20 Critical Security Controls – Control 1: Inventory and Control of Hardware Assets

Today, I will be going over Control 1 from version 7 of the top 20 CIS Controls – Inventory and Control of Hardware Assets. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 1

• Start small. This is going to be a control that will need to be continually revisited as you mature the security operations of the organization. Many of these requirements can be done with free tools and managed with simple spreadsheet software. As the organization grows and more controls are implemented, these become more complex and integrate tightly with other requirements throughout the entire suite of CIS security controls.
• Ask for guidance from vendors. Many of these requirements are core capabilities of vendors you already have in your environment. Bring up integrations with various other tools to unlock the full potential of the dollars you already spent.
• Use standardized data formats. Unfortunately, other controls list out standardized data formats such as SCAP. As you begin scanning and gathering data, use common data formats that more complex tools utilize so you don’t need to lose valuable data when deploying new tools.

Requirement Listing for Control 1

1. Utilize an Active Discovery Tool

Description: Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory.

Notes: By active discovery, they mean scanning the network to be able to find devices, such as a ping sweep. A quick win is using NMAP to do just that. However, once you get down to Control 3, you can use your vulnerability scanning tools to discover devices for you.

2. Use a Passive Asset Discovery Tool

Description: Utilize a passive discovery tool to identify devices connected to the organization’s network and automatically (Read more...)