Cybersecurity Control Review - Use DHCP Logging to Update Asset Inventories, CIS 1.4

Cybersecurity Frameworks - Cybersecurity Guides

Cybersecurity Control Review: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory, CIS 1.4

Summary:

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Company Asset Inventories, which is considered an Identification control, and is part of CIS Control 01: Inventory and Control of Enterprise Assets. Configure DHCP logging on all DHCP servers or leverage Internet Protocol (IP) address management tools to update the company's asset inventory, which is created as part of Control 1.1. The logs should be reviewed on a weekly basis, or more frequently and then the inventory should be updated to reflect any changes or updates identified.

Recommendations:

This is a pretty simple and straightforward Safeguard within CIS Control 01. Every organization should be utilizing DHCP either with a DHCP server or Firewall. The point of this control is to use an alternative source capturing up-to-date information on all the devices connected to your internal network. Control 1.1 was to create an inventory and control 1.2 was to use a discovery tool to identify devices and information for the inventory. This control now recommends using DHCP as a secondary method to collect device information to compare to the other discovery scans and the current inventory.

Because DHCP simply hands out available IP addresses to any device attempting to connect to the network (assuming they are authorized, if other preventative controls are in place), then ALL computers and mobile devices should be found in the DHCP logs automatically without any other configuration. It's possible that these devices are missing from the current inventory or were not included in the discovery scans conducted.

In order to make sure you can keep up with the logs and the information is accurate, the DHCP logs should be reviewed on a weekly basis at a minimum to look for any anomalies, unauthorized devices, or simply devices missing from the inventory that need to be added.

Keep in mind, you need to configure the logging with enough storage to retain all logs for at least one week so they can be reviewed, but it is recommended that they are retained for at least one month. Most organizations have the logs being sent to a Syslog server or SIEM and are retained for 90 days or longer. Have the logs go to a centralized repository also makes it easier to access and review, but we will discuss that further in a separate control.

See the list of references below

Review these sources for more information

1. Summary of Control 1.1 https://www.cyberoutlook.org/post/daily-security-control-dsc-manage-and-maintain-an-asset-inventory

2. Summary of Control 1.2 https://www.cyberoutlook.org/post/daily-security-control-dsc-address-unauthorized-assets

3. Summary of Control 1.3 https://www.cyberoutlook.org/post/daily-security-control-dsc-utilize-an-active-discovery-tool

4. CIS Controls https://www.cisecurity.org/controls