This blog explains what we mean by online assets, why they can be difficult to manage, and how that could impact security. Most importantly, it explores how Hexiosec ASM helps organisations of all sizes discover and manage their online assets.
What are online assets?
Simply put, online assets are resources directly connected to the Internet. For most companies, that means websites and cloud applications and services.
On-premises servers and appliances often host services that are exposed to the Internet - especially VPNs, network appliances, or remote access services. Others are typically only accessible over a local network or an incoming VPN connection.
Laptops and mobile devices aren’t normally considered online assets since they connect via a router. However, certain applications and services running on these devices can still be detected over the Internet.
Why online asset discovery and management is challenging
Many organisations struggle to keep track of their online assets, usually more for operational rather than technical reasons.
- IT teams may be under-resourced, making it difficult to manage a wide range of assets and infrastructure.
- Multiple teams may share responsibility for IT and online assets, but are not perfectly coordinated as to who does what.
- Employee turnover can lead to lost knowledge and unclear ownership of assets.
As a result, websites and other online assets can become forgotten and unmanaged. This often includes beta or development versions of sites that are accidentally made public or aren’t taken down when no longer required.
Why online asset discovery is important
Online assets, by their nature, are prime targets for external attackers. Discovering and managing them is a crucial first step in understanding and improving the cyber security of an organisation.
Unmanaged or forgotten assets are more likely to be unpatched and not maintained, making them more susceptible to exploitation via public vulnerabilities.
Some platforms and services have a high risk of exposure - take Apache for example. The National Vulnerability Database recorded 61 public vulnerabilities for Apache in just the last three months.
This is why attack surface management is key to security – you can’t have unpatched services connected to the Internet and expect them to go unnoticed by attackers.
Whilst there is little you can do to prevent zero-day vulnerabilities from being exploited in online assets, a raft of big attacks over the last few years all came from exploiting older vulnerabilities in network-connected appliances such as firewalls and file-sharing appliances (see our blog on this topic).
How Hexiosec ASM discovers assets
A core feature of Hexiosec Attack Surface Management is asset discovery – it uses a wide range of public and proprietary techniques and sources of information to find websites, cloud resources, and public records. Any discovered asset serves as a starting point for more discovery and deeper analysis - for example, a discovered website is inspected for its TLS certificate, components and more.
As well as continually improving how we discover assets and their properties, we are always adding new features to improve how assets are grouped and displayed in the application. Recently, we introduced a new page to display, filter and manage IP addresses.
The new IPs page groups all discovered information around identified IP addresses, complementing the existing domain-focused view.
Keeping things clear
Asset management is complex enough without having to decipher what an attack surface management tool is telling you. From day one, Hexiosec ASM has been designed to not only provide rich data but also present this is in a clear and quickly understandable way.
Our platform provides multiple views on the data, starting with a concise overview that highlights key remediation actions. For deeper insights the Graph page visualises asset relationships, allowing users to filter by asset type and trace connections from seed domains to related assets.
We continuously improve Hexiosec ASM based on customer feedback, with updates and enhancements published in our monthly blogs.
How this helps you manage your security
Understand your assets
With the increasing ease of setting up online assets and the dynamic nature of cloud deployments, asset management is becoming more complex. Knowing what you have online is part of the problem, but you also need to know what components a domain or service is hosting and if this might be at risk. Hexiosec ASM helps you understand which assets are hosting certain components (e.g. nginx) and their versions. This allows you to assess exposure to known vulnerabilities and ensure your patching strategy covers all online assets.
Discover RDP and exposed services
Hexiosec ASM reports on any discovered Remote Desktop Protocol (RDP) ports and identifies any open ports on scanned servers. Risks are raised for ports associated with plaintext or legacy protocols.
Identify hijacked sites
The web presence view includes screenshots of all discovered websites, making it easy to spot unusual or suspicious web pages on an organisation’s domains. Here is a real-world example that our consulting team spotted on a customer engagement: a highjacked domain for a large organisation that was directing visitors to a site selling tickets for a football event:
During the same engagement, Hexiosec ASM also detected RDP running on two exposed servers, along with an SMB service on one of them. One of these servers had “SECURE” in its name - a clear indication that it should not have been publicly accessible. Generally, you very rarely want RDP or SMB exposed directly to the Internet, as they are prime targets for hackers and ransomware gangs. Best practice is to implement IP allow-listing or hosting such services behind a VPN or authenticating proxy.
Identify misconfigured resources
Another recent example came from a UK government customer, who when browsing Hexiosec ASM’s web presence view spotted a clear visual indication of a service issue. A website, which itself is for an online security service, was displaying incorrectly and clearly not working as intended. The user was previously unaware of this issue as it was hard to spot through other means - this feature helped them quickly spot and fix the issue, along with an obvious typo on the page!
Wrap-up
Asset discovery and management is both a wide and a deep topic. We’ve hopefully helped to set the scene for those who are new to the subject, and shared some interesting insights for more seasoned readers. Regardless of your understanding and requirements, there’s a good chance we can help. So get in touch!
Whatever your organisation’s needs, Hexiosec can help you. Get in touch for a free consultation!
Related Posts
