You might have noticed a trend in most of our critical control guides: the first step in most of them is to understand your environment. You can’t properly implement security controls without first knowing what’s inside your environment and how it works.
Asset lifecycle management is a way to keep your view of your environment accurate and up-to-date. It tracks the software and hardware you have through each key stage: purchase or development, maintenance, and decommissioning.
A critical part of this lifecycle is monitoring when a system goes from supported to legacy. Legacy systems are systems that a vendor no longer supports, or systems that an organisation no longer maintains.
A lot of incidents we see at CERT NZ and globally are caused by lack of system maintenance. Systems are either left unpatched or un-hardened because an organisation has forgotten to maintain them, sometimes beyond their end-of-support date. Organisations are reminded these systems exist after they have been infected with ransomware and have brought down part of the organisation’s network.
The intent of this control is for organisations to record, track, and maintain every system asset in the organisation. This includes software and hardware, as well as cloud-based systems that you use.
The goals of this control are:
- all existing system assets, including software and hardware, are recorded
- all new assets are recorded when they are purchased or developed
- all assets are hardened before they are used and maintained regularly with patches and updates
- assets that are approaching end-of-life or end-of-support by the vendor have a plan for decommission before they become legacy systems
- decommissioned assets are removed from the environment and securely destroyed.
Key asset management lifecycle takeaways
- Asset lifecycle management requires multiple parts of the organisation to work together. Internal development, IT, and procurement often have to work together to make sure assets are recorded. Finding a solution that fits everyone's needs is important to make sure the solution is used and to prevent shadow IT.
- Managing and recording your assets makes it easier to confirm whether a vulnerability is or isn't in your environment. If a vendor releases a critical patch, you can act faster by referencing your recorded assets and seeing which are affected.
- It's not always possible to fully remove legacy systems before their end-of-life or end-of-support date. In the interim, your organisation can take steps to reduce the risks of running legacy systems until they can be decommissioned.
- There are multiple options on how to mitigate legacy systems in your environment. These should be temporary measures, used while you plan to migrate to a newer version or system. The risk associated with running unsupported components in your environment is too high and gets harder to manage over time. At a minimum, your organisation should be hardening and restricting access to vulnerable and unsupported components until removing or replacing the legacy system is possible.
- Legacy systems often require legacy network protocols or hardware, which means that a legacy system can place modern systems at risk. The longer a legacy system is in place, the more likely it becomes that the people who understand how it works are no longer available, and replacing or changing the system becomes more difficult and expensive.