enterprise security

SecurityTrails Blog · Mar 14 · by Esteban Borges

The Pitfalls of Incomplete IT Asset Lists

Reading time: 8 minutes
Listen to this article

In today’s IT landscape, security challenges are always evolving. While initial challenges included incorporating components such as firewalls and VPNs (which have now become commonplace in almost all areas of IT), newer challenges involve managing an ever-expanding list of virtual assets—often created by the various automated processes found within an organization itself.

While CI/CD processes have helped to automate a lot of testing, ensure code compliance, and save time compared to the manual processes of the past, they have also led to numerous unknowns in terms of assets created and destroyed by these processes.

As with any in-development software, vulnerabilities and errors are commonplace, especially when compiling and testing bleeding-edge code, leaving containers and virtual machines created by CI/CD processes vulnerable to exploits as well.

Maintaining an automated, up-to-date and complete virtual asset list can ensure that you save time by not scanning out-of-date hosts, allowing you to identify these risks within your organization as quickly as possible. CI/CD and other automated processes run 24/7 and even a single missed automated process can lead to a huge number of virtual hosts running vulnerable code exposed to the public.

The dangers of not keeping a complete IT asset list

Physical assets are often viewed as easier to manage as they are physically acquired, seen, accounted for and come with a chain of ownership. They can’t be created out of thin air within seconds, unlike virtual assets.

During the past few years, virtual assets have become effortless to create, since they can be created by automated processes as well as by manual processes. For example, the rise of automated testing and CI/CD processes that can create subdomains means a rise in virtual machines with preinstalled operating systems and compiling software for easy testing or deployment of code.

Multiply this with the number of CI/CD processes within your organization and you can already imagine the number of virtual machine instances created/destroyed over a short time.

Asset lists are the foundation of your organization’s security outlook

Without a complete asset list, it’s impossible to secure your organization. You aren’t scanning every part of it.

The Dangers of Incomplete Asset Lists

Let’s take a look at some of the dangers of incomplete asset lists:

  • Without having an accurate and complete overview of all of your internet-facing assets, it’s possible to overlook a vulnerability on an asset, which can lead to data leak, or even a data breach. Furthermore, when a CVE is observed in the wild, it can be hard to discover and mitigate that vulnerability if you don’t know what assets you have.

  • In the case of a cyber attack or a data breach caused by a vulnerable asset, not having an inventory of all of your assets can make the mean time to identify (MTTI) a threat that much longer, leading to a more disruptive incident, resulting in larger monetary losses.

  • Every organization has regulations and policies they need to be compliant with. As many of the regulations dictate how you need to secure your IT assets, without knowing what asset you have in your infrastructure can lead to missed misconfigurations, further resulting in non-compliance.

At the same time, current security processes often involve using disparate tools like network scanners, pen testing, and vulnerability scanners with “human glue” to integrate siloed data and act on it. While this may work for smaller organizations, one can imagine the number of hosts that may exist within an organization as you scale into using CI/CD processes, virtual desktops, VPNs, remote databases, virtual machines within high availability clusters, and DNS servers.

Going beyond asset lists: continuous IT asset monitoring for your organization

As asset lists are always somewhat static, but the attack surface is always dynamic, using Attack Surface Intelligence takes you one step further with access to a continuous and complete overview of your organization’s digital footprint, allowing you to account for every digital asset within your organization with ease.

Under the Explore tab, you’ll find a wide range of information such as:

  • Hosts by ASN: This allows you to filter hosts/IPs via a specific autonomous system number (ASN), in turn allowing you to find services running on different networks.
  • Hosts by IP: As certain IP ranges are frequently allocated to specific teams, the ASI tool allows you to filter and list hosts on a per-IP range basis as needed.
  • Hosts by Open Ports: Open ports can help identify the service running on it—certain ports like 80/443 are frequently associated with web servers, other ports like 21 are associated with FTP, and so on. Having a list of the exact ports open within your organization can help reduce the time required for your organization’s various security processes, as scanning typically takes the most amount of time.
  • SSL Common Name: SSL certificates can be issued on an organizational level or a team level, especially during testing when certificates can be issued with different common names.
  • Self-Signed Certs: While using self-signed certificates is usually okay for internal testing and temporary usage, accepting and ignoring self-signed SSL certificates over time can lead to issues within your organization’s safety.
  • Server: The server option allows you to filter by the web server software in use on your various hosts. This lets you find the exact web server software version running on your server as well, helping you find out-of-date or possibly vulnerable software at home.
Explore tab

Clicking on the Inventory tab should give you a general overview of your organization’s hosting providers. You can also keep track of which country your assets are hosted in, which hostnames point to local (ie, 127.0.0.1), remote access entry points and VPN hosts.

Automated CI/CD processes

The Risks tab can help find exposed database ports within your organization. While there are times when databases may need to be exposed to the public internet, misconfigured or vulnerable ACL bypassing vulnerabilities exist, and using an additional layer of security such as a hardware/software firewall to whitelist only certain hosts from accessing your database results in a much more secure environment.

Beyond exposed databases, we also see self-signed SSL certificates and staging and dev subdomains; these two are often seen together when CI/CD processes are used within an organization to automatically compile, test, and review code.

This work-in-progress code can be vulnerable as well. While most CI/CD processes do destroy their temporary virtual machines/containers once the process is complete, sometimes due to errors or timeouts, staging and dev subdomains remain running and can go unchecked and cause various security issues.

Inventory tab

Automated CI/CD processes use Linux containers as they are lightweight, fast, and easy to set up. At the same time, the code being tested on CI/CD processes isn’t final and hence not always secure, considering the recent Linux cgroups vulnerability, which can impact Linux containers by allowing users to escape and enter into your organization’s host systems. Exposing staging and dev subdomains to the public and leaving them unnoticed/unaccounted for can lead to various levels of security risks for your organization.

work-in-progress code

Understanding usage patterns within your organization is another key aspect to consider when optimizing your organization’s security processes. Hostnames may be created and destroyed before they can be scanned, but knowing that these hostnames exist can help find misconfigured services within your organization.

For example, if your organization has hostnames being created during non-working hours, it can help identify security lapses or misconfigured CI/CD processes utilizing unnecessary resources.

Going even further, with ASI you will be able to not only have a full overview of your IT assets, but also be informed about any critical vulnerabilities and misconfigurations on them.

With Risk Rules, all the vulnerabilities are ranked by their severity so your organization will never be blindsided by an attack you could have prevented as you will know exactly which risks need immediate attention and mitigation.

Risk Rules

Summary

With the rise of online attacks and compromises, organizations now keep a keen eye on IT security policies and processes. With this, a new challenge arises: an organization may know how to secure its assets, but if it does not know what assets exist to secure, an incomplete and gray area within its security process and overall security detail is sure to follow.

Maintaining a complete, current, and automatically updated virtual asset list has become the core of modern security. It allows an organization to stay ahead of attackers by not wasting time in finding hosts from out-of-date lists, and allows organizations to find usage patterns and potentially insecure practices, allowing organizations to plan and set up security policies ahead of time.

SecurityTrails ASI provides your organization with a complete and automated overview of its virtual assets, letting you prioritize vulnerabilities, optimize its security processes and reduce the overall time needed to secure its assets.

Simply put, incomplete asset lists bring with them a host of dangers for your organization. What is unknown to you cannot be secured.

Esteban Borges Blog Author
ESTEBAN BORGES

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

X