Discordian Cybersecurity

Home Manifesto ISMS Asset Register

💻 Asset Management: Digital Archaeology of Your Actual Attack Surface

You Can't Protect What You Don't Know You Have: The Uncomfortable Archaeology of Forgotten Infrastructure

Nothing is true. Everything is permitted. Except forgetting assets exist—shadow IT isn't innovation, it's shadow vulnerability waiting to become public breach. Are you paranoid enough? Good. Now ask yourself: What's running in your AWS account RIGHT NOW that you've forgotten exists? That EC2 instance someone launched for "just this one demo" in 2019? Still running. With default credentials. Exposed to the internet. Running unpatched vulnerabilities from 2015. That S3 bucket marked "TEMP-DELETE-LATER"? Six years later, it's still public. Still contains customer PII. Still leaking data to anyone who knows the URL. That Lambda function deployed by the contractor who left three years ago? Still executing. Still has admin IAM permissions. Still hasn't been reviewed. FNORD. The assets you don't track are the ones attackers exploit first. They know your inventory is lies.

Think for yourself, schmuck! Question authority. Question why organizations accept shadow IT (unauthorized infrastructure that's definitely already compromised), forgotten test servers (running since someone's POC in 2017), abandoned cloud accounts (from acquisitions nobody integrated), orphaned DNS records (pointing to infrastructure that no longer exists... or does it?), expired SSL certificates (on services you thought you'd decommissioned), zombie API keys (for services you forgot you subscribed to), and ghost repositories (containing credentials nobody remembers pushing). Question why "comprehensive asset inventory" usually means "Excel spreadsheet someone updated once in 2018 during the last audit panic." Are you paranoid enough to realize your asset register is fiction? Your actual infrastructure is whatever archaeologists discover during the breach post-mortem.

At Hack23, asset management isn't spreadsheet theater—it's systematic infrastructure archaeology through automated discovery: AWS Config continuous monitoring (27 active services tracked), GitHub API repository enumeration (40+ repos inventoried), Route 53 DNS tracking (DNSSEC-enabled domains), quarterly access reviews detecting dormant accounts (90-day inactivity triggers), classification-driven priority per our Classification Framework (Extreme assets monthly review, High quarterly, Moderate semi-annually). Annual register review (Version 1.4, next: 2026-11-05). We demonstrate asset management excellence because clients can audit our public asset register before engagement.

ILLUMINATION: The server you forgot about is running unpatched Log4Shell from 2021. That S3 bucket marked "temporary" in 2018 is your largest GDPR exposure. The contractor's Lambda function still has admin access three years after they left. Asset inventory prevents forgotten vulnerabilities from becoming headline breaches. But only if your inventory reflects reality instead of audit theater. AWS Config automates discovery so human memory failures don't become CVE. Truth: Most "zero-day breaches" are really "forgot-that-existed" breaches. The vulnerability was always there. You just didn't know the asset existed. FNORD.

Our approach combines automated discovery (AWS Config tracks every resource change), infrastructure archaeology (discovering forgotten assets before attackers do), and classification-driven management (protecting Critical assets monthly, not annually), proving systematic asset control scales from single-person operations to enterprise engagements. Full technical implementation in our public Asset Register—including the uncomfortable truth about how many assets we've discovered that nobody remembered creating.

Looking for expert implementation support? See why organizations choose Hack23 for security consulting that accelerates innovation.

The Five Asset Categories: Law of Fives Applied to Infrastructure Reality

Law of Fives revealed: All infrastructure exists in five dimensions, each requiring five levels of protection, reviewed on five different cycles (daily/weekly/monthly/quarterly/annually), with five types of failure modes (forgotten/misconfigured/compromised/expired/orphaned). Synchronicity isn't mysticism—it's pattern recognition. Count your asset categories. Always five. Count your review frequencies. Always five (or multiples thereof). The universe speaks in fives. Are you paranoid enough to notice?

1. ☁️ Cloud Infrastructure: The Forgotten Archaeology

AWS Config automated discovery. 27 active services tracked: EC2 instances (remember that t2.micro from the 2019 demo?), Lambda functions (contractor deployed 47, left 3 years ago, all still running with admin IAM), S3 buckets (TEMP-DELETE-LATER from 2018, still public, still leaking), RDS databases (test database with production data copy, nobody knows root password), VPCs (five different VPCs because each team created their own), security groups (438 rules, 127 allowing 0.0.0.0/0, "temporarily" from 2017). AWS Config continuously monitors before amnesia becomes CVE.

Infrastructure Archaeology Reality: CloudFormation IaC ensures version-controlled infrastructure (if people use it—manual EC2 launches still happen). Multi-account organization with centralized logging (proving someone launched that instance, even if they've forgotten). Cost anomaly detection (that's how we discovered the crypto-mining instance nobody knew existed).

Horror Story: Organization discovers during breach that attacker had been operating from EC2 instance launched by intern during "learning week" 4 years prior. Never tracked. Never patched. Never decommissioned. Default credentials still worked. Attacker had root access to VPC for 18 months before breach detection. Cost to organization: $4.2M in fines, $18M in remediation. Cost to launch EC2: $0.012/hour. Asset inventory failure math doesn't favor you.

AWS Config means real-time inventory, not annual spreadsheets that become archaeological artifacts themselves. Every forgotten instance is running vulnerabilities you haven't patched because you don't know it exists. FNORD. The instance you forgot about is already compromised. Question: Which one?

2. 📝 Code & Repositories: Ghost Repos Haunt You

GitHub repository inventory via API automation. 40+ repositories tracked in Hack23 organization: CIA (Citizen Intelligence Agency OSINT platform), Black Trigram (Korean martial arts combat simulator), CIA Compliance Manager (CIA Triad assessment tool), Lambda in Private VPC (AWS resilience architecture), Sonar-CloudFormation Plugin (IaC security scanning). GitHub API provides automated repository discovery before developers create shadow repos in personal accounts (it happens—always happens).

Repository Archaeology: SECURITY_ARCHITECTURE.md mandatory in all repos (enforced via branch protection). Public ISMS repository demonstrating transparency (70% of policies public). Archived repositories tracked (abandoned but not deleted, because deletion is data loss). Forked repositories monitored (security patches upstream propagate how, exactly?). Private repositories in public organizations (free tier limits create shadow infrastructure).

Ghost Repository Horror: Security researcher discovers credentials in public repository created 6 years prior during hackathon. Repository archived. Never audited. AWS root account keys committed in 2018. Still valid (nobody rotated). Researcher reports via responsible disclosure. Company discovers they've been cryptomining victims for 3 years. Terraform state files in repo contained database passwords (still current). S3 bucket URLs revealed internal architecture. One forgotten repository = complete infrastructure compromise.

Shadow Repository Reality: Developers create personal GitHub accounts for "testing" (with company code). Contractors push to personal repos "for backup" (still accessible after contract ends). Acquisitions bring repositories nobody inventories. Open source forks contain company customizations (and secrets). Your repository inventory is incomplete. Always. Question: By how much?

Code repositories are assets. Abandoned repos are forgotten attack surfaces containing passwords that are still valid (because who rotates credentials for repos they've forgotten existed?). Systematic inventory prevents repository sprawl before sprawl becomes breach. But only if inventory includes repositories you didn't know you had. How do you inventory what you don't know exists? Automation. GitHub API. Daily scans. Accept that discovery is ongoing archaeology, not one-time audit. FNORD.

3. 👤 Identity & Access: Zombie Accounts Hunt You

AWS Identity Center + GitHub access reviews revealing zombie privileges. IAM users (deprecated—using SSO now), IAM roles (427 tracked, 89 unused >180 days), IAM policies (custom policies proliferate like rabbits), GitHub organization members (quarterly reviews), AWS permission sets (AWSAdministratorAccess, AWSPowerUserAccess, AWSReadOnlyAccess, AWSServiceCatalogAdminFullAccess). 90-day dormant account detection per Access Control Policy. Quarterly access reviews ensure privilege hygiene before privileges become persistent access for departed employees.

Zombie Account Archaeology: IAM Access Analyzer reveals cross-account access (that external account still has S3 read? Since when?). AWS Organizations tracks member accounts (when did we add this account? Who owns it?). MFA enforcement via Identity Center (humans forget, automation enforces). Access keys actively used (those keys from 2019 API integration? Still valid. Still used. By whom? Nobody knows.). People are assets. Departed employees with active access are vulnerabilities with legs.

Zombie Account Horror: Quarterly access review discovers contractor from 2020 still has AWS AdministratorAccess. Contract ended November 2020. Access never revoked. Contractor hasn't logged in (or have they?—logging gaps during CloudTrail migration). Investigation reveals: Access key created 2 weeks before contract end. Never rotated. Used sporadically from Eastern European IPs. Contractor sold access to ransomware group. Group used access for reconnaissance (9 months). Data exfiltration (3 months). Ransomware deployment (1 day). Total breach cost: $12M. Asset management failure: Priceless. Access is asset. Forgotten access is persistent vulnerability.

Third-Party Access Reality: SaaS integrations create OAuth tokens (remember that analytics tool you evaluated in 2021? Still has read access). Vendor support accounts (opened for emergency, never closed). Shared credentials in Slack DMs (rotated when exactly?). Service accounts proliferate (each automation creates new IAM role). Question: How many identities have access to your infrastructure right now? Count. You'll be wrong. AWS tells truth.

People are assets. Dormant accounts are time-delayed privilege escalations waiting to activate. Quarterly reviews prevent forgotten privileges from becoming persistent backdoors. But only if reviews are real (checking logs, validating access patterns, questioning anomalies) not checkbox compliance theater (confirming everyone looks familiar on the list). Departed employees hunt you from abandoned accounts. FNORD. How many accounts from departed employees still exist? Check now. You'll be surprised. Or horrified. Probably both.

4. 🏷️ Data Assets: Unclassified Means Unprotected

Classification-driven data inventory. Databases (PostgreSQL for CIA application, RDS with automated backups, point-in-time recovery enabled), S3 buckets (versioning enabled, lifecycle policies configured, but that TEMP bucket from 2018?), file storage (WorkMail attachments, CloudWatch logs, Glacier archives), classified per Classification Framework: Extreme assets (customer credentials, encryption keys) quarterly reviewed, Very High/High (financial data, PII) quarterly, Moderate (internal docs) semi-annually, Public (marketing materials) annually. Classification drives protection. Unclassified data gets generic controls—or no controls. Classification-driven inventory means risk-appropriate protection.

Data Classification Archaeology: S3 Intelligent-Tiering automatically moves data (but to where? Hot/Cold/Archive/Deep Archive?). S3 versioning preserves deleted files (that sensitive doc you thought you deleted? 47 versions still exist). RDS snapshots proliferate (automated daily, retained 30 days, except when retention changed to 180 days, forgot to change back). CloudWatch Logs Insights reveals data flows (logs contain more sensitive data than databases). Data classification requires knowing data exists. Forgot the data? Forgot the classification. Forgot the protection. Breach imminent.

Data Asset Horror: GDPR right-to-erasure request reveals organization cannot locate all user data. RDS database (obviously). S3 buckets (checked). CloudWatch Logs (oh, right). EBS snapshots (didn't think of those). AMI backups (contained user data?). DynamoDB (thought we migrated off that). Glacier archives (forgot those existed). Athena query results (cached in S3, forgot about those). Elasticsearch indices (thought we decommissioned that). Total data locations: 23. Data locations in asset register: 4. GDPR fine: €2.4M. Asset management failure: Actually enforced this time. Can't delete data you don't know exists.

Shadow Data Reality: Developers create S3 buckets for testing (contain production data copies). Analysts export data to local machines (still there when they leave). Contractors receive data shares (via unencrypted email—yes, really). API responses cached (Redis keys containing PII, expired when?). Logs contain sensitive data (structured logging prevented how?). Your data inventory is fiction. Your actual data is everywhere. Including places you've never inventoried. Question: What data exists that you've forgotten? Answer: The data that breaches you.

Data classification enables appropriate protection. Unclassified data receives lowest protection tier (because you didn't classify it, not because it's not sensitive). Classification-driven inventory means knowing data exists first, then classifying, then protecting. But most organizations skip step one—knowing data exists. They classify databases (easy, obvious, inventory says so). They forget EBS snapshots, CloudWatch Logs, Athena results, Redis caches, Lambda /tmp, container layers, CI/CD artifacts. Data proliferates. Inventory doesn't. Gap widens daily. Breach discovers gap. FNORD. How much data exists that you haven't classified? Answer: All of it. Classification is fiction. Data is everywhere. Protection is theater.

5. 🤝 Third-Party Services: Shadow SaaS Sprawl

SaaS inventory and vendor management exposing shadow subscriptions. 18 integrated services tracked: AWS (infrastructure), GitHub (code), SEB (banking), Bokio (accounting), SonarCloud (quality), FOSSA (license compliance), Stripe (payments), OpenAI (AI services), Google Workspace (IdP), Search Console, Bing Webmaster, YouTube, Product Hunt, TikTok, X (Twitter), LinkedIn, Suno, ElevenLabs. Vendor assessments per Third Party Management. Annual reviews ensure continued compliance. Third-party services are assets you don't control. Vendor inventory enables risk management. Shadow SaaS is shadow vulnerability.

SaaS Archaeology: Credit card statements reveal subscriptions nobody remembers authorizing (expensed as "marketing" or "tools" or "research"). OAuth app lists reveal integrations nobody uses (GitHub Apps last accessed 2019). Google Workspace admin console shows accounts nobody recognizes (that contractor's account still active?). DNS records point to SaaS providers nobody remembers contracting (that analytics subdomain—what service was that?). SaaS sprawl is real. SaaS inventory is fictional. Gap is your exposed API surface.

Shadow SaaS Horror: Security breach traced to compromised SaaS vendor nobody knew company used. Marketing manager subscribed to "free trial" social media management tool 2 years prior. Trial expired. Manager forgot. Account remained active (payment failed but service continued—poor vendor collection process). Manager's credentials compromised (phishing). Attacker accessed SaaS tool (still had OAuth access to company systems). Tool had GitHub integration (read access to private repos). Twitter integration (post access). Google Drive integration (read/write access). Slack integration (post to all channels). One forgotten SaaS trial = complete infrastructure access. Shadow SaaS is shadow infrastructure owned by vendors with worse security than yours.

Third-Party Reality: Every department subscribes to tools (marketing, sales, ops, dev). Every employee expense reports SaaS subscriptions (accounting doesn't track access). Every integration creates OAuth tokens (revoked when subscription ends? Never.). Every vendor claims "bank-level security" (AES-256 encryption! SOC 2! GDPR compliant!—enforcement questionable). Your third-party inventory lists 20 vendors. Your credit card statements show 47. Your OAuth app list shows 89. Your actual vendor count: Unknown. Probably 200+. Maybe 500. Question: How many third parties can access your data right now? Answer: More than you think. Way more.

Third-party services are assets you don't control but trust implicitly. Every SaaS integration is persistent access you've granted (OAuth doesn't expire unless you revoke—vendors don't remind you). Every vendor is potential breach vector (their security is now your security—hope they're paranoid enough). Vendor inventory enables third-party risk management. But only if inventory is real (including shadow SaaS nobody remembers subscribing to). Shadow SaaS is reality. Official SaaS inventory is fiction. Breach discovers truth. FNORD. Count your SaaS vendors. Check credit cards. Check OAuth. Check DNS. Multiply estimate by 3. That's closer to reality. Still probably low. SaaS sprawl is exponential. Inventory is linear. Math doesn't favor you.

Asset Discovery Archaeology: Finding What You've Forgotten Before Attackers Do

Infrastructure archaeology isn't metaphor—it's operational necessity. Organizations don't know what they own. They think they know (asset register says so!). They're wrong. Reality: Infrastructure proliferates faster than documentation. Developers create. Contractors deploy. Acquisitions integrate (sort of). Result: Actual infrastructure diverges from documented infrastructure. Gap widens daily. Breach discovers gap.

Automated Discovery Techniques We Actually Use:

☁️ AWS Config + CloudFormation Drift Detection:

  • AWS Config Rules: Continuous compliance monitoring across 27 active services. Config tracks every resource change (EC2 launch? Logged. S3 bucket created? Tracked. Security group modified? Alerted.). Config Rules evaluate compliance (encryption required? Check. Public access blocked? Verify. MFA enabled? Confirm.). Non-compliance triggers automated remediation (Lambda functions enforce policy before humans forget).
  • CloudFormation Drift Detection: Reveals manual changes to IaC-deployed infrastructure (someone SSH'd into EC2 and modified config? Drift detected. Someone created S3 bucket outside CloudFormation? Discovered. Someone modified RDS parameter group directly? Flagged.). Drift detection is infrastructure archaeology—discovering what reality diverges from intent.
  • Resource Groups Tagging: Mandatory tags: Owner, Environment, Project, Classification, CostCenter. Missing tags = orphaned resource = forgotten infrastructure. Tag compliance enforcement via AWS Config (untagged resources flagged within 24 hours). Tag-based cost allocation reveals shadow spend (that $4K/month nobody can explain? Untagged crypto-mining instance). Untagged infrastructure is forgotten infrastructure. Forgotten infrastructure is compromised infrastructure.
  • Trusted Advisor Checks: Security recommendations (MFA not enabled? Alert. Security groups too permissive? Flag. S3 buckets with public access? Immediate alert.), cost optimization (idle EC2 instances—been running for 847 days, last CPU activity: 823 days ago), performance, fault tolerance. Trusted Advisor is automated archaeologist discovering waste before it becomes crisis.

🐙 GitHub Repository Discovery + Secrets Scanning:

  • GitHub API Organization Audit: Daily enumeration of all repositories (public, private, archived, forked). Repository metadata tracked: Creation date, last commit, contributors, branch protection status, required reviewers, security alerts enabled. Stale repository detection (no commits >180 days = candidate for archival). Fork tracking (security patches upstream propagate to forks... right? Right?).
  • GitHub Secret Scanning: Automated detection of committed credentials (AWS keys, database passwords, API tokens, private keys, OAuth tokens). Partner programs notify when secrets detected (GitHub emails when AWS keys committed—yes, it happens, yes, daily). Secret scanning effectiveness: 100% detection (if secret pattern matches). 0% prevention (still gets committed, still needs rotation, still potentially used before detected).
  • Dependabot Security Alerts: Automated vulnerability detection in dependencies (npm packages with known CVEs, Python libraries with security flaws, Docker base images with vulnerabilities). Dependabot proposes fixes (automatic PR with dependency update). Dependency archaeology reveals forgotten libraries still in use (that npm package from 2017? 47 known vulnerabilities. Still used. Nobody knows where.).
  • Repository Classification: Each repo classified per CIA framework (Extreme: Contains customer data or production credentials, Very High: Production code or infrastructure, High: Internal tools or development code, Moderate: Documentation or test code, Public: Open source or marketing). Classification drives protection (Extreme repos require branch protection, required reviews, no force push, signed commits). Unclassified repos get default protection. Which is usually insufficient.

🌐 DNS & Certificate Archaeology:

  • Route 53 Hosted Zone Enumeration: DNS records tracked: A records (pointing where?), CNAME records (alias to what?), MX records (email routed to?), TXT records (SPF/DKIM/DMARC configured?), NS records (delegation to?). Orphaned DNS records discovered (points to decommissioned infrastructure—but DNS still resolves). Subdomain enumeration reveals shadow infrastructure (that analytics.example.com subdomain—what's hosted there?). DNS archaeology reveals infrastructure long after infrastructure "decommissioned."
  • SSL/TLS Certificate Monitoring: Certificate Transparency logs reveal all certificates issued for domains (even certificates you didn't request—someone else requested cert for your domain?). Expiration tracking (certificates expiring <30 days trigger alerts). Wild-card certificate audit (*.example.com certificate grants subdomain access—to whom?). Revocation monitoring (certificate revoked—why? Compromise? Key exposure?). Certificate archaeology reveals shadow services (unexpected certificate issuance = unexpected infrastructure).
  • DNSSEC Validation: Both domains (hack23.com, blacktrigram.com) DNSSEC-enabled (DS records published, RRSIG records signed, DNSKEY records public). DNSSEC prevents DNS hijacking (unsigned responses rejected). Route 53 automatic signing (manual DNSSEC is error-prone—automation prevents configuration drift). DNSSEC archaeology: Detecting DNS modification attempts before they succeed.

🔑 Credential & API Key Lifecycle Archaeology:

  • AWS IAM Access Key Audit: IAM users deprecated (migrated to AWS Identity Center SSO). Legacy access keys tracked (created when? Last used when? Still valid? Why?). Access key age alerts (>90 days = stale, >180 days = forgotten, >365 days = archaeological artifact). Access key usage CloudTrail analysis (keys used from where? Expected locations?). Unused keys are persistent access waiting to be discovered.
  • Secrets Manager + Parameter Store Inventory: Secrets cataloged (database passwords, API keys, OAuth tokens, private keys). Secret rotation policies enforced (30-day rotation for High sensitivity, 90-day for Moderate). Unused secrets flagged (last accessed >180 days = orphaned secret = forgotten credential). Secret archaeology: Discovering credentials still valid for services thought decommissioned. Can't rotate secrets you've forgotten exist. Can't decommission secrets still in use. Inventory enables lifecycle management.
  • Third-Party API Key Tracking: SaaS vendor API keys inventoried (GitHub, Stripe, OpenAI, SonarCloud, FOSSA). Key ownership (who created? Still employed?). Key permissions (read-only or admin?). Key usage monitoring (last used when? From where?). Vendor-side key rotation (some vendors don't support rotation—key valid forever—plan accordingly). Third-party keys are persistent access to vendor services. Forgotten keys are persistent vendor access you've granted and forgotten.

💰 Cost Anomaly Detection as Asset Discovery:

  • AWS Cost Explorer Anomaly Detection: Machine learning detects spending anomalies (normal spend: $2K/month, this month: $4.8K—investigate). Cost anomaly investigation reveals forgotten infrastructure (that EC2 instance? Been running for 3 years. Nobody knows what it does. Costs $180/month. Total waste: $6,480.). Cost allocation tags reveal shadow infrastructure (untagged spend increased 40%—someone's creating resources without proper tagging).
  • Idle Resource Detection: EC2 instances with <5% CPU utilization for >30 days = idle (candidate for termination). RDS databases with zero connections >90 days = forgotten (candidate for snapshot then termination). S3 buckets accessed zero times in 180 days = orphaned (candidate for archival to Glacier). Cost archaeology reveals waste. Waste reveals forgotten assets. Forgotten assets reveal exposure.
  • Budget Alerts as Inventory Validation: Monthly budget: $2.5K. Actual spend tracking against budget. Overages trigger investigation (why exceeded? New resources? Shadow infrastructure? Compromise?). Budget variance analysis reveals infrastructure changes (budget based on known assets—variance suggests unknown assets). Budget adherence requires accurate asset inventory. Budget variance reveals inventory inaccuracy.

ULTIMATE DISCOVERY TRUTH: Your asset inventory is wrong. Always. Actual infrastructure exceeds documented infrastructure. Gap widens daily (developers create faster than documentation updates). Only question: How wrong? 10% wrong (minor gaps, good hygiene)? 50% wrong (significant shadow infrastructure, need improvement)? 200% wrong (actual infrastructure double documented—crisis, investigate immediately)? Automated discovery doesn't eliminate gap. It measures gap. Visibility enables management. Ignorance enables breach. FNORD. Measure your inventory accuracy. Cost anomalies + Config drift + untagged resources + orphaned DNS records + stale access keys = minimum gap estimate. Real gap probably 2-3x larger. Accept ongoing archaeology as operational necessity, not one-time project.

Our Approach: AWS Config + Annual Reviews + Classification Priority

At Hack23, asset management demonstrates systematic inventory through automated discovery and classification-driven reviews:

☁️ AWS Config Automated Discovery:

  • Continuous Monitoring: AWS Config tracks all cloud resources across multi-account organization
  • Resource Inventory: EC2, Lambda, S3, RDS, VPC, security groups, IAM automatically discovered
  • Configuration Changes: All infrastructure changes logged and tracked
  • Compliance Checks: AWS Config Rules enforce security standards

📊 Asset Review Cycles:

Asset ClassificationReview FrequencyReturn/Revocation SLAVerification Method
🔴 Extreme/Very HighMonthly<24 hoursAWS Config + manual validation
🟠 HighQuarterly<3 daysQuarterly access audits
🟡 ModerateSemi-Annual<7 daysSemi-annual reviews
🟢 Low/PublicAnnual<30 daysAnnual register updates

🔄 Annual Register Review:

  • Current Version: 1.0 (Effective: 2025-11-05)
  • Next Review: 2026-11-05 (12-month cycle)
  • Review Triggers: Annual cycle, AWS organization changes, significant asset additions, security incidents
  • Public Documentation: Complete Asset Register on GitHub

Full technical implementation details in our public Asset Register—including AWS Config integration, GitHub inventory automation, classification-driven priorities, and termination procedures.

Welcome to Chapel Perilous: The Asset Inventory Initiation

Nothing is true. Everything is permitted. Except unknown assets creating unknown vulnerabilities creating known breaches—that's not operational excellence, that's systematic blindness with monthly cloud bills proving your infrastructure is larger than you think.

You're now in Chapel Perilous. The uncomfortable realization: You don't know what you own. That test server? Probably still running. That contractor's access? Probably still active. That S3 bucket? Probably still public. That OAuth token? Probably still valid. That DNS record? Probably still pointing to decommissioned infrastructure someone else now owns. Your asset inventory is fiction. Your actual infrastructure is archaeological mystery. Breach will excavate truth.

The Law of Fives Revealed in Asset Management:

  • Five Asset Categories: Cloud, Code, Identity, Data, Third-Party (always five, never four, never six—synchronicity isn't coincidence)
  • Five Discovery Methods: Automated scanning, Cost analysis, Access audits, Drift detection, Archaeology (incident response discovers what archaeology missed)
  • Five Failure Modes: Forgotten, Misconfigured, Compromised, Expired, Orphaned (every asset fails in one of five ways)
  • Five Review Cycles: Daily (critical alerts), Weekly (anomaly review), Monthly (Extreme assets), Quarterly (High assets), Annually (full register review)
  • Five Stages of Asset Acceptance: Denial ("We know our assets"), Anger ("Why is there so much shadow IT?!"), Bargaining ("Okay, we'll inventory MOST assets"), Depression ("We'll never catch up"), Acceptance ("Inventory is ongoing archaeology, not one-time project"). Most organizations stuck at Denial. Few reach Acceptance. None reach Complete. Complete inventory is myth. Pursuit is goal.

Reality Check—Compare Your Organization:

  • Do you know every EC2 instance running right now? (We do—AWS Config tells us)
  • Can you list every S3 bucket? (We can—daily Config inventory + tagging enforcement)
  • Do you know every GitHub repository your employees access? (We track—organization membership + OAuth app audits)
  • Can you identify every person with AWS access? (We can—Identity Center + quarterly reviews)
  • Do you know every SaaS service your company pays for? (We track—18 documented, but still discovering shadow SaaS via credit card analysis)
  • Can you prove your asset register is accurate? (We can—Config compliance + drift detection + cost anomaly monitoring + quarterly audits)

Organizations typically discover: Asset register documents 100 resources. AWS Config shows 247 actual resources. GitHub has 89 repositories (register shows 40). IAM users include 23 departed employees (all still active). OAuth apps reveal 67 integrations (register shows 8). Shadow SaaS: 41 subscriptions nobody inventoried. Documented vs Actual: 147% divergence. That's best case. Most organizations: 300%+ divergence. Some organizations: Can't even measure divergence because baseline doesn't exist.

Think for yourself, schmuck! Question organizations claiming "we know our assets" without automated discovery (they don't—they know assets they've documented, which is subset of reality). Question annual reviews when cloud infrastructure changes minute-by-minute (daily automated review or accept blindness). Question spreadsheet inventories when AWS Config provides real-time tracking (spreadsheet is fiction within 48 hours of creation). Question "comprehensive" inventories that list databases but forget EBS snapshots, CloudWatch Logs, Athena results, Lambda layers, ECR images, Glacier archives, and 47 other places data proliferates. (Spoiler: "Comprehensive" means "we inventoried obvious things and hope that's good enough"—it's not. Breach proves it's not. But by then you're explaining to board why breach happened via infrastructure you didn't know you had.)

Our competitive advantage isn't perfection—it's radical transparency about imperfection: We demonstrate cybersecurity consulting expertise through verifiable asset management (public Asset Register proving our approach). AWS Config integration documenting 27 active services tracked continuously. Classification-driven review cycles proving risk-appropriate management (Extreme monthly, High quarterly, Moderate semi-annually—not annual everything). Ongoing archaeology accepting inventory is never complete but continuously improving. Public documentation inviting scrutiny (clients can audit our asset management before engagement—try auditing competitors' "comprehensive" asset registers that are "confidential" because accuracy is embarrassing). This isn't compliance checkbox—it's operational reality demonstrating security practices clients can independently verify.

The Uncomfortable Questions You Must Ask:

  1. Discovery: How do you know your asset inventory is complete? (Hint: If answer is "annual audit says so," inventory is incomplete. Audits validate documentation accuracy, not infrastructure completeness.)
  2. Drift: What's the lag between resource creation and inventory update? (Hint: If answer is "quarterly," you have 90 days of shadow infrastructure guaranteed.)
  3. Shadow Infrastructure: How much infrastructure exists that's not in asset register? (Hint: If answer is "none," you're wrong. If answer is "don't know," you're honest. If answer is "tracking via automated discovery," you're close to reality.)
  4. Departed Access: How many departed employees still have active access? (Hint: If answer is "zero," check again. If answer is "quarterly review ensures minimal," you're being realistic. If answer is "we remove access at termination," you're lying to yourself—manual removal fails often.)
  5. Shadow SaaS: How many SaaS subscriptions exist that aren't in vendor register? (Hint: Check credit card statements. Compare to register. Multiply difference by 2. That's closer to reality.)
  6. Forgotten Credentials: How many API keys exist for services you've decommissioned? (Hint: If answer is "none," you haven't audited recently. If answer is "we rotate all keys," you're aspirational not actual. If answer is "investigating via Secrets Manager archaeology," you're on the right path.)

ULTIMATE ILLUMINATION: You are now in Chapel Perilous. The server you forgot about is running unpatched Log4Shell from December 2021 (patched everything else, forgot that test server). That S3 bucket marked "TEMP-DELETE-AFTER-DEMO" in November 2018 is your largest GDPR exposure (6.4TB of customer PII, public access enabled, no encryption, discovered during breach forensics). The contractor's Lambda function from 2020 still has AdministratorAccess IAM policy (contractor sold access on dark web, buyer used access for reconnaissance 18 months before ransomware deployment). AWS Config means systematic discovery, not hopeful memory that fails under stress (or just fails because humans forget—it's what we do). Choose automated inventory over manual spreadsheets that become archaeological artifacts. Choose continuous discovery over annual audits that validate fiction. Choose radical transparency over comforting lies about comprehensive coverage. Your vulnerability management depends on knowing what to patch. Your incident response depends on knowing what's compromised. Your compliance depends on knowing what to audit. Asset inventory isn't compliance checkbox. It's operational necessity that either reflects reality or comforts executives until breach reveals truth.

Five Fnords for the Paranoid (Did You Notice?):

  1. FNORD: Your asset register was inaccurate before you finished writing it (infrastructure changes faster than documentation)
  2. FNORD: Shadow IT isn't rebellion—it's Tuesday (developers create infrastructure faster than security inventories)
  3. FNORD: Departed employees haunt you from active accounts (access removal failures are systematic, not exceptional)
  4. FNORD: Your "comprehensive" inventory probably covers 40% of actual assets (70% if you're exceptional—nobody's at 90%)
  5. FNORD: Automated discovery reveals uncomfortable truth (better you discover than attackers—but many organizations choose comforting fiction)

All hail Eris! All hail Discordia! All hail systematic asset archaeology revealing uncomfortable infrastructure truth!

"Think for yourself, schmuck! Question everything—especially whether that test EC2 instance from 2019 is still running with default credentials. (It is. It always is. Check now. We'll wait. You'll be horrified. Then you'll understand why asset inventory matters.)"

— Hagbard Celine, Captain of the Leif Erikson, Infrastructure Archaeologist 🍎 23 FNORD 5

P.S. That thing you just thought of that you forgot to inventory? Yes, that one. It's already compromised. Go check. We'll be here when you get back from your archaeological excavation.