Cybersecurity Risk Management - Physical Devices

Episode #43

The risk management process rests on four fundamental concepts, each of which can be broken down further:

Frame risk
Assess risk
Respond to risk once determined
Monitor risk on an ongoing basis

Before getting here, however, other fundamental steps must be in place. One that I have discussed here in the past is asset management. Today I want to give you a bit more detail on this process.

First, inventory every physical device and system you have, and maintain that inventory; this is one of the most important yet least practiced cybersecurity tasks worldwide. Small and mid-sized businesses can start with a simple Excel or Google spreadsheet, while larger organizations can leverage a configuration management database (CMDB).

The approach can be as simple as brainstorming with your team a list of system types, such as:

End-user devices: laptops and phones
Servers: virtual and physical servers
Cloud platforms: SaaS, PaaS, and IaaS

You should tie the software inventory into the hardware asset inventory where possible. Make sure to include critical information, such as:

Network address
Hardware address
Machine name
Data asset owner

Along with the traditional IT devices, your team brainstorming should also consider devices such as VoIP phones, printers, HVAC systems, and any IoT devices connected to the network that could become an attack vector.

Detecting new devices, both authorized and unauthorized, is critical for the program, so some automation is necessary; how much will vary depending on the size of your organization. It can be as simple as monitoring the DHCP server for IP address assignments, or it can involve systems that scan and monitor the network 24/7 or at periodic intervals determined by your organization.
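
The DHCP-monitoring approach above, as an added example that is not part of the original episode notes: it compares DHCP acknowledgements against an inventory keyed on hardware address and reports devices missing from the inventory, plus known devices seen at a different network address. The inventory column names, the ISC dhcpd-style log format, and all sample data are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed inventory export; columns follow the fields listed above (names assumed).
INVENTORY_CSV = """network_address,hardware_address,machine_name,data_asset_owner
10.0.0.21,00:1A:2B:3C:4D:5E,fin-laptop-01,Finance
10.0.0.40,00-1a-2b-aa-bb-cc,print-2f,Facilities
"""

# Constructed sample lines in ISC dhcpd syslog style (assumed log format).
DHCP_LOG = """\
Mar  3 09:14:02 gw dhcpd[812]: DHCPACK on 10.0.0.21 to 00:1a:2b:3c:4d:5e (fin-laptop-01) via eth1
Mar  3 09:15:40 gw dhcpd[812]: DHCPACK on 10.0.0.77 to de:ad:be:ef:00:01 (unknown-cam) via eth1
Mar  3 09:16:11 gw dhcpd[812]: DHCPACK on 10.0.0.55 to 00:1a:2b:aa:bb:cc via eth1
Mar  3 09:17:00 gw dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth1
"""

ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9A-Fa-f:.-]+)(?: \((?P<host>[^)]*)\))?")

def norm_mac(mac):
    """Normalise a hardware address to lowercase colon-separated form, or None."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None

def load_inventory(text):
    """Index inventory rows by normalised hardware address."""
    return {norm_mac(r["hardware_address"]): r for r in csv.DictReader(io.StringIO(text))}

def review_leases(log_text, inventory):
    """Return (devices not in inventory, known devices leased a different address)."""
    unknown, moved = {}, {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        mac = norm_mac(m["mac"]) if m else None
        if mac is None:
            continue  # not a lease acknowledgement, or an unparseable address
        row = inventory.get(mac)
        if row is None:
            unknown[mac] = (m["ip"], m["host"] or "")
        elif row["network_address"] != m["ip"]:
            moved[mac] = (row["machine_name"], row["network_address"], m["ip"])
    return unknown, moved

if __name__ == "__main__":
    unknown, moved = review_leases(DHCP_LOG, load_inventory(INVENTORY_CSV))
    print("Not in inventory:", unknown)
    print("Address differs from inventory:", moved)
```

A device that uses a static address never appears in DHCP logs, so this check complements the periodic network scan rather than replacing it.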