
The limitations of vulnerability scanners for cyber asset management

Keeping assets safe is a big part of security programs. But how can you keep your assets safe if you don’t even know about them? That’s where asset inventory comes in. Some people try to build an asset inventory using vulnerability scanners. Others combine that vulnerability data with information about their unmanaged assets, even orphaned and rogue devices. That’s what cyber asset attack surface management (CAASM) or cyber asset management is about.


How vulnerability scanners fail at asset inventory

Theoretically, security teams can scan their entire local network for vulnerabilities. In practice, it’s too difficult operationally. Let’s dig into this.

  1. Corporate IoT and OT equipment
    Many vulnerability scan configurations exclude IoT and OT devices. Offices contain many IoT devices like your printers, thermostats, and surveillance cameras. Robotic arms, biomedical devices, and traffic signs are examples of operational technology (OT) devices. They often rely on archaic or uncommon network stacks that can’t handle unexpected input from an aggressive security probe. The device easily freezes or crashes, so security teams exclude them from most vulnerability scans. Some vulnerability scanners are smart enough to detect and automatically exclude fragile devices, but in doing so they also leave a gap in the asset inventory.
  2. Long scan times
    Vulnerability scanners need to cover hundreds of thousands of exposures, each of which requires time and bandwidth to complete. Extrapolate this requirement to your entire enterprise and it’s not a surprise that some vulnerability scans can take weeks to complete. These slow scan cycles lead to stale asset data, and the problem gets worse when a scan has to be split across multiple maintenance windows.
  3. Phantom assets
    Some vulnerability scanners have trouble differentiating between a response from an actual device and an intermediate firewall response or proxy reflecting the traffic. You end up with non-existent devices in your inventory, sometimes even with operating system details.

The point of cyber asset management is to have a full and accurate inventory of what is connected to your network, from IT to OT, cloud to remote devices. If your data is incomplete or inaccurate, it’s just a list of some assets, not an inventory. Leading vulnerability scanners do not provide a full, accurate, current asset inventory in everyday practice.

Insufficient details from credential-less vulnerability scans

Many vulnerability scanners support a discovery-only mode, or “host discovery mode”, that avoids using credentials and security probes. Because it skips credentials and probes it is faster and can uncover more unmanaged devices, but the results are only marginally better than an ICMP response.

Here’s an example of device details detected by a discovery-only scan of a leading vuln scanner:

  • IPv4 address: 192.168.40.248
  • MAC address: 00:0c:29:59:c4:65
  • Public: No
  • First seen: 05/24/2023 10:39AM
  • Last seen: 05/24/2023 10:39AM

It essentially only includes the IP and MAC addresses of the discovered device – not enough information to be useful for asset inventory.

Potential limitations of vulnerability scanners for managed devices

Vulnerability scanners are a giant collection of security probes you hope can find all the vulnerabilities before the adversary. A vulnerability scanner should be able to collect a ton of information on the devices it can log into. However, vulnerability scanners are not purpose-built for asset inventory and don’t collect as much information as you need in a cyber asset inventory.

Here are the details for the same device as above with a standard authenticated scan by the same product:

  • IPv4 address: 192.168.40.248
  • MAC address: 00:0c:29:59:c4:65
  • Public: No
  • First seen: 05/24/2023 10:39AM
  • Last seen: 05/24/2023 10:39AM
  • Installed software:
    • cpe:/a:apache:http_server:2.4.41
    • cpe:/a:apache:http_server:2.4.99
    • cpe:/a:openbsd:openssh:8.2
    • cpe:/a:elasticsearch:logstash:7.17.6
  • Vulnerabilities:
    • High, Ubiquiti UniFi Network Log4S…, 10, 9.3, 05/24/2023
    • Medium, TLS Version 1.0 Protocol Det…, , 6.1, 05/24/2023
    • Medium, SSL Certificate Cannot Be Tru…, , 6.4, 05/24/2023
    • Medium, SSL Medium Strength Cipher…, 6.1, 5, 05/24/2023
    • Medium, SSL Certificate Cannot Be Tru…, , 6.4, 05/24/2023

125 additional vulnerabilities…

Asset information from this leading scanner includes more details on software and vulnerabilities but few additional asset details, such as exact operating system version or hardware platform.

And the same device scanned by runZero:

Asset information from runZero includes a wealth of information about the device and individual services.

Comparing scans

Let’s compare and contrast what each solution found:

Columns: Host Discovery Scan | Full Vuln Scan | runZero
First seen
Last seen
IP address
Secondary IPs
MAC address
Seen by sensor/scanner
Device type
Operating system
Hardware
Outlier score
Vulnerabilities
Hostnames
Domain names
Ownership
Recent user
Open ports
Searchable banners
Protocols
Software products
Upstream switches & ports

runZero creates an asset inventory from multiple sources, one of which is its proprietary scanner, which does not require credentials. Though it’s an unauthenticated, active scanner, it gathers more details than a vulnerability scanner’s authenticated active scanner because it was purpose-built for asset inventory.

Beyond a lack of detail, vulnerability scanners sometimes simply get it wrong. A large telecom customer used a leading vuln scanner and runZero to scan the same device. The leading vuln scanner fingerprinted it as a CentOS Linux device, but runZero accurately identified it as an F5 load balancer, which happened to be running a CentOS-based firmware. Though the vulnerability scanner was superficially accurate, the shallow detail misled the security team to de-prioritize the risk from that device. A public-facing load balancer and a smart light bulb with a private IP address are meaningfully different for a security team. Knowing the operating system is simply not enough.

Unintended risk exposure while verifying vulnerabilities

Vulnerability scanners must use authenticated active scanners to get onto devices to verify on-box vulnerabilities. Unfortunately, if an adversary has compromised or added any device on the network, they can collect and reuse those credentials for privilege escalation or lateral movement. Limiting the scan scope and only scanning trusted devices makes sense, but that further widens the gaps in your asset inventory.

Risks and uncertainty due to missing devices

You can’t even pretend to manage your security posture if you don’t have a full asset inventory. How can you find end-of-life (EOL) devices, insecure configurations, and vulnerabilities if you don’t even know what’s on the network?

Gaps in your asset inventory mean uncertainty. Vulnerability scanners are superb at probing devices to verify the presence of CVEs, as long as you scan everything you should. Scoping scans without knowing where all devices are means you are not scanning your whole network. It is no surprise that the assets missed by vulnerability scans are often unmanaged devices that are behind on patches; after all, the scanner doesn’t have the credentials to authenticate to them so it cannot do a full assessment. These are the types of devices that an adversary hunts for when looking for a foothold in the environment.

CAASM solutions leverage vulnerability data but go far beyond.

You now understand why vulnerability scanners alone cannot answer the question of asset inventory. However, they can be part of the solution.

CAASM solutions combine vulnerability data with other sources:

  • Corporate security solutions via APIs: Many CAASM solutions integrate with EDR, MDM, vulnerability management solutions, and even productivity tools such as Google Workspace to cover all managed devices.
  • Modern network scanners: Some of the best CAASM solutions also use specialized network scanners optimized for asset inventory to find unmanaged IT and OT devices.

As a best practice, all organizations should scan for vulnerabilities wherever possible, prioritize quickly, and remediate them swiftly. An effective vulnerability management program is an essential defensive undertaking for any mature security organization. A full asset inventory stands alongside vulnerability scanning as a core component of the overall program. Learn more about how asset inventory can improve vulnerability management.

A cyber asset management solution that covers assets from IT to OT, cloud to remote devices

runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with vulnerability management and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.

runZero scales up to millions of devices, but it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices. Find out what’s connected to your network in less than 20 minutes.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero 3.9: Set measurable goals, find urgent issues, and preview of Attack Surface Management!

What’s new with runZero 3.9?

Goals!

runZero Professional and Enterprise customers can now use Goals to set time-bound and query driven targets that are customizable to what matters most to your team. Huge thanks to all of the folks who provided feedback on this feature during the public preview phase.

Goals can be created based on any queryable attribute within runZero. This includes standard fields like operating system versions, end-of-life status, exposed services and protocols, as well as new fields like asset risk, criticality, and ownership. If you can query for it in runZero, it can now be a Goal!

Common goals include:

  • Managing expiring TLS certificates
  • Tracking end-of-life devices and operating systems
  • Remediating Critical Risk on assets within a set timeframe
  • Keeping open management services off of your public facing assets

Attack Surface Management preview

Attack Surface Management (ASM) is the process of discovering, classifying, and assessing the risks across different surfaces of your IT infrastructure. Although runZero supports ASM efforts through external scanning, internal RFC 1918 discovery, and integrations, the platform did not offer a unified workflow or dashboard until now.

The preview version of ASM provides a simple path to define different attack surfaces throughout your organization, providing an overview of risk and coverage along with several custom goals to monitor and communicate your progress. This feature will be in preview until August and will launch publicly as part of runZero 4.0.

If you are a runZero Enterprise customer and are interested in reviewing this feature and providing feedback, please reach out to your CSE or runZero Support. Participants will be asked to complete a short feedback form after reviewing the feature. You can find additional information about our preview program in the Preview Program FAQ.

Rapid Responses

The runZero research team has shared three new Rapid Response posts since 3.8. These posts cover critical, actively exploited vulnerabilities:

Protocol improvements

runZero now supports the InterMapper and Room Alert protocols, as well as legacy protocols such as time, daytime, chargen, and quote of the day.

runZero’s printer support has been improved, enabling protocol detection on ports normally associated with direct print services. This change allows for more accurate detection of Elasticsearch, Neo4j, and Logstash services.

In addition to the changes above, runZero now consistently normalizes the AirPlay protocol fields and gathers even more details using the DNS protocol.

Fingerprint improvements

New fingerprints were added for products by Allen-Bradley, Alma, Amazon, Apple, Avaya, Avigilon, Avocent, Axess TMC, Bodot, Bond, Canon, Canonical, Cisco, ComNet, Dell, Digital Loggers, Eaton, Epson, F5, Fedora, FreeBSD, Fortinet, Google, Hanwha Techwin, Honeywell, HP, HPE, IBM, Johnson Controls, Konica Minolta, LG, Lidarr.Audio, LinkTap, Microsoft, MikroTik, Moxa, NetBSD, Oracle, Panasonic, Philips, Pioneer, Poly, Progress Software, Proxim Wireless, Proxmox, Radwin, Red Hat, RetailNext, Riverbed, Rocky, Samsung, Schneider Electric, Scientific, ScreenBeam, Siemens, Sierra Wireless, SMC Networks, Sony, Standard Networks, SUSE, Tait Communications, Traficon, Tulip, VivoTek, Western Digital, Vasion, Xiaomi, ZeeVee, and ZKTeco.

See runZero 3.9 in action

Release notes

The runZero 3.9 release includes a rollup of all the 3.8.x updates, which includes all of the following features, improvements, and updates.

New features

  • runZero goals are now generally available. With runZero goals, users are able to create and monitor progress toward achieving security initiatives.
  • Improved the goal progress chart display to work in various browser sizes.
  • Goals now show a pending calculation banner when goal metrics have not been calculated yet.
  • Added source_count and custom_integration_count as searchable fields.
  • Saved queries can now be created for tasks.
  • The search keyword recur_last_task_status is now supported on the task pages.
  • Improved the display of dashboard charts so that no partial rows, other than the last row, are visible to the user regardless of the number of charts displayed.
  • Improved fingerprinting of Fortinet device firmware.
  • Optimized database utilization and improved performance.

Product improvements

  • Non-runZero asset sources can now be removed from assets via the asset details or asset inventory pages.
  • Equivalent emails are now accepted for email updates.
  • Dashboard cards for Asset Source and Custom Integrations should now correctly show only the top 10 counts for each, with a View more link added.
  • A warning is now displayed if a Query is not attached to a Goal.
  • Users with Viewer permission can now see and use the Sites page.
  • Improved reliability of scans so they should stall less frequently.
  • The activation email should display properly in a broader range of email clients.
  • Improved operating system fingerprinting via SNMP Installed Software listing.
  • The status indicator in the explorer datagrid now has text describing the status.
  • External Asset Report Include screenshots toggle now requires that Include asset details is checked.
  • External Asset Report now hides the Top certificate authorities section if Include TLS certificate details is not checked.
  • Outlier calculations have been adjusted for performance and now include the TLS stack.
  • Event rules that result in asset modifications now complete faster.
  • The Npcap driver has been updated to version 1.75.
  • Improved device type identification of Windows Server assets.

Integration improvements

  • Improved SentinelOne matching to improve asset merging.
  • AWS credential validation now always shows the results for each service.

New vulnerability queries

  • Hardware: End-of-Life Cisco Small Business Switches
  • Policy: Sun Solaris sadmind RPC service
  • Policy: HashiCorp Consul (unauthenticated)
  • Policy: Cisco Smart Install service
  • Policy: CNCF etcd v2 (unauthenticated)
  • Unpatched: Click Modular Router shell (unauthenticated)
  • Unpatched: HID VertX/Edge controllers vulnerable to command_blink_on command execution

Bug fixes

  • A bug causing Cisco 8xx Industrial Routers as well as Catalyst 94xx/95xx switches to be incorrectly merged has been fixed.
  • A bug where the autocomplete drop down would not always appear on top of other elements has been resolved.
  • A bug where integration sources in dashboard views are displayed as IDs instead of names has been resolved.
  • A bug where data grid search text would propagate to other data grids has been resolved.
  • A bug causing some text inputs to display an autocomplete user experience when it was not intended was resolved.
  • A bug that could allow merging AWS, Azure, and GCP assets has been resolved.
  • A bug which omitted some SNMPv3 scan attributes has been resolved.
  • A bug which caused some project creations to return a 404 error page has been resolved.
  • A bug causing incorrect HTTP response codes for the /org/metrics/{site_id} API endpoint has been resolved.
  • A bug which cleared the organizations table screen when sorted has been resolved.
  • A bug preventing vulnerabilities from sorting correctly on CVSS columns has been resolved.
  • A bug where scan tasks on hosted zones couldn’t be stopped has been resolved.
  • A bug that could result in excessive memory usage has been resolved.
  • A bug that resulted in certain models of Cisco routers being incorrectly merged has been resolved.
  • A bug in which AWS probes fail when run outside of an AWS EC2 environment has been resolved.
  • A bug which prevented IPv6 UDP SYN scans from working on FreeBSD and OpenBSD systems has been addressed.
  • A bug where autocomplete suggestions would not update consistently has been resolved.
  • A bug causing the “download task button” to show for tasks without a log has been resolved.
  • A bug that could cause the SNMP probe to panic in rare scenarios has been resolved.
  • A bug that could cause the SNMP probe to stall scans in rare scenarios has been resolved.
  • A bug that caused scans to take longer than expected or stall in rare scenarios has been resolved.
  • A bug that could prevent the organization dropdown from being clickable has been resolved.
  • A bug that could prevent the rpcbind probe from completing successfully was resolved.
  • A bug with copying some connector tasks has been resolved.
  • A bug causing some connectors to be labeled as scans has been resolved.
  • A bug causing the API /org/hosted-zones endpoint to return an empty list of hosted zones has been resolved.
  • A bug that could result in an invalid asset ownership assignment has been resolved.
  • A bug that could prevent a RUMBLE_CONSOLE override from working in the Explorer configuration has been resolved.
  • A bug that prevented sites with more than 1000 subnets from being saved has been resolved.
  • A bug that could result in odd dashboard chart behavior has been resolved.
  • A bug that required self-hosted users to configure SMTP before setting up their initial account has been resolved.
  • A bug that caused some scan task errors to be displayed twice has been resolved.
  • A bug that could prevent bogus services from certain firewalls from being completely filtered has been resolved.
  • A bug where Asset queries for exact strings were performing a fuzzy search has been fixed.
  • A bug that could cause malformed auto-populated LDAP thumbprints for LDAP credentials has been resolved.
  • A bug that prevented credential validation errors from displaying after verification in the console has been resolved.
  • A bug where searching via clicking on a tag would not return the correct results has been resolved.
  • A bug where multiple subtasks were incorrectly created for the same parent task has been resolved.
  • A bug where filters were not retained when importing a Nessus scan configuration has been resolved.
  • A bug that prevented copying of some connector tasks has been resolved.
  • A bug with linking to the update page on some connector tasks has been resolved.


Finding Fortinet SSL-VPN

Fortinet warned customers this week of potential limited exploitation in the wild regarding a flaw affecting the SSL-VPN software component. This critical vulnerability (tracked as CVE-2023-27997) can be remotely exploited without authentication and can yield remote code or command execution to an attacker. Discovered by researchers Charles Fol and Dany Bach at LEXFO, disclosure-and-fix of this vulnerability coincided with an internal SSL-VPN audit-and-fix effort at Fortinet which covered this and five additional vulnerabilities.

What is Fortinet SSL-VPN?

Fortinet SSL-VPN is a VPN capability offered in some Fortinet products, including FortiGate firewall devices. This service provides secured network communications between a remote client and protected devices on an internal network. Several modes of operation are supported, including “tunnel mode” (which requires use of the FortiClient VPN client) and “web mode” (which does not require client-side VPN software).

What is the impact?

Of the six disclosed vulnerabilities, CVE-2023-27997 is considered the most severe with a “critical” CVSS score of 9.2. This pre-authentication vulnerability is rooted in a heap-based buffer overflow, seemingly similar to CVE-2022-42475 which was disclosed earlier this year as also affecting SSL-VPN (and did have reported exploitation in the wild). Attackers can exploit this vulnerability via a specially crafted request.

The complete list of recently disclosed-and-fixed Fortinet SSL-VPN vulnerabilities is as follows:

  • CVE-2023-27997 (9.2, “critical”) – pre-auth heap buffer overflow in SSL-VPN, exploitation could yield code/command execution
  • CVE-2023-29180 (7.3, “high”) – null pointer dereference in SSLVPNd, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22640 (7.1, “high”) – out-of-bounds write in SSLVPNd, exploitation could yield code/command execution
  • CVE-2023-29181 (8.3, “high”) – format string bug in Fclicense daemon, exploitation could yield code/command execution
  • CVE-2023-29179 (6.4, “medium”) – null pointer dereference in the SSLVPNd proxy endpoint, exploitation could cause a denial-of-service condition by crashing SSLVPNd
  • CVE-2023-22641 (4.1, “medium”) – open redirect in SSLVPNd, exploitation could allow an attacker to redirect a user’s browser to a malicious URL

Are updates available?

Fortinet published new firmware versions a few days ahead of this disclosure. A variety of FortiOS, FortiOS-6K7K, and FortiProxy versions have been patched to fix the recently disclosed CVEs affecting SSL-VPN: CVE-2023-27997, CVE-2023-29180, CVE-2023-22640, CVE-2023-29181, CVE-2023-29179, CVE-2023-22641. Admins or owners of Fortinet appliances/products running affected firmware with SSL-VPN enabled should ensure they are updated to one of the newer firmware versions. If updating is not a near-term option, disabling the SSL-VPN service on affected appliances can mitigate the risk of exploitation.

How do I find potentially vulnerable Fortinet SSL-VPN instances with runZero?

From the Services inventory, use the following prebuilt query to locate Fortinet SSL-VPN instances in your network:

_asset.protocol:http AND protocol:http AND (http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%" OR last.http.head.setCookie:="SVPNCOOKIE%SVPNNETWORKCOOKIE%")

Fortinet SSL-VPN query

Results from the above query should be triaged to verify those assets are running updated firmware versions.
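As an added illustration (not runZero’s own code), the Python below reproduces the matching logic of that prebuilt query over a handful of constructed service records: the asset must speak HTTP, the service itself must be HTTP, and either the current or the last observed Set-Cookie header must match the SVPNCOOKIE / SVPNNETWORKCOOKIE pattern. The field names, the sample records, and the reading of `%` as a “match anything” wildcard are assumptions made for this example.

```python
import re

# Constructed sample service records, shaped loosely like the fields the runZero
# query references. None of these addresses or headers come from a real scan.
SERVICES = [
    {   # Fortinet SSL-VPN web portal: both cookies present in the current banner
        "asset_id": "asset-01", "address": "203.0.113.10:10443",
        "asset_protocols": ["tls", "http"], "protocol": "http",
        "http.head.setCookie": "SVPNCOOKIE=; path=/; secure; "
                               "SVPNNETWORKCOOKIE=; path=/remote/network; secure",
        "last.http.head.setCookie": "",
    },
    {   # Cookie seen only on the previous scan (second OR term of the query)
        "asset_id": "asset-02", "address": "198.51.100.7:443",
        "asset_protocols": ["http"], "protocol": "http",
        "http.head.setCookie": "",
        "last.http.head.setCookie": "SVPNCOOKIE=deleted; SVPNNETWORKCOOKIE=deleted",
    },
    {   # Ordinary web application: unrelated session cookie
        "asset_id": "asset-03", "address": "192.0.2.15:80",
        "asset_protocols": ["http"], "protocol": "http",
        "http.head.setCookie": "PHPSESSID=abc123; path=/; HttpOnly",
        "last.http.head.setCookie": "",
    },
    {   # Non-HTTP service: excluded by the protocol:http term
        "asset_id": "asset-04", "address": "192.0.2.44:8443",
        "asset_protocols": ["tls"], "protocol": "tls",
        "http.head.setCookie": "", "last.http.head.setCookie": "",
    },
    {   # Only one of the two cookies: the pattern requires both, in order
        "asset_id": "asset-05", "address": "192.0.2.9:443",
        "asset_protocols": ["http"], "protocol": "http",
        "http.head.setCookie": "SVPNCOOKIE=; path=/; secure",
        "last.http.head.setCookie": "",
    },
]

# The wildcard pattern taken from the runZero query in the post.
SSLVPN_COOKIE_PATTERN = "SVPNCOOKIE%SVPNNETWORKCOOKIE%"

# The two Set-Cookie fields the query ORs together: current and last observed.
COOKIE_FIELDS = ("http.head.setCookie", "last.http.head.setCookie")


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '%'-wildcard pattern into an anchored regular expression.

    Assumption for this example: '%' matches any run of characters (including
    none), every other character is literal, and the match covers the whole
    header value from its first character.
    """
    literal_parts = [re.escape(part) for part in pattern.split("%")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.DOTALL)


SSLVPN_COOKIE = wildcard_to_regex(SSLVPN_COOKIE_PATTERN)


def match_sslvpn_cookie(svc: dict):
    """Return the name of the field that matched, or None if the service does
    not look like Fortinet SSL-VPN.

    Mirrors the query term by term: _asset.protocol:http AND protocol:http AND
    (current Set-Cookie matches OR last Set-Cookie matches).
    """
    if "http" not in svc.get("asset_protocols", []) or svc.get("protocol") != "http":
        return None
    for field in COOKIE_FIELDS:
        if SSLVPN_COOKIE.match(svc.get(field) or ""):
            return field
    return None


def find_sslvpn_services(services):
    """Collect (asset_id, address, matched_field) for every matching service,
    preserving input order so the result can feed a triage list."""
    hits = []
    for svc in services:
        field = match_sslvpn_cookie(svc)
        if field:
            hits.append((svc["asset_id"], svc["address"], field))
    return hits


if __name__ == "__main__":
    for asset_id, address, field in find_sslvpn_services(SERVICES):
        print(f"{asset_id} {address} matched via {field}: verify firmware version")
```

Each hit is a candidate for the firmware check described above; the matched field tells you whether the evidence is from the current scan or an earlier one.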

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.


The risks of using spreadsheets for cyber asset management

An accurate and comprehensive asset inventory is vital for an effective cybersecurity program. Relying on basic spreadsheets for asset management could introduce severe risks to your entire organization.

Read on as we explore the downsides of using spreadsheets for cyber asset management and highlight the clear advantages of using a dedicated cyber asset management tool to empower your security program, rather than hinder it.

Spreadsheets are simply inefficient for cyber asset management

A recent study found that a staggering 73% of cybersecurity and IT professionals use spreadsheets to manage security hygiene and posture.

There are two primary reasons why one might use spreadsheets for asset management:

  1. An asset inventory tool has never been used in your organization. 
  2. You need to work around your current asset inventory tools.

While spreadsheets can adapt to numerous use cases since they handle all sorts of data, this dexterity also makes them less than ideal for IT asset management. Furthermore, while Excel and Google Sheets can be an easy first step to track asset data for an IT environment, they fail entirely as an efficient cyber asset management solution.

7 disadvantages of spreadsheet asset management

  1. Manual data collection
    Spreadsheets require time-consuming manual updates. Without automation, they often become outdated. Reliance on tracking changes and identifying responsible parties manually introduces errors, hindering the detection and resolution of security incidents. This limitation makes it harder to monitor the integrity of the asset inventory and respond swiftly to cyber threats.
  2. Inconsistent attributes
    Different departments and individuals have discrepancies in what attributes they prioritize for data collection. Security teams may focus on listening ports, while IT may prioritize warranty expiration. This can lead to confusion and inconsistent data collection over time.
  3. Outdated information
    Asset records in spreadsheets can vary widely in age, ranging from a week to a year, depending on when someone bothered to update them. This significantly hampers effective incident response and security program management.
  4. Lack of detail
    Due to the aforementioned points, spreadsheets often lack sufficient detail. Humans dislike repetitive manual work, and the limitations of spreadsheets prevent them from containing comprehensive information.
  5. Incomplete inventory / managed-only devices
    The Achilles’ heel of any asset inventory program is unmanaged devices. Spreadsheets cannot be updated with assets that are unknown.

    According to a Deloitte research report, 32% of organizations believe that “Shadow IT” assets pose the greatest challenge for ITAM. Rogue devices installed by employees, third-party vendors, or through shadow IT lack standard security controls like EDR agents, making them easy targets for adversaries.

    The same report states that 18% of organizations are considering non-active or repurposed IT assets. With manual data entry, unmanaged devices can go unnoticed or neglected for extended periods, leading to uncertainty within teams regarding their significance or reluctance to invest effort in investigating them.

    Here are just some of the key problems unmanaged assets pose:

    • Audit violations
    • Cannot be patched
    • Cannot be upgraded
    • Cannot be automated
    • Cannot be turned off
  6. Hard to share
    Sharing is not built into Excel. Sharing Excel sheets linked to other dependencies also causes all sorts of problems. In the meantime, Google Sheets copies come with a touch of showmanship, flaunting a prepended “Copy of” like a magician demonstrating a trick. However, with it being so easy to duplicate documents, one sleight-of-hand from a nefarious user could easily go unnoticed.
  7. No version control
    Version control becomes a challenge as spreadsheets lack proper mechanisms to track changes and maintain data consistency. It is difficult and time-consuming to trace back who updated which asset in whose copy of which version of the spreadsheet.

    Multiple copies of the same spreadsheet create confusion and hinder the ability to have accurate and up-to-date information. This limitation affects data integrity and poses challenges in maintaining a reliable asset inventory. With Excel, sharing automatically creates a copy, and with Google Sheets, anyone with edit access can make a copy. These copies can take on a life of their own, resulting in various states of inaccuracy.

Spreadsheets are high-risk for sensitive information

As if the inefficiencies weren’t bad enough, spreadsheets lack sophisticated controls and are easily duplicated, increasing the risk of information exposure. In truth, using spreadsheets for any sensitive information is a liability. Storing asset details in a spreadsheet is perilous.

PeopleDAO, a group formed to buy a copy of the U.S. Constitution, lost 76.5 ETH ($120,000) after the accounting lead mistakenly shared a Google Sheet with edit access to a payout form on a public Discord channel.

Human error aside, hackers have a notorious history of exploiting enterprise products. In 2021, Microsoft fell victim to a malware attack spread through Excel spreadsheets, and in 2019, hackers bypassed Google filters to launch CSV malware via Google Sheets.

Both companies have continued to be targeted by vulnerability exploitation and phishing campaigns over the years.

Access to just one spreadsheet could be the key to everything that a bad actor needs to compromise your entire network. The potential repercussions, including the costs associated with a data breach, loss of profits, expensive lawsuits, and customer and partner attrition, far exceed the investment required for a secure and comprehensive asset inventory solution.

Beyond spreadsheets – go CAASM

It is clear to see that there are significant downsides to using spreadsheets to manage cyber assets, yet organizations proceed to adopt this method with the support of other tools. However, EDRs, vulnerability scanners, CMDBs, NACs, and free asset management solutions all have asset management limitations. Not only do these tools lack comprehensive visibility into the asset landscape, but using spreadsheets to supplement or work around them only inherits the same limitations.

The manual process involved with spreadsheets introduces the risk of human error, especially as the number of assets and data sources increases. Managing access and enforcing the principle of least privilege, as well as restricting who can view, edit, or delete the inventory, becomes increasingly difficult. Without proper access controls, maintaining a secure environment and protecting sensitive information becomes a daunting task.

Correlating asset data from different sources poses challenges because each tool or data source uses its own format. It becomes arduous to accurately compare and analyze data when it is not normalized within the same time ranges. Without proper correlation and normalization, the ability to understand asset relationships, identify vulnerabilities or misconfigurations, and respond to security incidents in a timely manner is negatively impacted.

Although Google Sheets and Excel allow third-party plugins and extensions to enhance usability and functionality, granting this type of access is also high-risk. Third-parties gain access using an OAuth process. As part of this process applications can request specific scopes, gaining formidable privileges.

[Figure: Example of an OAuth scope request from a third-party application for a Google product]

The wrong plugin, developed with malicious intent, could wreak havoc by pilfering your sensitive information. Furthermore, once a third-party add-on has been granted access permissions, it will retain them until they are manually revoked. This means that forgotten add-ons, not used for several years, could still have access to your data. Managing this situation without a CASB or SSPM solution becomes a near-impossible task, adding yet another tool to your stack.

In contrast, a cyber asset attack surface management (CAASM) solution addresses all of these limitations, offering security, automation, integration, scalability, reporting, collaboration, and compliance support. One major benefit of CAASM is the ability to bring in data from multiple sources, allowing for automated data collection, correlation, and normalization. The best CAASM solutions also include active scan data. With a comprehensive view of all assets, organizations can prioritize security efforts, identify potential security gaps, and make informed decisions to protect their network. Correlation among different sources is not only a desirable feature but also a table stakes requirement for an effective cyber asset management solution. It enables organizations to have a holistic view of their assets, streamline workflows, and implement proactive security measures to effectively mitigate risks.

runZero is a cyber asset management solution that includes CAASM functionality, and can safely and securely integrate with other security tools and systems, such as vulnerability management platforms, Security Information and Event Management (SIEM) solutions, and Internet scanning services.

As a standalone solution, runZero performs unauthenticated active scans powered by high-fidelity fingerprinting to quickly and safely provide a complete and accurate asset inventory, even on fragile IoT and OT networks. As a whole, runZero is designed to effectively address the unique challenges and requirements of cybersecurity asset management, which a spreadsheet could never achieve.

Learn how Presidio eliminated spreadsheets for greater visibility across their internal and client networks with runZero

Read the case study

Spreadsheets vs runZero

As a whole, runZero is designed to address the unique challenges and requirements of cybersecurity asset management effectively, which a spreadsheet comparatively could never do. Below are the notable ways runZero far surpasses spreadsheets for cyber asset management:

Automation

Unlike spreadsheets, runZero automates the entire asset discovery, inventory, and tracking process, offering real-time updates, accurate data synchronization, and a holistic view of an organization’s assets and network.

Scalability

Spreadsheets struggle to handle large-scale asset inventories, leading to performance issues and decreased efficiency. runZero is built to handle vast amounts of data, and millions of assets, providing a scalable solution to accommodate growing asset portfolios, from small business to large enterprise.

Advanced Security

Spreadsheets lack robust security features, making it easier for unauthorized individuals to access and manipulate them. runZero prioritizes security and provides robust features, offering advanced role-based access control (RBAC) and organizational hierarchies to ensure that only authorized individuals can access and modify the asset inventory. Our SSO and RBAC features are available in all editions. Our commitment to helping the world be more secure means we don’t gate security features in the higher tiers.

Reporting and Analytics

runZero has robust reporting and analytics capabilities, allowing organizations to generate detailed reports on asset inventory, services running on the network, current vulnerabilities, and more. This is essential when needing to provide insights and metrics that can assist in decision-making, resource allocation, and risk mitigation strategies.

Collaboration and Workflow

Spreadsheets make it difficult to collaborate and streamline workflows. runZero enables IT and security teams to work together more efficiently, share insights, and coordinate response efforts through asset ownership, alerts, third-party integrations, and canned queries for rapid zero-day response.

Compliance and Audit Support

It is near impossible to maintain an up-to-date asset inventory with spreadsheets. runZero helps organizations maintain exemplary cyber hygiene through automatic asset tracking, documenting information, changes, and security controls, making it easy to demonstrate compliance with industry regulations and standards.

Try runZero free

Upgrade your asset management.

Find out what’s connected to your network in less than 20 minutes with a 21-day trial, after which, downgrade to our free tier for personal use or for organizations with fewer than 256 devices.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Finding MOVEit File Transfer Services

Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software are making the rounds this week. The vendor, Progress Software, has released an advisory and this issue has now been assigned CVE-2023-34362. Attackers are abusing a SQL injection vulnerability in the web interface of MOVEit to deploy a web shell and gain access to the data stored within the platform. 

What is the MOVEit Managed File Transfer service?

MOVEit Managed File Transfer is a Windows-based application that supports secure file transfers through a web interface, as well as over SSH and SFTP. Progress Software states that “MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR”. MOVEit is widely used for transferring sensitive information between a regulated organization and outside parties. MOVEit services are exposed to the internet by design, as this is necessary for users outside of the organization to use the service.

What is the impact?

Multiple security service providers, including Rapid7, are reporting active exploitation of this issue, with the attack resulting in the installation of a web shell, often accessed through the path “/human2.aspx”. Progress Software’s advisory indicates that users should look for indicators of compromise (IoCs) going back at least 30 days, suggesting that this issue may have been actively exploited for weeks and is only now coming to light. A compromise of the MOVEit server can lead to full exposure of all files managed by the service and access to the user database of the service, and could provide a foothold into the organization’s network, depending on network segmentation rules.

Are updates available?

On May 31st, Progress posted an advisory, including a download link to a patch. This advisory also describes some of the indicators of compromise and which paths and types of logs to look for to determine whether the system was breached.

How do I find potentially vulnerable Progress MOVEit Managed File Transfer services with runZero?

From the Service inventory, use the following prebuilt query to locate all Progress MOVEit Managed File Transfer web services across your network:

_asset.protocol:http protocol:http (http.head.setCookie:"MIDMZLang" OR favicon.ico.image.md5:9dffe2772e6553e2bb480dde2fe0c4a6)

Progress Software MOVEit Managed File Transfer web service query

Results from the above query should be reviewed for indicators of compromise and updated with the latest patch from Progress.
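As an added example (not runZero's or Progress Software's code), the fingerprint logic of the query above and the web shell IoC check from the advisory discussion, applied to constructed sample data. The IIS W3C log field order and all sample values are assumptions.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Fingerprint values taken from the runZero query on this page.
MOVEIT_COOKIE = "MIDMZLang"
MOVEIT_FAVICON_MD5 = "9dffe2772e6553e2bb480dde2fe0c4a6"
# Web shell path named in the advisory discussion above.
WEBSHELL_PATH = "/human2.aspx"


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw HTTP response head into (name, value) pairs, keeping duplicates."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def looks_like_moveit(headers: Iterable[Tuple[str, str]], favicon: Optional[bytes] = None) -> bool:
    """Mirror the query: MIDMZLang cookie is set OR the favicon MD5 matches."""
    for name, value in headers:
        if name.lower() == "set-cookie" and MOVEIT_COOKIE in value:
            return True
    return favicon is not None and hashlib.md5(favicon).hexdigest() == MOVEIT_FAVICON_MD5


def webshell_hits(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, status) for log lines requesting the web shell path.
    Assumed IIS W3C field order (hypothetical): date time s-ip cs-method cs-uri-stem
    cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):  # directive lines such as #Fields
            continue
        f = line.split()
        if len(f) >= 11 and f[4].lower() == WEBSHELL_PATH:
            hits.append((f"{f[0]} {f[1]}", f[8], f[10]))
    return hits


# Constructed sample data, not real captures.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
                   b"Set-Cookie: MIDMZLang=en; path=/\r\nContent-Type: text/html\r\n\r\n<html>")
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2023-05-30 02:11:07 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2023-05-30 02:12:41 10.0.0.5 GET /favicon.ico - 443 - 198.51.100.7 Mozilla/5.0 200",
]

if __name__ == "__main__":
    print("MOVEit fingerprint:", looks_like_moveit(parse_headers(SAMPLE_RESPONSE)))
    print("web shell hits:", webshell_hits(SAMPLE_LOG))
```

A match on either fingerprint branch marks the service for review, and any hit from the log scan is a reason to go back at least the 30 days the advisory recommends.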

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding MOVEit Managed File Transfer services?


