IT Asset Management (ITAM) und Cybersicherheit: Alles inventarisieren, alles schützen
Why comprehensive IT asset management is the foundation of every security strategy: CMDB concepts, software asset management, SBOM, hardware lifecycle, automated discovery tools, and how ITAM relates to ISO 27001, NIS2, and vulnerability management.
Table of Contents (6 sections)
“You can’t protect what you don’t know you have.”—this principle is the foundation of every security strategy. IT Asset Management (ITAM) ensures that companies maintain a complete, up-to-date overview of all IT assets: hardware, software, cloud resources, licenses, and their dependencies.
Why ITAM Is the Foundation of Every Security Strategy
The unpatched asset problem:
Scenario: Ransomware attack in October 2024
Entry point: CVE-2024-XXXX in Windows Server 2012 R2
Question: "Do we still have Windows 2012 R2 systems?"
Answer without ITAM: "We don't think so..."
Reality: 3 forgotten VMs in the basement ESXi
Why does this happen?
→ Organic IT growth over the years
→ No structured handover during staff turnover
→ Shadow IT: Departments make purchases without the IT department
→ Cloud sprawl: Teams create EC2 instances, then forget about them
→ Virtualization: VMs are cloned, renamed, and forgotten
CIS Controls 1 and 2 require exactly that:
Control 1: Inventory and control of enterprise assets
Control 2: Inventory and control of software assets
ITAM gaps = security gaps:
Unknown asset → no patch → known CVE → attack
Statistics:
→ 20% of IT assets in medium-sized companies are not inventoried
(Freshservice State of IT, 2023)
→ 67% of ransomware attacks exploit unpatched known CVEs
(IBM X-Force, 2024)CMDB - Configuration Management Database
CMDB Concept (according to ITIL):
Configuration Item (CI):
→ Any asset that is managed
→ Has attributes: Name, Type, Version, Owner, Location, Status
→ Types: Hardware, Software, Service, Document, Certificate
CMDB Structure Example:
CI: web-prod-01
Type: Physical Server
Model: Dell PowerEdge R750
OS: Ubuntu 22.04 LTS
IP: 10.0.2.10
MAC: 00:50:56:AB:CD:EF
Rack: Data Center DC1, Rack-03, U 12-14
Owner: IT Operations
Application: Nginx 1.24, Node.js 20.x, PostgreSQL 15
Last Patch: 2026-02-28
Next Patch: 2026-03-28
End-of-Life: 2027-06-30 (Hardware)
Dependencies: → load-balancer-01, → db-cluster-01
Relationships in the CMDB:
web-prod-01 → uses → nginx:1.24 (Software)
web-prod-01 → connected-to → db-cluster-01 (Server)
web-prod-01 → hosted-on → esxi-host-02 (if VM)
nginx:1.24 → has-vulnerability → CVE-2023-44487 (HTTP/2 Rapid Reset)
CMDB Tools:
Open Source:
→ iTop (CMDB + ITSM, free)
→ Ralph (excellent open-source ITAM tool)
→ NetBox (network/data center-focused)
→ Snipe-IT (asset tracking, very user-friendly)
Commercial:
→ ServiceNow CMDB (enterprise standard)
→ Freshservice CMDB (SME/mid-market)
→ Lansweeper (very good for automatic discovery)
→ Device42 (CMDB + Discovery + Dependency Mapping)Automatic Asset Discovery
How to find assets you don’t know about:
Network scan-based discovery:
Nmap for basic inventory:
# Discover all active hosts on the network
nmap -sn 10.0.0.0/16 -oX discovery.xml
# Identify operating system and services
nmap -O -sV 10.0.0.0/16 -oX inventory.xml
# Only specific ports (faster for large networks)
nmap -p 22,80,443,3389,445 10.0.0.0/16 --open
# Output to CSV for Excel/import
nmap -p 22,80,443 10.0.0.0/16 -oG - | \
awk '/Up/{print $2}' > live-hosts.txt
Nessus Essentials (free for up to 16 IPs):
→ Combined vulnerability scan + asset discovery
→ Identifies OS, patches, services, configuration issues
→ Export as CSV/XML for CMDB import
OpenVAS (free, unlimited):
→ Comprehensive vulnerability scanner
→ Asset discovery as a byproduct
→ Regular updates to the vulnerability database
Agent-based discovery:
→ Lansweeper Agent: installed on endpoints
→ Regularly sends complete hardware/software inventory
→ Also finds assets behind NAT / in remote offices
Cloud asset discovery:
AWS:
aws ec2 describe-instances --query \
'Reservations[].Instances[].[InstanceId,State.Name,
PublicIpAddress,PrivateIpAddress,Tags[?Key==`Name`].Value|[0]]' \
--output table
Azure:
az resource list --output table
GCP:
gcloud compute instances list
Multi-Cloud:
→ Prisma Cloud: all clouds in a single overview
→ Wiz: Cloud Asset Inventory + Risk Assessment
→ Combine AWS Security Hub + Azure Security CenterSoftware Asset Management and SBOM
Software Inventory - why it's so important:
Software inventory minimum requirements:
→ Name and version of every installed application
→ License information (compliance!)
→ Patch status and known CVEs
→ Installed for whom? (Asset association)
→ Installation date and last update
Automatic software inventory:
Windows (WMI):
wmic product get Name, Version, InstallDate, InstallLocation
# Via PowerShell (all installed programs):
Get-WmiObject -Class Win32_Product | Select Name,Version,Vendor |
Sort Name | Export-Csv software-inventory.csv
# Better: Also from the registry:
Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall |
Get-ItemProperty | Select DisplayName,DisplayVersion,Publisher |
Sort DisplayName
Linux (Debian/Ubuntu):
dpkg --list | awk '{print $2, $3}' > software-inventory.txt
# RPM (RHEL/CentOS):
rpm -qa --queryformat '%{NAME} %{VERSION}\n' > software-inventory.txt
SBOM (Software Bill of Materials):
What is SBOM?
→ Complete inventory of all software components
→ Includes all libraries and their dependencies
→ Standard formats: SPDX (ISO/IEC 5962), CycloneDX
→ Mandatory under a U.S. Executive Order (May 2021) for U.S. government software
→ Increasingly expected in the EU under NIS2 and the CRA (Cyber Resilience Act)
Generate an SBOM with Syft:
# Scan a Docker image:
syft myapp:latest -o spdx-json > sbom-myapp.json
# Scan a source code repository:
syft dir:./src -o cyclonedx-json > sbom-source.json
# Check SBOM for vulnerabilities with Grype:
grype sbom:./sbom-myapp.json
# Shows: all known CVEs in dependencies!
Log4Shell lesson: "Am I using log4j?"
Without SBOM: weeks of manual searching
With SBOM: grep "log4j" sbom-*.json → immediate answerHardware Lifecycle Management
Hardware Lifecycle and Security Risks:
End-of-Life (EOL) / End-of-Support (EOS):
EOL means: no more security patches!
Every known vulnerability remains permanently unpatched.
Critical EOL dates (2026):
Windows 10: October 2025 (EOS!) → migrate immediately!
Windows Server 2012: October 2023 (EOS!) → migrate immediately!
Windows Server 2016: January 2027 → Plan migration!
PHP 8.1: December 2025 → Upgrade!
CentOS 7: June 2024 (EOS!) → Migrate!
Python 3.8: October 2024 (EOS!)
ITAM Process for EOL Management:
1. Record all assets with OS/software version in CMDB
2. Automatically load EOL data from vendor feeds
3. Trigger alert when < 12 months until EOL
4. Budget planning: Allocate budget for migration/replacement
5. Document exceptions + accept risk + mitigate
Hardware replacement cycle:
Workstations: 4–5 years
Laptops: 3–4 years
Servers: 5–7 years
Network switches: 7–10 years (with firmware support!)
Firewalls: 3–5 years
Storage: 5–7 years
Why short cycles? Hardware security vulnerabilities:
→ Spectre/Meltdown: Hardware firmware update required
→ Log4Shell on embedded devices: rarely patchable
→ Older hardware: no TPM 2.0 → no Windows 11, no BitLocker
→ IoT devices: often no security updates after 2–3 yearsITAM for Compliance
ITAM requirements in standards and laws:
ISO 27001:2022:
A.5.9: Inventory of information and other assets
→ "Complete and up-to-date inventory"
→ Classification based on protection requirements
A.5.10: Acceptable use of information and other assets
→ Usage rules for classified assets
A.5.11: Return of assets
→ Exit procedure: return all assets!
NIS2 Art. 21:
→ "Assets and risks must be known"
→ Complete asset inventory as a basis
BSI IT-Grundschutz:
ORP.1: Organization
→ Asset inventory explicitly required
Audit documentation:
What auditors want to see:
□ Complete asset inventory (< 6 months old)
□ Asset owners for all critical assets
□ Classification by protection requirements
□ EOL/EOS management documented
□ Process for new assets (onboarding) and old ones (decommissioning)
□ Regular review (frequency documented)
Quick-win checklist:
□ Create inventory table (asset, owner, OS, version, IP)
□ Nmap scan against your own network: what unknowns are found?
□ Windows WSUS / SCCM: how many devices are missing patches?
□ Identify all devices that haven’t been updated in > 90 days
□ EOL check: which OS/software is running out of support?Questions about this topic?
Our experts advise you free of charge and without obligation.
About the Author
Dipl.-Math. (WWU Münster) und Promovend am Promotionskolleg NRW (Hochschule Rhein-Waal) mit Forschungsschwerpunkt Phishing-Awareness, Behavioral Security und Nudging in der IT-Sicherheit. Verantwortet den Aufbau und die Pflege von ISMS, leitet interne Audits nach ISO/IEC 27001:2022 und berät als externer ISB in KRITIS-Branchen. Lehrbeauftragter für Communication Security an der Hochschule Rhein-Waal und NIS2-Schulungsleiter bei der isits AG.
3 Publikationen
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)
