
Finding OpenSSH servers

The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote attacker. Researchers, including JFrog and Qualys, have been investigating and providing proof-of-concepts of a denial-of-service scenario and remote code execution for the attacker.

What is the impact?

OpenSSH is a popular open source implementation of the SSH protocol and is available on many operating systems. While the installation base for OpenSSH is quite large (Shodan currently reports ~48k public-facing instances of OpenSSH servers running version 9.1), the potential impacts of this vulnerability are not yet fully understood and are still being investigated.

The denial-of-service attack vector may be successful against a number of operating systems running OpenSSH 9.1. However, it yields limited results because it only crashes the forked daemon instance that was spun up to handle the attacker’s SSH connection (leaving the parent ssh daemon still running to handle other incoming connections).

Exploitation of this vulnerability for remote code execution (RCE) is more complex, with a current proof-of-concept that only targets OpenBSD 7.2 without memory protections in place (such as ASLR, NX, or ROP defenses) and with code execution still contained within the ssh daemon’s sandbox. As researchers continue investigating RCE exploitation, other operating systems with attacker-bypassable memory malloc and double-free protections may be discovered. So, the ability to fully execute attacker-controlled code outside of the ssh daemon sandbox, even with memory protections in place, may be achieved.

Are updates available?

OpenSSH version 9.2p1 (a.k.a. version 9.2) was released earlier this month and patches this vulnerability (CVE-2023-25136). For systems currently running OpenSSH 9.1, admins are encouraged to update to OpenSSH 9.2 or later.

How do I find vulnerable OpenSSH services with runZero?

To locate OpenSSH servers running the vulnerable 9.1/9.1p1 version in your network, use the following prebuilt query in your Service Inventory:

_asset.protocol:ssh AND protocol:ssh AND (_service.product:="OpenBSD:OpenSSH:9.1" OR _service.product:="OpenBSD:OpenSSH:9.1p1")
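
The same exact-version match can be applied to raw SSH identification strings collected by any inventory tool. The following is an added example, not runZero's code: the function names, status labels, and sample banners are constructed for illustration.

```python
import re

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# OpenSSH software version, e.g. OpenSSH_9.1 or OpenSSH_9.1p1. The trailing
# lookahead keeps "9.1" from matching inside a longer dotted version.
OPENSSH_RE = re.compile(
    r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?(?![\d.])"
)

# Per the article: 9.1 / 9.1p1 is affected, 9.2 carries the fix.
AFFECTED_RELEASES = {(9, 1)}


def classify_banner(banner):
    """Classify one SSH banner line by the OpenSSH release it advertises."""
    ident = IDENT_RE.match(banner.rstrip("\r\n"))
    if ident is None:
        return {"status": "not-ssh", "release": None}
    ssh = OPENSSH_RE.match(ident["software"])
    if ssh is None:
        return {"status": "other-ssh", "release": None}
    release = (int(ssh["major"]), int(ssh["minor"]))
    status = "affected-release" if release in AFFECTED_RELEASES else "other-release"
    return {"status": status, "release": release}


def hosts_to_review(observations):
    """Return the hosts whose banner advertises an affected release.

    A banner is a lead, not proof: vendor packages can carry backported
    fixes without changing the advertised version, so confirm against the
    package changelog before scheduling the update.
    """
    return sorted(
        host
        for host, banner in observations
        if classify_banner(banner)["status"] == "affected-release"
    )


# Constructed sample observations (documentation address range, RFC 5737).
SAMPLE = [
    ("192.0.2.10", "SSH-2.0-OpenSSH_9.1p1 Debian-2\r\n"),
    ("192.0.2.11", "SSH-2.0-OpenSSH_9.1\r\n"),
    ("192.0.2.12", "SSH-2.0-OpenSSH_9.2p1\r\n"),
    ("192.0.2.13", "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("192.0.2.14", "SSH-2.0-dropbear_2022.83\r\n"),
    ("192.0.2.15", "HTTP/1.1 400 Bad Request\r\n"),
]

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE):
        print(host, "advertises OpenSSH 9.1, schedule update to 9.2 or later")
```
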

To locate all OpenSSH servers in your network, use the following prebuilt query in your Asset Inventory:

product:"OpenSSH"

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Get to full asset inventory by combining active scanning with API integrations – Part 6

Imagine: there’s a new security threat. How do you find out if your organization is affected? You might research the CVE to gauge the severity and impact of the vulnerability. You might perform a vuln scan — if there’s a vuln check available. At some point, you’ll eventually end up with a list of devices that you need to update.

What are your next steps?

The cost of not tracking asset ownership

In an ideal world, your asset inventory would be the first place you would look for information. However, the reality is: most organizations have their asset inventory data distributed across multiple solutions and maintained by different teams. So instead of being able to focus on mitigating issues, your security team spends an inordinate amount of time doing detective work. And for security practitioners, time is of the essence.

Asset inventory is the first step to getting context around a device: the hardware, OS, software, etc. But what about who owns it? More and more, knowing who is responsible for an asset is as important as knowing what an asset is. Without clear asset ownership tracking, you waste a lot of time going from team to team, person to person, trying to find out who is responsible for an asset.

Let’s take a look at three reasons why a lack of asset ownership can adversely impact your business.

Reason #1: Forgotten assets can be costly

One of the biggest obstacles to tracking asset ownership is humans. Humans are dynamic, often upgrading to new equipment, changing roles, or even leaving organizations entirely. As a result, assets are often left abandoned, unmanaged, and unowned. Documenting asset ownership manually, like in a spreadsheet, means that the data becomes outdated very quickly. Effective asset ownership tracking requires regular updates and attention. Without a major investment of time and resources to maintain asset ownership tracking, stale data will continue to plague your organization. For example, consider infrastructure that no longer has an owner, but is still racking up recurring expenses. These forgotten assets can be costly over time.

Reason #2: Lack of asset ownership can lead to service outages

Your business relies on having systems that are working efficiently. Systems need to be updated, upgraded, and maintained regularly to ensure that everything runs smoothly and outages do not occur. However, what would happen if a specific system needed a configuration update to continue to operate? How would you know who to go to?

Oftentimes, it’s a goose chase. You start with one person (or team) and hope they can point you in the right direction. While you’re chasing down the appropriate person to help you, access to the systems you need may be shuttered or months may have passed by. These consequences can be detrimental to business – especially if these systems directly impact revenue.

Reason #3: Wasted time slows down remediation

9 years ago: Shellshock.

5 years ago: Apache Struts.

1 year ago: Log4Shell.

Nearly a decade has come and gone between these major vulnerabilities, and yet, building comprehensive asset inventory and tracking asset ownership continues to be a challenge. One of the biggest challenges faced by security teams is that they often need to rely on asset owners to take action to update and secure their devices. However, tracking down the right asset owner can be a bit of a journey through a myriad of data sources – from CMDBs to VMs to EDRs to device logs to spreadsheets. The amount of time that security teams spend hunting for information is a hindrance to fast response and remediation times.

Tracking asset ownership with runZero

runZero 3.5 introduces the ability to track asset owners in your inventory. Asset owners can be anyone in your organization who can help you remediate issues. For most organizations, assets will likely have multiple owners, such as an individual, team, and business unit. For example, a laptop might have an assigned device user, business owner, IT owner, and security owner. Each of these assignments will help you zero in on the right person who can take action on the device, based on the situation. Let’s take a look at how runZero can help you track different types of owners within your organization.

What are ownership types?

In runZero, ownership types help you classify and assign ownership to assets. There is a default ownership type, called Asset Owner, which automatically pulls owner data from integrations you have configured. Otherwise, you can add up to nine custom ownership types based on what your organization needs. For example, you might want to have ownership types for the security owner, IT owner, and business owner.

When you create an ownership type, you will need to specify the following:

  • Name – The name of the asset ownership type, such as IT owner.
  • Reference – You can set the reference to user, group, or none. If set, you will be able to easily search within the user or group inventories for owners that match the display name.
  • Visibility – You can set the visibility to hidden or visible. This setting controls the ability to view the asset owner from the asset inventory and asset details page.

After you have created your ownership types, you’re ready to start assigning owners within your asset inventory. Let’s take a look at how you can do this in runZero.

How to assign ownership to assets in runZero

There are a couple of ways to assign asset owners: manually or automatically through rules and the API. However, the most efficient way to apply ownership is through rules, which allows you to set up specific conditions and automate the assignment of asset ownership after each scan. For example, let’s say you want to assign an IT owner for all firewalls. Here’s how you can do it with rules:

  1. From the Rules page, create a rule using the asset-query-results event type. Based on this event type, the query will run against the asset inventory after a scan completes.
  2. Give the rule a descriptive name, like Automate IT ownership for firewalls.
  3. Configure the rule with the following conditions:
    • Run the following query after a scan completes: type:firewall and the number of matches is greater than 0.
    • If there is a match on the query, take the following action: modify the asset and set the ownership of the matching assets. This value for the owner can be any name. For our example, we will assign the IT owner to someone on the team named Tim.
    • Make sure the rule is enabled. If it is not, it will not run.
  4. Save the rule.

Each time a scan completes, this rule will check for matching conditions and perform the configured actions.

Viewing ownership data for an asset

Now that you’ve set up ownership types and automated ownership assignment, let’s take a look at how you can view this data in runZero. You can view ownership information from two areas of the console: the asset inventory and the asset details page.

There’s a new column in the asset inventory called Owners, which will list the owners for the asset. If there are multiple owners, there will be a plus (+) sign to indicate that there are more for you to view. The owner name that gets displayed in the inventory table depends on the order you have them ranked on the ownership types page. The highest ranked ownership type will take precedence. In our example, we have our IT owner ranked first, so we will see our IT owners displayed in the inventory table. Other owners will be viewable by hovering over the plus (+) sign. From the asset inventory page, you can select some assets then use the Manage asset ownership button to manually update the owner for those devices.


From the asset details page, there is a new ownership section that lists all the visible owners assigned to that asset. If the ownership type has a reference set (to user or group), you’ll be able to click on the magnifying glass next to the owner name to search within those inventories for matching results. From the asset details page, you can go to Manage > Asset ownership to manually update the owner for that specific device.


Searching the inventory for assets based on owners

Now that you have asset ownership data in your inventory, you can search for assets that match specific ownership criteria. To enable searching based on ownership attributes, the following new keyword terms have been added:

  • owner – Filter by asset owner name, such as Tim.
  • has_owner – Filter assets by whether or not they have an owner. Use t or f as your input.
  • owner_count – Use a comparison operator (>, >=, <, <=, =) to filter assets by count.
  • ownership_type – Filter by ownership type, such as IT owner.

Here are a few useful queries (based on some common use cases):

  • has_owner:f – Searches for assets that don’t have an owner assigned.
  • ownership_type:"IT owner" – Searches for assets by ownership type.
  • owner_count:>1 – Searches for assets that have more than one owner.

For example, if you need to gauge the number of unowned (and likely unmanaged) assets in your inventory, the query has_owner:f would help identify assets that don’t have an owner. Inversely, you can use has_owner:t to see all the ones that do have an owner. Between these two results, you can discern how well you’ve got your asset ownership data covered. To see how well your organization is tracking asset owners, you can also check out the asset ownership goal from the dashboard.


Zero in on unowned assets on your network

Imagine: there’s a new security threat. Thankfully, you have an asset inventory that includes asset ownership data. With a solid program and solution in place to track asset owners, you’ve eliminated unnecessary time spent chasing down people. You can focus on remediation.

If you’re a runZero Enterprise customer, you can check out the ownership capabilities by going to the new Ownership page in your console. You’ll notice a new menu item for it under Global Settings. Otherwise, if you’re new to runZero, sign up for a free trial to test out this new feature for 21 days.


Finding VMware ESXi assets

Popular hypervisor ESXi has been in the news recently due to fresh targeting by a new strain of ransomware. Known as ESXiArgs, this ransomware exploits a 2-year-old heap overflow issue in the OpenSLP service that can be used to gain remote code execution on exploitable targets (CVE-2021-21974). Many vulnerable public-facing ESXi servers have already been affected by this malware (currently over 1,900 via Censys search results).

What is the impact?

Targets of this new ransomware campaign are older ESXi servers that run certain versions of the 6.5, 6.7, or 7 releases and also have the OpenSLP service enabled (it has not been enabled by default in ESXi releases since 2021). Upon successful exploitation of CVE-2021-21974, the ESXiArgs ransomware will encrypt a number of file types on the target system, including VM-related files with extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. Ransom notes are saved as HTML files on compromised systems for admins and users to subsequently discover. While some of these ransom notes claim to have stolen data from vulnerable targets, no data exfiltration has been observed at this time.

Are updates available?

VMware made patches available when the OpenSLP heap-overflow vulnerability was initially reported in 2021. The following ESXi releases have been patched against this attack vector currently being exploited by the ESXiArgs campaign:

  • ESXi version 7+ (ESXi70U1c-17325551 and later)
  • ESXi version 6.7+ (ESXi670-202102401-SG and later)
  • ESXi version 6.5+ (ESXi650-202102101-SG and later)

VMware also offers patched releases for Cloud Foundation (ESXi), which includes an ESXi component:

  • Cloud Foundation (ESXi) version 4.2+
  • Patching instructions for Cloud Foundation (ESXi) version 3.x can be found here

Patching (and also ensuring that your ESXi servers are running a supported, not end-of-life/end-of-support version) is the best course of action. If patching is not a near-term option, VMware has a recommended mitigation via disabling the OpenSLP service.

How do I find potentially vulnerable VMware ESXi assets with runZero?

From the Asset Inventory, use the following pre-built query to locate ESXi assets which may need remediation:

os.product:"ESX" and (os.version:="1.%" or os.version:="2.%" or os.version:="3.%" or os.version:="4.%" or os.version:="5.%" or os.version:="6.0%" or os.version:="6.5.0 build-4564106" or os.version:="6.5.0 build-4887370" or os.version:="6.5.0 build-5146843" or os.version:="6.5.0 build-5146846" or os.version:="6.5.0 build-5224529" or os.version:="6.5.0 build-5310538" or os.version:="6.5.0 build-5969300" or os.version:="6.5.0 build-5969303" or os.version:="6.5.0 build-6765664" or os.version:="6.5.0 build-7273056" or os.version:="6.5.0 build-7388607" or os.version:="6.5.0 build-7967591" or os.version:="6.5.0 build-8285314" or os.version:="6.5.0 build-8294253" or os.version:="6.5.0 build-8935087" or os.version:="6.5.0 build-9298722" or os.version:="6.5.0 build-10175896" or os.version:="6.5.0 build-10390116" or os.version:="6.5.0 build-10719125" or os.version:="6.5.0 build-10868328" or os.version:="6.5.0 build-10884925" or os.version:="6.5.0 build-11925212" or os.version:="6.5.0 build-13004031" or os.version:="6.5.0 build-13635690" or os.version:="6.5.0 build-13873656" or os.version:="6.5.0 build-13932383" or os.version:="6.5.0 build-14320405" or os.version:="6.5.0 build-14874964" or os.version:="6.5.0 build-14990892" or os.version:="6.5.0 build-15256468" or os.version:="6.5.0 build-15177306" or os.version:="6.5.0 build-15256549" or os.version:="6.5.0 build-16207673" or os.version:="6.5.0 build-16389870" or os.version:="6.5.0 build-16576879" or os.version:="6.5.0 build-16576891" or os.version:="6.5.0 build-16901156" or os.version:="6.5.0 build-17097218" or os.version:="6.5.0 build-17167537" or os.version:="6.7.0 build-8169922" or os.version:="6.7.0 build-8941472" or os.version:="6.7.0 build-9214924" or os.version:="6.7.0 build-9484548" or os.version:="6.7.0 build-10176752" or os.version:="6.7.0 build-10176879" or os.version:="6.7.0 build-10302608" or os.version:="6.7.0 build-10764712" or os.version:="6.7.0 build-11675023" or os.version:="6.7.0 build-13004448" or 
os.version:="6.7.0 build-12986307" or os.version:="6.7.0 build-13006603" or os.version:="6.7.0 build-13473784" or os.version:="6.7.0 build-13644319" or os.version:="6.7.0 build-13981272" or os.version:="6.7.0 build-14141615" or os.version:="6.7.0 build-14320388" or os.version:="6.7.0 build-15018017" or os.version:="6.7.0 build-15160134" or os.version:="6.7.0 build-15160138" or os.version:="6.7.0 build-15999342" or os.version:="6.7.0 build-15820472" or os.version:="6.7.0 build-16075168" or os.version:="6.7.0 build-16316930" or os.version:="6.7.0 build-16701467" or os.version:="6.7.0 build-16713306" or os.version:="6.7.0 build-16773714" or os.version:="6.7.0 build-17167699" or os.version:="6.7.0 build-17098360" or os.version:="6.7.0 build-17167734" or os.version:="7.0.0%" or os.version:="7.0.1 build-16850804" or os.version:="7.0.1 build-17119627" or os.version:="7.0.1 build-17168206" or os.version:="7.0.1 build-17325020")

Each ESXi asset returned in the query results should be checked to see whether the OpenSLP service is enabled. If OpenSLP is enabled, then the asset is vulnerable to exploitation.


As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.


Yes we scan: How to actively scan industrial control systems safely

Many OT engineers still believe that active scanning is not safe in OT environments. However, their assumptions don’t have a legitimate basis. 

Yes, regular network and vulnerability scanners can cause devices to act erratically. Printers start spewing out pages. Embedded systems freeze up or reboot. But it doesn’t have to be this way. If you observe a few key aspects and use a purpose-built scanner, actively detecting ICS and IoT equipment is entirely safe. runZero has proven that active scanning is safe, and it’s evident across numerous industries.

Digging into issues with legacy scanners

To better understand the challenges of active scanning, we analyzed why legacy vulnerability and network scanners destabilize systems. We found four different root causes:

  • Malformed IP traffic
  • Security probes
  • Heavy scan traffic per device
  • Snowflake devices

Let’s dig into each issue.

Malformed IP traffic

Legacy scanners often send intentionally malformed IP traffic to identify different flavors of operating systems. A robust TCP/IP stack on a Windows or Linux system will process the malformed traffic and respond in a specific manner that helps the scanner identify the flavor of the operating system.

Embedded systems often use legacy or custom TCP/IP stacks. When scanned with malformed IP traffic, these devices can freeze up or reboot because the unexpected traffic causes errors that are handled incorrectly by the stack.

Security probes

Vulnerability scanners send security probes, such as SQL injection exploits, to detect vulnerabilities in target systems. Embedded systems are often written without enough error handling built in, so the problem is similar as with malformed IP traffic: receiving unexpected network traffic can cause the devices to react erratically.

Heavy scan traffic per device

Legacy vulnerability and network scanners scan a large number of ports and can send several probes per port. This traffic is all sent to the end node in rapid succession. When all ports and probes are completed, the scanner moves on to the next host.

Enterprise IT hardware and mainstream operating systems can handle a lot of network traffic at once. OT equipment often doesn’t have a lot of processing power. Heavy scan traffic can overload the device, causing it to slow down or freeze up. In many industrial control applications, response times are critical. Even a slow down can have adverse effects on the overall environment.

Snowflake devices

When scanners avoid malformed IP traffic, security probes, and heavy scan traffic, most of the issues on OT networks can be resolved. However, there are a handful of particularly flakey devices that become unstable with even the most regular scan traffic. Serial-ethernet connectors, also known as print servers, tend to be among the worst “snowflake” devices.

Passive monitoring is expensive and lacks accuracy

By sticking with passive monitoring solutions instead of active scanning, OT engineers invite these issues into their projects:

  • Longer deployment cycles – Connecting to SPAN ports or TAP appliances is more complex than deploying a software scanner in the environment.
  • Higher cost – Requires lots of disk space and processing power, usually in the form of costly hardware appliances.
  • Missing assets – You can’t inventory assets that are not communicating.
  • Missing detail – Missing ports that are not communicating.
  • Low accuracy – Spotty accuracy because passive monitoring is limited to analyzing existing traffic.
  • Not future proof – The increasing amount of encrypted traffic makes passive monitoring solutions less viable over time.

Let’s take a look at the flip side and run through the key gains of leveraging an active scanning approach.

How to safely scan ICS environments

While legacy scanners cannot be used safely on OT assets, modern purpose-built scanners can safely scan ICS environments by following a few basic rules:

  • Use only standard-conforming IP traffic – All traffic sent from the scanner must be completely RFC compliant.
  • No security probes – Very easy. Just don’t use them.
  • Throttle traffic per host – Limit the number of packets sent to each node. A good starting point is 40 packets per second. The best scanners keep overall scan times short by sending all traffic round-robin on the network when the threshold is reached.
  • Probe for snowflakes – Detect snowflake devices before running a full port scan and adapt the scan for the particular model.

Now, let’s take a look at how these rules have been applied across different industries and what organizations have been able to uncover as a result.

Active scanning is a proven methodology across industries

Doing research in a lab is one thing, but proving a methodology in the field is another. This approach has been tested and deployed in production environments across many industries, including:

  • Building automation
  • Consumer and B2B electronics manufacturing
  • Biomedical device manufacturing
  • Telecommunications
  • Broadcasting
  • Universities (e.g., research instrumentation)
  • Data center technology
  • Transportation (e.g., train signals)
  • City and state infrastructure (e.g., street signs, surveillance cameras)
  • National labs
  • Apparel manufacturing
  • Car manufacturing
  • Aerospace manufacturing
  • Building material manufacturing
  • Retail stores (e.g., POS systems, HVAC)
  • Cattle and fish farms
  • Utilities
  • Saw mills
  • Hospitals
  • ICS equipment manufacturers

Some examples of equipment found in these environments include the following device types:

  • PLCs
  • Industrial control systems
  • Serial-Ethernet converters
  • HMI/HMI controllers/HDI
  • BACNET devices
  • Device servers
  • Surveillance cameras
  • Terminal servers
  • Access control systems
  • Intercoms
  • KVMs
  • Rugged WAP

Get started with active scanning of industrial control systems

You wouldn’t deploy a new piece of software across all of your devices without testing it first. The same is true for active scanning in ICS environments. As you’re considering rolling out active scanning technology, here are some tips to get you started:

  1. Pick a purpose-built modern scanner – It’s unlikely that you will be successful with legacy network or vulnerability scanners as they send unsafe traffic. Pick a modern, purpose-built solution, such as runZero.
  2. Start small and slow – If you have a small handful of devices in a lab, start there. Otherwise, pick a handful of devices to scan during a maintenance window and check their operational status afterwards. If you know you have snowflake devices, include them in your first scan. If it doesn’t work for them, it won’t work for the full network. Start with a very low network scan frequency, such as 1,000 packets per second from the scanner and 20 packets per second per host.
  3. Try a bigger segment – Once you are comfortable with a handful of devices, scan a larger network segment during a maintenance window.
  4. Plan your deployment – Deploy one scanner per network segment. Don’t scan through any network devices that filter traffic, otherwise the accuracy of your results will be impacted. Don’t scan through stateful devices because each IP/port connection will create another session and you may overload the device. Deploy the scanners on appropriate hardware or virtual machines. For a large network segment, you may want a dedicated host. For a medium-sized network, you can use an existing host. For small environments, you can even use a Raspberry Pi.
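
To make the "throttle traffic per host" rule and the "start small and slow" rates concrete, the following added example (not runZero's implementation) computes send times for a round-robin probe plan and compares the per-host load with the host-by-host order legacy scanners use. It only builds a schedule and sends no packets; the function names and host labels are hypothetical, and the defaults are the 20 packets per second per host and 1,000 packets per second overall suggested above.

```python
from collections import deque

WINDOW_US = 1_000_000  # one second, in microseconds


def gap_us(pps):
    """Smallest whole-microsecond spacing that keeps a rate at or below pps."""
    return -(-WINDOW_US // pps)  # ceiling division


def round_robin_plan(hosts, ports, per_host_pps=20, total_pps=1000):
    """Plan (send_time_us, host, port) tuples, visiting hosts in rotation.

    Hosts are assumed unique. The queue is ordered by last send time, so the
    host at the head is always the one that has rested longest.
    """
    if not ports:
        return []
    host_gap, wire_gap = gap_us(per_host_pps), gap_us(total_pps)
    queue = deque((host, deque(ports)) for host in hosts)
    ready_at = {host: 0 for host in hosts}
    now, plan = 0, []
    while queue:
        host, pending = queue.popleft()
        now = max(now, ready_at[host])   # wait only if this host is still resting
        plan.append((now, host, pending.popleft()))
        ready_at[host] = now + host_gap  # per-host throttle
        now += wire_gap                  # overall scanner throttle
        if pending:
            queue.append((host, pending))
    return plan


def sequential_plan(hosts, ports, total_pps=1000):
    """Legacy order: every port on one host, then move to the next host."""
    wire_gap = gap_us(total_pps)
    plan = []
    for host in hosts:
        for port in ports:
            plan.append((len(plan) * wire_gap, host, port))
    return plan


def peak_pps(plan, host=None):
    """Most probes inside any one-second window, for one host or overall."""
    times = sorted(t for t, h, _ in plan if host is None or h == host)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while times[start] <= t - WINDOW_US:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


if __name__ == "__main__":
    hosts = ["plc-1", "plc-2", "hmi-1"]  # constructed lab segment
    ports = list(range(1, 101))          # 100 ports per host
    for name, plan in (("sequential", sequential_plan(hosts, ports)),
                       ("round-robin", round_robin_plan(hosts, ports))):
        print(name, "peak pps seen by plc-1:", peak_pps(plan, "plc-1"),
              "finished at", plan[-1][0] / WINDOW_US, "s")
```

On a three-host segment the per-host limit dominates and the scan takes longer than the sequential order; as the segment grows, the rotation fills the wait time with probes to other hosts until the overall limit becomes the bound.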

Hopefully, these tips will help you eradicate outdated and inaccurate perceptions against active scanning. Utilize these recommended best practices and you’ll be able to safely detect ICS and IoT devices via active scanning. runZero continues to prove this over and over again across multiple industries.


Finding Lexmark printer assets

Printer manufacturer Lexmark recently published details on a vulnerability that affects over 100 of their printer models. Discovered by researcher Peter Geissler, this vulnerability can be leveraged to achieve unauthenticated remote code execution for an attacker. Firmware across devices in Lexmark’s small/medium business product line and also their enterprise product line have been found to contain this vulnerability.

What is the impact?

Lexmark assigned a CVSS score of 9.0 (“critical” severity rating) to this vulnerability (tracked as CVE-2023-23560), which allows server-side request forgery (SSRF) via the Web Services feature listening on port 65002 of affected printers. A successful attacker can exploit this vuln in a chain to gain code execution as root on vulnerable devices. Lexmark’s advisory states that, as of last week, they are not aware of anyone currently exploiting this vulnerability, but proof-of-concept exploit code is publicly available.

Are updates available? 

All firmware versions (release numbers 081.233 and prior) for affected printer models contain this vulnerability (CVE-2023-23560). Lexmark has made firmware updates available for each affected device, via release numbers 081.234 and later (see Lexmark’s advisory for specific release version details per affected printer).

If updating firmware isn’t a near-term option for admins/owners of affected printers, Lexmark does offer a straightforward mitigation:

Disabling the Web-Services service on the printer (TCP port 65002) blocks the ability to exploit this vulnerability. The port can be blocked by following process: “Settings” -> “Network/Ports” -> “TCP/IP” -> “TCP/IP Port Access” then uncheck “TCP 65002 (WSD Print Service)” and save.

How do I find potentially vulnerable Lexmark printer assets with runZero?

Please note that the following query relies on you having already performed a scan with our latest Explorer/scanner release (v3.4.22), which now includes the scanning of port 65002. Alternatively, you can perform a new scan using an older Explorer/scanner; just add port 65002 to the Included TCP ports list under the Advanced tab of your task settings prior to running the scan.

From the Asset Inventory, use the following pre-built query to locate Lexmark printer assets which may need remediation:

type:printer AND vendor:Lexmark AND tcp_port:65002

Query results can then be checked against Lexmark’s list of vulnerable models and firmware versions.
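
The check described above can be scripted once inventory results are exported. The following is an added example, not runZero or Lexmark code: it sorts printers by the release thresholds given above (081.233 and prior vulnerable, 081.234 and later fixed) and by whether TCP 65002 was seen open. The CSV columns, addresses, model names and firmware prefixes are constructed for illustration, and the assumption that a firmware string ends in an NNN.NNN release number should be confirmed against Lexmark’s advisory for each model.

```python
import csv
import io
import re

# Thresholds stated on the page: release numbers 081.233 and prior are
# vulnerable, 081.234 and later carry the fix for CVE-2023-23560.
FIXED_RELEASE = (81, 234)
WSD_PORT = 65002  # Web Services port named in Lexmark's mitigation

# Assumption: the firmware string ends in an "NNN.NNN" release number,
# optionally preceded by a dot-separated prefix (e.g. "AAAAA.081.233").
RELEASE_RE = re.compile(r"(?:^|\.)(\d{3})\.(\d{3})$")

# Constructed sample export. Column names are hypothetical, not runZero's
# export schema; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE_EXPORT = """\
address,model,firmware,open_tcp_ports
192.0.2.21,Lexmark sample model A,AAAAA.081.233,80;443;9100;65002
192.0.2.22,Lexmark sample model B,BBBBB.081.234,80;443;65002
192.0.2.23,Lexmark sample model C,CCCCC.081.230,80;443;9100
192.0.2.24,Lexmark sample model D,,65002
192.0.2.25,Lexmark sample model E,EEEEE.076.301,443;65002
"""


def parse_release(firmware):
    """Return (major, minor) from a firmware string, or None if not found."""
    match = RELEASE_RE.search(firmware.strip())
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(firmware, open_ports):
    """Classify one printer from its firmware string and set of open ports."""
    release = parse_release(firmware)
    if release is None:
        # No usable release number: the device has to be checked by hand.
        return "unknown-firmware"
    if release >= FIXED_RELEASE:
        return "patched"
    if WSD_PORT in open_ports:
        # Old firmware and the Web Services port is reachable.
        return "vulnerable-exposed"
    # Old firmware, port not seen open: mitigated at best, not fixed.
    return "vulnerable-port-closed"


def triage(export_text):
    """Group printer addresses from a CSV export by remediation status."""
    buckets = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        ports = {int(p) for p in row["open_tcp_ports"].split(";") if p.strip()}
        status = classify(row["firmware"], ports)
        buckets.setdefault(status, []).append(row["address"])
    return buckets


if __name__ == "__main__":
    for status, addresses in sorted(triage(SAMPLE_EXPORT).items()):
        print(f"{status}: {', '.join(addresses)}")
```

A printer in the vulnerable-port-closed group has only the mitigation applied (or the port was filtered during the scan) and still needs the firmware update.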

As always, any prebuilt queries are available from our Queries Library. Check out the library for other useful inventory queries.


How to track asset ownership with runZero

Imagine: there’s a new security threat. How do you find out if your organization is affected? You might research the CVE to gauge the severity and impact of the vulnerability. You might perform a vuln scan — if there’s a vuln check available. At some point, you’ll eventually end up with a list of devices that you need to update.

What are your next steps?

The cost of not tracking asset ownership

In an ideal world, your asset inventory would be the first place you would look for information. However, the reality is: most organizations have their asset inventory data distributed across multiple solutions and maintained by different teams. So instead of being able to focus on mitigating issues, your security team spends an inordinate amount of time doing detective work. And for security practitioners, time is of the essence.

Asset inventory is the first step to getting context around a device: the hardware, OS, software, etc. But what about who owns it? More and more, knowing who is responsible for an asset is as important as knowing what an asset is. Without clear asset ownership tracking, you waste a lot of time going from team to team, person to person, trying to find out who is responsible for an asset.

Let’s take a look at three reasons why a lack of asset ownership can adversely impact your business.

Reason #1: Forgotten assets can be costly

One of the biggest obstacles to tracking asset ownership is humans. Humans are dynamic, often upgrading to new equipment, changing roles, or even leaving organizations entirely. As a result, assets are often left abandoned, unmanaged, and unowned. Documenting asset ownership manually, like in a spreadsheet, means that the data becomes outdated very quickly. Effective asset ownership tracking requires regular updates and attention. Without a major investment of time and resources to maintain asset ownership tracking, stale data will continue to plague your organization. For example, consider infrastructure that no longer has an owner, but is still racking up recurring expenses. These forgotten assets can be costly over time.

Reason #2: Lack of asset ownership can lead to service outages

Your business relies on having systems that are working efficiently. Systems need to be updated, upgraded, and maintained regularly to ensure that everything runs smoothly and outages do not occur. However, what would happen if a specific system needed a configuration update to continue to operate? How would you know who to go to?

Oftentimes, it’s a goose chase. You start with one person (or team) and hope they can point you in the right direction. While you’re chasing down the appropriate person to help you, access to the systems you need may be shuttered or months may have passed by. These consequences can be detrimental to business – especially if these systems directly impact revenue.

Reason #3: Wasted time slows down remediation

9 years ago: Shellshock.

5 years ago: Apache Struts.

1 year ago: Log4Shell.

Nearly a decade has come and gone between these major vulnerabilities, and yet, building comprehensive asset inventory and tracking asset ownership continues to be a challenge. One of the biggest challenges faced by security teams is that they often need to rely on asset owners to take action to update and secure their devices. However, tracking down the right asset owner can be a bit of a journey through a myriad of data sources – from CMDBs to VMs to EDRs to device logs to spreadsheets. The amount of time that security teams spend hunting for information is a hindrance to fast response and remediation times.

Tracking asset ownership with runZero

runZero 3.5 introduces the ability to track asset owners in your inventory. Asset owners can be anyone in your organization who can help you remediate issues. For most organizations, assets will likely have multiple owners, such as an individual, team, and business unit. For example, a laptop might have an assigned device user, business owner, IT owner, and security owner. Each of these assignments will help you zero in on the right person who can take action on the device, based on the situation. Let’s take a look at how runZero can help you track different types of owners within your organization.

What are ownership types?

In runZero, ownership types help you classify and assign ownership to assets. There is a default ownership type, called Asset Owner, which automatically pulls owner data from integrations you have configured. Otherwise, you can add up to nine custom ownership types based on what your organization needs. For example, you might want to have ownership types for the security owner, IT owner, and business owner.

When you create an ownership type, you will need to specify the following:

  • Name – The name of the asset ownership type, such as IT owner.
  • Reference – You can set the reference to user, group, or none. If set, you will be able to easily search within the user or group inventories for owners that match the display name.
  • Visibility – You can set the visibility to hidden or visible. This setting controls the ability to view the asset owner from the asset inventory and asset details page.

After you have created your ownership types, you’re ready to start assigning owners within your asset inventory. Let’s take a look at how you can do this in runZero.

How to assign ownership to assets in runZero

There are a couple of ways to assign asset owners: manually or automatically through rules and the API. However, the most efficient way to apply ownership is through rules, which allows you to set up specific conditions and automate the assignment of asset ownership after each scan. For example, let’s say you want to assign an IT owner for all firewalls. Here’s how you can do it with rules:

  1. From the Rules page, create a rule using the asset-query-results event type. Based on this event type, the query will run against the asset inventory after a scan completes.
  2. Give the rule a descriptive name, like Automate IT ownership for firewalls.
  3. Configure the rule with the following conditions:
    • Run the following query after a scan completes: type:firewall and the number of matches is greater than 0.
    • If there is a match on the query, take the following action: modify the asset and set the ownership of the matching assets. This value for the owner can be any name. For our example, we will assign the IT owner to someone on the team named Tim.
    • Make sure the rule is enabled. If it is not, it will not run.
  4. Save the rule.

Each time a scan completes, this rule will check for matching conditions and perform the configured actions.

Viewing ownership data for an asset

Now that you’ve set up ownership types and automated ownership assignment, let’s take a look at how you can view this data in runZero. You can view ownership information from two areas of the console: the asset inventory and the asset details page.

There’s a new column in the asset inventory called Owners, which will list the owners for the asset. If there are multiple owners, there will be a plus (+) sign to indicate that there are more for you to view. The owner name that gets displayed in the inventory table depends on the order you have them ranked on the ownership types page. The highest ranked ownership type will take precedence. In our example, we have our IT owner ranked first, so we will see our IT owners displayed in the inventory table. Other owners will be viewable by hovering over the plus (+) sign. From the asset inventory page, you can select some assets then use the Manage asset ownership button to manually update the owner for those devices.


From the asset details page, there is a new ownership section that lists all the visible owners assigned to that asset. If the ownership type has a reference set (to user or group), you’ll be able to click on the magnifying glass next to the owner name to search within those inventories for matching results. From the asset details page, you can go to Manage > Asset ownership to manually update the owner for that specific device.


Searching the inventory for assets based on owners

Now that you have asset ownership data in your inventory, you can search for assets that match specific ownership criteria. To enable searching based on ownership attributes, the following new keyword terms have been added:

  • owner – Filter by asset owner name, such as Tim.
  • has_owner – Filter assets by whether or not they have an owner. Use t or f as your input.
  • owner_count – Use a comparison operator (>, >=, <, <=, =) to filter assets by count.
  • ownership_type – Filter by ownership type, such as IT owner.

Here are a few useful queries (based on some common use cases):

  • has_owner:f – Searches for assets that don’t have an owner assigned.
  • ownership_type:"IT owner" – Searches for assets by ownership type.
  • owner_count:>1 – Searches for assets that have more than one owner.

For example, if you need to gauge the number of unowned (and likely unmanaged) assets in your inventory, the query has_owner:f would help identify assets that don’t have an owner. Inversely, you can use has_owner:t to see all the ones that do have an owner. Between these two results, you can discern how well you’ve got your asset ownership data covered. To see how well your organization is tracking asset owners, you can also check out the asset ownership goal from the dashboard.


Zero in on unowned assets on your network

Imagine: there’s a new security threat. Thankfully, you have an asset inventory that includes asset ownership data. With a solid program and solution in place to track asset owners, you’ve eliminated unnecessary time spent chasing down people. You can focus on remediation.

If you’re a runZero Enterprise customer, you can check out the ownership capabilities by going to the new Ownership page in your console. You’ll notice a new menu item for it under Global Settings. Otherwise, if you’re new to runZero, sign up for a free trial to test out this new feature for 21 days.


Why an integrations-only approach isn’t enough for full asset inventory – Part 5

The deadline for CISA BOD 23-01 compliance is coming up on April 3, 2023. In less than two months, federal civilian executive branch (FCEB) departments and agencies must have implemented solutions to fully meet the requirements outlined in the directive, including the ability to automate asset discovery every 7 days and initiate on-demand discovery within 72 hours of receiving a request from CISA.

One of the key takeaways from the directive is the importance of identifying unmanaged assets on the network because of the risks they introduce. A fully comprehensive asset inventory is the only way to fully address the directive.

When CISA first issued this directive, we’d hear agencies say, “We already have an asset inventory through our CAASM. We’re in good shape!” While Cyber Asset Attack Surface Management (CAASM) solutions can definitely help with building asset inventory and reducing cyber risk, they may not be enough to meet the requirements in the directive–especially if they are leveraging an API-only approach.

Challenges with API integrations-only approach

Most CAASMs leverage an API-only (or a very API-dominant) approach to bring asset data from hundreds (or even thousands) of security and management tools into the solution. Theoretically, with a shared data set, security and IT teams can focus on improving their cyber asset hygiene and security posture, and not spending time tracking down information. However, the truth is: the information in the CAASM is often incomplete, and data quality may be unreliable.

Let’s dig into some of the key challenges of relying on CAASMs that only offer an API-based approach and what you can do instead.

Challenge #1: Finding unmanaged assets

Over and over again, we hear security teams say, “We can’t protect or manage what we don’t know.” Exacerbated by common issues like shadow IT, rogue access, and oversight, unmanaged devices continue to fly under the radar, creating potential entry points for attackers. Unmanaged devices are usually the first foothold for attackers because they tend to miss security controls and don’t have an owner maintaining them.

Many CAASM vendors claim that unmanaged devices can be solved by leveraging integrations with existing tooling. This approach ignores the fact that security teams have tried to use data from vulnerability scanners and EDR agents for asset inventory without success. These approaches cannot find unmanaged assets because they typically require credentials to scan or deploy, which are not available for rogue, IoT, and OT devices. As a result, these teams will continue to miss unmanaged devices if they rely on their vuln scanners or EDR agents for asset inventory.

Ultimately, the completeness and accuracy of the data in a CAASM will depend on the quality of the sources you use. While an integration-based approach is a good way to discover managed assets, it’s not the most effective one for unmanaged ones. The best way to discover unmanaged assets is through unauthenticated scanning.

Challenge #2: Getting accurate data

Most CAASMs build asset inventories from API imports with third-party solutions, like vuln scanners and EDRs; they don’t discover assets independently. Instead, they rely on their security and IT stack for asset inventory, so the data is only as good as the source itself. You can generally get a lot of depth about managed devices through integrations, but the quality may be inconsistent and/or inaccurate. Many solutions, like your vuln scanner and EDRs, are not purpose-built for asset inventory, so fingerprinting falls below expectations. Instead, you may get some basic information about the device, like the IP address, MAC address, and vendor, which isn’t significantly helpful for asset inventory. And on top of that, you’re completely in the dark about unmanaged devices.

According to Gartner, data quality affects labor productivity by about 20%. The lack of access to high-quality, accurate data impacts the ability for security teams to make decisions quickly, especially in the face of critical events. To deliver on its full promise, CAASMs need to complement these data sources with active discovery to accurately fingerprint assets.

Complement your integrations-based approach with active scanning for full asset inventory

CAASMs can help with comprehensive asset inventory–if complemented with unauthenticated active discovery. This approach ensures that you’re able to cover all your bases for the CISA BOD 23-01 directive. With a scanner that leverages a security-research based approach to accurately fingerprint devices with high-fidelity, you can feel confident that you have a comprehensive asset inventory of managed and unmanaged assets.

By combining active scanning with an integrations-based approach, managed assets get the benefit of being enriched with additional attributes, while unmanaged assets are identified and fingerprinted.


Why we chose to be a fully remote company (and how we make it work)

At runZero, a physical office isn’t what unites us–it’s our mission that brings us together.

We are proud of the fact we are a 100% remote team, distributed across 10 states. From software engineers to product developers, we aim to help organizations keep their networks secure–all from the comfort of our own homes.

People often ask me why we chose to be a fully remote company from the beginning. As we look to grow, I wanted to take time to elaborate on why we made this choice, the benefits to our company and employees, and how we cultivate our culture without a shared office space.

Why remote-only was the right choice

I joined runZero in late 2020, two years after our founder, HD Moore, started the company. We were in the middle of a pandemic, and our conversations quickly turned to the practicalities of running a startup remotely. Because the whole world was still working remotely due to the pandemic, opening an office just didn’t make sense at the time.

HD felt that he could run the engineering side of things remotely from Austin, TX, and he asked if I needed a sales office in Boston. With all the tools at our fingertips today, I knew I could accomplish most tasks remotely.

My perspective was that working in an office is only important for certain meetings and social interactions. It’s not required for individual, focused work (unless you have a lot of people in your apartment and need a quiet place to work, but even then, there are other options to meet that need such as coworking spaces).

All that to say: my immediate instinct was runZero could run very well remotely.

Hybrid work is the worst of both worlds

Hybrid usually means employees are in the office around 3 days a week. Employers usually allow people to have some level of freedom over the days they choose to be in the office, so they still get the flexibility from remote work. As a result, it’s difficult to get everyone at the office at the same time.

These hybrid models work in theory, but to me, they seem to bring out the worst parts of each working environment. You still feel isolated (a challenge of remote work), even though you are technically back in the office. You’re able to meet with your colleagues in-person, but never at the same time. So what’s the point?

Hybrid models are also not conducive to productive meetings. Trying to optimize an audio and video setup for in-person and remote meetings is an exercise in futility. One person is drawing on a whiteboard you can barely see, and another is struggling to hear what’s going on through the dreaded Polycom.

Meanwhile, if everyone is on a Zoom call, we can all hear and see each other simultaneously and clearly. Video-conferencing software has improved drastically over the last few years and video and audio quality is head and shoulders above typical conferencing options, which allows for efficient and productive meetings.

On a personal level, this is how I prefer to work. I don’t have to sit in a car for two hours a day to get to an office and to run between different meeting rooms at different times. I can prepare healthy meals and pop in a load of laundry in between writing up strategic reports.

Beyond that, however, there are tangible benefits to the company itself that made our decision to become 100% remote an easy one.

Remote work attracts the best talent and gives us an edge over the competition

As things slowly returned to normal in 2021, more companies began to ask employees to come back to the office. However, not all of them wanted to return.

We saw this as a competitive advantage for us. We offered a workplace that allowed for talented individuals to continue working independently, while also being part of a team that shared their values. The certainty that we were never going to ask people to come to an office was a big plus for a lot of people.

In turn, the talent pool we could choose from actually broadened. Now we could pick up people from companies that wanted employees to return when they didn’t want to. We weren’t restricted to a single city either. We could attract quality candidates nationwide and hire, onboard, and train them quickly and efficiently. That’s a cost advantage that we can reinvest in the company.

As a result, our employees have also shared feedback that they are able to maintain a better work-life balance, while also feeling connected to the company mission.

Staying Connected While Apart: How We Cultivate a Company Culture

Admittedly, a formidable challenge to not having a physical workplace is missing out on what I would call ‘water cooler chatter’: those impromptu conversations. Sometimes they were about work, other times about our personal lives. These moments are crucial to helping teams feel connected to a shared experience.

However, company culture is so much more than incidental conversations around the office. It’s about people feeling like they are truly a part of something, and that kind of culture is cultivated thoughtfully and holistically.

First and foremost, understanding our cultural values was key to helping us build a remote culture – or any company culture. Then, our focus shifted to understanding how we help connect people to those values, help people develop 1-on-1 relationships, and foster interpersonal communication that builds the fabric of the company.

Let’s talk about some practical ways we foster and maintain company culture across time zones and locations.

Practical Ways we Manage Culture (and the tools we use!)

We still see the value of in-person interactions. We choose differently.

Our approach to communication is if it involves simply transferring knowledge or information, it can be accomplished virtually (through Slack, Zoom, or recorded video).

For example, we host monthly virtual town halls, which all employees and executives attend. Town halls are an important way to keep information flowing. We are open about our standing as a company, where we are going, and what’s coming next. Transparency is an even higher priority when you operate as a 100% remote company, and that’s why it’s one of our core values.

To set the tone for our time together, we usually kick off each meeting with a soundtrack. One time, after we closed a big customer in the telecommunications space, we played Lady Gaga’s “Telephone”. We take our work seriously, but we also like to have a little fun.

Since our town halls focus mainly on sharing information, they can be virtual. Meanwhile, we reserve in-person events for culture-building activities and interactions.

For example, we had our first ever company-wide meeting in-person in October 2022 in San Diego, an event we plan to host yearly. We had two to three hours of scheduled time during the day that involved sitting in a room poring over information. The rest of each day was dedicated to team building exercises and common activities to foster lots of unstructured interactions. We also plan to meet up a second time each year for a go-to-market kickoff.

We use communication tools effectively and creatively

As you can expect, we use Slack for work-related communications, including weekly one-on-ones and asynchronous communications on important work matters.

We also use it as a way for everyone to connect. Lots of people check in with each other in the morning on the #casual-random Slack channel. We have a channel for foodies, movies, books, pets, kids, and many other channels to help employees connect who live in the same geographical area and sometimes get together in-person.

When you work remotely, almost every interaction is scheduled, and it can start to feel too structured. To help with this, we use Donut.com; it picks two random people within the company’s Slack that haven’t chatted in a while and pairs them up that month for a 30 minute one-on-one meeting. This meeting has no specific business purpose; it is simply there to mimic–to some degree–those casual water cooler conversations. This tool is a great way to make those types of conversations happen, and we have received positive feedback from employees who have built relationships this way.

Another tool we have used is called Gather.Town. You walk around a room that looks like an 8-bit game. As you wander, you can hear and see people standing near you (virtually), similar to a cocktail party. It’s a fun, gamified way to have a sort of happy hour with colleagues.

Our Head of People, Madison Smiser, has also been organizing company coffees (some virtual, some in-person where possible), show and tells, and breakout groups. We certainly don’t have it all figured out, but we are always listening to feedback and trying out new things. We know that socializing is an important part of building culture inside a company (remote or not).

Is going remote the right choice for you?

Truthfully, remote work is not for everyone, and that’s okay. Some people don’t have the physical workspace or environment to work remotely, while others work in service-based industries or manufacturing where it’s not a feasible option.

There are certainly challenges to running a remote company, but at the end of the day it can contribute positively to employee satisfaction and culture. There is something fascinating about the level of trust that binds a team together when everyone works remotely. It’s a benefit that comes from being in completely different places and, yet, still feeling connected.

If you’re interested in joining a fully remote workplace that’s building culture in creative ways, check out our Careers page.


Creating a culture of transparency

I once managed a product line when I didn’t even have access to revenue figures. Looking back now, that seems unthinkable. How was I supposed to manage a business when I didn’t even know how it was doing? I’m going to bet many others have a story like that too: where a culture of secrecy kept them from effectively doing their job.

In contrast, at runZero, we work at creating a culture of transparency: an environment where information flows between different levels of the organization and employees feel comfortable asking questions and sharing feedback.

When the executive team openly communicates with their employees, it builds trust and respect. In turn, employees are more likely to be productive and act in the best interest of the company. At tech companies, employees especially need access to accurate, up-to-date information to do their jobs well.

Ultimately, a culture of transparency leads to success because everyone is on the same page and working towards the same goals. Let’s dive into the specific values we’ve developed to promote and nurture transparency within our company.

Decentralize decision-making

Cultural value: “We provide transparency about decisions and the state of the business so everyone can make the right decisions autonomously.”

At runZero, transparency is a fundamental part of the way we do business. We focus on openness, so everyone knows the expectations, trusts each other, and feels confident in their role.

This level of transparency plays out in a variety of ways. At our monthly virtual town halls, for example, we are open about our standing as a company, where we are going, and what’s coming next. Our town halls deliver detailed information on financials, business performance, and even our cash position. We intend to be just as honest if our cash position ever changes for the worse (though that hasn’t happened so far). By building trust and being transparent, everyone at runZero will feel like they are part of our successes and solutions.

When it comes to strategic planning, leaders provide context on the business to the team ahead of time, even if final decisions aren’t made yet. Leadership needs to be vulnerable in order to do this. They need to be able to admit that they don’t have all the answers yet, but are willing to share where they are in the process. This approach fosters collaboration and invites feedback. These are key elements to solving complex problems. We also take this approach in our one-on-one meetings.

We don’t pretend to have all the answers and understand that our employees may feel some degree of ambiguity in the face of such openness. This mindset allows for a free exchange of ideas between leadership and staff and promotes an environment where key players can work together to come to a consensus. The openness and directness of our leadership encourages employees to participate in the brainstorming process, ensuring that we make decisions based on collective wisdom instead of individual opinion.

When employees are confident in the knowledge they have, they can make informed decisions independently, instead of expending time and resources asking for approvals internally. Transparency is essential for creating an environment where autonomous decision-making is not only accepted but encouraged.

The line between confidentiality and transparency

While transparency helps keep everyone in the loop, there are certain aspects of any business that must remain confidential, such as employee data and other human resources type information. In these cases, full transparency is not always the best solution.

In fact, during times of rebranding or restructuring, it’s better to wait until the new direction is clear before sharing any information widely, so it doesn’t create confusion. Information shared in confidence, for example about performance or health issues, should also not be shared widely.

However, our internal communication will always strive to be as honest and transparent as reasonably possible. We trust our employees to handle sensitive matters with utmost discretion and integrity.

Foster transparency through sharing

Cultural value: “We reward people who share information rather than hoard it.”

Information hoarding and siloed decision-making lead to inefficient processes and mistrust inside an organization.

Employees often hoard information to protect themselves from negative perceptions or to make themselves more valuable in the organization. However, when employees feel secure and comfortable in their environment, information hoarding becomes unnecessary.

That’s why we model and reward information sharing and transparency. For example, runZero’s Google Drive is fairly open—almost any employee has access to the files, except for those pertaining to sensitive information like human resources or finance. Generally speaking, however, employees can dig around for all kinds of data: company stats, dashboards, Hubspot data, and more. If employees can investigate, they can find solutions. In turn, we give them recognition for finding those solutions.

By providing tools like these and encouraging employees to use them openly and confidently, we avoid the issue of information hoarding altogether.

Help candidates grow through transparency

Cultural value: “If we turn a candidate down and we have helpful feedback, we offer to provide it.”

Sharing feedback with a candidate during the hiring process can be one of the most challenging tasks for any leader. Not only do we have to choose our words carefully, so that the message is constructive, but we also have to pick information that is truly valuable for the candidate’s growth. We also give the candidate the option to decline feedback, as we know that it can sometimes be a hard pill to swallow, depending on their circumstances.

The most difficult type of feedback is about someone’s potential. Oftentimes, this feedback may not consist of more than general comments about their capabilities or capacity for growth. It can be hard to deliver this type of feedback without it being demoralizing. So, we try to encourage candidates, while giving clear guidance on specific improvements to help them understand what we are looking for at runZero. You never know what could happen: a few years down the line, the candidate could improve with feedback, the timing could shift, and they could end up being just the right fit for runZero.

We want the best fit for everyone involved. Anyone interviewing a candidate for runZero will be open and transparent, and we look for that to be reciprocated. We really listen for people with a growth mindset and who value transparency as much as we do.

Be honest with customers

Cultural value: “We only take deals that are mutually beneficial partnerships. We take an honest, consultative approach to selling. We don’t pressure customers into sales if runZero is the wrong solution.”

At runZero, we pride ourselves on our commitment to fair and transparent pricing. We are honest with our customers about what our product can do, and if their requests exceed its capabilities, it’s best that everyone knows sooner rather than later. It saves everyone time in the long run. The sales team can disqualify the deal earlier and spend more time on deals with a higher likelihood to close. Disqualifying a deal builds trust and helps the customer understand the problems we can solve for them, and some return later when they are looking for a solution to those problems. The company experiences a higher renewal rate because customers weren’t oversold.

This approach benefits both parties in different ways: by being upfront about what our product can do, buyers benefit from a service that actually gives them what they need, while sellers don’t waste time trying to convince someone of a product that ultimately won’t work for them.

By committing to this type of customer service, we hope to help create an environment where buyers and sellers form trusting relationships.

The foundations of a great team and company

Open and honest dialogue is the cornerstone of any healthy team. Carrying out transparency in everything we do creates deeper connections between employees, leaders, and customers. We understand that fostering a supportive environment means that everyone should have access to information needed to be successful in their roles.

Creating a culture of transparency guides us at runZero every day. So if you’re looking for a role where transparency is in our DNA, we’d love for you to join us.


Why runZero is the best way to fulfill CISA BOD 23-01 requirements for asset visibility – Part 1

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published the Binding Operational Directive 23-01 for Improving Asset Visibility and Vulnerability Detection on Federal Networks. CISA’s asset visibility requirements are playing a big part in moving the industry forward and evolving our approach to asset inventory, while also highlighting the importance of asset inventory in relation to national or organizational security.

The directive covers both vulnerability management and asset inventory. This blog post only focuses on the relevant parts for asset inventory. However, there are some important areas where the two disciplines interact and asset inventory is better suited to fulfill the requirements.

CISA recommends unauthenticated scanning for asset discovery

Many organizations are using data sourced from authenticated vulnerability scans and installed EDR agents to derive asset inventory. CISA’s directive demonstrates that while this is a viable way to augment the data set, it is no longer sufficient:

“Asset discovery is non-intrusive and usually does not require special logical access privileges.”

“No special logical access privileges” translates to either unauthenticated active discovery or passive collection, which is confirmed in the following statement:

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query.”

API queries are only recommended for software defined infrastructure, such as cloud hosting or other virtualized environments, but not for your physical network.

Log files can be a helpful way to augment the breadth of an asset inventory, but they do not yield depth. DHCP and DNS logs don’t yield much more information than IP addresses, hostnames, and MAC addresses. This misses the essence of what a device is: you know it’s there, but you don’t know what hardware and operating system it’s running or what ports and services are active.

CISA directive solves for unmanaged devices

When talking to security teams about challenges with their asset inventory, they frequently cite unmanaged devices as the biggest headache. The CISA directive seems to optimize for unmanaged devices since these are the hardest to cover.

Many asset inventory vendors, particularly those in the CAASM (Cyber Asset Attack Surface Management) space, claim that you can magically solve for unmanaged devices via integrations with existing tooling. That is a great pitch, but it ignores the fact that security teams have tried to use the data from vulnerability scanners and EDR agents for asset inventory for a long time and failed. They do not provide the right data–we’ll get to why in part two of this series.

CISA is well aware of this fact and recently published a binding directive that requires more than just integrations for solving asset inventory.

We’ll take a deeper look into why that is throughout this blog series. Stay tuned for more details and subscribe to our blog so you don’t miss out.

Follow the story

Part two of this story was published on Tuesday, January 18, so be sure to follow the story. Also, don’t forget to subscribe for regular blog notifications.

