
How runZero finds unmanaged devices on your network

Unmanaged assets are connected to the network, but lack an identified owner and may exist outside the visibility of those responsible for the network. These devices can pose real security risks to a company or organization for numerous reasons, such as running older vulnerable operating systems or software, using insecure protocols, or having nefarious intent. Plus, they can be difficult to discover or locate, sometimes using unmanaged subnets within a network.
Arising from both intentional and inadvertent situations, unmanaged assets can be classified into several categories, including:

  • Orphaned – Assets that lost their original owner but are still present on the network
  • Shadow IT – Devices/systems that are connected to the network without permission

Transient devices, such as portable, mobile, or IoT devices that “come and go” on the internal network, including bring your own device (BYOD), might be better categorized as “unmanageable” rather than “unmanaged” and can also be easily discovered via runZero scanning.
Let’s take a look at how runZero is able to locate unmanaged devices on your networks.

Peek under the hood of our scan engine

At runZero, we intentionally built our offering around unauthenticated, active scanning, while complementing our technology through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices. To start, let’s dig into our scanning capabilities. Our built-from-the-ground-up scanning logic in runZero Explorers and scanners will reach out to elicit a response from devices connected to the network. Replies received from our scan traffic are then captured for processing.

Benefits to our approach

No prior knowledge required: Our active, unauthenticated scanning approach doesn’t assume any “prior knowledge” of network-connected devices (e.g., credentials to authenticate into devices, agents deployed on managed devices, etc.); instead, our research-driven network discovery finds and surfaces every network-connected asset, whether managed or unmanaged.
Highly configurable: Our scans allow you to go beyond basic subnet and speed settings. You can tune scans for specific ports or protocols that you want to know about, which can help quickly locate unmanaged devices that are running unsafe or company-prohibited protocols.
Standard packets: All of our scanning traffic, including probes and port/service queries, is sent as standard packets to keep things safe. We never send malformed or otherwise unusual packets.
Research driven: We use applied research to maximize scan result discoveries while still utilizing a “safe approach” for interacting with devices. This helps avoid any unexpected or unwanted side effects that are sometimes seen with other active scanning solutions, particularly when scanning ICS/OT and other traditionally sensitive devices/endpoints.

Comprehensive inventory of internal assets

A comprehensive asset inventory is not complete unless you know about the assets that aren’t managed by your organization. Here are some ways that runZero can help you zero in on assets you may not know about.

See your RFC 1918 coverage

runZero’s scans can help surface unmanaged subnets in your internal network, which may harbor a large number of unmanaged devices. Our RFC 1918 scan capability can cover the entire IPv4 internal network address space (more than 21 million addresses), checking all potential places unmanaged devices could be hiding in your network. We’ve also developed a “subnet sampling” option, an informed approach that focuses on subnets that are statistically likely to contain devices, so that the RFC 1918 scan runs in less time while still providing good coverage.
The interactive RFC 1918 coverage report presents discovered data in an easy-to-consume layout to show which subnets have been scanned, and includes additional data for unscanned subnets which might be active based on devices leaking secondary network interface information. This report allows you to “drill down” into subnets by clicking them to view discovered asset details within an address block.

Find unmapped assets

Unmanaged devices on your network can also surface in runZero as an unmapped asset. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques runZero uses for remote MAC address discovery. Unmapped assets could be unmanaged assets, but could also be managed assets that were not included in the scope of a particular scan. You can get a visual overview of where unmapped assets appear on your network via the switch topology report, with each switch showing the number of assets (including unmapped assets) attached to it. A single click on a switch with unmapped assets will bring up a “View unmapped assets” link to the associated unmapped MACs report, which provides MAC details and the switch port the asset is connected to. This is potentially helpful for further investigation.

Search for devices missing agents in runZero

runZero uses applied research to identify other agent technologies that may be required on assets managed by your company or organization. You can find unmanaged assets that are missing these agents via runZero inventory queries. The following query example will surface any Windows assets on the network that are not running an Avast agent:

os:Windows and not edr.name:Avast

You can also search for unauthorized operating systems or applications on your network, which can be indicative of an unmanaged asset. For example, if all of your Windows systems are only allowed to run Windows 11 or Windows Server 2022, you can create a query to surface any potentially unmanaged Windows assets not running these recent versions:

os:Windows and not (os:"Windows 11" or os:"Windows Server 2022")

Track unmanaged assets with tags

Tags are another runZero mechanism that can be used to surface unmanaged assets and also help “keep on top of” current asset ownership. This requires a bit of work up front to tag all managed assets, but requires little maintenance once in place.

Stay on top of unmanaged assets with alerts

Alerts are a powerful way to leverage queries into timely notifications in-app or via email or webhook. For example, we can build alerts for any of the queries used in this article. Rules are checked when a scan completes, and for any rule that evaluates as “true”, an alert can be generated. Check out our “Tracking asset ownership with tags” article to learn how to set up an alert rule.

Comprehensive inventory of external assets

Internal networks aren’t the only places unmanaged devices may exist. A public-facing web server could become orphaned, or a bad actor could DNS spoof/hijack a lesser-used company domain to redirect traffic to a phishing site they control. With just a domain name or ASN set in the scan configuration, runZero can resolve the associated external-facing URLs and IP addresses to scan. And our hosted zone scanners can seamlessly run the scan, removing the step of installing an external-facing Explorer.

Uncovering unmanaged assets through integrations

At runZero, we understand the power of “better together”, and our development teams have been busy adding support for many product and service integrations. Some of these integrations can be leveraged to surface unmanaged assets in your network.
For example, let’s say your organization uses SentinelOne on all managed macOS assets. One day an employee connects their personal MacBook to the corporate network without authorization: a macOS device without SentinelOne installed. You can create a runZero inventory query to surface this asset (and any others like it):

os:macOS and not source:SentinelOne

As another example, let’s say your company uses Microsoft Intune on all managed Windows 10 and Windows 11 assets. You can create a runZero inventory query to surface any Windows 10 or Windows 11 assets connected to your network that are not known by your Intune integration:

(os:"Windows 10" or os:"Windows 11") and not source:Intune
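To show how the and / or / not and field:value syntax of these inventory queries combines, here is an added example (not runZero’s code or query engine): a small Python parser and evaluator run over a constructed inventory. It assumes that field:value is a case-insensitive substring match and that list-valued fields (edr.name, source) match if any element does, and it rejects an unbalanced parenthesis rather than guessing what was meant.

```python
import re

# One token: a parenthesis, a field:value term (value optionally double-quoted),
# or one of the keywords and / or / not. Terms are tried before keywords so a
# field such as "android:..." is never mistaken for the keyword "and".
TOKEN_RE = re.compile(
    r'\s*(\(|\)|[A-Za-z_][\w.]*:(?:"[^"]*"|[^\s()]+)|(?:and|or|not)\b)', re.I)


def tokenize(query):
    """Split a query into tokens; anything unrecognised is an error, not ignored."""
    query, tokens, pos = query.strip(), [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent parser; precedence is not > and > or."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() and self.peek().lower() == "or":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() and self.peek().lower() == "and":
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() and self.peek().lower() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")  # unbalanced "((..." queries end up here
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        field, _, value = tok.partition(":")
        return ("term", field.lower(), value.strip('"'))


def matches(node, asset):
    """Evaluate a parsed query against one asset record (a dict of fields)."""
    kind = node[0]
    if kind == "term":
        _, field, value = node
        actual = asset.get(field, [])
        if not isinstance(actual, list):
            actual = [actual]
        # Assumption: case-insensitive substring match; a list field matches if any element does.
        return any(value.lower() in str(v).lower() for v in actual)
    if kind == "not":
        return not matches(node[1], asset)
    if kind == "and":
        return matches(node[1], asset) and matches(node[2], asset)
    return matches(node[1], asset) or matches(node[2], asset)


def search(inventory, query):
    """Return the names of the assets matching the query, in inventory order."""
    tree = Parser(tokenize(query)).parse()
    return [asset["name"] for asset in inventory if matches(tree, asset)]


# Constructed sample inventory: 'edr.name' and 'source' are list-valued because an
# asset may be reported by several integrations at once.
INVENTORY = [
    {"name": "ws-01", "os": "Windows 11", "edr.name": ["Avast"], "source": ["runZero", "Intune"]},
    {"name": "ws-02", "os": "Windows 10", "edr.name": [], "source": ["runZero"]},
    {"name": "srv-01", "os": "Windows Server 2016", "edr.name": ["Avast"], "source": ["runZero"]},
    {"name": "mac-01", "os": "macOS", "edr.name": [], "source": ["runZero", "SentinelOne"]},
    {"name": "mac-02", "os": "macOS", "edr.name": [], "source": ["runZero"]},
]
```

Running the four queries from this article against INVENTORY returns ws-02 (no Avast), ws-02 and srv-01 (not on an approved Windows version), mac-02 (no SentinelOne) and ws-02 (not known to Intune).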

Prefer to surface your runZero-discovered assets, managed and unmanaged, via another tool? We offer integrations for several popular services, including ServiceNow and Splunk, allowing you to leverage the power of runZero’s best-in-class discovery and asset fingerprinting with other applications.

Zero unmanaged assets

Getting a handle on unmanaged assets is important, but it can feel like “one more thing” to do in an already-lengthy list of responsibilities. At runZero, we’ve done our homework through research and development to make finding your unmanaged network assets quick and easy.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

2 Reasons Why: M365 Data Backup for Healthcare Organizations
Compliance 26.10.22 9 Minutes
It’s easy to get a false sense of security and assume that your Microsoft 365 data is safe and secure because M365 automatically backs up your SaaS data for simple recovery, right?

Well, not so fast.

While M365 and most other SaaS platforms offer some sort of data protection and recovery features, it’s bare bones at best. For healthcare organizations, this opens Pandora’s box for compliance and continuity issues that can end up costing hundreds of thousands of dollars in fines. And on top of that, add the inability to serve patients and conduct daily business.

It’s critical to have timely and secure access to patients’ highly sensitive personally identifiable information (PII), protected health information (PHI), financial information, intellectual property, and credentials. However, given how this information has grown exponentially, data loss prevention has never been more necessary to ensure business continuity.

It’s crucial to understand that retention requirements far exceed what SaaS applications typically deliver natively, making it vital to close the gap with a reliable backup and recovery tool.

For healthcare organizations, compliance and continuity are the two main factors driving the need for third-party SaaS backup.

Regulatory Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes healthcare delivery organizations legally obligated to preserve certain types of information for periods that exceed a SaaS service’s built-in capabilities.

As the HIPAA Journal explains, each state has its own laws governing the retention of patients’ medical records. To complicate things further, those retention periods can vary considerably. 50 states with 50 retention requirements: Is this something your healthcare organization wants to (or can afford to) manage?

Individual U.S. state laws govern the retention of patients’ medical records, while HIPAA imposes requirements on how long HIPAA-related documents must be retained.

According to the HIPAA Journal, “In Florida, physicians must maintain medical records for five years after the last patient contact, whereas hospitals must retain them for seven years. In North Carolina, hospitals must maintain patients’ records for 11 years from the date of discharge, and records relating to minors must be retained until the patient has reached 30 years of age.”

The hard truth is that SaaS services do not deliver the level of backup and recovery required for healthcare organizations, and what they do provide isn’t seamless.

Business Continuity
Imagine the worst-case scenario where your mission-critical data is suddenly gone—it’s not hard to imagine since it happens to companies every day. Healthcare organizations rely on the information stored in SaaS systems to maintain their business continuity. If the information suddenly becomes unavailable, then significant disruption results.

Continuity Considerations
Things can (and do) go wrong with SaaS data: a simple misconfiguration can cause primary data sources to become unavailable, making accidental deletion a real risk, which may not be discovered until it’s too late to recover from the SaaS app – and may be unrecoverable even if you do find it quickly.

In fact, according to ESG Research, the most common reasons for data loss are service outages and accidental deletion, as seen here:

Still, accidents, misconfigurations, and other ‘innocent’ causes aren’t the only ways to lose data.

In recent years, ransomware gangs have set their sights on the healthcare sector and, unfortunately, have been successful in their efforts to disrupt and demand payment for the data’s return.

Fulfilling Regulatory Obligations
Few people like being told what to do, but it turns out that governments do have the authority to compel action.

In the U.S., federal and state laws impose strict requirements around data retention for different healthcare records and information types. Additionally, regulations are subject to change, adding more pressure to comply to avoid a regulatory audit and heavy fines. Failure to comply can lead to significant financial and legal exposure, such as lawsuits, fines, settlements, and certification losses, further increasing the risk of data breaches.

For healthcare delivery organizations (HDOs) committed to minimizing or avoiding these risks, having a proper backup and recovery practice in place is key to compliance.

Third-party backup and recovery services help you stay compliant by ensuring your data remains immutable and tamperproof. Immutable data and metadata make it possible for you to document and recover not just all data but all data processing, ensuring that auditors have complete visibility of everything that has impacted the data.

If complying with laws (and avoiding potentially hefty fines) isn’t enough to secure the budget, there are other reasons to invest in SaaS backup, such as mitigating downtime and costs.

Protecting Business Continuity
In a presentation titled “Conti Ransomware and the Healthcare Sector,” the United States Department of Health and Human Services (HHS) relayed that:

the average length of a general ransomware incident is 19 days.

Cybersecurity provider Sophos reported that 25% of healthcare organizations disrupted by ransomware took up to a month to restore operations. Sophos’ research also suggests that:

the average remediation cost for healthcare organizations soared to USD 1.85M in 2021 (up from USD 1.27M in 2020).

Keeping services operational is essential for maintaining the revenue that sustains an organization. That’s why having reliable backups that can quickly and easily be restored is paramount.

Unfortunately, the reality is that data outages are a matter of when, not if, making your ability to recover key data (and fast!) a necessary part of business continuity planning. Additionally, the shorter the outage, the lower the recovery and remediation costs, making loss avoidance a compelling part of the value proposition.

Recovery processes and costs can also include Digital Forensics and Incident Response (DFIR) activities, whether mandated by cyber insurance coverage, necessary for root cause analysis, driven by a motivation to prosecute, or some other reason.

Third-party backups assist DFIR activities by providing trustworthy information that extends further back in time than what can be pulled from SaaS applications.

But being able to restore services quickly from a dedicated SaaS backup doesn’t just protect revenue and minimize recovery costs, it also means you avoid paying the ransom and lower your cyber insurance fees.

Protect Your SaaS Data Today
If you can recognize some of the data backup and recovery vulnerabilities discussed here within your own healthcare organization, the good news is that it’s easy and cost effective to address those challenges and help secure your organization’s data.

Unintentional and malicious data losses don’t offer the convenience of a “heads up,” so it’s a wise business decision to have a proper backup and recovery solution in place before you need it – and as such, it should be an integral part of your cybersecurity approach. Only backup allows you to go back in time and recover to before bad things happened!

If you’d like to learn more about compliance and continuity for healthcare organizations, access the

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in cloud-to-cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.


New: Pandora FMS 765 RRR

Let’s look together at the features and improvements included in the new Pandora FMS release, Pandora FMS 765.

What’s new in the latest Pandora FMS release, Pandora FMS 765

NEW FEATURES AND IMPROVEMENTS

Improved network maps

Multiple changes have been made to network maps to improve the usability, performance and network map setup.

  • Map drawing and refreshing is automatic and dynamically reflects changes in the network, a major improvement over the display in previous versions.
  • The “Pandora FMS” node can now be deleted together with all its relationships. Usability of manual relationship management between nodes has also been improved.
  • Linking between network maps has been added. When a dummy node points to another network map, that map can be opened from the options of the dummy node.

New report type: System module inventory

A new report type, “System module inventory”, has been created. It shows an inventory of the modules generated in your Pandora FMS installation, registered by module name, and highlights the relevant information for modules that share the same module name.

Sending reports by mail as an alert action

A new feature has been added to the Pandora FMS alert system: reports can now be sent by email as PDF, implemented as new actions/commands within Pandora FMS.

Support for Ubuntu 22.04

Ubuntu 22.04 is officially supported by the Pandora FMS server.

New scheduled downtime option: disable modules

A new feature has been added within the scheduled downtimes. Now you may choose the option to disable modules without stopping the agent itself.

History database in Metaconsole

Just as it existed in Pandora FMS nodes, there is now the possibility of having a history database within the Metaconsole.

Pandora WMIC package for ARM systems

Usage in ARM environments is growing, and we have created an ARM-supported binary for environments that use the Satellite to remotely monitor Windows environments.

IP console access control

Different users requested the ability to control access to the console by source IP, which can be defined individually per user. We implemented it so that masks can also be defined, e.g.: 192.168.100.*

Plugin imap open

Plugin that filters the emails of an account, or counts them, through a series of filters. Useful for detecting whether an alert email arrived or for finding a specific email.

Plugin Azure Hubs enterprise

Plugin for monitoring an Event Hubs namespace. It returns several types of metrics, such as SuccessfulRequests, CapturedBytes or ActiveConnections.

Plugin Azure Postgresql enterprise

Plugin for monitoring an Azure PostgreSQL database server, receiving metrics such as cpu_percent, memory_percent, storage_used or active_connections, among others.

Plugin Cisco inventory enterprise

Inventory plugin with which to show the configuration of a Cisco device.

Plugin Xenserver enterprise

Updated python2 plugin to python3. Added macros all_vm and all_sr to discard virtual machine agent and MR agent creation if required.

Plugin Openweathermap enterprise

Plugin that retrieves weather data for a zone through the openweathermap API, given the area’s coordinates.

About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things Pandora FMS can monitor is the hard disks of your computers.


Let the API work for you

Say you’ve taken the wise decision to have your corporate cloud data be backed up by the Keepit cloud solution: you’ve selected one of our many data centers, configured relevant connectors, and are now seeing how snapshots are blissfully parading into eternal archive as you log in to the Keepit web user interface. But perhaps you want a bit more assurance and perhaps you are not keen on logging into a separate web application several times a day to get that assurance.

Many of our customers have their own monitoring solutions and communication systems that they wish to enrich with information from their Keepit account. Luckily, we have a very elaborate API (Application Programming Interface) to allow for all sorts of queries on the state and history of your backups; while we do publish the full API documentation, some might find a small appetizer easier to comprehend.

If you’re already a Keepit customer and if you have an account and working connectors, then this blog post will guide you through creating a PowerShell API agent that prints the timestamp of the last completed backup on your screen. It is very simple: it will not integrate into any monitoring or alerting system, it will not print fancy messages in any messaging platforms, nor will it draw graphs on its own – but it is a small building block that you can extend and transform into whatever you might need.

Getting Access to the API

In order to make calls to the API, your script needs to have the proper credentials and those are obtained through the web user interface. So, log in with a user that has at least ‘Job Monitor’ privileges and create an API token by doing: Users -> Your user – Edit User (the grey cog wheel) -> Security -> Add API token. Give the token a name and decide when it should expire; the API token cannot outlive the user it is associated with. Click ‘Create’ – confirm your password and you will get an API token username and password. Those you need to store in a secure place.

You are now ready to make API calls. For this example, we will be using PowerShell, and the first API call to be made is the call to obtain your account GUID. Now, the account GUID is also available in the web user interface, but obtaining it via the API is a nice, small exercise to verify that the API token and your script are working.

Launch your favorite text editor – it can be Notepad, Notepad++, VSCode, Vim, or whatever you fancy the most, create the file accountguid.ps1 and paste this code into it:

try {
    $username = '<API Token username>'
    $password = '<API Token password>'
    $basicauth = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${username}:${password}"))  # double quotes: single-quoted strings are not expanded
    $headers = @{
        'User-Agent' = 'PowerShell-Keepit-API-Agent-1.0/jakob-dalsgaard'
        'Authorization' = "Basic $basicauth"
    }

    $response = Invoke-WebRequest -UseBasicParsing `
      -Uri 'https://de-fr.keepit.com/users' `
      -Method:Get -Headers $headers -ErrorAction:Stop -TimeoutSec 10

    $userlist = [xml]$response.Content  # the API answers in XML
    $id = $userlist.user.id

    Write-Host $id
}
catch {
    $line = $_.InvocationInfo.ScriptLineNumber
    Write-Host "Cannot query Keepit API due to: $_"
    Write-Host "at line $line"
}

Make sure to get the backticks and single and double quotes correct – computers can be very pedantic. In this file, you need to put in the API Token username and API Token password where specified. On line 11, this example reads ‘de-fr.keepit.com’ – thus valid for a Keepit account on our German data center – please change this hostname to the hostname of the data center for your account (i.e., ‘dk-co’, ‘uk-ld’, ‘us-dc’, ‘ca-tr’ or ‘au-sy’). Then, in a command terminal, you execute the script by typing:

Powershell .\accountguid.ps1

Depending on your security setup, you might need to confirm that you really want to execute a script, but please do – and you should see the script print out your 20-character account GUID. This GUID can then be used, along with the API Token, to obtain the list of connectors available in your account.

Save the following code block as devices.ps1:

try {
    $username = '<API Token username>'
    $password = '<API Token password>'
    $userguid = '<Account GUID>'
    $basicauth = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${username}:${password}"))  # double quotes so the variables are expanded
    $headers = @{
        'User-Agent' = 'PowerShell-Keepit-API-Agent-1.0/jakob-dalsgaard'
        'Authorization' = "Basic $basicauth"
    }

    $response = Invoke-WebRequest -UseBasicParsing `
      -Uri "https://de-fr.keepit.com/users/${userguid}/devices" `
      -Method:Get -Headers $headers -ErrorAction:Stop -TimeoutSec 10

    $devicelist = [xml]$response.Content
    foreach ($system in $devicelist.devices.cloud) {
        $name = $system.name
        $guid = $system.guid
        Write-Host "Name: $name"
        Write-Host "Guid: $guid"
        Write-Host
    }
}
catch {
    $line = $_.InvocationInfo.ScriptLineNumber
    Write-Host "Cannot query Keepit API due to: $_"
    Write-Host "at line $line"
}

Again, put in API Token username and password, the Account GUID, and correct the hostname. Then execute as:

Powershell .\devices.ps1

Your terminal will then be filled with a list of connector names and GUIDs. From those, select the one to use in the final script, latest.ps1, which prints the timestamp of the latest backup performed by that specific connector:

try {
        $username = '<API Token username>'
        $password = '<API Token password>'
        $userguid = '<Account GUID>'
        $connectorguid = '<Connector GUID>'
        # Double quotes are required wherever a variable must be expanded;
        # a single-quoted PowerShell string is taken literally.
        $basicauth = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("${username}:${password}"))
        $headers = @{
            'User-Agent' = 'PowerShell-Keepit-API-Agent-1.0/jakob-dalsgaard'
            'Authorization' = "Basic $basicauth"
        }

        # Change the hostname to the data center of your account
        $response = Invoke-WebRequest -UseBasicParsing `
          -Uri "https://de-fr2.keepit.com/users/${userguid}/devices/${connectorguid}/history/latest" `
          -Method:Get -Headers $headers -ErrorAction:Stop -TimeoutSec 10

        # The completion timestamp of the latest backup, if one has completed
        $history = [xml]$response.Content
        $tstamp = $history.history.backup.tstamp
        if ($tstamp) {
            Write-Host $tstamp
        }
        else {
                Write-Host 'Backup not completed yet'
        }
        exit 0
}
catch {
        $line = $_.InvocationInfo.ScriptLineNumber
        Write-Host "Cannot query Keepit API due to: $_"
        Write-Host "at line $line"
        exit 1
}

Again, put in API Token username and password, account GUID, connector GUID, correct hostname, and then execute as:

Powershell .\latest.ps1

If your selected connector has completed a backup, you should now, in your terminal, see the timestamp of completion of the latest backup for this connector. It might look something like: 

2022-12-24T18:30:00Z

This would say that the latest backup completed on Dec 24, 2022, at 18:30 UTC. The timestamp is given in ISO 8601 format with the Z designator for UTC.

Further Integration

While such a neat PowerShell script is nice to have on the command line, it will bring much more value as part of a monitoring platform or other recurring automatic execution. For your business, it might make sense to execute this script once per hour and alert if no backup has been completed for 24 hours. You might want to explore our public API for more information and status.
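The hourly check described above, as an added example that is not part of the Keepit article: it runs latest.ps1, parses the ISO 8601 timestamp that script prints, and exits with a non-zero code when the latest backup is older than a threshold, so Task Scheduler or a monitoring agent can alert on the exit code. It assumes PowerShell 5 or later (needed to capture Write-Host output through the information stream), that latest.ps1 sits next to this file, and that its output is either the timestamp or the text "Backup not completed yet" exactly as shown above; the file name check-backup.ps1 and the exit code 2 are my choices.

```powershell
# check-backup.ps1 (added example, not part of the Keepit article)
# Runs latest.ps1 and exits with code 2 when the latest backup is missing,
# unparsable, or older than -MaxAgeHours. Assumes PowerShell 5+.
param(
    [string]$LatestScript = (Join-Path $PSScriptRoot 'latest.ps1'),  # assumed location
    [int]$MaxAgeHours = 24
)

# Returns $true when the backup should raise an alert.
function Test-BackupStale {
    param(
        [string]$Timestamp,                          # e.g. 2022-12-24T18:30:00Z
        [int]$MaxAgeHours,
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    if ([string]::IsNullOrWhiteSpace($Timestamp)) { return $true }

    # "Backup not completed yet" or any other non-timestamp text fails to parse
    # and is therefore treated as stale on purpose.
    $completed = [DateTimeOffset]::MinValue
    $parsed = [DateTimeOffset]::TryParse(
        $Timestamp,
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal,
        [ref]$completed)
    if (-not $parsed) { return $true }

    $age = $Now - $completed                         # TimeSpan
    return ($age.TotalHours -gt $MaxAgeHours)
}

# latest.ps1 reports through Write-Host, which lands on the information stream (6);
# merge it into the pipeline so the text can be captured.
$output = (& $LatestScript 6>&1 | Out-String).Trim()

# An API failure is also an alert condition: a check that cannot see the
# backup status is exactly the gap this script exists to catch.
if ($LASTEXITCODE -ne 0) {
    Write-Warning "latest.ps1 failed: $output"
    exit 2
}

if (Test-BackupStale -Timestamp $output -MaxAgeHours $MaxAgeHours) {
    Write-Warning "No completed backup within the last $MaxAgeHours hours (last result: '$output')"
    exit 2
}

Write-Output "Latest backup at $output is within $MaxAgeHours hours"
exit 0
```

Schedule check-backup.ps1 hourly and alert on any non-zero exit code. The staleness logic lives in Test-BackupStale so it can be exercised on its own with a fixed `-Now` value, for example `Test-BackupStale -Timestamp '2022-12-24T18:30:00Z' -MaxAgeHours 24 -Now ([DateTimeOffset]::Parse('2022-12-26T00:00:00Z'))` returns `$true`, while a `-Now` of `2022-12-25T00:00:00Z` returns `$false`.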

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Drawing on more than 20 years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Introducing Switch Commander – Portnox’s free tool for switch monitoring and management

Death by a Thousand Paper Cuts – The Daily Slog

The word “hero” gets thrown around a lot, but not usually for your average Network Administrator. However, if people knew how much work it truly takes to keep your corporate network humming along (securely, of course), there would probably be a national holiday. Maybe even a parade.

While you might not get the appreciation from the general public you deserve, Portnox has your back – we’ve created a new tool called Switch Commander to make everyday network administration tasks a little bit easier. Now you have one easy-to-use UI that covers all your switches.

And the best part – this tool is FREE! No trials, no credit card needed-just download it and become the commander of all your switches.

Vendor Agnostic

With Switch Commander, all you have to do is add your switch – we support SNMP v1/v2 and v3, Telnet, SSH, and HTTP/S logins. Once you’ve added all your devices, you can do simple daily administrative tasks like assigning ports to specific VLANs or seeing the status of all ports on the switch. The awesome thing is you don’t have to worry about command syntax – if your network is a combination of several different vendors (like 81% of the users we surveyed), you won’t have to remember if it’s shutdown, disable, or no power.

Getting Started with Switch Monitoring & Management

So, now that you’ve got your switches added – what can you do?

A good place to start is the Probe command – this will download all information from the switch and show it to you in a table format (the probe results are shown in the white area on the left in the screenshot above). You can see all ports, including their associated VLAN ID, and the MAC address of what is connected to them.

The Output panel (on the right-hand side of the screenshot below) shows you a detailed overview of the actions performed on the switch, and the Action panel shows the OID commands executed on the switch when an action is performed. This is super helpful if you’re using an SNMP-based switch monitoring system and need to see whether a particular OID is supported.

From here you can enable or disable a port and set or change the VLAN.

Least Privileged, Most Useful

Another huge advantage is that once you’ve added in your switches, you can give other IT staff access to Switch Commander without having to give them credentials to the switches themselves. The login information for each device is encrypted and stored in the Switch Commander database, which has its own separate login. Now it’s safe to have your junior admin turn ports on and off or move VLANs around without them having the keys to the whole kingdom. You can also filter results so that one switch that has 10,000 ports isn’t so cumbersome to search through.

Lookin’ Fancy!

Look, if you have to stare at a screen all day, the least you can do is make it look nice with your favorite colors, right? And maybe throw on dark mode when it feels like your eyes just need a break from super bright white backgrounds! Well, Switch Commander has several different themes and skins you can choose from, so you can customize the look and feel to how you want it without burning your retinas.

Switch Monitoring & Management with Switch Commander

Doing basic network admin tasks on your switches may not save the world, but Switch Commander will save you valuable time keeping your network humming along, and that’s still pretty great. Download Switch Commander for free today and see how easy it can make your regular switch administration tasks.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Why we chose Astro for our marketing website

When you build a website, it’s essential that you’re using the right tools. With countless UI libraries, bundlers, and frameworks available, engineers have never had so many tools at their disposal. But which ones are right for large, traffic-heavy marketing websites? We chose Astro. Here’s why.

Problems with our existing stack

My team at Nord Security is responsible for building and maintaining websites for the fastest VPN in the world, NordVPN. We have multiple marketing sites built by different people at different times. Some were made with Gatsby, and others with WordPress and a home-grown React-based SSG (static-site generator).

Those websites served us well. However, rapid scaling has caused issues with website performance, which has a direct impact on sales and marketing. It’s a proven fact that a reduction in website performance (for example, slower load times) decreases sales. This has been demonstrated in studies from WPO Stats.

As the business scaled, my team had the challenging task of researching and proposing a tech stack to rebuild our websites and achieve optimal marketing potential.

A challenge

There was a lot of work to be done. We had more than 20 locales, 10 currencies, and thousands of pages. Personalization had to be considered, and A/B testing implemented. Supporting an ever-expanding list of requirements while still achieving optimal performance felt like an impossible goal.

We tried different frameworks — Next.js, Preact, SvelteKit, and Elder.js — and even tried building server-side rendering and island architecture with Svelte. We had to find the best systems to satisfy the needs of content editors, data analysts, and engineers.

Of course, it’s not every day that a team gets a chance to rebuild their websites from scratch. We knew we could create something great, so we wanted to make the most of this opportunity.

Enter: Astro

As our research continued, it became clear that Astro, an all-in-one web framework, ticked all our boxes. We had initially ruled out Astro because it didn’t offer server-side rendering, but when this feature was added in 2022, we knew that we’d found our framework.

Astro is not a mainstream framework, of course, and when we were considering it, the framework was still in beta. Going down this route was a risk, but it was one we were willing to take. Why? Because not only did it fulfill almost all of our requirements, but it already had a vibrant and active community and a responsive developer team. New features are planned, implemented, and delivered several times a week.

Along with server-side rendering, Astro’s developers had added Node.js support and edge deployment. These factors facilitate streamlined continuous deployment and enhance the power of a globally deployed content delivery network, allowing for unmatched performance. Edge deployment with Cloudflare, Vercel, and Netlify involves only a few simple steps, but the impact is huge.

With just a few lines of code, we now had server-side rendering enabled on our desired deployment server:

import { defineConfig } from 'astro/config';
import node from '@astrojs/node';

export default defineConfig({
  output: 'server',
  adapter: node(), // cloudflare(), vercel() …
});

Benefits of Astro

During the research phase, we noted that Svelte syntax, being a superset of HTML, was much easier to work with than React syntax. The same went for Astro. We have hundreds of different components to implement, most of which require little to no JavaScript, so being able to convert them to the HTML-style syntax of Astro made those components more readable.

The complex components that required client-side JavaScript and reactivity were another story. Our main requirement of reaching optimal website performance pushed us to try something new: SolidJS.

SolidJS is a performant, reactive, and simple library for building user interfaces. It uses JSX syntax, works well for server-side rendering, and offers outstanding performance. It does all this at a fraction of the size of the other libraries that usually get shipped to the browser.

Furthermore, both Astro and SolidJS share the concept of so-called vanishing components. Components exist to organize your code and not much else. What is shipped to the client is pure HTML and CSS.

Client-side JavaScript is an opt-in feature in Astro. Unless you specifically use one of the client directives, the component is shipped with 0kb of JavaScript. Of course, you also have the option to bundle global or local scripts straight from the component code.

SolidJS and other framework components are inserted into Astro files using the “islands architecture” pattern. The pattern was proposed by Katie Sylor-Miller in 2019 and is expanded in this post by Preact creator Jason Miller.

Here are the possible client directives for making “islands” interactive:

  • client:load — Loads JavaScript and hydrates the component on page load.

  • client:idle — Loads JavaScript and hydrates the component after page load once the main thread is idle.

  • client:visible — Uses the Intersection Observer API to load JavaScript only once the component becomes visible.

  • client:media — Useful in cases where certain components should be visible and interactive only on certain screen sizes.

  • client:only — Skips server-side rendering and runs the code on the client. Be careful with this one because it can push down your SEO scores.

Some parts of the page can be fully static, without any JavaScript needed, while other parts, or islands, may require JavaScript. The process of resolving the component state is called hydration.

Though the JavaScript community is still split over whether hydration is the right approach compared to resumability, it solves our current problems nicely. More information about the hydration topic can be found in this great article.

With Astro, islands come with another benefit: various component framework support. It offers flexibility when choosing a UI framework and has integrations to work with React, Svelte, SolidJS, and Vue. Of course, you won’t typically mix those, but it gives you flexibility and room to maneuver.

The results

To see how well it worked, check out the Lighthouse scores for one of our new websites:


The other projects integrated well with our Cloudflare Pages, and more will be built soon!

The pace of releases, weekly community calls, RFCs, the involvement of the core team, and its vibrant community all serve to confirm that we made the right choice with Astro.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Automatically correlating honeypot alerts with GreyNoise, runZero, Thinkst Canary, and Tines

This is the very first post in our new runZero practitioner’s series. We’ve invited Justin Varner, who has been in the security industry for the past 17 years, to share his thoughts on the importance of asset inventory and how it can be leveraged alongside SOAR, threat intelligence, and detection technologies. He is currently part of the Thinkst Canary Partner Program and is an active speaker on the security conference circuit.

Better Use of Your Tines: How to map Canary alerts to assets in runZero

As a Principal Solutions Architect, my job is to improve security programs and recommend ways companies can improve their breach detection capabilities.

One of the use cases that comes up quite often is reducing operational overhead on incident response teams. These teams are usually overwhelmed with the number of alerts they’re getting and spend a ton of time chasing down false positives. In my role, I am constantly looking for new ways to approach breach detection and to break away from the traditional paradigm of finding needles in a haystack. I often think about how teams can leverage automation to triage alerts more effectively and focus on the issues that are really going to impact them. How can I take a process that is usually complex and manual, and streamline it so teams can stay on top of emerging threats?

There are an incredible number of tools out there that are in a position to help teams who want to save time and zero in on the critical issues affecting them. Some of these tools are changing the game in the asset inventory, threat intelligence, SOAR (security orchestration, automation, and response), and detection technology space. Based on my experience using these tools, I am going to share how you can use Tines, a SOAR platform, to automate sending alerts generated by Thinkst Canary to GreyNoise for context, and then extract the metadata returned by GreyNoise to tag runZero assets, so that you can continuously maintain a comprehensive inventory with rich, full details.

Benefits of asset inventory and automation

Here are some of the reasons why these tools and this approach will help you:

  • Maintaining an accurate asset inventory is critical to managing your attack surface. As the old saying goes, “You can’t protect what you don’t know.” runZero excels at making sure you know what you need to protect. It’s the first product that can accurately identify assets and continuously update them in real-time.

  • Canary alerts are typically some of the most important alerts that your organization will receive. It’s imperative to quickly understand the full context of the alert to determine the severity of the threat (this is where GreyNoise comes in) and respond accordingly.

  • A variety of emerging threats loom every day that could directly impact your organization in a significant way. Solarwinds and Log4J are two recent examples of major threats that wrecked a multitude of organizations. If you happened to use GreyNoise and runZero back then, you had the benefit of the most current threat intelligence from GreyNoise coupled with the ability for runZero to dynamically check assets that were potentially vulnerable by searching for the Apache logging framework across your inventory.

  • Once you add Tines to the mix, you have the ability to stay on top of these emerging threats and respond swiftly to mitigate the potential impact to your organization. Tines is a powerful security automation platform, but unlike most of the other SOAR products out there, you don’t need to understand advanced programming concepts to use it. This makes the previously complex task of integrating multiple services with disparate APIs easy with Tines.

Set up all the tools

The following walk-through shows how you can use Tines to automate sending alerts generated by Thinkst Canary to Greynoise to gather threat intelligence. Then, you’ll learn how to extract the metadata used by Greynoise to automatically tag runZero assets.

Let’s get everything ready.

Step 1: Create your Tines account

Start by creating a free Tines community account, which provides a generous allotment of resources.

Tines uses the concept of stories that consist of a variety of actions used to automate routine tasks that people shouldn’t have to do. You have more important work to do. Let Tines handle the mundane and error-prone tasks.

Learn more about Stories, Actions, and the other elements of Tines.

Step 2: Create your Thinkst Canary account

You’ll need a paid subscription to Thinkst Canary and the API must be enabled. Send an email to their amazing support team using support@canary.tools and they’ll get you sorted.

Step 3: Create a resource for Thinkst Canary in Tines

In your Canary console, navigate to the API section under global settings to retrieve the domain hash and auth token. You’ll need to add these values to Tines in order to successfully run the story.

In Tines, create a resource named canary_tools_tenant_id with the value of your domain hash and a credential named canary_tools_api_key with the value of your auth token.

Step 4: Create your GreyNoise account

GreyNoise provides a community API for free, but this particular story requires the GreyNoise enterprise API because of the metadata that we need to extract for the assets. Find your API key. You can start a 30-day trial to obtain a temporary API key.

Step 5: Set up a credential for Greynoise in Tines

Create a credential in Tines named greynoise_api_key with the value of your Enterprise API key.

Step 6: Create a runZero account

And finally you’ll need a runZero Professional or Enterprise account. You can start a 21-day trial of runZero Enterprise for access to all the features runZero has to offer, including the necessary API access needed for this tutorial.

Step 7: Set up a credential for runZero in Tines

Go to the runZero console and generate an API token for your organization by navigating to Organizations. Click your organization name, scroll down to the API tokens section, and click Generate API Key. Copy the API token.

Then, in Tines, create a credential named runzero_organization_api_key with the value of your organization’s API token from runZero.

Pull everything together with Tines

Now, everything is in place to construct a Tines story that will orchestrate sending IPs from Thinkst Canary alerts to GreyNoise for context and tagging, and then finally, to runZero to build your asset inventory.

The following story is available in the Tines Story Library. Here is what the story will look like:

Tines story

The story consists of the following events:

  • [WEBHOOK] – An incoming webhook receives events from Canary whenever an alert fires
  • [HTTP REQUEST] – The webhook activates a call to the Canary API to pull down the relevant incident details
  • [EVENT TRANSFORMATION] – The IP is deduplicated to prevent redundant events from triggering
  • [HTTP REQUEST] – The public IP is extracted from the Canary incident and sent to GreyNoise for context
  • [HTTP REQUEST] – Asset metadata from GreyNoise is extracted and sent to runZero
  • [HTTP REQUEST] – runZero updates the tags associated with the asset based on the classification field reported by GreyNoise.

If the asset has not been seen in the wild then no tag is added. You can optionally send these alerts to a third-party endpoint of your choice like Slack or Jira.
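The deduplication and tagging rules of the story, as an added example in PowerShell that is not part of the post or of any of the products mentioned. It shows only the decision logic, on constructed sample data, and leaves out the HTTP calls, which the post configures inside Tines. The field names src_host (Canary incident source address) and seen, classification and actor (GreyNoise context record) are assumptions about those APIs' response shapes, and the tag names greynoise_classification and greynoise_actor are my choices.

```powershell
# Added example, not from the runZero/Tines post: the EVENT TRANSFORMATION and
# tagging decisions of the story, on constructed data, without the API calls.

# Only public, routable IPv4 addresses are worth sending to GreyNoise; private,
# loopback, link-local and CGNAT sources come from inside the network and have
# no internet-scanning context to look up.
function Test-PublicIPv4 {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::None
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10) { return $false }                                        # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }   # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }                    # 192.168.0.0/16
    if ($b[0] -eq 127) { return $false }                                       # loopback
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }                    # link-local
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return $false }  # CGNAT 100.64.0.0/10
    if ($b[0] -ge 224) { return $false }                                       # multicast / reserved
    return $true
}

# Deduplicate source IPs across a batch of incidents so one noisy source does
# not trigger the GreyNoise and runZero steps repeatedly (the story's dedupe step).
function Get-UniquePublicSources {
    param([object[]]$Incidents)
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($incident in $Incidents) {
        # src_host is assumed to be the Canary incident's source address field
        if ((Test-PublicIPv4 $incident.src_host) -and $seen.Add($incident.src_host)) {
            $incident.src_host
        }
    }
}

# Map a GreyNoise context record to runZero tags. A source GreyNoise has not
# seen in the wild gets no tag, as the post describes; the field names are assumed.
function ConvertTo-RunZeroTags {
    param([hashtable]$Context)
    if (-not $Context -or -not $Context.seen) { return @{} }
    $tags = @{ 'greynoise_classification' = $Context.classification }
    if ($Context.actor) { $tags['greynoise_actor'] = $Context.actor }
    return $tags
}

# Constructed sample data (not real Canary or GreyNoise output).
$incidents = @(
    @{ src_host = '203.0.113.7';  description = 'HTTP Login Attempt' },
    @{ src_host = '203.0.113.7';  description = 'HTTP Login Attempt' },  # duplicate, dropped
    @{ src_host = '198.51.100.9'; description = 'SSH Login Attempt' },
    @{ src_host = '192.168.1.20'; description = 'SSH Login Attempt' }    # internal, skipped
)
$contexts = @{
    '203.0.113.7'  = @{ seen = $true;  classification = 'malicious'; actor = 'unknown' }
    '198.51.100.9' = @{ seen = $false }                                  # never observed scanning
}

foreach ($ip in Get-UniquePublicSources $incidents) {
    $tags = ConvertTo-RunZeroTags $contexts[$ip]
    if ($tags.Count -eq 0) {
        Write-Output "${ip}: not seen by GreyNoise, no tag added"
        continue
    }
    $rendered = ($tags.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    Write-Output "${ip}: tag runZero asset with $rendered"
}
```

Running the block prints one line for 203.0.113.7 carrying the classification tag and one line for 198.51.100.9 stating that no tag is added; the duplicate and the internal address never reach the tagging step. In a real deployment the same three decisions sit between the webhook and the GreyNoise and runZero HTTP requests in the story.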

Test this story by generating a web bug token, pasting its URL into your browser, and hitting enter. The Canary alert will look similar to the following:

Canary trigger

And now we see the corresponding asset in runZero added and tagged with the data from GreyNoise. You’ve automatically added data from GreyNoise into runZero, all orchestrated by Tines. Next time an alert triggers for this asset, your runZero inventory will automatically be updated. Automation FTW!

runZero asset

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero 3.2: a 365-degree view of your Microsoft environment

What’s new with runZero 3.2?

  • Integrations with Microsoft 365 Defender and Microsoft Intune
  • Query and report on Active Directory users and groups
  • Fingerprint updates
  • User experience improvements

Complete visibility into your Microsoft assets

Over the last few months, runZero has added support for Microsoft Azure cloud assets, Azure Active Directory and on-premises Active Directory users, groups, and assets, in addition to a community integration with Microsoft Sentinel. The runZero 3.2 release fills in the missing pieces by bringing endpoint visibility into the runZero inventory through new integrations with Microsoft 365 Defender and Microsoft Intune. runZero Enterprise users can view, search, analyze, export, and alert on attributes from the Defender and Intune metadata.

Mobile device management (MDM) solutions have become essential to organizations with a remote or transient workforce because of their ability to manage and secure devices even when they aren’t on the corporate network. Similarly, endpoint detection and response (EDR) platforms are commonly used on all sorts of assets for security monitoring and automatic response. While these IT management and security tools are an important part of many security stacks, reviewing what has been onboarded to those sorts of solutions only tells you about the devices that someone is already responsible for. Those lists can’t tell you about all the assets on your network that are unprotected or unmanaged, or all the assets disconnected from your network that haven’t been scanned.

Unprotected and unmanaged devices are the bane of many organizations, and runZero can help you find them. Quickly identify unmanaged assets through a runZero query: filtering on source:runzero AND NOT (source:ms365defender OR source:intune) will return a list of assets that were found by your Explorers but are not onboarded to Defender or Intune.

The inverse of this query can be used to ensure off-network assets are included in your asset inventory: (source:ms365defender OR source:intune) AND NOT source:runzero. This will give you a list of targets that may be missing from your scans and can ensure you’re gathering all the available network and asset data.

With runZero’s unmatched active network scanning and an ever-growing list of integrations, you’ll have a complete asset inventory at your fingertips. To get started, set up a connection to Microsoft 365 Defender or Microsoft Intune.

Microsoft 365 Defender and Microsoft Intune integrations

Query and alert on Active Directory users and groups

In addition to running searches in the Users and Groups inventories, runZero Enterprise users can leverage the Azure AD or Microsoft Active Directory integrations to quickly find accounts that match specific parameters. Quickly identify expired, disabled, or locked accounts, as well as managed service accounts and accounts with non-expiring passwords. These queries are included in the Query Library and can also be used to create alerts.

The Organization Overview report has also been updated to include counts of users and groups for the whole organization as well as per site.

Run queries about AD users or create an alert rule to find accounts of interest.

Query and Alert on AD Results

Fingerprinting Microsoft assets

runZero includes fingerprints for the metadata returned by the Microsoft integrations. This leads to more accurate operating system and hardware data within the runZero inventory. These fingerprints cover every aspect of the Microsoft ecosystem, from Azure cloud VMs to off-network endpoints running Microsoft Defender.

In addition to Microsoft fingerprints, runZero has also improved the coverage of Tenable.io and Nessus assets, public and private AWS AMI images, and IMAP services. Additional support was added for products by Advidia, Aiphone, Apple, ARRIS, Fortinet, Honeywell, iDevices, Lutron, Midnite Solar, Netgear, Sapling, SEH, Silex, Yeelight.

User experience improvements

The 3.2 release includes several changes to the user interface to improve the performance of the runZero console, as well as a change to how page navigation transitions happen. As a result, the pages will load faster as you move between sections like the inventories and asset details pages. Additionally, the asset details page provides better performance and efficiency when loading all of the details for an asset.

Enhancements have also been added to make using the data easier than ever. On the asset details pages, the “last loaded” timestamp indicates when the asset details were loaded, and a refresh button has been added to be able to quickly reload the data without refreshing the whole webpage. The Vulnerabilities and Software tables on these pages now perform and load faster. Additionally, the navigation list for the Services table now displays the protocols and ports as a navigation tree to make finding the information you’re looking for simpler and a button has been added to quickly bring you back to the top of the page from the services table. As we continue to make progress on the architectural modernization of the runZero Console, you will see improvements to the performance and user experience of the product.

Asset Details Updates

Release notes

The runZero 3.2 release includes a rollup of all the 3.1.x updates, which includes all of the following features, improvements, and updates.

New features

  • runZero Enterprise customers can now sync assets from Microsoft 365 Defender.
  • runZero Enterprise customers can now sync assets from Microsoft Intune.
  • Fingerprint updates.

Security fixes

  • Three stored cross-site scripting vulnerabilities were identified and fixed as part of our annual third-party security assessment.
  • A bug that could lead to stored cross-site scripting in the scan templates view was fixed. This issue could be exploited by an authenticated, but unprivileged user to take over the session of another authenticated user.
  • A bug that could lead to stored cross-site scripting in the SSO group mappings view was fixed. This issue could be exploited by an authenticated superuser to take over the session of another authenticated user.
  • A bug that could lead to stored cross-site scripting in the team view was fixed. This issue could be exploited by an authenticated, but unprivileged user to take over the session of another authenticated user.

Product improvements

  • SNMPv2 options have been moved to the Probes tab (now labeled Probes and SNMP).
  • The toggle switch to use or not use SNMP now correctly reflects whether it is overridden by the “Use defaults” option on the Probes tab.
  • The asset details pages now include a “last loaded” time indicator and the ability to refresh the page data.
  • Alert notifications, user invitations, and password reset emails are now sent from the runzero.com domain name instead of rumble.run.
  • The rumblectl utility now has a diagnostics command to run or save a diagnostic script for self-hosted customers to collect information for runZero support.
  • Inventory pages now offer “all” and “none” column visibility selection options.
  • The search keyword os_eol_expired is now supported on the Assets inventory.
  • The rumblectl command can now be used with self-hosted deployments to configure additional superusers.
  • Email notifications are now enabled for non-recurring Organization Overview reports.
  • Relative time searches now accept negative numbers.
  • Scan tasks and templates now allow empty SNMPv1 and SNMPv2 community strings.
  • Credential validation has been improved to prevent common misconfigurations.
  • Support for Explorer hosts running virtual machines has been improved.
  • MAC vendor display behavior on inventory datagrids has been improved.
  • Tooltips on datatable icons have been improved.
  • Changes to directory users and groups are now included in the task change report.
  • Error messages related to API tokens have been improved.
  • Asset exports now filter subnet results to those containing the assets’ addresses.
  • Improved LDAP connector and probe logging.
  • Added group_count keyword to Users search.
  • Improved grouping of inputs in connector forms.
  • Search keyword has_group is now supported on the Users page.

Performance improvements

  • The asset details pages have been redesigned for improved performance.
  • Improved performance of asset exports with many subnets.
  • Improved loading times of the directory groups inventory page.
  • Improved loading times of the inventory screens, including multi-page selection.

Fingerprinting changes

  • Improved Active Directory collected data and fingerprint coverage.
  • Improved LDAP attributes for Active Directory objects.
  • Added new queries for quickly surfacing various Active Directory scenarios.
  • Improved fingerprinting coverage of Azure AD assets.
  • Improved fingerprinting coverage of Tenable assets.
  • Improved fingerprinting coverage of public AWS AMI images.
  • Added custom fingerprint support for private AWS AMI images.
  • Improved fingerprinting coverage of IMAP services.
  • Fingerprint support added or improved for products by Advidia, Aiphone, Apple, ARRIS, Fortinet, Honeywell, iDevices, Lutron, Midnite Solar, Netgear, Sapling, SEH, Silex, and Yeelight.

Integration improvements

  • Recent users from Microsoft Intune, SentinelOne, and CrowdStrike are now included on the asset details page.
  • The Azure AD integration now imports additional assets and no longer requires a Microsoft Intune license.
  • The Azure AD integration can now be configured to optionally import assets, users, and groups.
  • The Active Directory integration service options have been adjusted for consistency.
  • Directory users and groups can now be included in custom queries.
  • The Organization Overview report now contains summary information for directory users and groups when present.
  • The Tenable.io integration now supports a configurable API URL.
  • The Active Directory integration now supports optional import of assets, users, and groups.
  • The minimum TLS version supported by new Active Directory credentials has been increased from TLS 1.0 to TLS 1.2, with a configurable option to support older TLS versions.
  • The handling of Qualys concurrency and rate limiting has been improved.

Bug fixes

  • A bug that could prevent repeated import of task data that includes directory users and groups has been resolved.
  • A bug that caused subnet sampling and screenshots to be enabled for all scan tasks has been resolved.
  • A bug that could prevent modifying the maximum concurrent scans setting was resolved.
  • A bug that could result in an inaccurate task count on the credentials page was resolved.
  • A bug that could result in inaccurate searches by credential on the tasks page was resolved.
  • A bug that could result in inaccurate reporting of credential reuse was resolved.
  • A bug that could cause certain browser extensions to prevent configuring scans was resolved.
  • A bug that could prevent reuse of SNMP credentials for recurring scans was resolved.
  • A bug that could prevent initializing a scan in some cases was resolved.
  • A bug that prevented recurring scans from being saved in some cases was resolved.
  • A bug that prevented the first_seen timestamp from being set has been fixed.
  • A bug that could cause large Qualys imports to fail has been resolved.
  • A bug that prevented import of Azure AD users and groups when missing an active Intune license has been resolved.
  • A bug that could result in partial import of Azure AD users and groups has been resolved.
  • A bug which prevented the report.changed value from working in notification rule templates has been fixed.
  • A bug that prevented the use of client tokens to authenticate to the API has been fixed.
  • A bug that could cause insight queries for hosted zones to fail has been resolved.
  • A bug in the Shodan integration asset-mode query has been resolved.
  • A bug that could cause MAC vendor names to be cut off in datagrids has been resolved.
  • A bug that could result in missing Shodan services has been resolved.
  • A bug that incorrectly imported Active Directory Managed Service accounts as assets has been resolved.
  • A bug that could cause the Switch Topology report to not show all switches in certain situations has been resolved.
  • A bug that could result in a 500 error when exporting assets from sites with many assets and/or subnets has been resolved.
  • A bug that could result in UI elements becoming unresponsive has been resolved.
  • A bug that could prevent some service values from being saved has been resolved.
  • A bug that could result in all subnet tags being applied to exported assets has been resolved.
  • A bug that could cause Azure AD imports to fail for certain configurations has been resolved.
  • A bug that could cause excessive export sizes has been resolved.
  • A bug that could obscure task errors from the task log has been resolved.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.


About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Why unmanaged devices are a challenge for IT and security programs

Unmanaged devices pose a significant challenge for many organizations. As the number of devices connecting to their networks increases, security and IT teams can easily lose track of them. As a result, organizations struggle with many devices flying under the radar, leaving those devices unprotected and creating potential footholds into the network.

Unmanaged devices can take many forms:

  • Shadow IT: Imagine a developer’s test box set up with the permission of the engineering team but without central governance: the machine is not joined to Active Directory and does not receive group policies, maintenance updates, or security controls. Because it cannot be accessed with domain admin credentials, it is off the radar for most CMDBs.
  • Rogue devices: Rogue devices may include a WiFi access point set up by an employee to get better wireless reception in their corner of the office. These are hard to detect because IT cannot install agents on them and doesn’t find them with an authenticated scan because SNMP strings won’t work on the device.
  • Orphaned devices: These devices were once managed but have fallen off the radar, for example an open-source web app run by a department that has since been superseded by a SaaS application but is now continuing its zombie life without patching or oversight.

Asset inventory of unmanaged devices tends to be particularly difficult for Internet of Things (IoT) and operational technology (OT) devices, such as programmable logic controllers (PLCs) in a factory. In an enterprise environment, these devices include printers, IP phones and uninterruptible power supplies (UPS). These devices often don’t take centrally managed administrative credentials and don’t allow IT teams to install an agent on them. That’s why they are often not covered by the enterprise inventory database.

Rogue devices slow down IT troubleshooting

The efficacy of IT helpdesks is often measured by how many tickets they can service. Anything that slows down troubleshooting impacts not only that metric but also the productivity of users and entire departments. An IT helpdesk person recently shared that they were investigating a networking issue with spotty connectivity for some users. The root cause was a rogue device with a static IP address that conflicted with other devices that received their addresses via DHCP in the same range. Without a good asset inventory, that investigation would have turned into a wild goose chase.

Accidental network bridges bypass firewalls

In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn’t identified ahead of time.
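The bridge described above can be caught from inventory data alone: once multi-homed hosts are correlated into one asset record, any record whose addresses fall in two zones that a firewall is supposed to keep apart is a candidate bridge. The following is an added example written for this article, not runZero code; the zone map, the segmentation policy, and the asset records are constructed sample data.

```python
"""Flag assets whose interfaces span network zones that are meant to be
segmented (an "accidental bridge"). Added illustration, not runZero's code;
the zones, segmentation pairs and asset records below are constructed."""
import ipaddress

# Constructed zone definitions: which subnets belong to which zone.
ZONES = {
    "IT":  [ipaddress.ip_network("10.10.0.0/16")],
    "OT":  [ipaddress.ip_network("192.168.50.0/24"),
            ipaddress.ip_network("192.168.51.0/24")],
    "DMZ": [ipaddress.ip_network("172.16.8.0/24")],
}

# Constructed policy: pairs of zones a firewall is meant to keep apart.
SEGMENTED_PAIRS = {frozenset({"IT", "OT"}), frozenset({"IT", "DMZ"})}

# Constructed discovery results. Each record is one asset with every address
# it answered on; correlating several NICs into one asset (by hostname,
# adjacent MACs, etc.) is assumed to have happened already.
ASSETS = [
    {"id": "a1", "hostname": "eng-ws-07",   "addresses": ["10.10.4.21"]},
    {"id": "a2", "hostname": "hmi-line3",   "addresses": ["192.168.50.12"]},
    {"id": "a3", "hostname": "jump-laptop", "addresses": ["10.10.9.77", "192.168.51.40"]},
    {"id": "a4", "hostname": "dmz-web",     "addresses": ["172.16.8.10", "10.10.1.5"]},
    {"id": "a5", "hostname": "ot-gw",       "addresses": ["192.168.50.1", "192.168.51.1"]},
]


def zone_of(addr, zones=ZONES):
    """Return the zone name an address belongs to, or "unknown"."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in zones.items():
        if any(ip in net for net in nets):
            return zone
    return "unknown"


def find_bridges(assets, zones=ZONES, segmented=SEGMENTED_PAIRS):
    """Return (asset id, hostname, sorted zones) for every asset whose
    addresses land in two zones that the policy says must stay apart.
    A host with two NICs inside the same zone (a5) is not a bridge."""
    findings = []
    for asset in assets:
        seen = {zone_of(a, zones) for a in asset["addresses"]}
        seen.discard("unknown")
        if any(pair <= seen for pair in segmented):
            findings.append((asset["id"], asset["hostname"], sorted(seen)))
    return findings


if __name__ == "__main__":
    for asset_id, host, zones in find_bridges(ASSETS):
        print(f"possible bridge: {host} ({asset_id}) spans {zones}")
```

Run against the sample data this reports jump-laptop (IT and OT) and dmz-web (IT and DMZ) and stays quiet about ot-gw, whose two interfaces are both inside OT. The check is only as good as the correlation step that produced one record per physical host; if a multi-homed device shows up as two separate assets, it will not be flagged.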

Unmanaged devices hinder incident investigations

Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. In one case, an analyst received an alert that an internal IP address was communicating with a known-bad IP, namely a command and control (C2) server. However, neither the SIEM nor the CMDB had any record of that internal IP on the network, nor did the vulnerability management or EDR consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With a good asset inventory that tracks IoT devices, the analyst would have saved time resolving this incident and would also have been able to find other devices of the same make and model to check whether they were using default credentials.

End-of-life devices are bad for uptime and potentially vulnerable

Proactive IT lifecycle programs look for devices on the network that are approaching their end-of-life (EOL) or are outside the warranty period, replacing the devices before they become an issue. Manufacturers often no longer provide functional and security fixes for these devices, making them much more risky and difficult to service if something goes wrong. If unmanaged devices are not inventoried, IT and security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.

Shadow IT makes network updates and migrations more risky

Carrying out updates and migrations of networks with a lot of shadow IT tends to be riskier because of potentially unknown applications and services. Having a full picture of all managed and unmanaged devices will de-risk the project because each part of the infrastructure can be planned and accounted for.

Rogue devices complicate governance of security controls

Proper governance dictates that you have security controls on every device. It’s impossible to figure out coverage gaps without knowing all of the devices on your network.

Once you have a full inventory of devices on your network, overlay the data from security controls and look for gaps, for example, finding all Windows machines missing CrowdStrike or other EDR systems. This can be a huge step in getting ahead of security issues.
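Both the camera investigation above and the coverage-gap overlay come down to joining scan results with the systems of record. The following is an added example, not runZero's code or its query language; the inventory, the EDR agent export, and the CMDB export are constructed sample data, keyed on MAC address as the join key (an assumption; hostname or serial number would do where MACs are not visible).

```python
"""Asset-centric triage over a unified inventory: is an alerting IP known,
is it managed, does it have EDR, which sibling devices need the same check,
and which Windows hosts have no EDR agent at all. Added illustration, not
runZero's code; all data below is constructed."""

# Constructed inventory: what an unauthenticated scan found.
INVENTORY = [
    {"ip": "10.10.4.21",  "mac": "00:1a:2b:3c:4d:01", "hostname": "eng-ws-07", "os": "Windows 11",          "vendor": "Dell",       "model": "OptiPlex 7090"},
    {"ip": "10.10.4.22",  "mac": "00:1a:2b:3c:4d:02", "hostname": "eng-ws-08", "os": "Windows 11",          "vendor": "Dell",       "model": "OptiPlex 7090"},
    {"ip": "10.10.6.30",  "mac": "00:1a:2b:3c:4d:03", "hostname": "fs-01",     "os": "Windows Server 2019", "vendor": "HPE",        "model": "ProLiant DL380"},
    {"ip": "10.10.7.101", "mac": "aa:bb:cc:00:11:01", "hostname": None,        "os": "Linux",               "vendor": "ExampleCam", "model": "EC-200"},
    {"ip": "10.10.7.102", "mac": "aa:bb:cc:00:11:02", "hostname": None,        "os": "Linux",               "vendor": "ExampleCam", "model": "EC-200"},
    {"ip": "10.10.7.103", "mac": "aa:bb:cc:00:11:03", "hostname": None,        "os": "Linux",               "vendor": "ExampleCam", "model": "EC-350"},
]

# Constructed EDR console export: MACs of hosts with an agent checking in.
EDR_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:03"}

# Constructed CMDB export: MACs of hosts that have an owner on record.
CMDB_MACS = {"00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:03"}


def lookup(ip, inventory=INVENTORY):
    """Find the asset record for an address, or None if the scan never saw it."""
    return next((a for a in inventory if a["ip"] == ip), None)


def unmanaged(inventory=INVENTORY, cmdb=CMDB_MACS):
    """Assets the scan found that no system of record knows about."""
    return [a for a in inventory if a["mac"] not in cmdb]


def same_model(asset, inventory=INVENTORY):
    """Other assets with the same vendor and model, to be checked for the
    same weakness (e.g. default credentials) as the one that alerted."""
    key = (asset["vendor"], asset["model"])
    return [a for a in inventory
            if a is not asset and (a["vendor"], a["model"]) == key]


def edr_gaps(inventory=INVENTORY, edr=EDR_MACS):
    """Windows assets with no EDR agent reporting in: the coverage gap."""
    return [a for a in inventory
            if a["os"].startswith("Windows") and a["mac"] not in edr]


def triage(alert_ip, inventory=INVENTORY, cmdb=CMDB_MACS, edr=EDR_MACS):
    """Everything an analyst wants about an alerting internal IP in one call."""
    asset = lookup(alert_ip, inventory)
    if asset is None:
        return {"known": False}
    return {
        "known": True,
        "asset": asset,
        "managed": asset["mac"] in cmdb,
        "edr": asset["mac"] in edr,
        "same_model": same_model(asset, inventory),
    }


if __name__ == "__main__":
    result = triage("10.10.7.101")
    print("alerting device:", result["asset"]["vendor"], result["asset"]["model"],
          "managed" if result["managed"] else "UNMANAGED",
          "edr" if result["edr"] else "no EDR")
    print("check these too:", [a["ip"] for a in result["same_model"]])
    print("Windows hosts without EDR:", [a["hostname"] for a in edr_gaps()])
```

With the sample data, the alerting camera comes back as unmanaged with no EDR, its EC-200 sibling at 10.10.7.102 is listed for the same default-credential check (the EC-350 is a different model and is not), and eng-ws-08 is the one Windows host missing an agent. The value of the scan baseline is visible in the first step: without it, `lookup` would return None and the analyst would be starting from nothing.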

Unmanaged devices are often the first foothold for attackers

Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These typically become great entry points for an attack, because these machines tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don’t have anybody minding the store. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.

Unmanaged devices are best discovered with unauthenticated scanning

Authenticated scans and agents are not effective for uncovering unmanaged devices because they require centrally managed credentials to scan or deploy, which are generally not available for rogue, IoT, and OT devices. The best solution is to use an unauthenticated scan as a baseline, then layer other information on top, such as data from your security controls consoles.

runZero scans your network in minutes to identify unmanaged devices

runZero offers free, professional, and enterprise plans to scan your network for unmanaged devices. It scales from home use to Fortune 50 companies. runZero uses a combination of unauthenticated, active scanning and integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.

With runZero, you can:

  • Identify rogue devices to accelerate IT troubleshooting
  • Find accidental network bridges that bypass segmentation
  • Conduct asset-centric incident investigations
  • Find operating systems and networking devices that are EOL or out of warranty
  • Plan your network upgrades and migrations
  • Ensure great coverage for security controls
  • Reduce your internal and external attack surface

You can try out runZero for free–no credit card required–for 21 days and up to 50,000 devices. Try our free Starter Edition for up to 255 devices to get more visibility into your small business or home network.

Get runZero for free

Do you know about the unmanaged assets on your network? Find them with runZero.

