OBJECTIVE 4.2

Explain the security implications of proper hardware, software, and data asset management

You can’t protect what you don’t know about. Asset management is the foundation of every other security operation — vulnerability management, patching, incident response, and access control all depend on knowing what assets exist and their state.

Asset Inventory

Hardware Assets

  • Servers, workstations, laptops, mobile devices, network equipment
  • IoT devices, printers, cameras, HVAC controllers
  • Removable media, external drives, USB devices
  • Challenge: Shadow IT — devices connected to the network without IT knowledge

Software Assets

  • Operating systems and versions, installed applications, libraries and dependencies
  • Licensed vs. unlicensed software (compliance and legal risk)
  • SaaS applications in use (sanctioned and unsanctioned)

Data Assets

  • Databases, file shares, cloud storage, email archives
  • Classified by sensitivity level (public, internal, confidential, restricted)
  • Data owners assigned for each asset

Enumeration and Classification

  • Automated discovery tools for network-connected assets
  • CMDB (Configuration Management Database) as the central record
  • Each asset tagged with: owner, classification, location, criticality, lifecycle stage

Acquisition and Procurement

Secure Procurement

  • Purchase from authorized/trusted vendors only
  • Verify hardware integrity (tamper-evident packaging, supply chain verification)
  • Evaluate software security before deployment (software composition analysis (SCA) of its dependencies, vendor security assessment)

Standardization

  • Approved hardware models and software versions reduce attack surface variety
  • Standard builds/images ensure consistent security baselines
  • Deviation from standards requires security review and approval

Assignment and Accounting

Ownership

Every asset must have an assigned owner responsible for its security.

  • Hardware: assigned to individual users or departments
  • Software: licensed and tracked
  • Data: classified with a data owner who makes access decisions

Tracking

  • Asset tags (physical and logical), serial numbers
  • Check-in/check-out procedures for mobile and shared assets
  • Geolocation tracking for mobile devices (MDM)

Monitoring

Usage Monitoring

  • Software license compliance (overuse = legal risk, underuse = waste)
  • Hardware utilization (underutilized assets may be candidates for decommission)
  • Data access patterns (who’s accessing what, when)

State Monitoring

  • Patch level and vulnerability status
  • Configuration drift from baseline
  • End-of-life/end-of-support status tracking

Media Sanitization

When storage media is reused, donated, or disposed of, data must be irrecoverably removed.

Methods (in order of increasing assurance, using the NIST SP 800-88 terms)

  • Clear: Overwriting every user-addressable location with zeros or a pattern (or a factory reset where that is the only option the device offers). Protects against simple, non-invasive recovery such as undelete and file-carving tools. Appropriate for media that stays inside the organization.
  • Purge: Cryptographic erase, the drive's block erase or sanitize command (SSD), or degaussing (magnetic media only; it also leaves a modern hard drive unusable). Protects against laboratory recovery techniques. Appropriate when media leaves organizational control.
  • Destroy: Physical destruction (shredding, incineration, disintegration, pulverizing, melting). Highest assurance, and the only option when the media cannot be purged or holds the most sensitive data.

Documentation

  • Certificate of sanitization/destruction for compliance audits
  • Chain of custody maintained until destruction is confirmed

SSD Considerations

Overwriting through the host interface does not reliably sanitize an SSD: the controller's wear leveling writes new data to a different physical page and leaves the old copy in place until garbage collection, and over-provisioned and remapped blocks are never addressable from the host at all. Use:

  • The drive's built-in sanitize command (ATA Secure Erase or ATA Sanitize, NVMe Format with secure erase), which operates below the flash translation layer; verify afterwards by sampling a read-back of the device
  • Cryptographic erase (destroy or replace the media encryption key), valid only if the drive encrypted all data from first use, as a self-encrypting drive (SED) does
  • Physical destruction for highest assurance
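The difference between Clear and Purge on flash is easier to see in a model than in prose. The following is an added example, not code from the original page: a toy flash translation layer with a crude wear-leveling policy (every write goes to the next free page, the old page is left as a stale copy, and garbage collection never runs). The page cipher is a throwaway XOR keystream standing in for the AES a real self-encrypting drive uses, and the 16-byte "secret" record is constructed sample data. It shows that a host-side overwrite leaves the plaintext on a stale page, that the same is true on an encrypted drive for anyone who holds the current key, and that replacing the key (cryptographic erase) makes every stale page unreadable without touching it.

```python
"""Toy SSD: why overwriting a logical block is Clear, not Purge.

Added example, not from the original page. The FTL, the page cipher and the
sample record are illustrative constructs, not a model of any real controller.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

PAGE = 16  # bytes per physical page in the toy flash


class ToySsd:
    def __init__(self, pages: int, key: Optional[bytes] = None):
        self.flash: List[Optional[bytes]] = [None] * pages  # None = erased page
        self.l2p: Dict[int, int] = {}                        # logical block -> physical page
        self.write_ptr = 0                                   # next free page (wear leveling)
        self.key = key                                       # None = no media encryption

    def _codec(self, ppage: int, data: bytes) -> bytes:
        """Toy page cipher: XOR with a keystream tied to the key and page number.
        Symmetric, so one call both encrypts and decrypts. Illustration only."""
        if self.key is None:
            return data
        ks = hashlib.sha256(self.key + ppage.to_bytes(4, "big")).digest()[:PAGE]
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, lba: int, data: bytes) -> None:
        """Never write in place: take the next free page, remap, leave the old page stale."""
        assert len(data) == PAGE
        if self.write_ptr >= len(self.flash):
            raise RuntimeError("toy flash full (garbage collection never runs here)")
        ppage, self.write_ptr = self.write_ptr, self.write_ptr + 1
        self.flash[ppage] = self._codec(ppage, data)
        self.l2p[lba] = ppage

    def read(self, lba: int) -> bytes:
        """What the host sees: only the currently mapped page."""
        ppage = self.l2p[lba]
        return self._codec(ppage, self.flash[ppage])

    def stale_pages(self) -> List[int]:
        """Pages that still hold data but are no longer referenced by the mapping table."""
        live = set(self.l2p.values())
        return [p for p, cell in enumerate(self.flash) if cell is not None and p not in live]

    def crypto_erase(self) -> None:
        """Cryptographic erase: discard the media key and mint a fresh one.
        No page is rewritten; everything under the old key is now noise."""
        assert self.key is not None, "drive is not self-encrypting; crypto erase is meaningless"
        self.key = secrets.token_bytes(32)
        self.l2p.clear()


def lab_can_recover(ssd: ToySsd, secret: bytes) -> bool:
    """Chip-off view: read every physical page, mapped or stale, through the
    controller's current key (or no key) and look for the secret."""
    return any(cell is not None and ssd._codec(p, cell) == secret
               for p, cell in enumerate(ssd.flash))


SECRET = b"PIN=4471;ACCT=09"   # constructed 16-byte sample record
ZEROS = bytes(PAGE)


def overwrite_only(encrypted: bool) -> Tuple[bool, List[int], bool]:
    """Write the secret, then 'sanitize' LBA 0 by overwriting it with zeros.
    Returns (host_reads_zeros, stale_pages, lab_recovers_secret)."""
    ssd = ToySsd(pages=8, key=secrets.token_bytes(32) if encrypted else None)
    ssd.write(0, SECRET)
    ssd.write(0, ZEROS)          # what a host-side overwrite tool does
    return ssd.read(0) == ZEROS, ssd.stale_pages(), lab_can_recover(ssd, SECRET)


def overwrite_then_crypto_erase() -> bool:
    """Same writes on a self-encrypting drive, followed by key replacement."""
    ssd = ToySsd(pages=8, key=secrets.token_bytes(32))
    ssd.write(0, SECRET)
    ssd.write(0, ZEROS)
    ssd.crypto_erase()
    return lab_can_recover(ssd, SECRET)


if __name__ == "__main__":
    print("plain SSD, overwrite only     :", overwrite_only(encrypted=False))
    print("SED, overwrite only           :", overwrite_only(encrypted=True))
    print("SED, overwrite + crypto erase :", overwrite_then_crypto_erase())
```

The second case is the one that surprises people: encryption at rest does not by itself make an overwrite a purge, because the stale page is still decryptable by whoever holds the drive's current key (the drive itself, or a lab that unlocks it with the user password). Only replacing the key, or a sanitize command that erases below the translation layer, reaches the stale copies.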

Asset Disposal and Decommissioning

  • Remove from network and all management systems
  • Revoke all access credentials and certificates
  • Sanitize or destroy storage media
  • Update asset inventory and CMDB
  • Return leased equipment according to vendor procedures
  • Risk: Forgotten assets that are decommissioned from use but not from the network continue to run unpatched
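The enumeration step above (discovery results joined to a tagged CMDB record) and the last item of this checklist (assets retired on paper but still on the wire) are the same reconciliation seen from two ends. The following is an added example, not code from the original page: it joins a constructed discovery sweep to constructed CMDB rows on MAC address and reports the four gaps a practitioner cares about. The hostnames, MACs, IPs, owners and dates are sample data; the tag fields follow the scheme in the text plus an end-of-support date for the state-monitoring check.

```python
"""Reconcile a network discovery sweep against the CMDB.

Added example, not from the original page. CMDB rows, sweep results and tag
values are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CmdbAsset:
    mac: str
    hostname: str
    owner: str
    classification: str          # public / internal / confidential / restricted
    location: str
    criticality: str             # low / medium / high
    lifecycle: str               # procured / deployed / decommissioned
    end_of_support: Optional[date] = None


@dataclass(frozen=True)
class SeenDevice:
    mac: str
    ip: str
    hostname: str                # as reported by DNS/mDNS/NetBIOS: untrusted, display only


def norm_mac(mac: str) -> str:
    """Tools and vendors format MACs differently; compare on one canonical form."""
    return mac.strip().lower().replace("-", ":")


def by_host(x):
    return x.hostname


def reconcile(cmdb: List[CmdbAsset], sweep: List[SeenDevice], today: date) -> Dict[str, list]:
    """Join the two views on MAC and return the gaps an attacker would look for."""
    known = {norm_mac(a.mac): a for a in cmdb}
    seen = {norm_mac(d.mac): d for d in sweep}
    return {
        # on the wire but not in the CMDB: shadow IT, nobody patches or monitors it
        "unmanaged": sorted((d for m, d in seen.items() if m not in known), key=by_host),
        # retired on paper, still answering: runs unpatched until someone notices
        "decommissioned_but_alive": sorted(
            (known[m] for m in seen if m in known and known[m].lifecycle == "decommissioned"),
            key=by_host),
        # recorded as deployed but silent: lost, stolen, or moved without a ticket
        "deployed_but_missing": sorted(
            (a for m, a in known.items() if a.lifecycle == "deployed" and m not in seen),
            key=by_host),
        # vendor no longer ships fixes: vulnerability status can only get worse
        "past_end_of_support": sorted(
            (a for a in cmdb if a.lifecycle == "deployed"
             and a.end_of_support is not None and a.end_of_support <= today),
            key=by_host),
    }


# Constructed sample CMDB: four tagged assets.
CMDB = [
    CmdbAsset("00:1A:2B:3C:4D:01", "srv-db-01", "dba-team", "restricted",
              "DC-1 rack 4", "high", "deployed", date(2023, 6, 30)),
    CmdbAsset("00:1A:2B:3C:4D:02", "ws-1042", "j.doe", "internal",
              "HQ floor 3", "low", "deployed"),
    CmdbAsset("00:1A:2B:3C:4D:03", "srv-legacy-07", "it-ops", "confidential",
              "DC-1 rack 9", "medium", "decommissioned"),
    CmdbAsset("00:1A:2B:3C:4D:04", "nas-03", "it-ops", "confidential",
              "HQ comms room", "medium", "deployed"),
]

# Constructed sample sweep (what an ARP/ping sweep of the local segments returned).
SWEEP = [
    SeenDevice("00-1a-2b-3c-4d-01", "10.0.4.11", "srv-db-01"),
    SeenDevice("00:1a:2b:3c:4d:02", "10.0.3.42", "ws-1042"),
    SeenDevice("00:1a:2b:3c:4d:03", "10.0.4.97", "srv-legacy-07"),   # retired, still online
    SeenDevice("3c:18:a0:12:34:56", "10.0.3.200", "HP-LaserJet"),    # no ticket, no owner
]


def report(today: date = date(2024, 1, 15)) -> Dict[str, List[str]]:
    """Hostnames per gap category for the sample data."""
    return {k: [x.hostname for x in v] for k, v in reconcile(CMDB, SWEEP, today).items()}


if __name__ == "__main__":
    for category, hosts in report().items():
        print(f"{category:26s} {', '.join(hosts) or '-'}")
```

Two caveats on the join key: an ARP sweep only sees MACs on the scanner's own segment, so across routed networks the discovery side is better fed from DHCP lease logs, switch MAC tables or a NAC system, and a MAC address can be spoofed, so a match on MAC says a device claims to be the asset, not that it is. The check is still worth running on a schedule: every row in `decommissioned_but_alive` is an unpatched host that the organization has already stopped watching.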

Offensive Context

Asset inventory gaps are attacker opportunity. Unmanaged devices don’t get patched, monitored, or hardened. Shadow IT creates unmonitored attack surface. Improper media disposal has led to high-profile data breaches — hard drives from decommissioned servers appearing on eBay with recoverable data. An attacker performing reconnaissance is building their own version of your asset inventory — and they’re often more thorough than the organization’s.