Asset Management-4


In a world where You can be Anything - Be Kind; In a world where You can Access Anything - Be Ethical.
— Stephane Nappo

NIST Control ID.AM-4: Asset Management

External information systems are cataloged. A Guide for Engineers, Analysts, Managers, and Auditors.

NIST Control ID.AM-4, which states "External information systems are catalogued," is a fundamental element within the Asset Management category of the NIST Cybersecurity Framework's Identify function. This control emphasizes the importance of maintaining an accurate and up-to-date inventory of all external information systems that interact with or impact an organization's network and data. This includes cloud services, third-party vendors, and any other systems that may process, store, or transmit sensitive information.

By cataloging these external systems, organizations can gain a comprehensive understanding of their attack surface and potential vulnerabilities. This knowledge is crucial for conducting effective risk assessments, prioritizing security efforts, and implementing appropriate safeguards to protect against unauthorized access, data breaches, and other cyber threats. A well-maintained catalog of external systems serves as a foundational reference point for managing the complex relationships between internal and external entities, ensuring that security controls are consistently applied and monitored across the entire ecosystem.

Why It Matters

If you know the enemy and know yourself, you need not fear the result of a hundred battles.
— Sun Tzu

While Sun Tzu wasn't talking about cybersecurity, his wisdom applies perfectly to asset management. Knowing your external information systems is crucial for:

  1. Understanding your attack surface

  2. Managing third-party risks

  3. Ensuring compliance with regulations

  4. Effective incident response planning

The 2020 SolarWinds supply chain attack, which affected thousands of organizations including multiple U.S. government agencies, starkly illustrated the critical importance of understanding and managing external information systems.


Former CISA Director Chris Krebs

“This [SolarWinds attack] is a patient, well-resourced, and focused adversary that has sustained long-duration activity on victim networks. It is likely that their success is not limited to SolarWinds. It’s critically important that all federal agencies and critical infrastructure entities take action now to assess their networks for indicators of compromise and secure their environments.”

Source: CISA press release, Dec 13, 2020

Senator Mark Warner

“The size and scope of this [SolarWinds] breach are staggering. It’s clear that the United States needs a dramatically stronger effort to protect critical infrastructure from cyberattacks."

Source: Senate Intelligence Committee statement, Dec 15, 2020

Microsoft President Brad Smith

"The attack on SolarWinds highlights the dangers posed when organizations don't have visibility into their entire software supply chain."

Source: Microsoft blog, Dec 17, 2020

FireEye CEO Kevin Mandia

"This attack is different. The attackers used a new combination of techniques not witnessed by us or our peers previously... We are witnessing an attack by a nation with top-tier offensive capabilities."

Source: FireEye blog, Dec 8, 2020

Former SolarWinds CEO Kevin Thompson

"We’re sorry. That’s the first thing – a sincere apology, from me and everyone at SolarWinds…We take this responsibility very seriously."

Source: House Oversight Committee hearing, Feb 25, 2021

These quotes capture the gravity of the SolarWinds attack and emphasize the need for heightened vigilance and proactive measures to address the vulnerabilities posed by external information systems. The breach served as a stark reminder that even trusted third-party vendors can become unwitting conduits for sophisticated cyberattacks.


For Engineers

Engineers are at the forefront of implementing and maintaining the technical aspects of external system cataloguing.

Responsibilities:

  • Develop and maintain tools for discovering and cataloguing external systems

  • Implement secure interfaces with external systems

  • Ensure proper segmentation between internal and external systems

Key Actions:

  1. Implement automated discovery tools to identify external systems

  2. Develop APIs for secure data exchange with external systems

  3. Implement network segmentation to isolate external systems

  4. Set up monitoring for data flows to and from external systems

Best Practices:

  • Regularly update discovery tools to catch new types of external systems

  • Implement zero trust architecture principles for external system interactions

  • Document all technical interfaces with external systems

Human Interest: In 2019, a Boeing 737 Max crashed due to a failure in an external sensor system. While not a cybersecurity incident, it serves as a metaphor for the critical importance of understanding and properly managing external systems.


For Analysts

Security analysts play a crucial role in assessing the risks associated with external information systems.

Responsibilities:

  • Conduct risk assessments of external systems: Evaluate the potential risks associated with third-party vendors, cloud providers, and other external systems that interact with the organization's network and data. This includes identifying vulnerabilities, assessing the likelihood and impact of potential threats, and recommending appropriate security controls.

  • Monitor for unusual activities involving external systems: Continuously monitor network traffic and system logs for any signs of unauthorized access, data exfiltration, or other malicious activity originating from or targeting external systems. This may involve using intrusion detection systems (IDS), security information and event management (SIEM) tools, and other security monitoring technologies.

  • Analyze data flows between internal and external systems: Map and analyze the flow of data between the organization's internal systems and external entities. This helps ensure that sensitive data is handled appropriately, access controls are in place, and data transfers comply with relevant regulations and policies.

  • Develop and implement security policies and procedures for external systems: Collaborate with other stakeholders to create and implement comprehensive security policies and procedures that govern the use of external systems. This includes defining access controls, data protection measures, incident response protocols, and other security requirements.

  • Maintain up-to-date knowledge of external systems and associated risks: Stay informed about the latest security threats, vulnerabilities, and best practices related to external systems. This may involve attending industry conferences, participating in training programs, and conducting ongoing research.

Key Actions:

  1. Develop a risk assessment framework specific to external systems

  2. Implement continuous monitoring of external system interactions

  3. Conduct regular vulnerability assessments of external system interfaces

  4. Analyze logs of external system activities for anomalies

Best Practices:

  • Stay informed about emerging threats related to specific types of external systems

  • Develop and maintain a threat model for each significant external system

  • Regularly update the external system inventory based on analysis findings

"The question is no longer IF you will be breached, but WHEN."

- Robert Mueller, former FBI Director


For Managers

Responsibilities:

  • Develop policies for external system management: Establish comprehensive policies and guidelines that govern the selection, onboarding, and ongoing management of external systems. These policies should address security requirements, data handling, access controls, and incident response procedures.

  • Ensure adequate resources for external system cataloguing and monitoring: Allocate sufficient budget, personnel, and tools to support the effective cataloging, monitoring, and risk assessment of external systems. This includes investing in security technologies, training programs, and specialized expertise.

  • Manage relationships with external system providers: Cultivate strong relationships with third-party vendors and cloud service providers, ensuring clear communication, transparency, and accountability regarding security practices and data protection measures.

  • Oversee compliance with regulatory requirements: Ensure that the organization's use of external systems complies with all relevant regulations and industry standards, such as HIPAA, GDPR, and PCI DSS. This includes conducting regular audits and assessments to identify and address any compliance gaps.

  • Promote a culture of security awareness: Foster a culture of security awareness throughout the organization, emphasizing the importance of managing external systems securely and educating employees about potential risks and best practices.


Policy Development and Implementation:

  • Establish a comprehensive policy: Create a formal policy that outlines the organization's approach to managing external systems, including security requirements, risk assessment procedures, data handling guidelines, and incident response protocols.

  • Communicate and enforce the policy: Ensure that all relevant stakeholders are aware of the policy and understand their roles and responsibilities in its implementation. Regularly review and update the policy to address evolving threats and technologies.

Resource Allocation and Management:

  • Secure budget and personnel: Allocate sufficient budget for acquiring necessary tools, technologies, and personnel to support effective external system management. This includes investing in security solutions, training programs, and specialized expertise.

  • Optimize resource utilization: Continuously evaluate the effectiveness of existing resources and identify opportunities for improvement. Implement resource optimization strategies to maximize efficiency and minimize costs.

Vendor Management and Oversight:

  • Develop a robust vendor management program: Establish a formal program to assess, onboard, and manage third-party vendors and cloud service providers. This includes conducting due diligence, defining security requirements, and monitoring ongoing compliance.

  • Prioritize cybersecurity in vendor relationships: Incorporate cybersecurity considerations into all stages of the vendor lifecycle, from initial selection to contract termination. Ensure that vendors meet or exceed the organization's security standards.


Training and Awareness:

  • Provide regular training on external system risks: Conduct ongoing training programs to educate relevant staff about the potential risks associated with external systems and the importance of adhering to security policies and procedures.

  • Foster a culture of security awareness: Encourage employees to be vigilant and report any suspicious activity related to external systems. Promote a shared responsibility for security across the organization.

Continuous Monitoring and Improvement:

  • Implement robust monitoring and logging: Deploy security tools and technologies to monitor network traffic, system logs, and data flows between internal and external systems. This enables early detection of potential threats and vulnerabilities.

  • Conduct regular audits and assessments: Perform periodic audits and assessments to evaluate the effectiveness of external system management practices and identify areas for improvement.

  • Adapt to evolving threats and technologies: Stay informed about the latest cybersecurity trends and adapt security measures accordingly. Continuously update policies, procedures, and technologies to address emerging threats and vulnerabilities.

Best Practices:

  • Regularly review and update external system management policies

  • Foster a culture of security awareness, especially regarding external system risks

  • Engage with industry peers to share best practices in external system management

Noteworthy Event: The 2013 Target data breach, which affected 41 million consumers, was initiated through an external HVAC system. This incident highlights the importance of managing even seemingly innocuous external systems.


For Auditors

Auditors ensure that the organization's practices for external system cataloguing meet required standards and best practices.

Responsibilities:

  • Verify compliance with NIST Control ID.AM-4

  • Assess the completeness and accuracy of the external system catalogue

  • Evaluate the effectiveness of external system management processes


Key Actions:

  • Catalogue Review: Thoroughly examine the documentation of the external system catalogue, verifying its accuracy, completeness, and currency.

  • System Verification: Validate that all identified external systems are appropriately recorded within the catalogue and subject to proper management and oversight.

  • Discovery Process Assessment: Evaluate the organization's processes for identifying and cataloging new external systems, ensuring they are effective and aligned with security policies.

  • Risk Assessment Evaluation: Scrutinize the risk assessment procedures applied to external systems, confirming their rigor, comprehensiveness, and alignment with industry best practices.

  • Control Effectiveness: Test the implementation and effectiveness of security controls associated with external systems, identifying any gaps or weaknesses that require remediation.
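To make the engineers' discovery and data-flow monitoring actions above, and the auditors' catalogue review and system verification here, concrete, the following is an added example (not code from the original page) in Python: it reconciles a constructed external-system catalogue against constructed outbound flow records, reporting external destinations absent from the catalogue (a discovery gap) and catalogue entries past their review window (a currency gap). The catalogue fields, the 10.0.0.0/8 internal range, and the 90-day review window are assumptions.

```python
"""Reconcile an external-system catalogue against observed outbound flows.
All data below is constructed for illustration, not from a real environment."""
from datetime import date, timedelta
import ipaddress

# Constructed catalogue: one entry per known external information system.
CATALOGUE = {
    "crm.example-saas.com": {"owner": "sales-it", "data": "customer PII", "last_reviewed": "2024-01-15"},
    "203.0.113.10": {"owner": "payments", "data": "card tokens", "last_reviewed": "2024-05-02"},
}

# Constructed outbound flow records: "timestamp src_ip dst bytes".
FLOW_LOG = """\
2024-06-01T10:00:01Z 10.0.4.12 crm.example-saas.com 48213
2024-06-01T10:00:05Z 10.0.4.12 10.0.7.3 1200
2024-06-01T10:01:09Z 10.0.9.8 203.0.113.10 9021
2024-06-01T10:02:44Z 10.0.9.8 198.51.100.77 550013
2024-06-01T10:03:00Z 10.0.2.5 analytics.example-vendor.net 30011
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

def is_internal(dst: str) -> bool:
    """Destinations inside INTERNAL_NETS are internal; hostnames count as external."""
    try:
        return any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)
    except ValueError:  # not an IP literal, so a hostname
        return False

def uncatalogued_destinations(flow_log: str, catalogue: dict) -> dict:
    """Map each external destination missing from the catalogue to bytes sent to it."""
    found = {}
    for line in flow_log.splitlines():
        _ts, _src, dst, nbytes = line.split()
        if not is_internal(dst) and dst not in catalogue:
            found[dst] = found.get(dst, 0) + int(nbytes)
    return found

def stale_entries(catalogue: dict, today: str, max_age_days: int = 90) -> list:
    """Return catalogue keys whose last review is older than max_age_days."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(k for k, e in catalogue.items()
                  if date.fromisoformat(e["last_reviewed"]) < cutoff)

if __name__ == "__main__":
    print("uncatalogued:", uncatalogued_destinations(FLOW_LOG, CATALOGUE))
    print("stale:", stale_entries(CATALOGUE, "2024-06-01"))
```

In practice the flow records would come from a NetFlow, proxy or cloud flow-log export, and each uncatalogued destination becomes a ticket to either onboard the system into the catalogue or block the flow.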


Best Practices:

  • Stay informed about regulatory requirements related to external system management

  • Conduct interviews with key personnel involved in external system management

  • Perform spot checks to ensure external systems are properly catalogued and managed

Human Interest: In 2018, a casino was hacked through an Internet-connected fish tank thermometer. This unusual case emphasizes the need for thorough auditing of even the most unexpected external systems.


General Best Practices

  1. Maintain an up-to-date inventory of all external information systems

  2. Implement a formal process for onboarding and offboarding external systems

  3. Conduct regular security assessments of critical external systems

  4. Establish clear data classification and handling procedures for information shared with external systems

  5. Implement strong access controls for external system interactions


Noteworthy Statistics and Events

  1. According to a 2021 Ponemon Institute study, 51% of organizations have experienced a data breach caused by a third party.

  2. The 2020 SolarWinds supply chain attack affected up to 18,000 organizations, including multiple U.S. government agencies.

  3. A 2022 survey by BlueVoyant found that 98% of organizations have experienced a cybersecurity breach because of vulnerabilities in their supply chain.

  4. The 2017 NotPetya malware, which caused over $10 billion in damages globally, spread initially through a compromised accounting software update system.

  5. According to Gartner, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.


Conclusion

Managing external information systems is not just a technical challenge—it's a critical business imperative. As our digital ecosystems grow more complex and interconnected, the ability to effectively catalogue and manage external systems becomes increasingly crucial.

Remember the words of cybersecurity expert Bruce Schneier: "Security is not a product, but a process." Cataloguing external information systems is an ongoing process that requires vigilance, collaboration, and continuous improvement.

By following the guidelines in this document and staying proactive in managing external systems, organizations can significantly enhance their security posture, ensure regulatory compliance, and be better prepared to navigate the complex landscape of modern cybersecurity threats.
