edward Durrett

This week, a couple of security issues impacting the confidentiality and [potentially] the availability of a large number of
computer systems were revealed to the general public. Of course, I am referring to Spectre and Meltdown [1] [2] [3] [4] [5].
Between the large number of systems affected [6] and the often breathless and alarmist publicity, I got quite a
few questions from outside of my engineering circles as to the impact. As I manage multiple systems, the answers were not on
the tip of my tongue but at the tips of my fingers. I had taken the time, actually a long time ago, to inventory my systems
and keep that inventory up to date. That meant preparing to answer the inevitable flood of questions was a matter of researching the
vulnerabilities; I already had the information on the systems on hand. I did not have to conduct a chicken-with-its-head-cut-off
scramble to research what systems and software I am ultimately responsible for. This meant I was able to provide quick and
accurate information to the other stakeholders without obfuscation or undue hype.

From other locations in my realm I heard reports of people in similar positions to mine being overwhelmed with the information
this week. Although I cannot be sure why they were overwhelmed, I can say with confidence (because I have seen it) that there are
still many organizations who do not know what hardware and software they are running. Insanity comes to mind, as this is basic
IT management. The top two of the CIS Controls [7] deal with having an inventory of hardware and software. The first question
that brings to mind I cannot answer, but I'll mention it anyway: what type of organization pays the high cost for senior
infrastructure and security professionals if those people are not delivering the basics? That will remain a mystery. The
second question is why some of these professionals think it is justified to ignore a basic principle, namely having an
inventory of hardware and software. I have heard a couple of arguments this year and I will outline them below:

1. There are too many devices / too much software to keep track of

This is one of the most common ones I have heard. And, to be kind, I can understand where people are coming from with this.
Large numbers can be overwhelming, but they are also relative. I have heard this from organizations that manage, at the
high end, 35,000 systems, from ones that manage 10,000 systems, and from ones that manage just under 100 systems. It actually does not
matter all that much. Imagine just how many items are in Amazon's supply chain at any point in time. Is it too many to keep track
of? What about planes in an airline fleet? Students in a university? Keeping track of large numbers of things is what we do as
managers. That is what business administration is. Devising and implementing a plan is what senior managers get
paid for.

2. I could care less what people are running on their systems

This type of haughty indifference, coupled with ignorance of the very real monetary risk that theft and misuse pose to an
organization, might sound like something a junior admin with no previous business work experience might say. Unfortunately, it
was uttered by someone with a weighty title (CISO) at a fairly large institution. I am not sure if there is a counter argument. The
above statement has the underlying premise that management of information systems is not a function of the institution.

3. We have a partial inventory, but know it's not complete because it is based on network scans, and don't know how to make
it complete

To this I must give some credit, for they are moving in the right direction and understand the importance of having that
inventory complete. What is the last step? Well, that depends on the institution and the resources available. In retail and
warehouse management, physical inventories are a normal part of operations. Of course there might be physical limits to how
far you can go through the organization to finish this last mile. For example, getting a round-the-world trip approved might
be difficult, but by establishing relationships, maybe even with people outside of IT, you can multiply the eyes and hands
required to get the information.
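The gap in point 3 is mechanical, so it is worth showing what "reconciling a scan against the inventory" actually looks like. The following is an added example, not code from the original post: it parses a constructed ping-sweep in nmap's grepable (-oG) format and a constructed CSV export of an inventory, joins them on IP address, and reports three things the scan alone cannot tell you apart: hosts that answer on the network but have no inventory record (the unknown devices), hosts in the inventory that were scanned but were down at the time, and hosts in the inventory that were never in the scan range at all. The two sample inputs, the hostnames, owners and addresses in them, and the CSV column names are all assumptions made for this example.

```python
"""Reconcile a network-scan view of the estate with the authoritative inventory.

Added example: the scan output, the inventory export and every host in them are
constructed for illustration and are not taken from any real network.
"""
import csv
import io
import ipaddress
import re

# Constructed sample of what `nmap -sn -oG -` prints for a ping sweep of 10.0.0.0/28.
# Hosts that did not respond are marked Down; 10.0.0.20 is outside the swept range.
SCAN_OUTPUT = """\
# Nmap scan initiated as: nmap -sn -oG - 10.0.0.0/28
Host: 10.0.0.2 (fw01.example.net)\tStatus: Up
Host: 10.0.0.5 (web01.example.net)\tStatus: Up
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.9 (db01.example.net)\tStatus: Down
Host: 10.0.0.12 ()\tStatus: Up
# Nmap done
"""

# Constructed sample of an inventory export; the IP is the join key, the owner
# column is what lets you chase discrepancies without a round-the-world trip.
INVENTORY_CSV = """\
hostname,ip,owner,os
fw01.example.net,10.0.0.2,netops,OpenBSD 6.2
web01.example.net,10.0.0.5,webteam,FreeBSD 11.1
db01.example.net,10.0.0.9,dba,Debian 9
backup01.example.net,10.0.0.20,infra,Windows Server 2016
"""

# One grepable host line: "Host: <ip> (<dns name or empty>)<tab>Status: <Up|Down>"
HOST_LINE = re.compile(r"^Host: (\S+) \((.*?)\)\s+Status: (\w+)")


def parse_scan(text):
    """Return {ip: (dns_name, status)} from nmap -oG output; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if match:
            ip, name, status = match.groups()
            hosts[ip] = (name, status)
    return hosts


def parse_inventory(text):
    """Return {ip: row} from the CSV export so it can be joined with the scan."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def _by_ip(ips):
    """Sort addresses numerically rather than as strings (10.0.0.6 before 10.0.0.12)."""
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(scan, inventory):
    """Split the estate into confirmed, unknown-on-network and inventoried-but-not-seen.

    'not_seen' carries a reason: 'down' when the scan covered the address but the
    host did not answer, 'outside scan' when the address was never swept at all.
    A scan-based inventory cannot distinguish either case from 'decommissioned'.
    """
    up = {ip for ip, (_, status) in scan.items() if status == "Up"}
    known = set(inventory)
    not_seen = {}
    for ip in _by_ip(known - up):
        not_seen[ip] = "down" if ip in scan else "outside scan"
    return {
        "confirmed": _by_ip(up & known),
        "unknown_on_network": _by_ip(up - known),
        "not_seen": not_seen,
    }


def report(result, inventory):
    """Human-readable summary; owners come from the inventory so you know whom to ask."""
    lines = [f"confirmed on network and in inventory: {len(result['confirmed'])}"]
    for ip in result["unknown_on_network"]:
        lines.append(f"UNKNOWN  {ip}: answers on the network but has no inventory record")
    for ip, reason in result["not_seen"].items():
        row = inventory[ip]
        lines.append(f"NOT SEEN {ip} ({row['hostname']}, owner {row['owner']}): {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    print(report(reconcile(parse_scan(SCAN_OUTPUT), inventory), inventory))
```

The two lists that matter are the ones the scan alone would never produce: the unknown hosts are the devices nobody has claimed, and the not-seen hosts are the ones a scan-only inventory would silently drop, even though backup01 was simply never in the swept range. Both lists come with an owner or an address to start from, which is the "multiply the eyes and hands" step in practice.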

4. Everyone is responsible for their own devices

This would be another jaw dropper, much like number two above, with the exception that it is very common, especially in smaller
organizations with a very limited IT management budget. Resource management is a crucial function of business management, and
allowing valuable information to flow about without proper audit controls is the same thing as allowing every employee to
make entries to the general ledger. I have not heard many senior management professionals suggest eliminating the CFO and the
accounting department and making each employee responsible for their own entries. Of course, though, technologists have a way of presenting
themselves as outside the norms of institutional management. We certainly are not.

Those are just some of the excuses for not having an inventory of hardware and software that I have heard recently. It is a
crucial organizational management function, and without it failure will come sooner or later. Being organized also makes your
day much more pleasant.

[1] https://meltdownattack.com/
[2] https://spectreattack.com/
[3] https://www.kb.cert.org/vuls/id/584653
[4] https://www.ncsc.gov.uk/guidance/meltdown-and-spectre-guidance
[5] https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
[6] https://www.us-cert.gov/ncas/alerts/TA18-004A
[7] https://www.cisecurity.org/controls/

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.