1.6: Address Unauthorized Assets
Sub-control 1.6 states that you must ensure that unauthorized assets are removed from the network or quarantined, or that the inventory is updated, in a timely manner.
Asset Type | Security Function | Implementation Groups |
---|---|---|
Devices | Respond | 1, 2, 3 |
Dependencies
- Sub-control 1.4: Maintain Detailed Asset Inventory
Inputs
- Unauthorized Assets: A list of discovered assets not currently present in the asset inventory. This can be pulled from sub-control 1.4, Measure M3. This is a list of any found asset that was not previously known to the organization. The information from M3 must be brought into this sub-control as Input 1.
- Endpoint Inventory: The current hardware inventory. This can be pulled from I2 sub-control 1.4, Inventory I1. This is a complete and accurate inventory of all the devices within the organization.
- Definition of "Timely": An organizationally defined time frame for the term “timely”. The CIS recommends a turnaround of 24 hours or less.
- (Optional) Disposition of Items: Measurement results are more useful if the status (removed, added to inventory, quarantined, etc.) is provided and verified. This is not, however, required. Verification can be easily achieved with continued use of active and passive scanning techniques which determine if a device is still on the network. Assets/devices that are removed from the network can be validated as removed by a subsequent scan at a specified time period.
Operations
If the optional disposition list is provided, the checks would be tailored to those dispositions. For the following, assume no disposition list is available:
- At the time frame specified by I3, for each unauthorized asset (I1), check to see if the asset is present in the updated asset inventory (I2). This can be easily achieved by conducting follow-up scans to determine if devices are still present, or re-appear on the network.
- For those I1 items that are not in I2, scan the network to determine if the item is still reachable on the network.
Assumptions
If the item is not reachable, it may be reasonable to assume it has been removed from the network.
Measures
Measure | Definition |
---|---|
M1 = List of items not in the inventory | M1 can be copied from sub-control 1.4, Measure M7. A list of items that were identified from scanning but that are unknown to the organization. This is also the number of items from Input 1 NOT passing either Operation 1 or Operation 2. |
M2 = Count of items in M1 | A count of the total number of items in M1. This can also be copied from sub-control 1.4, Measure M8. |
M3 = List of items not reachable | A list of items that are considered unreachable. This can be curated by using a Tenable Security Center component that displays a list of assets/devices by Class C address space that are unreachable. The component works by utilizing the output of plugin 10180 to ping the remote host. The plugin output of “is considered dead” uses a timeframe of the last 7 days to determine which assets/devices have been removed from the network over the last 7 days. This timeframe can be changed to what the organization deems appropriate. This component accepts custom values. This measure is aided by Tenable Security Center Continuous View using Nessus. The following screenshots show the captured plugin output and the filters used within the component to capture the required data. |
M4 = Count of items in M3 | A count of the total number of items in M3. You can manually add the count, or use the "Ground Truth" component to determine if the number of assets and devices has increased or decreased. |
M5 = List of items not in the inventory or that are unreachable | A list of items that are considered missing from the inventory or that are unreachable. The inventory must first be reconciled, at which point you can determine which items are rogue and should be removed. |
M6 = Count of items in M5 | A count of the total number of items in M5. |
M7 = List of items in the inventory | A list of items that are in the current inventory. This can be derived from sub-control 1.4, Input 1. |
M8 = Count of items in M7 | A count of the total number of items in M7. |
Metrics
Unauthorized Asset Remediation
Metric | Calculation |
---|---|
The ratio of unaccounted for, unauthorized assets as compared to the total number of assets in the asset inventory. | If the value of M6 is 0, there are no unauthorized assets that remain unaccounted for. In this case, the value of the metric is 1. Otherwise, the value is: (M8 - M6) / M8 |
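The operations, measures and metric above, worked through in Python as an added example (not Tenable's or CIS's code). The function name, the `unreachable` set standing in for follow-up scan output, the rule that an asset is evaluated only after its I3 window has elapsed, and the extra `still_reachable` list are assumptions; the sample addresses are constructed.

```python
from datetime import datetime, timedelta

TIMELY = timedelta(hours=24)  # I3: the turnaround CIS recommends on this page

def measure_1_6(unauthorized, inventory, unreachable, now, timely=TIMELY):
    """Return M1-M8 and the Unauthorized Asset Remediation metric.

    unauthorized: {address: time discovered}                  (I1)
    inventory:    set of addresses in the updated inventory   (I2)
    unreachable:  addresses the follow-up scan found dead
    """
    # Assumption: an asset is evaluated once its I3 window has elapsed.
    due = [a for a, seen in unauthorized.items() if now - seen >= timely]
    m1 = sorted(a for a in due if a not in inventory)   # Operation 1 failures
    m3 = sorted(a for a in m1 if a in unreachable)      # Operation 2 results
    # Assumption: M5 is the union the table describes. Because M3 is drawn
    # from M1 here, the union is the same set as M1.
    m5 = sorted(set(m1) | set(m3))
    m7 = sorted(inventory)
    m6, m8 = len(m5), len(m7)
    if m6 == 0:
        metric = 1.0
    elif m8 == 0:
        metric = None  # (M8 - M6) / M8 is undefined for an empty inventory
    else:
        metric = (m8 - m6) / m8
    return {"M1": m1, "M2": len(m1), "M3": m3, "M4": len(m3), "M5": m5,
            "M6": m6, "M7": m7, "M8": m8, "metric": metric,
            # Not a measure on the page: the assets that still need a response.
            "still_reachable": sorted(set(m1) - set(m3))}

# Constructed sample data (documentation addresses, not real scan output).
NOW = datetime(2024, 1, 10, 12, 0)
SAMPLE_I1 = {
    "192.0.2.23": NOW - timedelta(hours=30),  # not inventoried, no longer answers
    "192.0.2.40": NOW - timedelta(hours=26),  # added to the inventory in time
    "192.0.2.77": NOW - timedelta(hours=48),  # not inventoried, still answers
    "192.0.2.91": NOW - timedelta(hours=2),   # inside the 24-hour window
}
SAMPLE_I2 = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.40"}
SAMPLE_UNREACHABLE = {"192.0.2.23"}

if __name__ == "__main__":
    for name, value in measure_1_6(SAMPLE_I1, SAMPLE_I2, SAMPLE_UNREACHABLE, NOW).items():
        print(f"{name}: {value}")
```

The `still_reachable` entries are the devices that are neither inventoried nor gone, which is where removal or quarantine is still outstanding.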