Have you ever had your identity stolen? Or perhaps an identity crisis? I hope for your sake the answer is "no." However, if it's yes, you are in good company.
Computing devices, which I'll loosely refer to as "assets," often change their identity, and at times even have it stolen (as a side note, NIST has a much broader definition of asset
more akin to the dictionary definition of the word "asset," but I digress...).
So, what kind of company are you keeping? Well, it's a surprisingly difficult challenge to consistently pin down
an asset from moment to moment. And to make matters worse, there are many points of view
about an asset. Let's take the first case.
Your "phone" (really, a Very Personal Computer [VPC]) will hop from IP address to IP address. One day, it may have an IP address leased to it from your employer's DHCP server, while another day, when you're on a different floor of the building or at a coffee shop, you're on an entirely different network and have an entirely different IP address.
So much for using IP addresses as a source of identity.
As a savvy techie, you might say, "Yes, yes. Just use a MAC address." It's true that a MAC address serves as a much more stable identifier, but it may not be as stable as you would like if Apple has its way
. Additionally, the sensing devices usually have to be on the same network segment or the link layer to get a MAC address, if you speak OSI, which doesn't scale so well for customers with hundreds (or thousands) of network segments.
Let's consider the second case—
when your laptop interacts with multiple services, say Active Directory and an SCM system like Tripwire Enterprise. Active Directory identifies your laptop differently than the SCM security agent
(e.g. Tripwire Enterprise's VIA Agent), both of which have important things to say about your laptop but may not be able to agree on which laptop they are describing.
Identity is important. From an IT security point view, if you can't identify an individual asset on a network, it makes remediating vulnerabilities and measuring unauthorized change difficult. Worse still, it makes it difficult to organize and categorize assets.
If you can't create an accurate inventory of your network using something like Tripwire's IP360
and group those assets using tags with Tripwire Enterprise's Asset View, for example, how can you hope to get a complete or focused picture based on the assets business context?
It's not just me, SANS Top 20 Critical Security Controls
agrees with me... or vice versa.
Having a piece of software running on a system greatly simplifies the identity problem because an agent can assign an identity and consistently report it, but not everything can or does have an agent installed (e.g. network switching gear or Apple iPhones). So, in those "agent-less" cases, we look to other identifiers and other systems to help us help our customers.
For example, we could use the iPhone unique device ID
(UDID)... ok, maybe not. Even device vendors are wary of sharing their unique identifiers for fear of abuse. Either way, we will have to invent a recipe for uniquely identifying assets for our users... another challenge we are ready to tackle.
So, how do you inventory your assets? Do you have a spreadsheet "CMDB," or are you using something more enterprise-y? How do you keep that inventory fresh and relevant?
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].