RESILIENCE AND ASSET STEWARDSHIP
Introduction
Resiliency has become a critical business priority. Resilience is the ability to both prevent and seamlessly recover from incidents that impact the organization’s necessary, normal business operation, and to remain viable. As such, Resilience is a result achieved from the execution of many actions.
The Context
It is important to distinguish Resilience from Disaster Recovery, which focuses on IT systems. Another discipline, Business Continuity, focuses on processes and people. Resilience is much broader and is business-centric. It also necessarily encompasses both cybersecurity and, inevitably, AI.
In the context of cybersecurity, this means verified rather than trusted actions and the assumption that a breach may have already occurred: two guiding principles of Zero Trust. This document focuses on Zero Trust’s first implementation step, “Defining the Protect Surface,” i.e. the aspects of data and systems that need to be understood, along with their current deployment status, and then protected, recovered and restored to proper operation as needed.
An important aspect of protection is understanding the importance of each asset, so that the timing and cost of protecting the organization’s operation govern the priority of actions taken. The result is reduced risk and increased Resilience that improves naturally over time.

2nd Layer of Defense

Asset Curation or Stewardship
Protection of all assets (data, systems and software) is critical. Encryption is key for critical customer data, intellectual property, etc., mitigating theft. If you have operational devices, their software and data must also be encrypted. This effectively defines what is known in Zero Trust as the “Protect Surfaces.”
Data Management must include tracking of transactions to ensure that only authorized software is allowed to access data. Data Tagging should be used to ensure that only authorized actors may access data in line with policy. Such software must also be verified to ensure that the code remains valid and contains no malware that may have been inserted via an Advanced Persistent Threat attack.
Automated updates of software, network devices, and end-user systems minimize human errors and accelerate fixing newly discovered attacks. Segmenting and hiding network and data elements nullifies attacks. If they can’t find it, they can’t break it.
Backups are often the threat actors’ primary target. Key to asset management is backing up data, software, user and system information and disconnecting it from the rest of the system and the Internet to eliminate outside access. This prevents actors from corrupting even encrypted data.
Defense of mission-critical data and its Resilience to attack are never complete until the backups are restored and their content verified as valid and free of “foreign objects” (i.e. malware!) using Content Disarm and Reconstruction software.
All these actions should be costed to understand the impact of breach, loss and corruption and therefore to understand the Threat Tolerance, i.e. what the organization can afford to build into the Security Plan over time.

Resilience: Stewardship and Curation
Stewardship is the development and governance of a Resilience Plan. This plan covers what should be done to ensure the rapid discovery of, and recovery from, system failure, whether from cybersecurity or other reasons. Asset Curation is the implementation of the plan over time. Both are measurable and reportable as part of an overall management plan and overall security plan.
Curating Your Assets
Asset curation is about knowing what assets you are responsible for, what the business impact would be should they be compromised, and therefore the priority of what should be protected. Each asset may be vulnerable to attack or loss and, to follow Zero Trust strategy, its protection must be continually validated so that business risk is minimized.
The good news is that for small businesses the majority of these processes do not require unbudgeted cost, technical expertise or even great technical experience.
However, asset curation is based on fundamentals, i.e. executive awareness and commitment that responsibility for minimizing business risk is now an essential part of both executive and departmental thinking across the organization and beyond. It does not stop when contracting with suppliers of all kinds. The strength or vulnerability of their assets becomes your responsibility to verify too. The awareness begins with the realization that cybersecurity has effectively become a war that will affect all organizations. 75% of attacks begin with attacks on data backups.
These are the principles that should be the basis of every organization’s security policy and create the context for asset curation.
The Elements of Asset Curation
Discover every asset you have inside and outside the organization and the transactions between them.
Discovery
The process of discovery is, at a minimum, living documentation, and can be an automated process that is likely to migrate to adaptive AI-based tools as they become commonplace. This information must itself be properly protected since it becomes a blueprint for attacks.
Examples of assets, together with their status and value to the organization:
- Internally held customer/client information including any personal or access information etc., the loss of which could damage the organization’s credibility or ability to conduct business.
- All intellectual property, corporate, financial and customer transactional data and records.
- Compute hardware, operating system, system and application software and network inventory including current revision, update and maintenance status. Inventory of supplier verification of their similar policies in place. Documentation of known shortfalls and the resources and time to remediate.
- Inventory of HR information regarding all staff and contractors in terms of potential insider threats, approved privilege levels, approved physical locations and approved devices used to access corporate assets, and training on the use of defensive tools.
- Third parties with data, compute or network hosting services such as MSPs, service providers, integrators and most importantly Cloud providers of compute and storage capabilities. Where clientless operation is selected, care is needed to validate the security of these operations. Responsibility does not stop when you contract with suppliers.
- Third parties with access to the organization’s assets include CRM systems and any verified plug-ins, externally hosted website plugins including those that grant access to customers, hosted firewalls and the use of automated updates, external organizations that have access to sensitive corporate information such as CPA firms, legal counsels, PR Firms and recruitment companies, physical security companies and their supplied IoT devices.
- Email systems require special attention including the use of any basic protection in place to limit phishing or other ransomware dangers inadvertently stored.
Management of Assets
- A strategy and process for the ongoing management of the above assets should include micro-segmentation (the separate storage, access tracking, encryption and configuration of assets) to ensure that an attack on any one asset does not impact all assets.
- Data encryption should be implemented on all data stored.
- The creation of a set of rules that govern the permitted access to the data: the users, software and devices, time of day, length of transactions and locations that are permitted. These are to be used to validate transactions by any Zero Trust-enabled monitoring software used.
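The rule set described in the last item can be expressed as data and checked per transaction. The following is an added example, not part of the original article; the `AccessRule` and `Transaction` shapes, the asset name and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

@dataclass(frozen=True)
class AccessRule:            # hypothetical rule shape, one per protected asset
    users: frozenset
    software: frozenset
    devices: frozenset
    locations: frozenset
    start: time              # permitted time-of-day window
    end: time
    max_duration: timedelta  # permitted length of a transaction

@dataclass(frozen=True)
class Transaction:           # hypothetical record from monitoring software
    asset: str
    user: str
    software: str
    device: str
    location: str
    started: datetime
    duration: timedelta

def violations(tx, rules):
    """Return every reason tx breaks policy; an empty list means permitted."""
    rule = rules.get(tx.asset)
    if rule is None:
        return ["no rule for asset (default deny)"]
    found = []
    for field, allowed in (("user", rule.users), ("software", rule.software),
                           ("device", rule.devices), ("location", rule.locations)):
        if getattr(tx, field) not in allowed:
            found.append(f"{field} not permitted: {getattr(tx, field)}")
    t = tx.started.time()
    in_window = (rule.start <= t <= rule.end if rule.start <= rule.end
                 else t >= rule.start or t <= rule.end)  # window spanning midnight
    if not in_window:
        found.append("outside permitted time of day")
    if tx.duration > rule.max_duration:
        found.append("transaction longer than permitted")
    return found

# Constructed sample policy and transaction.
RULES = {"customer-db": AccessRule(
    users=frozenset({"alice"}), software=frozenset({"crm-app"}),
    devices=frozenset({"laptop-017"}), locations=frozenset({"HQ"}),
    start=time(8, 0), end=time(18, 0), max_duration=timedelta(minutes=30))}

if __name__ == "__main__":
    tx = Transaction("customer-db", "alice", "export-tool", "laptop-017",
                     "remote", datetime(2024, 3, 4, 2, 0), timedelta(minutes=45))
    print(violations(tx, RULES))
```

An asset with no rule is denied by default, and every failed condition is reported so the monitoring record shows why a transaction was rejected.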
Back-up and Resilience
- Plan and cost the back-up, security, offline storage and testing of stored backups.
- Prioritize the backup of data, separating out fast-changing data and software assets, and decide its frequency.
- Instigate regular backups, both full and incremental, and store them in air-gapped offline facilities.
- Test backups by restoring them as part of the process. Ensure that encrypted data can be decrypted according to the rules mentioned above. Without testing, backups have no value.
- The Zero Trust principle of assume breach applies here. This is where software known as Content Disarm and Reconstruction can be used to ensure that software and data have not become infected with malware and that any malware found can be removed.
- Finally, document and test a resilience plan so that if/when an attack is successful, normal service can be resumed.
Risk and Threat Tolerance
From the above steps, the scope, value and cost of protection can be fed back into the organization’s security policy, and the decision can be made on what should be protected and when, based on cost, expected risk reduction, impact to the organization and its tolerance to threats over time.
Ongoing Implementation
This in turn will allow the development of an ongoing Security Plan so that implementation and risk reduction (collectively known as its Security Posture) can be measured against the plan over time and updated as circumstances dictate.
Finally, asset curation decisions will also be important factors in IT strategy, the use of hybrid clouds, and which suppliers, service providers and outsource companies to use, etc.
Summary
The critical task of asset curation does require executive buy-in and a holistic approach but the cost, expertise and resources are very limited. Some automation and backup resources are no more than those required for normal IT functions. However, taking and documenting these steps can help reduce insurance costs and show due diligence as a competitive advantage when providing products and services for large enterprises.
I wanted to create coverage of what is a critical aspect of cybersecurity that can be the basis of organizational protection while acknowledging the fundamentals that have prevented SMBs from implementing cybersecurity, let alone Zero Trust-enabled cybersecurity.
- No awareness of the escalating, existing threatening risks
- Little understanding that it impacts the entire organization and beyond and that
- They have little budget, expertise or resources available.
My contribution was intended to spell out an ordered list of actions to be taken instead of the questions to address or simple information, which I felt was not very SMB focused.
Holistic Cybersecurity Defense - Department-by-Department

Basic Threat Prevention Software Defense

Next Steps
Implementing Resilience is part of our Virtual CSO service. Each advance is measured as risk decreases and new recommendations are made. The intention of this article was to create an implementable structure to reduce your risks across your organization at very limited cost. Inside these 10 layers of defense are the detailed actions, which have been kept down to about 40 specific actions on this page.