A Guide to Cybersecurity Asset Management

The CIS Controls version 8.0 list Inventory/Control of Enterprise Assets and Inventory/Control of Software Assets as the first and second controls.

The first control details “actively [managing] (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing / Internet of things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of [the] assets that need to be monitored and protected within the enterprise.” 

The second control details “actively [managing] (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can [be] executed”. Additionally, it notes “that unauthorized and unmanaged software is found and prevented from installation or execution.”

Importance of Asset Management to Cybersecurity

If you don’t know what you have, where your important data is housed, how it is backed up, and who the users accessing it are, then it is challenging to protect it. It would be like an airline not knowing where its aircraft were, when they need to be maintained next, how much fuel each one carries, or how many passengers can fly in it. Asset management in the cybersecurity framework is critical to mitigating risks within an organization.

Asset discovery and management are the foundation of a strong IT program. Asset management is about understanding all your assets and how they interoperate to reduce your cybersecurity exposure.

How Frequently Should I Check My Technology Assets?

The collection of inventory should not be a once-a-year update of a spreadsheet, but an ongoing collection of assets and a monthly review to ensure they align with business policies. It is recommended that alerts are captured for any new assets discovered. This allows for actions to be taken to evaluate if the asset is a security risk or if it poses a threat to the organization.

Some actions that can be taken include checking to see if it is required for the asset to be backed up, checking if the asset has the correct software loaded (Antivirus, Malware) and if the software is the approved version. Having continuous discovery of assets including classification and assessments will provide complete visibility into your environment and information on your attack surface.

Incorporating the software and hardware in an inventory list will allow you to stay current with compliance and governance requirements. It does this by alerting you on issues and ensuring you have a single source of truth.

Asset Management Resources

NIST Recommendations

NIST released detailed recommendations for IT Asset Management (NIST SP 11800-5b). It is a 237-page document that goes into detail about recommendations for implementing Asset Management in an Enterprise (including how-to guides). Although this may be more information than you require, it provides some great reference material.

Software Scanners

There are also software scanners that can scan your network and check logs for new additions to the network. They then probe devices for information on a regular basis. Implementing an automated system to manage your assets will minimize the time required to manually update the Asset Register. This will also ensure it is current and up to date when it needs to be referenced for security purposes. Some scanners even understand the relationships between assets and how they operate within your business. They also look for anomalies that are outside the normal interaction. A good example of this is a server that has a sensitive database on it that is normally accessed by three users. If a new machine comes online and accesses this database, an alert may be raised.
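The checks described above (alert on newly discovered assets, confirm required software and approved versions, confirm a backup agent where backups are required, and flag a new machine accessing the sensitive database) can be sketched as follows. This is an added example, not code from any scanner product; the register layout, software names, versions, host names and MAC addresses are all constructed assumptions.

```python
"""Reconcile a discovery scan against an asset register (illustrative only)."""

# Everything below is constructed sample data, not output from a real scanner.
REGISTER = {  # asset register keyed by MAC address
    "00:00:5e:00:53:01": {"name": "db-01", "backup_required": True},
    "00:00:5e:00:53:02": {"name": "ws-17", "backup_required": False},
}
APPROVED = {"antivirus": "7.2"}          # required on every asset
BACKUP_AGENT = ("backup-agent", "3.1")   # required only where backups are
DB_BASELINE = {"db-01": {"ws-17", "ws-18", "ws-19"}}  # the usual three clients

SCAN = [
    {"mac": "00:00:5e:00:53:01", "host": "db-01",
     "software": {"antivirus": "7.2"}},                 # backup agent absent
    {"mac": "00:00:5e:00:53:02", "host": "ws-17",
     "software": {"antivirus": "6.9"}},                 # not the approved version
    {"mac": "00:00:5e:00:53:99", "host": "unknown-99",
     "software": {}},                                   # not in the register
]
ACCESS_LOG = [("ws-17", "db-01"), ("unknown-99", "db-01"), ("ws-18", "db-01")]


def check_software(host, installed, name, approved_version):
    """Return an alert tuple if `name` is missing or not the approved version."""
    if name not in installed:
        return ("missing-software", host, name)
    if installed[name] != approved_version:
        return ("unapproved-version", host, f"{name} {installed[name]}")
    return None


def review_scan(scan, register, approved, backup_agent):
    """Compare one discovery scan with the register and the software policy."""
    alerts = []
    for device in scan:
        host, installed = device["host"], device["software"]
        entry = register.get(device["mac"].lower())
        if entry is None:
            # New asset: raise it for evaluation before the software checks.
            alerts.append(("new-asset", host, device["mac"]))
        required = dict(approved)
        if entry and entry["backup_required"]:
            required[backup_agent[0]] = backup_agent[1]
        for name, version in required.items():
            alert = check_software(host, installed, name, version)
            if alert:
                alerts.append(alert)
    return alerts


def review_access(access_log, baseline):
    """Flag clients that touch a sensitive server but are not in its baseline."""
    alerts = []
    for client, server in access_log:
        if server in baseline and client not in baseline[server]:
            alerts.append(("unusual-access", client, server))
    return alerts


if __name__ == "__main__":
    for alert in review_scan(SCAN, REGISTER, APPROVED, BACKUP_AGENT):
        print(alert)
    for alert in review_access(ACCESS_LOG, DB_BASELINE):
        print(alert)
```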

How to Protect My Assets?

We recommend to our clients that they have an asset and software inventory in place and include cloud-based software and virtual machines, even if they start with something simple and build upon it. This will lay the groundwork for something that will be referenced often, and its value will be realized through the implementation of more advanced cybersecurity controls.

Need help with your asset management? Contact our team of experts today!

 

References

IT Asset Management (nist.gov)
CIS Critical Security Controls Version 8 (cisecurity.org)

Microsoft to Disable Basic Authentication for Exchange Online on October 1, 2022

Starting October 1st, Microsoft will start to randomly select tenants and disable Basic authentication for Exchange Online.

Basic authentication has been used by client applications for many years to connect to servers, services, and endpoints. Basic authentication sends a username and a password with every request and does not require TLS. This can leave user credentials vulnerable to interception by attackers. Furthermore, enforcing multifactor authentication (MFA) is not simple, or in some cases not possible, when Basic authentication remains enabled. Basic authentication is an outdated industry standard and there are more effective user authentication alternatives, including security strategies such as Zero Trust (Never Trust, Always Verify).

Microsoft is making this change to switch customers to Modern authentication. Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

Disabling Basic Authentication will impact:

  • MAPI, RPC
  • Offline Address Book (OAB)
  • Exchange Web Services (EWS)
  • POP
  • IMAP
  • Exchange ActiveSync (EAS)
  • Remote PowerShell

 

**Microsoft will NOT be disabling or changing any settings for SMTP AUTH.**

If you have removed your dependency on basic authentication, this will not affect your tenant or users.
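To check whether a tenant still depends on Basic authentication, sign-in records can be grouped by the protocols listed above. The following is an added example, not a Microsoft tool; the CSV layout, column names and accounts are constructed assumptions, so adapt the parsing to whatever sign-in export you actually have.

```python
import csv
import io
from collections import defaultdict

# Protocols the article lists as impacted when Basic authentication is disabled.
AFFECTED = {"MAPI", "RPC", "OAB", "EWS", "POP", "IMAP", "EAS", "Remote PowerShell"}
# The article states that SMTP AUTH settings are not being changed.
UNCHANGED = {"SMTP AUTH"}

# Constructed sample export; the columns (user, protocol, auth) are assumptions.
SAMPLE_CSV = """user,protocol,auth
alice@example.com,IMAP,basic
alice@example.com,EWS,modern
scanner@example.com,SMTP AUTH,basic
bob@example.com,EAS,basic
bob@example.com,eas,basic
carol@example.com,POP,basic
carol@example.com,Kiosk,basic
"""


def audit_basic_auth(csv_text):
    """Group Basic-auth sign-ins into affected, unchanged and unclassified."""
    canonical = {p.casefold(): p for p in AFFECTED | UNCHANGED}
    affected = defaultdict(set)
    unchanged = defaultdict(set)
    unclassified = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["auth"].strip().casefold() != "basic":
            continue  # Modern authentication sign-ins are not impacted
        user = row["user"].strip().lower()
        raw = row["protocol"].strip()
        protocol = canonical.get(raw.casefold())
        if protocol in AFFECTED:
            affected[user].add(protocol)
        elif protocol in UNCHANGED:
            unchanged[user].add(protocol)
        else:
            # Unknown label: keep it for manual review rather than dropping it.
            unclassified.add((user, raw))
    return {
        "affected": {u: sorted(p) for u, p in sorted(affected.items())},
        "unchanged": {u: sorted(p) for u, p in sorted(unchanged.items())},
        "unclassified": sorted(unclassified),
    }


if __name__ == "__main__":
    report = audit_basic_auth(SAMPLE_CSV)
    for section, content in report.items():
        print(section, content)
```

Accounts under "affected" are the ones to move to Modern authentication first; "unclassified" entries need a manual look because the protocol label did not match the list.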

Additional Resources:
Office 365 Reports: It’s Time to Disable Basic Authentication in Office 365
Microsoft: Basic Authentication Deprecation in Exchange Online – September 2022 Update
Microsoft Ignite: Disable Basic authentication in Exchange Online

 

Morefield is here to help you make smart technology decisions and we encourage you to contact us if you have any questions or concerns.

For additional information on our Managed Service Agreements and proactive IT support, please give us a call at 717-761-6170 or email us.

Finding the Right IT Provider: Avoid These 8 Mistakes

Your business can benefit a lot from working with an IT provider. However, you need to avoid several key mistakes when choosing your team.

Time spent on trying to figure out the technology you use in your business can be costly. While doing that, you can’t focus on your business needs, which can then result in poor customer satisfaction.

This is where IT providers come into play.

They enable you to outsource hardware and computing-related services, such as managed IT security and cloud computing. IT providers can also provide a robust IT infrastructure so that you can direct your attention to revenue-generating activities.

While there are numerous IT providers to choose from, not all of them may accommodate your business’s specific needs. And integrating with the wrong team can raise your spending due to irrelevant services, recurring security issues, data backup problems, and downtime.

Therefore, you need to be extra careful when selecting your team. The only way to avoid disappointment is to avoid these eight common mistakes when looking for the right IT provider.

THE EIGHT MISTAKES

MISTAKE #1 – INSISTING ON THE NEWEST TECHNOLOGY

Many advertisers want to trick you into believing that the latest technology will resolve all your issues. While the newest virtualization or cloud offerings can boost operations in many enterprises, they might not suit your business. Hence, don’t let the hype surrounding new products dazzle you.

Carefully consider the results your IT provider will help you achieve and determine if the investment enables you to fulfill them. Your provider shouldn’t confuse you with state-of-the-art features – they should guide you and allow for seamless integration.

MISTAKE #2 – FAILURE TO CONSIDER THE RESPONSE TIMES

Determining the response times of your prospective IT providers is essential. You need to ask them how long they usually take to reply to queries and resolve problems. Be sure to gauge their onsite support efficiency, too. Not inquiring about their availability is another grave error. Your IT team should provide specialists that will monitor your system. Constant monitoring and availability can help ensure you can detect IT issues early. With this, the provider can immediately administer patches and updates to safeguard against disasters. Furthermore, your IT provider should offer simple access to their desk support. You should be able to contact them via email, phone, and chat for instant guidance.

MISTAKE #3 – NEGLECTING THE SECURITY ASPECT

Disregarding the security features of your IT provider might be the most severe mistake. Teams with improper defense mechanisms can’t shield your system from cyber attackers, increasing the risk of losing data and access to resources. To avoid this, look for IT providers that can protect you from malware and other threats. They also need to prioritize protecting your business’s confidential data, like trade secrets and customer information.

When it comes to specific security measures, your IT provider should have features that prevent data intrusions instantly upon detection. The list includes phishing attack simulations, web content filtering, DNS security, endpoint protection, mobile device management, and dark web protection.

In addition, responsible teams should eliminate point-of-sale and network intrusions before they compromise your system. Making sure they abide by security compliance and government regulations is also paramount.

MISTAKE #4 – FORGETTING THE BUDGET

Many IT companies operate under pay-as-you-go pricing schemes. Although this helps you minimize upfront investment, adopting a large number of technologies simultaneously without considering the recurring costs can cripple your finances.

Thus, think twice before signing on the dotted line.

Research your providers thoroughly and draft your budget with professional assistance. These steps can prevent considerable frustration down the line.

MISTAKE #5 – NOT DETERMINING SCALABILITY

One of the biggest impediments to growing your company is choosing an IT provider with poor scalability.

By contrast, scalable IT teams allow your business to evolve and grow. They can continually extend their services to accommodate your company’s goals, even if these goals change.

MISTAKE #6 – OPTING FOR A NON-RESPONSIVE SERVICE LEVEL AGREEMENT

Service level agreements (SLAs) hold IT providers accountable for their services. They establish standards for responsibilities, quality, scope, and delivery time in writing. Without one, you’ll have no way of ensuring transparent collaboration.

When selecting your IT provider, find one with a responsive agreement. It can help guarantee the SLA scales with their services while rendering continual improvement.

MISTAKE #7 – LACK OF TEAM TRAINING AND FEEDBACK

The story doesn’t end once you’ve found and partnered with a trustworthy IT provider. New technologies won’t magically increase your bottom line and decrease outputs.

To accomplish your goal, your employees will still need to understand how to use your new tech solutions. But bear in mind that not every team member may be able to grasp new tools easily. Some may even prefer the existing platforms. Fortunately, you can hire IT experts to train them. These professionals should simplify any complex steps and advise your staff on making the most of your new investment.

Also, some enterprises set up regular training but fail to monitor their team’s performance. This is a huge mistake, as it keeps you from assessing your employees’ response to new technologies.

So, conduct questionnaires and other forms of feedback collection to determine and address any weaknesses.

MISTAKE #8 – IGNORING EXPERIENCES WITH PREVIOUS CLIENTS

Choosing an IT provider is similar to buying standard products and services. Failure to check user reviews can lead to disappointment.

To get a clear picture of your IT team’s capabilities, analyze their current and previous clients from similar industries. Look for reviews and testimonials, and ask the provider for a list of projects and references.

After doing your due diligence, you should be able to tell whether an IT provider is an ideal match for your company. However, keep in mind that every IT team is different. For instance, they might be well-versed in the healthcare industry but have no experience working with retailers. That’s why, as mentioned, you should stick to IT providers servicing your industry to get the best results.

FIND THE RIGHT FIT

Nobody wants to end up with a poor IT provider that can’t deliver great results, leaves your company open to cyberattacks, and causes other vulnerabilities. Your investment goes down the drain, and your operations suffer.

Luckily, we can show you a way out.

Let’s arrange a quick, 10-15-minute obligation-free chat. We can discuss more ways to find the right IT provider for you and ensure you get your money’s worth. Feel free to schedule a quick call with a Morefield specialist to discuss what is right for your organization.

Article used with permission from The Technology Press.

Wireless Design Steps for Success

by Rob Gratowski

Wireless connectivity for most enterprise environments has matured from a convenient mode of connectivity to a mission critical mode of connectivity. So how do we ensure that our wireless user experience is in line with the increased criticality of our wireless network?

All too often, wireless networks are deployed by just picking spots and placing access-points. While this approach will most likely give you wireless coverage, it will also most likely not give your wireless users a great wireless experience. For wireless users to have a great wireless experience, you need a wireless design, not a random wireless deployment.

So, this is where most people say, “I need a wireless survey.” While a wireless survey is a component of a wireless design, by itself, it is not a complete wireless design.

 

 

Components to consider when performing a wireless design

 

Important Wireless Design and Development Questions:

  • What applications will be used on the wireless network?
  • Will the wireless network need to support voice, video, or location?
  • How many wireless clients do you expect your wireless network to support?

These are all important questions needed to establish parameters that you will use in your wireless design.

 

Wireless Clients

Wireless clients come from many different manufacturers and use many different components. It is important to know what wireless client you intend to use and the capabilities of that client.

Identify the “most important, least capable” client and frame your design to support this client.

 

Choosing the Best Access-Points

Let’s consider this question: can you pull a horse trailer with a car? Sure, but should you? Probably not. A truck would be a much better choice for pulling a horse trailer, and the same applies to access-points. If you need to support enterprise activities, you should be using an enterprise-grade access-point. Remember, components matter. Choose an access-point make and model that will satisfy your intended use, and design using that access-point. Never design using an access-point that will not be used in the actual wireless deployment, and never design using the “mythical” generic 802.11 wireless access-point.

How will you know if you met your wireless design requirements?

You will know you’ve met your wireless design requirements with validation. Every good wireless design should include an onsite validation component. Using the initial wireless design requirement as performance indicators, you should be able to validate the deployed wireless network against the wireless design requirements. This is also a good time to assure that the “most important least capable” wireless client also performs as desired.

 

Need Help with Your Wireless Design?

Contact Morefield Communications to learn how we can help with your wireless needs. Our team of IT experts has been providing best-in-class solutions across client networks and IT support for decades. Reach out online or give us a call at (717) 761-6170 to speak with an expert about possible solutions for your problem.

What Is Infrastructure as a Service?

Organizations need reliable, flexible platforms to support their applications, which is why so many have realized the benefit of migrating towards infrastructure as a service. Infrastructure as a Service (IaaS) ensures your business has efficient, easy-to-use, compute, data storage, virtual hardware, and network management, so your critical applications are optimized to accommodate your specific needs.

What Does Infrastructure as a Service Mean?

Infrastructure as a service (IaaS) is a common cloud computing offer that delivers virtual computing resources over the Internet.  IaaS service providers offer managed information technology (IT) infrastructure as a monthly subscription to companies.  The infrastructure service is the combination of components required to run IT operations such as compute, data storage space, networking, managed in such a way to keep software and hardware running efficiently.

When your company subscribes to an IaaS service, you’re only responsible for running your own operating systems on the virtual servers, and your provider is the one who is responsible for all maintenance and repairs.

IaaS is important for companies that house business and customer information in the cloud. IaaS allows companies to deliver application services to employees, partners and customers while securely managing the content.

About the IaaS Architecture?

IaaS architecture is the structural design that delivers cloud resources to organizations, customized to their particular requirements. Architectures are flexible enough to rapidly scale, so when your company’s consumption exceeds initial specifications, your IaaS provider’s services can grow with you.

Cloud computing is architected with a dynamic multi-point framework that allows the IaaS service to accommodate a variety of end users. IaaS architecture allows your line-of-business applications to easily adapt to company changes, serving all your fluctuating needs at optimum efficiency levels. A well-designed cloud compute architecture will guarantee that your business always has access to the computing resources it requires.

How Does IaaS Work?

Elements of infrastructure include resources such as virtual hosts, networks, as well as virtual hardware and software for data storage. After subscribing to the services from an IaaS provider, companies have access to these resources with minimal upkeep on their part.

Other infrastructure resources include network connections, also known as cross-connects, virtual processors, memory, storage, IP addresses and bandwidth. Providers have clusters of servers and interconnecting networks housed in multiple data centers across the United States. They maintain these hardware resources while the clients use the virtual components in their individual platforms through remote cloud access via an Internet connection.

What Are the Benefits of IaaS?

IaaS is just what your business needs to use cloud computing effectively. The many advantages of infrastructure as a service include:

  • No maintenance responsibilities: Managed IT services provide professional network support and service so your IT team can focus more on the business. The provider takes care of the underlying real estate, hardware, network, cooling, and uninterruptible power so your business only reaps the virtual benefits.
  • No maintenance costs: Consuming your infrastructure as a service from a provider is cheaper than building your own infrastructure using your IT department and company resources, including office space, electricity, and cooling. The management services include network maintenance and repairs. IaaS helps you reduce total costs, saving you money in the long run. Some elements of IaaS services are offered at a flat rate to allow for a predictable IT spend versus fluctuating costs to fix issues on your own as they occur.
  • On-demand access: Paying for IaaS through a provider allows you to use resources whenever you need them and only pay for what you use.
  • Remote services: IaaS providers monitor your systems remotely, giving you 24/7 support from wherever you are. The remote nature of IaaS means your users can access these resources while operating from anywhere, globally, with an Internet connection and overlaying security to protect sensitive information.
  • Scalability: You can adjust your infrastructure as a service plan to reflect your specific business demands. Services are available as you need them, so you won’t pay for resources that you do not use, and you can quickly scale resource capacity to meet your company’s growing needs.
  • Constant monitoring: IaaS gives you consistent peace of mind by keeping track of your cloud systems around the clock and preventing issues whenever possible.
  • Less downtime: Downtime renders your technology or servers unusable for a period, costing your business valuable resources and lost opportunity. IaaS can prevent the issues that cause downtime, such as failed hardware, loss of power, and weather events, so you can stay focused on your business’s larger goals and avoid costly mishaps.
  • Help from experts: IaaS providers offer professional cloud management services monitored by their knowledgeable employees. Providers exist to offer you the best services possible, and their teams are trained in this exact area of expertise.

How Should You Choose the Right IaaS Partner?

To find the best provider for you, you must first understand your company’s needs and the type of service that works best for your data.

In public clouds, IaaS providers offer infrastructure to many customers, meaning all the customers are tenants on a hyperscaled platform and rely on shared resources across different accounts. With private clouds, the provider builds a solution dedicated to the specific needs of just one company, including protecting its sensitive company data. Hybrid clouds combine the features of public and private, where businesses manage multiple platforms and decide where data should be stored.

When searching for a specific IaaS provider, keep these important factors in mind:

  • Know what you will need from the IaaS provider: Begin by identifying what application workloads are moving to the cloud.  Then, list the amount of compute, memory, and storage that you expect will be required for each application.  Finally, review the list of applications in total, decide how much bandwidth will be required to cross-connect these applications to employees, customers, and vendors.
  • Have a plan for file backup and disaster recovery: While these services are not mandatory, many IaaS builds include backup services for file / folder recovery and disaster recovery services to include workload replication across multiple datacenters.  Replicating workloads in bi-coastal data centers can account for major weather events or other regional disruptions that could impact the operation of one datacenter.
  • Be familiar with your industry regulations: If your organization operates within a regulated industry, make sure to include this in your discovery discussion with a potential supplier. Some IaaS suppliers are better suited to accommodate specific industry segments and the overlying regulatory commissions.
  • Find a service level agreement that works for you: Providers should clearly state what they’re able to offer their clients. By setting clear client and provider expectations at the beginning of your partnership, you’ll know whether a specific provider’s services are right for your business.
  • Work with people who know your industry: Businesses operate in a range of industries, and their technology services should reflect the specific work they do. Businesses in all fields can benefit from infrastructure as a service. Find an IaaS provider with experience working with other companies in your industry so you know you can trust them to manage your information and meet your goals effectively.
  • Use a service dedicated to helping you grow: As your business grows and changes, you’ll want a partner that can sustain your new advancements and help you further expand when the time is right. Look for providers with innovative ideas and forward-thinking approaches so you can feel confident knowing you’ll always receive the most current solutions.

Partner With Morefield Communications

Using cloud-based technology in your business can maximize efficiency and set your company on a successful trajectory. Infrastructure as a service makes it possible for your business to use high-quality networks without being responsible for time-consuming and costly maintenance.

Morefield Communications offers a variety of IaaS solutions your business can customize to suit your needs, goals and growth. Our expert team works with your company to provide top-of-the-line cloud management that includes technological organization and integration. We’ll help you guard your data, increase efficiency and free up time for your staff to focus on making your business thrive.

Partner with Morefield Communications as your infrastructure as a service provider to ensure your company’s technology runs smoothly!
