{"id":68418,"date":"2023-06-26T16:40:03","date_gmt":"2023-06-26T08:40:03","guid":{"rendered":"https:\/\/version-2.com\/?p=68418"},"modified":"2023-06-26T16:43:22","modified_gmt":"2023-06-26T08:43:22","slug":"the-limitations-of-vulnerability-scanners-for-cyber-asset-management","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2023\/06\/the-limitations-of-vulnerability-scanners-for-cyber-asset-management\/","title":{"rendered":"The limitations of vulnerability scanners for cyber asset management"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Keeping assets safe is a big part of security programs. But how can you keep your assets safe if you don\u2019t even know about them? That\u2019s where asset inventory comes in. Some people try to build an asset inventory using vulnerability scanners. Others combine that vulnerability data with information about their unmanaged assets<\/a>, even orphaned and rogue devices. That\u2019s what cyber asset attack surface management (CAASM) or cyber asset management is about.<\/p>

\"Magnifying<\/p>

How vulnerability scanners fail at asset inventory <\/i><\/h2>

Theoretically, security teams can scan their entire local network for vulnerabilities. In practice, it\u2019s too difficult operationally. Let\u2019s dig into this.<\/p>

  1. Corporate IoT and OT equipment<\/strong>
    Many vulnerability scan configurations exclude IoT and OT devices. Offices contain many IoT devices like your printers, thermostats, and surveillance cameras. Robotic arms, biomedical devices, and traffic signs are examples of operational technology (OT) devices. They often rely on archaic or uncommon network stacks that can\u2019t handle unexpected input from an aggressive security probe. The device easily freezes or crashes, so security teams exclude them from most vulnerability scans. Some vulnerability scanners are smart enough to detect and automatically exclude fragile devices, but in doing so they also leave a gap in the asset inventory.<\/li>
  2. Long scan times<\/strong>
    Vulnerability scanners need to cover hundreds of thousands of exposures, each of which requires time and bandwidth to complete. Extrapolate this requirement to your entire enterprise and it\u2019s not a surprise that some vulnerability scans can take weeks to complete. These slow scan cycles lead to stale asset data, and becomes even more so when a scan needs to be split across multiple maintenance windows.<\/li>
  3. Phantom assets<\/strong>
    Some vulnerability scanners have trouble differentiating between a response from an actual device and an intermediate firewall response or proxy reflecting the traffic. You end up with non-existent devices in your inventory, sometimes even with operating system details.<\/li><\/ol>

    The point of cyber asset management is to have a full and accurate inventory of what is connected to your network, from IT to OT, cloud to remote devices. If your data is incomplete or inaccurate, it\u2019s just a list of some assets, not an inventory. Leading vulnerability scanners do not provide a full, accurate, current asset inventory in everyday practice.<\/p>

    Insufficient details from credential-less vulnerability scans <\/i><\/h2>

    Many vulnerability scanners support a discovery-only mode, or \u201chost discovery mode\u201d, that avoids using credentials and security probes. While it avoids using credentials, is faster, and can uncover more unmanaged devices, the results are only marginally better than an ICMP response.<\/p>

    Here\u2019s an example of device details detected by a discovery-only scan of a leading vuln scanner:<\/p>