Asset categorization, also known as asset classification, is the process of placing business assets with similar characteristics into the same group. This helps a business shape how it works with each asset, such as how it prioritizes which assets receive the strongest security protections. From the perspective of a pen tester, categorizing assets is a helpful step in deciding how to approach exploitation efforts. You might treat assets that belong to one category as less relevant to the test, even if their vulnerabilities would be easier to exploit. On the other hand, assets belonging to a different category might be of higher importance and worth the trouble to target. Some might even be susceptible to a broader set of tools.
The categories that businesses or pen testers use will vary from circumstance to circumstance. Some common categories in the realm of cybersecurity include:
- Public assets, which present no risk to an organization if disclosed, but do present a risk if modified or not available.
- Private assets, which present some risk to an organization if possessed by competitors, modified, or not available.
- Restricted assets, which might be limited to a very small subset of the organization primarily at the executive level (e.g., corporate accounting data), where unauthorized access might cause a serious disruption to the business.
- Confidential assets, which would have significant impact to the business and its clients if disclosed. Client account information like user names and passwords, personally identifiable information (PII), protected health information (PHI), and payment card information (PCI)/cardholder data (CHD) would be in this category.
It’s important to note that these categories all flow from one particular classification scheme: each of them describes the sensitivity of an asset in terms of the cybersecurity protections it needs. This is certainly valuable to a pen tester, because such categories help you make decisions about which assets are potentially the most challenging to compromise, the most likely to be targeted by attackers, the most valuable to an attacker, and the most devastating to the business.
There are, however, other approaches to categorization. For example, you might categorize assets in terms of the role they play in the business. Such categories might include:
- People, particularly personnel, customers, and other business stakeholders.
- Hardware, particularly computing equipment and peripherals.
- Software, particularly operating systems and applications.
- Data, particularly proprietary data or data about people.
- Physical environment, particularly the office and where it is located.
- Processes, particularly processes that enable the business to provide products and services directly to customers.
- Third parties, particularly business partners and members of the organization’s supply chain.
As a pen tester, you might use this particular classification scheme because it breaks the business down into its fundamental components. Being able to exploit one or more of these roles might have a greater or more wide-reaching impact on the target business.
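The following is an added example, not code from the original text, showing how the two schemes above can be combined over a small asset inventory: sensitivity is derived from what an asset holds and who may see it, and the business role contributes to a protection-priority ranking that a defender (or a tester scoping an engagement) can use. The `Asset` fields, the rule ordering, the score weights and the sample inventory are all assumptions made for illustration.

```python
"""Added example: classify inventory assets under the sensitivity scheme
(public / private / restricted / confidential) and the business-role scheme,
then rank them for protection priority. All rules and sample data are assumed."""
from dataclasses import dataclass, field

# Sensitivity tiers in the order the text lists them, least to most sensitive.
SENSITIVITY_ORDER = ["public", "private", "restricted", "confidential"]

# Data types that make an asset Confidential when present (assumed labels).
CONFIDENTIAL_DATA = {"credentials", "pii", "phi", "chd"}

# Business roles from the second scheme (assumed spellings).
ROLES = {"people", "hardware", "software", "data", "physical", "process", "third_party"}


@dataclass
class Asset:
    name: str
    role: str                                   # one of ROLES
    data_types: set = field(default_factory=set)  # e.g. {"pii", "chd"}
    audience: str = "internal"                  # "public", "internal" or "executive"
    availability_critical: bool = False
    integrity_critical: bool = False


def classify_sensitivity(asset: Asset) -> str:
    """Derive the sensitivity tier. Rules are ordered strictest first so that
    an asset matching several rules lands in the most sensitive tier."""
    if asset.role not in ROLES:
        raise ValueError(f"unknown role {asset.role!r} for {asset.name}")
    if asset.data_types & CONFIDENTIAL_DATA:
        return "confidential"          # client credentials, PII, PHI, CHD
    if asset.audience == "executive":
        return "restricted"            # limited to a small executive subset
    if asset.audience == "public":
        return "public"                # no disclosure risk; integrity/availability still matter
    return "private"


def protection_priority(asset: Asset) -> int:
    """Score used to decide which assets get the strongest protections first.
    Weights are assumptions; the point is that sensitivity dominates while
    integrity, availability and role still influence the order."""
    score = SENSITIVITY_ORDER.index(classify_sensitivity(asset)) * 10
    # A public asset carries risk if modified or unavailable, so those flags still count.
    score += 3 if asset.integrity_critical else 0
    score += 3 if asset.availability_critical else 0
    # Roles whose compromise tends to reach other components get a small bump (assumed).
    score += {"process": 2, "third_party": 2, "software": 1}.get(asset.role, 0)
    return score


def rank_assets(assets):
    """Return assets ordered from highest to lowest protection priority."""
    return sorted(assets, key=protection_priority, reverse=True)


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    Asset("Marketing website", "software", audience="public", integrity_critical=True),
    Asset("HR records DB", "data", data_types={"pii"}),
    Asset("Board finance share", "data", audience="executive"),
    Asset("Payroll SaaS vendor", "third_party", data_types={"pii"}),
    Asset("Internal wiki", "software"),
]

if __name__ == "__main__":
    for a in rank_assets(SAMPLE_INVENTORY):
        print(f"{protection_priority(a):>3}  {classify_sensitivity(a):<12} {a.role:<11} {a.name}")
```

Running the block prints the inventory with the payroll vendor and HR database on top (both hold PII, and the vendor's third-party role adds to its score), the executive-only finance share next, and the public marketing site last even though its integrity flag is set. Swapping the weights or adding a rule (for example, treating any asset with `availability_critical` as at least Private) is how you would adapt the scheme to a particular engagement.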