DESCRIPTION OF CONTROLS
Critical Control 1: Inventory of authorized and unauthorized hardware.
How do attackers exploit the lack of this control?
Many criminal groups and nation states deploy systems that continuously scan the address spaces of target organizations, waiting for new, unprotected systems to be attached to the network. The attackers also look for laptops that are not up to date with patches because they are not frequently connected to the network. One common attack takes advantage of new hardware that is installed on the network one evening and not configured and patched with appropriate security updates (i.e., “hardened”) until the following day. Attackers from anywhere in the world may quickly find and exploit such systems if they are Internet-accessible. Furthermore, even for internal network systems, attackers who have already gained internal access may hunt for and compromise additional improperly secured internal computer systems. The attackers use the night-time window to install backdoors that remain in place after the systems are hardened; these backdoors are then used to exfiltrate sensitive data from the compromised systems and from other systems connected to them.
Additionally, attackers frequently look for experimental or test systems that are briefly connected to the network but not included in the standard asset inventory of an organization. Such experimental systems tend not to have as thorough security hardening or defensive measures as other systems on the network. Although these test systems do not typically hold sensitive data, they offer an attacker an avenue into the organization, and a launching point for deeper penetration.
How can this control be implemented, automated, and its effectiveness measured?
An accurate and up-to-date inventory, controlled by active monitoring and configuration management, can reduce the chance of attackers finding unauthorized (those not previously approved for installation) and unprotected systems to exploit.
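As an added example (not part of the original document), a small reconciliation check in the spirit of this control: it parses constructed device observations in a hypothetical "seen" export format, normalizes MAC addresses, and flags devices absent from the authorized inventory, authorized devices seen on an unexpected VLAN, and inventory entries that were not observed at all. The inventory, the observation lines and the export format are all constructed sample data.

```python
import re
from collections import defaultdict

# Authorized hardware inventory (constructed sample, keyed by MAC address).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"host": "fileserver01", "vlan": 10},
    "aa:bb:cc:00:00:02": {"host": "hr-laptop-07", "vlan": 20},
    "aa:bb:cc:00:00:03": {"host": "printer-3f", "vlan": 10},
}

# Constructed observations in a hypothetical "seen" export format (one device per line).
OBSERVED = """\
seen ip=10.0.10.15 mac=AA:BB:CC:00:00:01 host=fileserver01 vlan=10
seen ip=10.0.20.44 mac=aa-bb-cc-00-00-02 host=hr-laptop-07 vlan=20
seen ip=10.0.10.99 mac=00:11:22:33:44:55 host=test-box vlan=10
seen ip=10.0.30.12 mac=AA:BB:CC:00:00:02 host=hr-laptop-07 vlan=30
"""

LINE_RE = re.compile(r"seen ip=(\S+) mac=(\S+) host=(\S+) vlan=(\d+)")

def normalize_mac(mac):
    """Canonical lowercase colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_observations(text):
    """Yield (ip, mac, host, vlan) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ip, mac, host, vlan = m.groups()
            yield ip, normalize_mac(mac), host, int(vlan)

def reconcile(observations, inventory):
    """Return {finding_type: [(mac, detail), ...]} so each type can be routed separately."""
    findings = defaultdict(list)
    seen = set()
    for ip, mac, host, vlan in observations:
        seen.add(mac)
        entry = inventory.get(mac)
        if entry is None:  # hardware never approved for installation
            findings["unauthorized"].append((mac, f"{host} at {ip} on vlan {vlan}"))
        elif entry["vlan"] != vlan:  # approved device in an unexpected network segment
            findings["unexpected_vlan"].append((mac, f"{entry['host']} seen on vlan {vlan}"))
    for mac, entry in inventory.items():
        if mac not in seen:  # stale inventory entry or device currently offline
            findings["not_observed"].append((mac, entry["host"]))
    return dict(findings)
```

Calling `reconcile(parse_observations(OBSERVED), AUTHORIZED)` on the sample data reports the unknown "test-box", the HR laptop appearing on VLAN 30, and the printer that was not seen.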