In today's connected world, organizations don't just have computers and servers anymore. They have smart TVs, security cameras, thermostats, printers, and countless other Internet of Things (IoT) devices. Each of these is an "asset" that needs to be managed and secured.

Think of asset inventory as creating a complete map of everything connected to your network. You can't protect what you don't know exists! This room will teach you why this matters, how to identify assets, and specifically how to handle the unique risks posed by IoT devices.

Why This Matters in Cybersecurity

IoT devices add complexity because they often connect without IT department knowledge and may have weak security by default.

Learning Objectives

By completing this room, you will:

• Understand what asset inventory is and why it's essential
• Identify different types of IoT devices and their risks
• Learn basic methods for discovering assets on a network
• Apply simple risk assessment to prioritize security efforts
• Develop a mindset for ongoing asset management

Prerequisites

• Basic understanding of computer networks (from previous rooms)
• Familiarity with common office devices
• No prior security experience needed

How to Approach This Room

This room builds concepts step by step. Start with understanding what assets are, then learn about IoT-specific risks, followed by practical discovery methods, and finally basic risk assessment. Take your time with each concept before moving on.

Optional Video

This optional video covers the fundamental concepts of asset inventory and IoT security. It's helpful but not required to complete the room.

Asset inventory is the process of identifying, cataloging, and tracking all technology assets within an organization. Think of it as creating a detailed "what's what" list of every device, application, and digital resource that connects to your network or stores your data.

Just like a library needs to know every book it owns (title, author, location, condition), a cybersecurity team needs to know every asset: what it is, where it is, who uses it, and how it's configured.

Types of Assets in Modern Organizations

Modern organizations have four main types of assets:

1. Hardware Assets: Physical devices like computers, servers, routers, and IoT devices
2. Software Assets: Applications, operating systems, and cloud services
3. Data Assets: Information stored anywhere (databases, files, cloud storage)
4. IoT Assets: Special category of hardware that includes smart devices, sensors, and connected equipment

The Asset Inventory Lifecycle

Asset inventory isn't a one time task. It's an ongoing cycle:

1. Discovery: Finding all assets (we'll cover methods in Task 4)
2. Catalog: Recording details about each asset
3. Track: Monitoring assets for changes or movement
4. Update: Keeping the inventory current as assets change

Below is a visual demonstration of the continuous asset inventory process:

Common Asset Details to Record

Information Type	Examples	Why It Matters
Basic Info	Device name, type, serial number	Identification and tracking
Location	Physical location, network segment	Access control and monitoring
Owner/User	Department, individual responsible	Accountability and support
Configuration	OS version, installed software	Vulnerability assessment
Network Details	IP address, MAC address, connections	Network security and monitoring
Security Status	Updates applied, security software	Risk assessment

Benefits of Proper Asset Inventory

• Better Security: You can't protect what you don't know exists
• Cost Management: Avoid paying for unused software or devices
• Compliance: Meet regulatory requirements for asset tracking
• Efficient Support: Faster troubleshooting when you know what's where
• Informed Decisions: Better planning for upgrades and security investments

Real-World Analogy: The Digital Library

Think of asset inventory like managing a library. The librarian must:

1. Know every book (discovery)
2. Catalog each with details (title, author, ISBN)
3. Track who borrows what (usage monitoring)
4. Update when new books arrive or old ones retire (continuous process)

Your network assets are the "books" in your digital library.

Scenario Continuation: Expanding the Office Inventory

Back to our small office: You start with the obvious: 15 computers, 3 servers. But as you look closer, you find: 5 network printers, 2 wireless access points, a video conferencing system, 3 smart TVs, and an internet-connected coffee maker in the break room. Each gets added to your inventory with details like location, owner, and security status.

Understanding IoT Devices

IoT stands for "Internet of Things." These are everyday objects that connect to the internet to send or receive data. Unlike traditional computers, IoT devices are often designed for specific tasks (like monitoring temperature or streaming video) and may have limited computing power and security features.

What makes IoT devices unique is that they're often installed without IT department knowledge and may remain operational for years without updates or security checks.

IoT Devices in Different Environments

Environment	Common IoT Devices	Security Concern
Office	Smart TVs, video conferencing, smart lighting, HVAC controls	Often purchased by non-IT staff, rarely updated
Home (in office)	Personal smart speakers, fitness trackers, smart watches	Bring Your Own Device (BYOD) risks, mixing personal/business
Industrial	Sensors, monitors, control systems, manufacturing equipment	Critical operations risk, often outdated software
Retail	Digital signage, inventory scanners, payment terminals	Customer data exposure, compliance issues

Why IoT Devices Are Security Risks

IoT devices introduce several specific security challenges:

1. Default Passwords: Many ship with simple passwords like "admin/admin" that users never change
2. Lack of Updates: Manufacturers may stop providing security updates quickly
3. Always-On Connectivity: Constantly connected, providing persistent attack opportunities
4. Limited Security Features: Often can't run antivirus or advanced security software
5. Invisible Operation: Work in the background without user interaction, so problems go unnoticed

The Expanded Attack Surface

Every connected device increases your "attack surface", the total number of places where an attacker could try to enter your network. IoT devices often expand this surface dramatically because:

• They're numerous (dozens or hundreds in a medium office)
• They're diverse (many different brands and models)
• They're vulnerable (often weaker security than computers)

Below is a visual demonstration of how IoT devices increase attack surface:

Real-World IoT Security Examples

• Smart Camera Breach: Default password never changed → attacker accesses camera → uses it to spy or move to other network devices
• Printer Vulnerability: Unpatched printer firmware → exploited to intercept printed documents or launch attacks
• Thermostat Compromise: Smart thermostat with weak security → used as entry point to access corporate network
• Digital Signage Hack: Unsecured display system → shows inappropriate content or steals Wi-Fi credentials

The IoT Security Gap

Traditional security often focuses on computers and servers, leaving IoT devices as the "weakest link." Attackers know this and increasingly target IoT devices as their first step into a network.

Below is a visual demonstration of how unmanaged IoT devices create security gaps:

Comparing Managed vs Unmanaged Assets

Asset Type	Managed	Unmanaged
Office Computer	IT department knows it exists, has security software, gets regular updates	Unknown to IT, may have outdated software, potential security risk
Network Printer	Documented, monitored, configured securely	Connected without IT knowledge, default passwords, unpatched
Security Camera	Registered, firmware updated, access controlled	Installed by facilities team, never updated, weak credentials
Smart Thermostat	Approved device, configured securely, monitored	Purchased by office manager, never assessed for security

Scenario: IoT Risks in Our Office

Our small office now has identified several IoT devices:

• 3 smart TVs (never updated, default settings)
• 5 IP security cameras (weak passwords, outdated firmware)
• 1 smart thermostat (no security configuration)
• 2 wireless printers (open connectivity, no access controls)

Each device represents a potential entry point. The security cameras are particularly risky - they're always on, connected to the network, and often have remote access enabled for monitoring.

Finding What's on Your Network

Asset discovery is the process of identifying all devices connected to your network. This is the first practical step in building your asset inventory. You need to know what's there before you can secure it.

Think of asset discovery like conducting a census for your digital city. You need to find every "resident" (device) to know who needs protection and services.

Manual Discovery Methods

These involve human effort and observation:

1. Physical Walkthroughs: Physically check each room and location
   • Pros: Finds devices that might not be network-visible
   • Cons: Time-consuming, may miss hidden devices
2. Interviews and Surveys: Ask department heads and employees
   • Pros: Gets user context and device purpose
   • Cons: Relies on memory, may be incomplete
3. Purchase Record Review: Check procurement and expense records
   • Pros: Documents official purchases
   • Cons: Misses personal or unauthorized devices

Network-Based Discovery

These use technical methods to find connected devices:

1. Ping Sweeps: Sending signals to check if devices respond
   • Simple method to find active devices
   • Like calling out "Is anyone there?" on the network
2. Port Scanning: Checking which network "doors" (ports) are open
   • Reveals what services devices are running
   • Helps identify device types by their open ports
3. Network Traffic Analysis: Monitoring data flows to see what's communicating
   • Finds devices even if they don't respond to scans
   • Identifies communication patterns

Below is a visual demonstration comparing discovery methods:

Automated Discovery Tools

Tool Type	What It Does	Best For
Network Scanners	Automatically finds devices on network	Regular, comprehensive discovery
Agent-Based Tools	Software installed on devices reports back	Managed computers and servers
Cloud Discovery	Identifies cloud services and SaaS apps	Modern, cloud-heavy environments
Specialized IoT Scanners	Specifically designed for IoT device detection	Finding smart devices and sensors

Discovery Methods Comparison

Method	Speed	Completeness	IoT Detection	Skill Required
Physical Walkthrough	Slow	Low-Medium	Low	Low
Interviews	Medium	Low	Very Low	Low
Ping Sweeps	Fast	Medium	Medium	Medium
Port Scanning	Fast	High	High	Medium-High
Traffic Analysis	Medium	Very High	High	High

Special Considerations for IoT Discovery

IoT devices can be tricky to discover because:

• They may only connect intermittently
• They might use unusual network protocols
• They could be on separate networks (like guest Wi-Fi)
• They may not respond to traditional discovery methods

Documentation Best Practices

When you discover assets, record:

1. Basic identification (name, type, location)
2. Discovery method used (how you found it)
3. Date discovered (for tracking inventory age)
4. Initial risk assessment (high/medium/low based on obvious factors)

Scenario: Discovering Our Office Assets

Applying discovery methods to our small office:

• Physical walkthrough finds: smart TVs, security cameras, thermostat
• Ping sweep finds: 45 responding devices (more than expected!)
• Port scanning identifies: 3 devices with outdated web interfaces
• Traffic analysis reveals: 2 unknown devices communicating externally

Understanding Risk Assessment

Risk assessment is the process of evaluating how much danger each asset poses to your organization. For IoT devices, this is especially important because they often have unique vulnerabilities. Think of it as creating a "most wanted" list for your security efforts - which devices need attention first?

The Simple Risk Formula

A basic way to think about risk is:

Risk = Threat × Vulnerability × Impact

Let's break this down for IoT devices:

1. Threat: How likely is someone to attack this device?
   • Example: Internet-facing security cameras have high threat (easily found by attackers)
2. Vulnerability: How easy is it to compromise the device?
   • Example: Default passwords create high vulnerability
3. Impact: What damage would occur if compromised?
   • Example: A compromised HVAC control could cause physical damage (high impact)

Applying Risk Assessment to IoT

When assessing IoT devices, consider these factors:

• Internet Exposure: Is the device accessible from the internet?
• Default Configurations: Are passwords or settings still at factory defaults?
• Update Status: When was it last updated? Can it even be updated?
• Data Handling: What sensitive data does it collect or transmit?
• Network Position: What other systems can it access if compromised?

Below is a visual demonstration of prioritizing IoT risks:

Prioritizing IoT Risks

Use this simple priority system:

High Priority (Fix Immediately):

• Internet-facing devices with default passwords
• Devices handling sensitive data (cameras, microphones)
• Critical infrastructure controls (HVAC, electrical)

Medium Priority (Fix Soon):

• Internal devices with weak security
• Devices that can access other systems
• Older devices no longer receiving updates

Low Priority (Schedule Fix):

• Isolated devices with limited access
• Devices with minimal data collection
• Newer devices with good security defaults

Simple Risk Matrix

Impact/Likelihood	High Likelihood	Medium Likelihood	Low Likelihood
High Impact	🔴 Fix Immediately	🟡 Fix Within Week	🟡 Fix Within Month
Medium Impact	🟡 Fix Within Week	🟢 Fix When Possible	🟢 Monitor Only
Low Impact	🟡 Fix Within Month	🟢 Monitor Only	🟢 Accept Risk

Basic Mitigation Strategies

For common IoT risks:

1. Default Passwords: Change to strong, unique passwords
2. Unpatched Devices: Update firmware or replace if unsupported
3. Unnecessary Features: Disable remote access or unused services
4. Network Exposure: Isolate on separate network segments
5. Lack of Monitoring: Enable logging and alerting

Creating a Simple Risk Register

A risk register is just a list of risks with their assessment:

Device	Risk Level	Reason	Action Required	Due Date
Security Camera 1	High	Default password, internet-facing	Change password, firewall	Immediate
Conference Room TV	Medium	Outdated firmware, internal only	Schedule update	1 week
Smart Thermostat	High	Critical system, weak authentication	Strengthen auth, monitor	Immediate

Scenario: Assessing Office IoT Risks

Back to our office inventory:

• Security Cameras: High risk (internet-facing, default passwords, sensitive data)
• Smart TVs: Medium risk (internal only, but outdated, could be used to access network)
• Thermostat: High risk (controls critical system, weak security)
• Wireless Printers: Medium risk (internal, but often have management interfaces exposed)
• Coffee Maker: Low risk (isolated, minimal data, but still a concern)

Congratulations! You've completed the Asset Inventory & IoT Risk Management room. You've learned how to identify, catalog, and assess the security of technology assets, with special focus on the growing challenge of Internet of Things devices.

Key Takeaways

• Asset Inventory is Foundation: You can't secure what you don't know exists. A complete asset inventory is the first step in any security program.
• IoT Devices Are Different: Smart devices introduce unique risks through default passwords, lack of updates, and often being installed without IT knowledge.
• Discovery Requires Multiple Methods: No single method finds everything. Combine physical checks, interviews, and network scanning for complete coverage.
• Risk Assessment Guides Action: Not all risks are equal. Use simple assessment to prioritize what needs immediate attention versus what can wait.
• Continuous Process: Asset management never stops. New devices connect, software updates, and threats evolve - your inventory and assessments must keep pace.

In cybersecurity, visibility is everything. You've taken the first crucial step toward better security by learning how to see what's on your network. Every secured device, every changed default password, every documented asset makes your digital environment safer.