Cybersecurity is Dependent on IT Asset Management
How the lack of a functioning IT asset management practice at Equifax materially contributed to one of the most damaging data breaches that impacted over 140 million Americans.
For years, Chief Information Officers (CIOs) have been told that IT asset management (ITAM) solutions were critical tools for containing costs and avoiding the expense and disruption of a vendor-originated software compliance audit. There are, of course, other benefits, including avoiding over-buying software, managing hardware end-of-life and effectively managing the patching process. Every once in a while an article would appear touting the role of ITAM as a cybersecurity tool, but ITAM practices were rarely called out as a key preventative measure for data breaches. That was until the United States Senate Permanent Subcommittee on Investigations of the Committee on Homeland Security and Governmental Affairs published a report entitled How Equifax Neglected Cybersecurity And Suffered A Devastating Data Breach. The 67-page report details how the lack of a functioning IT asset management practice at Equifax materially contributed to one of the most damaging data breaches on record, one that impacted over 140 million Americans.
In Section Two of the report, entitled "Equifax Was Aware of Cybersecurity Weaknesses for Years", the Senate committee focuses on Equifax's lack of coordinated patch management and IT asset management practices. The report notes that an internal audit conducted by Equifax in 2015 made four findings. First, "Equifax was not remediating vulnerabilities in a timely fashion". Second, the audit identified the security risks associated with Equifax's lack of a comprehensive IT asset inventory. Third, the audit found that Equifax's IT department was not proactively applying patches throughout its network. Fourth, the audit highlighted Equifax's "failure to verify the successful implementation of patches" (Senate report, p. 23). Of particular interest is the finding that security risks were tied directly to the lack of an ITAM practice or toolset.
In today's computing environment cyber-criminals are constantly looking for software vulnerabilities, including zero-days, and software publishers are pushing out patches as soon as vulnerabilities are identified. Consequently, applying patches must be an ongoing process throughout any network. Knowing which systems to patch, which patches have been applied and which installed software has known vulnerabilities is crucial. The absence of an IT asset management solution complicates this process, as was identified in the Equifax case. The Senate report noted that a significant number of Equifax systems were not patched in a timely manner and that the company was using threat and vulnerability information to reactively patch its systems instead of proactively applying patches. Consequently, this patching practice caused Equifax systems to remain susceptible for an unnecessarily extended period of time (Senate report, p. 25). Regular reports detailing the installed software, applied patches and missing patches can be used to proactively patch systems and reduce overall network vulnerability.
The report also linked the breach to the absence of an accurate IT asset inventory. In fact, "Equifax did not have a complete IT asset inventory or accurate network documentation". According to the report, the risk of not having this inventory "makes it difficult to ensure systems are patched in a timely manner and are being regularly scanned for security vulnerabilities". Having an asset inventory is "paramount" from a security standpoint because an organization can only defend the assets it has identified. Equifax's former Vice President of its Cyber Threat Center (CTC) told the Subcommittee that without an inventory, an organization would be unaware of the need to scan particular assets for vulnerabilities. She added that "having an asset inventory is a best practice" (Senate report, p. 25). In this case, knowing was even more than half the battle. Having an up-to-date inventory of all devices and installed software enables an organization to fully evaluate threats and prioritize its patching and update practices.
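The four audit findings above (incomplete inventory, reactive rather than proactive patching, and unverified patch deployments) can be checked mechanically once inventory data exists. The following is an added example, not code from the Senate report, Equifax or xAssets; the hosts, the "appserver" package, its versions and the deployment log are all constructed placeholders.

```python
# Added example (not from the page or any vendor): reconcile an asset inventory with
# discovery-scan results and a patch deployment log. All data below is constructed.

# Inventory: host -> {software: installed version}
INVENTORY = {
    "web-01": {"appserver": "2.3.30"},  # patch logged, but version never moved
    "web-02": {"appserver": "2.3.33"},  # patched and verified
    "app-03": {"appserver": "2.3.31"},  # never patched
    "db-01": {"appserver": "2.5.10"},   # already past the required version
}
# Hosts a network discovery scan actually observed
DISCOVERED = {"web-01", "web-02", "app-03", "db-01", "legacy-07"}
# Minimum version an advisory requires (placeholder software name)
REQUIRED = {"appserver": "2.3.32"}
# (host, software) pairs the deployment tool claims to have patched
DEPLOYED = {("web-01", "appserver"), ("web-02", "appserver")}


def parse_version(text):
    """'2.3.32' -> (2, 3, 32): compare numerically, since '2.3.9' > '2.3.32' as strings."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory, discovered, required, deployed):
    """Classify hosts against the audit findings quoted in the Senate report.

    unknown_hosts:      on the network but absent from the inventory (nobody scans them)
    missing_patches:    below the required version, no deployment recorded (reactive patching)
    unverified_patches: deployment recorded, yet still below the required version
    compliant:          at or above the required version
    """
    report = {"unknown_hosts": sorted(discovered - set(inventory)),
              "missing_patches": [], "unverified_patches": [], "compliant": []}
    for host, software in sorted(inventory.items()):
        for name, installed in software.items():
            if name not in required:
                continue  # no advisory applies to this package
            if parse_version(installed) >= parse_version(required[name]):
                report["compliant"].append(host)
            elif (host, name) in deployed:
                report["unverified_patches"].append(host)
            else:
                report["missing_patches"].append(host)
    return report


if __name__ == "__main__":
    for finding, hosts in reconcile(INVENTORY, DISCOVERED, REQUIRED, DEPLOYED).items():
        print(f"{finding:19s} {', '.join(hosts) or '(none)'}")
```

The "unverified_patches" bucket is the one a deployment tool's own success log cannot reveal: only comparing the inventory's installed version against the requirement shows that web-01 was never actually remediated.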
The Equifax breach brought congressional attention and might, at some point, fuel national data security legislation; however, long before that legislation is passed the company will be facing lawsuits and other legal actions. Estimates range from $200 million in lawsuit settlements to $143 billion if the company is prosecuted under a federal law that carries damages of as much as $1,000 per violation, plus punitive damages. Clearly, the cost of the breach outweighs the cost of a corporate-wide IT asset management practice.
However, as serious as the Equifax breach was, it pales in comparison to the Marriott breach, which exposed 500 million customer records and is being prosecuted under the 2018 EU General Data Protection Regulation (GDPR). That regulation requires data center operators to maintain the highest level of security and have full knowledge of their computing environments, as would be available from an ongoing ITAM practice. It also provides significant fines for the unauthorized release of personal customer information. The lower level of penalties is either €10 million or 2% of the worldwide annual revenue of the prior fiscal year, whichever is higher. The upper level is up to €20 million or 4% of the worldwide annual revenue of the prior fiscal year, whichever is higher. As Forbes reported, Marriott's global annual revenue for 2017 was $22.89 billion; at the upper level of 4%, the sanctions imposed by the EU could be as much as $915 million. Conceivably, the vulnerability that resulted in the breach could have been identified earlier, or mitigated in its entirety, through the use of a comprehensive ITAM toolset.
Although overlooked in many cases, a comprehensive, proven and secure IT asset management solution, providing detailed hardware and software inventories, is a critical component of any cybersecurity operation. Following 1.3 years of vulnerability testing, the xAssets technology is certified for use on the SIPRNet, the U.S. Department of Defense's most secure network, and perhaps the most secure network in the world. CIOs can rest assured that installing xAssets solutions into their computing environments will introduce no additional vulnerabilities. In addition, xAssets reports are highly accurate and are accepted by the Software and Information Industry Association (SIIA) for purposes of proving software license compliance. Whether cloud-based or on-premises, xAssets IT asset management solutions provide IT managers with the detailed, customizable reports needed to identify vulnerable or unpatched systems.
In addition, the xAssets tools are agentless, requiring no changes to existing configurations and only short installation timeframes. For more information on how xAssets can enhance any cybersecurity practice, visit us at www.xassets.com or call us at (800)-691-9120.