The relationship between IT Asset Management (ITAM) and IT Security likely will grow stronger over the next several months as several major companies have had record-breaking issues with software vulnerabilities and are ending free support for antiquated products.

Oracle announced Jan. 14 that it had patched 334 vulnerabilities – including 43 critical ones – across all its products already this month. That number matches the record it set in July 2019. The announcement came the same day that Microsoft stopped supporting free updates for Windows 7 and sent out critical patches for its current PC operating system, Windows 10.

Other software, such as Adobe Flash, Windows Server 2008, Office 2010, Mozilla’s Firefox and more also either have stopped supporting their software, fixed critical patches or will stop supporting the software by the end of the year.

When patches require immediate attention, IT Security needs to know where to find the assets that require work. This is where the gap between ITAM and IT Security begins to close.

Because IT Asset Managers know the location of each asset in the IT environment, IT Security relies on them for information on how many assets it will need to address. The trend likely will continue through this year as security threats dominate the news and products still in service around the world are taken off life support.

Roles and Responsibilities

The relationship among various branches of Information Technology always has been close, but different. While IT Service takes care of installing and maintaining IT assets, IT Security works on vulnerabilities and threats. ITAM, meanwhile, supports both through its inventory tracking and document retention policies and processes.

The International Association of IT Asset Managers, Inc. (IAITAM) since its inception has been a driving force behind enhancing the relationship among all three groups. With IT Security in particular, knowing where assets are in a timely manner was the catalyst to IAITAM’s development of its Certified Asset Management Security Expert (CAMSE) course. The association recently refreshed the course for 2020 with new information about the interdependencies between them. But the foundation – 12 Key Process Areas (KPAs) IAITAM developed nearly two decades ago – for a successful ITAM program remain the same.

Within these KPAs, the elements that underline the necessity of ITAM’s supportive role to IT Security become essential when outbreaks of threats occur, and vulnerabilities are found.

“Cybersecurity dominated the news in 2019, with Ransomware being one of the most problematic IT Security issues,” said Dr. Barbara Rembiesa, President and CEO of IAITAM. “Security experts predict problems will be worse this year. So far, the first two weeks of the year have proven them to be correct.”

Software Soreness

There are two truths about software and security. One is that no software ever will be perfect because programs are designed and coded by people. The second is that no IT environment is ever 100% secure. Software also has more room for error than hardware when it comes to vulnerabilities.

The fact that the news about Microsoft releasing the patch for Windows 10 on a Tuesday is not really a surprise. The Redmond, Washington-based technology company generally releases its patches on a Tuesday. But the corresponding events – end of life for Windows 7 and Server 2008, and the Oracle report, along with other reports of threats and attacks from malware and viruses – are more alarming.

In the case of the Microsoft, patches for Windows 10 and Server 2016 were critical and urgent. The National Security Agency (NSA) found and disclosed the fact that the vulnerability existed. It was a rare find for the agency, and it stressed the urgency of installing the patch immediately.

“[We are] recommending that network owners expedite implementation of the patch immediately as we will also be doing,” said Anne Neuberger, head of the NSA’s Cybersecurity Directorate. “When we identified a broad cryptographic vulnerability like this we quickly turned to work with the company to ensure that they could mitigate it.”

Although similar free patches for Microsoft’s two legacy systems no longer are available, the company still develops them. Those who want to continue to use them can purchase an extended update program at a cost per machine for three years. But the Total Cost of Ownership (TCO) and Return on Investment (ROI) of doing so likely outweigh an upgrade to a newer platform.

At the moment, Microsoft still offers updates to Windows 10 for free if you know where on the company’s site to find it and how to install it. But IAITAM predicts that ability will end soon.

Meanwhile, similar messages were sent out when a Chinese company discovered the vulnerability in Firefox just a few days prior. Installing the update was critical, and the browser already was under attack as the story came to light.

The same was true with Oracle, which issued patches for its entire family of products.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible,” the company said in a pre-release statement.

When threat protection systems fail and an attacker accesses the vulnerability, all it takes is one asset in the environment to potentially infect the entire environment. Finding, isolating and updating the software becomes an essential business function. Without it, organizations sometimes can find their entire IT infrastructures ruined in seconds.

That is why the IT Asset Manager’s discovery tool and repository are so important. When used properly, the tools can tell a practitioner exactly where the software is and provide that information to IT Security. Time is of the essence. An incorrect inventory jeopardizes the organization’s ability to do business.

Future Faux Pas

As awareness spreads about the danger of the types of threats that are out there, vendors are becoming quicker about releasing patches to fix the bugs and let people know that they need to update. Simultaneously, those people are listening more closely now than ever before.

Security threats are not going away, and neither are vulnerabilities. But the IT Asset Manager has the power to prevent the threat by following the KPAs and establishing a mature ITAM program. Through this, IT Security has a chance to mitigate the damage before it’s too late.

References:

[1] Mackie, K. (2020, January 14). Window 7 isn’t the only product losing support this year. GNC. Retrieved from https://gcn.com/articles/2020/01/14/windows-7-end-of-support.aspx

[2] Newman, L. H. (2020, January 14). Windows 10 Has a Security Flaw So Severe the NSA Disclosed It. Wired. Retrieved from https://www.wired.com/story/nsa-windows-10-vulnerability-disclosure/

[3] Seals, T., & Seals, T. (2020, January 14). Oracle Ties Previous All-Time Patch High with January Updates. Threatpost. Retrieved from https://threatpost.com/oracle-cpu-all-time-patch-high-january/151861/

[4] Whittaker, Z. (2020, January 10). Mozilla warns Firefox users to update after ‘targeted attacks’. TechCrunch. Retrieved from https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/