CIS CSC #1 – Inventory and Control of Hardware Assets

I am working on a series of posts related to the Center for Internet Security (CIS) Critical Security Controls (CSCs). See the full listing here.

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

This control includes eight (8) sub controls. For those of you reviewing the CIS Controls with the Implementation Groups in mind, there are two (2) IG1 controls and six (6) IG2 controls. This means that, at a minimum, we want to:

  • Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization’s network or not.
  • Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.

You have no chance on being able to secure a network if you do not have a full inventory of everything that is connected to it. This control requires up-front work, as well as ongoing monitoring. You cannot simply perform a network inventory and consider it done. How are you going to remove any unauthorized devices if you are not actively looking for them? This control seems to increase in complexity exponentially as the network/environment grows.

A really simple implementation of this control can be running an nmap scan to identify hosts on the network. You can then re-run the scan on a regular basis and compare the results.

# example simple host discovery scan of the 192.168.0.0/16 range
# including the date in the file name will make comparisons easy

nmap -Pn 192.168.0.0/16 -oX /path/to/scan_results/[date]_192_discovery

# Ndiff can be used to compare scan results. Changes marked with a + indicate an item in the second # file that was not in the first - a potential new piece of hardware.

ndiff scan_one.xml scan_two.xml

A few things to keep in mind:

  • RFC 1918 reserves the following ranges for internal networks – your organization may have other ranges to check
    • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
    • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
    • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
  • If DHCP is in use, you may not be able to rely solely on the IP address for your hardware inventory.

This also ties in to many regulatory requirements as well – both directly as in accurate network diagrams, but also indirectly through other controls such as patching requirements, vulnerability scanning, etc.

Related News Stories

Relevant Tools

CommercialOpen-Source & “Freemium
Cisco ISE OpenNAC
CounterAct (ForeScout) PacketFence
Clear Pass (HP Aruba) Spiceworks
AD Certificate Services OSSIM (AlienVault)
MS System Center Nmap
LANSweeper
Network Topology Mapper

The CIS Controls are in version 7.1 at the time of this writing. For more information on this control check out the CIS Control #1 page here.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s