IT and security teams rely on an array of cybersecurity tools to manage their network assets. However, these tools often fall short of providing a comprehensive and detailed asset inventory. Consequently, as an organization’s attack surface evolves, the risk of undiscovered or unmanaged assets increases, heightening the potential for network infiltration. 

The 2023 State of Cyber Assets Report uncovered a remarkable 133% year-over-year growth in cyber assets for organizations, surging from an average of 165,000 in 2022 to 393,419 in 2023. This rapid increase in assets resulted in a staggering 589% rise in security vulnerabilities or unresolved findings, accentuating the snowball effect caused by more than doubling the number of assets.

As organizations incorporate an ever-growing number of devices, their attack surface inevitably expands. Thus, gaining a comprehensive understanding of the status of each connected asset becomes crucial.

Each article linked below highlights the limitations of various types of cybersecurity tools for asset management, contrasting them with runZero—an all-encompassing cyber asset management solution that surpasses them all by comparison.

Inefficient cyber asset management tools

1. Endpoint Detection and Response (EDR) agents
   

   EDR works well for endpoint protection but not asset inventory. When incident responders find assets that are compromised but can’t find them in the asset inventory, many teams realize that they went down the wrong path.

2. Spreadsheets
   

   Microsoft Excel and Google Sheets can be an easy first step to track asset data for an IT environment, but they fail entirely as an efficient cyber asset management solution. Spreadsheets require manual data collection resulting in inconsistent attributes, outdated information, lack of detail and incomplete inventory.

3. Vulnerability scanners
   

   Some try to build an asset inventory using vulnerability scanners. Beyond a lack of detail, vulnerability scanners sometimes simply get it wrong; crashing devices, providing a backward-looking view, finding phantom assets, among other concerns. Leading vulnerability scanners simply do not provide a full, accurate, current asset inventory in everyday practice.

4. Configuration Management Database (CMBD)
   

   CMDBs are designed to track data relating to managed IT assets, such as routers, switches, or servers. However, according to Gartner, only 25% of organizations achieve meaningful value with their CMDBs. Beyond incompleteness, data inaccuracy is also a major concern. If you are relying on your CMDB to be a source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.

5. Network Access Control (NAC)
   

   IT and security teams often depend on data from NAC’s and associated network aggregation tools for asset inventory. However, they are designed to control access to the network, an entirely different task from building a comprehensive inventory of devices on the network. If a compromised asset cannot be found in the inventory, it indicates that NACs are suboptimal for asset discovery; a fundamental component of cyber asset management.

6. Free network scannersMost free network scanners don’t scale easily out of the box, often requiring custom databases and scripts to make them suitable for continuous monitoring and collecting inventory from multiple segments or sites.

Why effective cyber asset management matters

In the ever-changing digital landscape of an organization, prioritizing cyber asset management is essential for ensuring the resilience and continuity of operations, as well as safeguarding the reputation and trust of the organization, its stakeholders and the data with which it governs.

It’s foundational to cybersecurity 

You simply need to know about the assets on your network before you can manage them. Before effective asset management can take place, it is crucial to have a comprehensive understanding of the assets on your network. By accurately identifying, tracking, and protecting critical assets, organizations can proactively defend against cyber threats, minimize vulnerabilities, and ensure the confidentiality, integrity, and availability of sensitive information.

Preparation is key 

IBM’s Cost of a Data Breach Report 2023 shares that the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.

By integrating a comprehensive asset inventory into business continuity planning, organizations can effectively identify and prioritize the protection of vital assets crucial for maintaining operations during disasters or disruptions. This proactive strategy enhances the organization’s resilience during times of crisis.

It’s required by regulations and insurance

Various industries, including healthcare, energy, financial services, and government, are all subject to specific regulatory or insurance requirements related to asset management and data protection. A comprehensive asset inventory helps organizations ensure compliance. It enables them to demonstrate their efforts in safeguarding sensitive information and critical infrastructure, thereby avoiding legal penalties and reputational damage.

Take the SolarWinds supply chain attack in 2020, for example. This sophisticated attack involved hackers compromising the software supply chain of SolarWinds, a prominent IT management software provider. The attackers injected malicious code into SolarWinds’ Orion platform updates, which were then distributed to thousands of the company’s customers, major corporations, the Department of Defense, the Department of State, and the Department of Homeland Security to name just a few.

Not only did SolarWinds report upwards of $3.5 million in expenses related to incident investigation and remediation, they were subject to numerous lawsuits, domestic and foreign. Including an investigation into the possible breach of the European Union’s General Data Protection Regulation and other data protection and privacy regulations.

It’s the bedrock of business operations

On the financial aspect, maintaining an asset inventory empowers organizations to monitor their IT investments and infrastructure effectively. Comprehensive knowledge of all assets enables teams to make informed decisions regarding upgrades or replacements for outdated assets, prioritize patching and updates, and avoid unnecessary expenses on redundant or non-essential devices.

Presidio, a global digital services and solutions found immediate success with runZero, using it to onboard clients to their managed service programs. With runZero, they were able to eliminate spreadsheets, thereby reducing the amount of time spent manually collecting client data. Instead, they can focus on delivering outcomes for their clients.

runZero: a complete cyber asset management solution

runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.

runZero scales up to millions of devices, and it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices.

The OT (Operational Technology) sector faces significant challenges when it comes to network scanning. OT systems frequently utilize proprietary protocols that may not be compatible with legacy scanners. Consequently, this incompatibility significantly hinders the effective scanning and information gathering from OT devices. As a result, the asset inventory obtained is often incomplete or inaccurate, posing a major security risk.

Fortunately, runZero avoids aggressive scan tactics, which could destabilize certain IT and OT devices. With runZero, organizations of all types can safely create comprehensive and detailed asset inventories without any disruptions.

How does runZero safely scan OT environments?

runZero employs an innovative incremental fingerprinting approach specifically designed to identify and handle fragile devices effectively. When a fragile device is detected, the method is automatically adjusted to ensure safe scanning. Unlike other scanners that may utilize security probes, runZero’s proprietary scan technology solely utilizes well-formed IP packets. This approach eliminates the risk of disrupting critical operations or causing downtime.

Thanks to its unique and reliable method, runZero has garnered a large and satisfied customer base in various industries including manufacturing, energy, and healthcare. These customers confidently conduct regular scans in their OT environments without encountering any issues.

For a more in-depth understanding of runZero’s approach to OT environments, we invite you to listen to the two podcasts below, featuring runZero founders HD Moore and Chris Kirsch, respectively.

runZero’s approach to scanning ‘fragile devices’ – HD Moore and Dale Peterson on Unsolicited Response podcast

In this episode HD Moore and Dale Peterson spend the first third of the show talking about Metasploit; early reaction, OT modules, and whether Metasploit is still necessary and useful today.

The conversation then shifts to creating asset inventories in IT and OT environments, a core feature of runZero.

Below is a summary of the main talking points in this podcast:

• Why HD decided to run back into the cybersecurity startup world?
• How it started as a solo shop with HD writing all the code.
• How HD thinks Shodan and runZero are different.
• What technique runZero uses to ‘scan’. A term that many fear in OT.
• The OT reaction to this type of scanning.
• What role uses the runZero product?

runZero adds passive scanning for OT networks – Chris Kirsch on the Risky Business podcast

In this Risky Business News sponsor interview Tom Uren talks to Chris Kirsch about how runZero has evolved from an IT network active scanning product to one that can now discover assets on OT and cloud environments using both active and passive scanning approaches.

Play runZero OT minesweeper and win a prize!

There is still time left to play runZero’s OT Minesweeper!

The top three players will win one of the following prizes:

runZero is safe for OT environments, but legacy scanners are not!

In this game, you are a legacy scanner with 30 seconds (and ten total attempts) to recon the network without getting noticed in the fastest time. Just don’t crash any OT devices!

Play OT Minesweeper!

• Promotion ends: August 11th 2023 at 11:59 pm CST
• Winners will be announced at DEF CON 2023

This week, Eclypsium Research published findings on critical vulnerabilities discovered in AMI MegaRAC baseboard management controller (BMC) firmware. Adding to the portfolio of “BMC&C” vulnerabilities that Eclypsium has been discovering and surfacing since late 2022, these two new vulnerabilities (tracked as CVE-2023-34329 and CVE-2023-34330) can be exploited and chained together to yield unauthenticated remote code execution on vulnerable targets. These vulnerabilities could impact many devices, as MegaRAC BMCs are popular across a number of manufacturers and appear in products from AMD, Asus, Dell EMC, Gigabyte, HPE, Lenovo, Nvidia, and more.  

What is an A MI MegaRAC BMC? 

MegaRAC baseboard management controllers (BMCs) provide “lights out” management capabilities for remotely monitoring and managing servers. Manufactured by American Megatrends International (AMI), MegaRAC BMCs include a service processor and network connection that operate separately from the server they are connected to. Modern MegaRAC BMC firmware includes support for the Redfish API.

What is the impact? 

These two newly disclosed vulnerabilities involve the Redfish service running on the MegaRAC:

• Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329; CVSS score 9.1 – “critical”)
• Code injection via Dynamic Redfish Extension (CVE-2023-34330; CVSS score 8.2 – “high”)

CVE-2023-34329 can be exploited with specially crafted HTTP headers to trick the Redfish service into believing the request is coming from an interface that does not require authentication, such as USB0. On systems which have the No Auth option enabled, these spoofed headers will allow attackers to access and interact with any Redfish API endpoints.

CVE-2023-34330 can be exploited via an HTTP POST action to execute arbitrary code on the MegaRAC processor. While this code-execution-via-POST was an intentional design choice by AMI, it likely was intended for internal development only. However, it is enabled by default in vulnerable versions of the firmware, making it available to a broader audience.

Chaining exploitation of the two above vulnerabilities together can provide attackers with unauthenticated remote code execution and full control over a vulnerable MegaRAC target. Following successful exploitation, attackers can establish persistence, perform data exfiltration, perform lateral movement in the network, deploy malware, and more. Attackers can also perform a denial of service by forcing the server into a reboot loop or even bricking the system so it will no longer properly function.

Are updates available? 

AMI has made patched firmware available in versions SPx_12.4 and SPx_13.2. Admins should update MegaRAC BMCs to the newer firmware as soon as possible.

Eclypsium Research also shared mitigations to help reduce the chance of a successful attack, including:

• Ensuring all remote server management network interfaces are NOT exposed externally and operate on networks dedicated to management traffic only.
• Ensuring access to remote server management network interfaces is restricted to administrative users via ACLs or firewalls per Zero Trust Architecture principles.

Additionally, U.S. government agencies and contractors legally required to comply with CISA’s Binding Operational Directive 23-02 should note required guidance to follow (similar to the aforementioned mitigation steps).

How do I find potentially vulnerable MegaRAC BMCs with runZero? 

From the Asset inventory, use the following prebuilt query to locate MegaRAC BMC instances in your network:

hw:megarac

Results from the above query should be triaged to verify if those assets are running updated firmware versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Knowing what’s connected to a network is important for securing your organization. There are a fair amount of free and commercial options out there. We see security teams using a mix of runZero, Nmap (sometimes with Zenmap), Angry IP and Masscan. 

In this article, we compare and contrast several free tools and provide our take on why we believe runZero is best suited for corporate security teams – particularly teams that are looking to gain continuous visibility into their asset inventory for risk management, incident response, and penetration testing purposes.

Best free network scanners compared (2023) #

runZero

runZero was founded in 2018 by HD Moore, the creator of Metasploit, to help solve the problem of discovering both managed and unmanaged devices on the network. The product has grown to a full cyber asset management solution that covers managed and unmanaged IT/IoT, OT environments, cloud assets, and remote devices. runZero offers a free enterprise trial that downgrades to the free Starter Edition, which is used by more than 20,000 individuals and organizations.

runZero is enterprise grade in terms of its user interface, query language, and ability to collect an inventory even in highly distributed environments without having to write scripts or maintain a custom database. Like all of the other scanners in this article, its scans are unauthenticated but yield a surprising amount of depth of information, such as fully searchable attributes for all services, hardware and firmware details, as well as layer 2 and 3 network topologies. In addition, the solution can use SNMP credentials as well as integrations with vulnerability scanners, EDR, MDM, directories and other solutions to provide deeper insights into cyber assets and their security posture. runZero also provides integrations with CMDB and SIEM solutions to enrich asset inventory on other platforms.

runZero’s scanning technology is safe to use in many OT environments, making it an ideal passive discovery option for critical infrastructure OT environments.

Nmap and Zenmap

Nmap has been around for 25 years and is the gold standard for ad-hoc network scanning. The free and open source utility is most often used for network discovery and security auditing. It integrates with many other security auditing tools, such as Metasploit.

Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap).
The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write simple scripts for network discovery, more sophisticated version detection, and vulnerability detection. NSE can even be used for vulnerability exploitation.

Angry IP

Angry IP Scanner is an open-source network scanner designed to be fast and simple to use. It scans IP addresses and ports. It is widely used by network administrators.

Angry IP is a good solution for teams that are looking for the fastest and easiest way to see which IPs are in use on a network. However the solution doesn’t provide a lot of information about each device, limited to IP, ping time, hostname, ports, TTL, MAC address, filtered ports, NetBIOS.

Masscan

Masscan is a port scanner that can cover the entire Internet in under 5 minutes by using asynchronous transmission, sending 10 million packets per second from a single machine. It is purely a command-line tool and its usage is similar to Nmap. While Nmap is more often used to scan individual machines and smaller IP ranges, Masscan is primarily used for very large IP ranges.

Recommended network scanner for security teams: runZero

Most free network scanners don’t scale easily out of the box, often requiring custom databases and scripts to make them suitable for continuous monitoring and collecting inventory from multiple segments or sites. Out of the mix of tools, only runZero comes with a central repository and a distributed system of Explorers to scan all parts of a network, from inside and outside the firewall.

While all of the scanners we looked at are robust and suitable for their specific use cases, runZero is the best option for corporate security teams. runZero wins on flexibility of deployment, ease of use, and scalability for larger organizations. If your security team consists of more than one person or your organization operates at more than one physical location, runZero is for you.

How to find OpenSSL 1.1 instances 

On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date.
That means that it will no longer be receiving publicly-available security fixes.
Users without a third-party extended support contract will no longer receive security fixes or updates.

With this end-of-life announcement, no versions of OpenSSL prior to 3.0.0 are publicly supported.

What is OpenSSL?

OpenSSL is a library that implements a large variety of security functionality, including the Transport Layer Security (TLS) cryptographic protocol that underlies most secure protocols on the Internet like HTTPS.
It also provides the cryptographic functionality needed to compute secure hashes, validate certificates, and perform various other critical operations involving cryptography.

(The early versions of TLS were known as the Secure Sockets Layer, hence “SSL” in the name.)

OpenSSL is extremely widely deployed, and is built into or included by default in a large number of operating systems and distributions.
It is present in countless embedded and mobile devices, and is used by the majority of websites on the Internet to secure their traffic.

Despite (or because of) its popularity, numerous vulnerabilities have been discovered in OpenSSL over the years.
Perhaps most famously, the Heartbleed vulnerability, disclosed in 2014, allowed for sensitive memory disclosure.

Are updates available?

OpenSSL 3.0.0 is available and publicly supported until 2026, while OpenSSL 3.1.0 is available and publicly supported until 2025.
A migration guide has been made available to ease upgrades to these new versions.

How do I find older versions of OpenSSL with runZero?

Detecting OpenSSL can be difficult, since it is a library used by countless other software products.
However, runZero’s advanced scanning and fingerprinting is often able to detect the OpenSSL version used by analyzing the telltale features of cryptographic exchanges.

To find services running on your network that use OpenSSL 1.1.1 or earlier, you can use the following query in the runZero asset inventory:

	tls.stack:"openssl=1.1"

Results from the above query should be triaged to determine if they require patching or vendor intervention.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

What’s new in runZero 3.10: #

• Integrations page and menu updates
• Redesigned Explorer detail page
• Coming soon!

Integrations page and menu updates #

Redesigned Explorer detail page #

Coming soon: Want to see what we’ve been devOTing ourselves to lately? #

Protocol improvements #

• Improved discovery of SSDP services providing visibility into devices that may need those services disabled
• Added additional data extraction capabilities to our SSDP and UPnP probes
• Added detection of SOCKS proxies
• Improved our detection and handling of spoofed/invalid NTLMSSP versions in the SMB probe

Fingerprint improvements #

Rapid response #

Release notes #

New features #

• An integrations page has been added to improve visibility and simplify configuration.
• An update to the Trends tab of Attack Surface Management graphs has been added to show enhanced date and time data.

Product improvements #

• Assets with hostnames starting with a numeric prefix are now allowed to merge.
• Inventory searches using keyword organization properly warn that it cannot be used unless either that specific organization or the All Organizations option are chosen from the drop-down in the upper right of the console.
• Improved detection of various printer models.
• The Explorer details page has been redesigned.
• Improved database performance for asset, site, and organization delete operations.
• Improved database performance for outlier and vulnerability processing.
• Improved database performance for concurrent integration processing.
• Additional MAC address detection through SSDP and UPnP services.
• Improved operating system and hardware fingerprinting of Palo Alto Networks devices.
• Trial accounts can now create Custom Integrations.
• Discovery of SSDP services has been improved.
• Improved handling of email send errors.
• Asset correlation has been improved for switches with overlapping MAC addresses.
• Improved detection of AIX systems.
• Reduced OS fingerprinting false positives against assets with non-Microsoft SMB stacks.
• Improved handling of login tokens.

Integration improvements #

• Improved import of assets from Azure Active Directory.

Bug fixes #

• A bug that could cause the MDNS probe to panic in limited scenarios has been resolved.
• An issue that could result in the old Explorer details pages being shown has been resolved.
• A bug preventing Microsoft 365 Defender OAuth Client Credential tokens from accessing Azure government environments has been resolved.
• A bug that could result in invalid Last Seen values for Rapid7 assets has been resolved.
• A bug that could lead to stale service entries has been resolved.
• A bug causing some goals to return an error has been resolved.
• An issue that could prevent alert rule actions from modifying asset ownership based on software, service, or vulnerability query results is resolved.
• An issue where dynamic content did not have the header Cache-Control: no-store has been resolved.
• A bug has been fixed that could cause scans to be dropped with explorer failed to queue task when the Explorer was already handling the configured maximum number of simultaneous scans.
• A bug causing the task start time to be shown for the scan start time has been resolved.
• A bug that could prevent the creation of new goals has been resolved.
• A bug that could prevent those with the annotator role from viewing or modifying Asset Ownership has been resolved.
• An issue that could prevent navigation to the Account settings page has been resolved.
• A bug causing JavaScript errors to be thrown when adding or editing Google Workspace connector tasks has been resolved.
• A bug with thumbprint validation for the LDAP integration has been resolved and the related error messages have been improved.
• A bug where the link to help for query syntax led to a missing page has been resolved.
• A bug preventing the Explorer interface and addresses from being populated has been addressed.