CIS Control 01: Inventory and Control of Enterprise Assets

Since 2008, the CIS Controls have been through many iterations of refinement and improvement leading up to what we are presented with today in CIS Controls version 8.1.

CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, and individuals). The controls reflect consideration by people in many different roles, such as threat analysts, incident responders, solution providers, policy-makers, and more.

This work is the collected wisdom from across many sectors that have banded together to create, adopt, and support the CIS Controls.

Today, I will be going over the first control from version 8.1 of the top 18 CIS Controls – Inventory and Control of Enterprise Assets. This control has not been modified since its last publication in CIS Controls 8. I will go through the 5 safeguards for CIS Control 1 and offer my interpretation of what I've found.

Key Takeaways for Control 1

Starting with the basics. CIS Controls for version 8 have 18 controls out of the 18, the first 6 are considered the basics for setting the foundation for enterprise cybersecurity. Adopting CIS Controls can both simplify and strengthen cybersecurity at once.
Tool availability. Many of the tools that accomplish the requirements set forth in Control 1 are open-source, which can help cut costs down during the adoption of CIS. This is mainly for smaller organizations, as larger ones will quickly outgrow the extent of capabilities available as open-source. Commercial tools and services are available for enterprises that fit this category.
Reusability. Work smarter, not harder. Many of the tools referenced in Control 1 can be used in Control 2, which is very helpful when tackling the controls in order.

Safeguards for Control 1

1.1) Establish and Maintain Detailed Enterprise Asset Inventory

Description: Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, including end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers.

Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM-type tools can support this process where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and within cloud environments.

Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under the control of the enterprise. Review and update the inventory of all enterprise assets bi-annually or more frequently.

Notes: The security function for this safeguard is Identify. Any time after a scan, all assets that are recorded should be cataloged after a scan. If you are a small business, a simple CSV file can be sufficient, but middle to large enterprises will require a proper asset management database.

1.2) Address Unauthorized Assets

Description: Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset to isolate it from other assets.

Notes: The security function for this safeguard is Respond. Having new devices show up as discovered assets doesn't always mean there is something nefarious a foot. Establishing a secure baseline from previous asset scans should help ease your paranoia. Keeping a secure baseline will show you when a new asset is discovered, making it easier to assess whether or not the asset is permitted to be on the network or if the asset needs to be quarantined.

1.3) Utilize an Active Discovery Tool

Description: Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute at least daily.

Notes: The security function for this safeguard is Detect. A basic example of active discovery is the classic ping-and-response method used by many systems as an initial way to locate hosts on a network. Keep in mind that some assets might not show up or remain hidden with active discovery due to firewalls or transient connectivity. This is where deploying both active and passive (which we will go over later) techniques are important in order to gain full transparency of an organization's network.

1.4) Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Description: Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. Review and use logs to update the enterprise's asset inventory weekly or more frequently.

Notes: The security function for this safeguard is Identify. DHCP is a benefit to many organizations for the sake of centralized IP address management and the ability to easily add new devices to the network using recycled addresses. This safeguard is very similar to safeguards 3 and 5 with the exception of using DHCP versus a static IP address.

1.5) Use a Passive Asset Discovery Tool

Description: Use a passive discovery tool to identify assets connected to the enterprise's network. Review and use scans to update the enterprise's asset inventory at least weekly.

Notes: The security function for this safeguard is Detect. Unlike active discovery methods where they send packets to a host and monitor its response, passive discovery locates services running on a network by observing traffic generated by servers and clients. Passive and active discovery are complementary methods that, when utilized together, give organizations more descriptive data that they can then start to generate a detailed outline of all assets located on their network. Organizations can't protect what they don't know they have.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading this guide here.

Read more about the 18 CIS Controls here:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery