runZero 3.6:引入組織層次結構

What’s new with runZero 3.6?

Organizational hierarchies

Organizational hierarchies help streamline user and permission management. When creating and editing organizations, you can define an organizational hierarchy that allows for inherited user permissions.

The users assigned to the selected parent organization will maintain the highest assigned permission in the child organization unless specified in their user permissions. For instance, if a user is a viewer in the parent organization, but an administrator in the child organization, they will maintain their admin status in the child organization when the parent-child relationship is created.

Organization hierarchies can be three levels deep, and user permissions in a child organization can be upgraded, not downgraded, from the currently set permissions in the parent organization.

CrowdStrike integration improvements

The CrowdStrike integration now populates asset software information from Falcon Discover. Additionally, IP addresses imported by CrowdStrike are now considered primary addresses and will be used for correlation, and the CrowdStrike credential verification is now seperated by service.

Operating system CPE assignment

The operating system Common Platform Enumeration (CPE) field is a string describing detected operating system software aligned to the CPE naming scheme. This field is queried using the syntax os.cpe23:<text>. In cases where runZero was able to fingerprint the operating system but the NIST database does not contain an official matching entry, an unofficial CPE will be generated and include r0_unofficial in the other field of the CPE.

New protocols and fingerprints

The runZero scanner now reports legacy RDP authentication, decodes additional ISAKMP/IKEv2 fields, and improves the fingerprinting of AirPlay devices.

Additional fingerprints were added for products by 2N, Aastra, Alien Technology, AMI, Arista, Asterisk, Avaya, Canon, Cisco, D-Link, Dell, Eaton, Echelon, Fortnet, FreePBX, GAI-Tronics, Grandstream, Hillrom, Honeywell, HP, HPE, Intel, Jenkins, Lantronix, Lenovo, LG, Logic Controls, Logitech, Meinberg, Mitel, Moxa, Netgear, NetApp, Quantum, Palo Alto Networks, Panasonic, Poly, QNAP, Samsung, Sierra Wireless, SoundCom, Spectralink, STARFACE, Tektronix, Thomson, Ubiquiti, VTech, Wahsega, Yealink, ZTE, Zultys, and Zyxel.

New Rapid Response queries

A new query was added to quickly identify OpenSSH 9.1 Servers affected by a memory double-free vulnerability.

See runZero 3.6 in action

Watch the video to see a preview of some of the newest features in runZero, including organizational hierarchies, research updates, software inventory from CrowdStrike, and OS CPE information.

Release notes

The runZero 3.6 release includes a rollup of all the 3.5.x updates, which includes all of the following features, improvements, and updates.

New features

  • Organizational hierarchies are available allowing for permissions to be inherited by child organizations based on an established parent.
  • runZero now identifies the CPE associated with fingerprinted assets and assigns an unofficial CPE where an official match is not found in the NIST database.

Product improvements

  • A new query was added for OpenSSH 9.1 servers affected by a memory double-free vulnerability.
  • Improved SNMP fingerprint coverage capabilities and added new attributes for SNMP protocol version (at the asset level) and authentication details (at the service level).
  • Improved handling of invalid multi-valued subjectAlternativeNames on x.509 certificates.
  • The scanner now supports identifying RDP authentication methods, including legacy and NLA, supported by target hosts.
  • The scanner now supports the ability to decode ISAKMP/IKEv2 replies
  • A new canned query for OpenSSH 9.1 servers which contain a memory double-free vulnerability has been added.
  • Performance of the Active Directory (LDAP), Azure AD, and Google Workspace integrations has been improved.
  • SNMP protocol versions are now tracked at the asset level.
  • SNMP services will now keep track of how they authenticated and using what protocols.
  • Hostname extraction from malformed subjectAlternativeNames on TLS certificates has been improved.
  • Site scopes with subnets ending in /32 (for IPv4) and /128 (for IPv6) are no longer parsed to single IPs and will appear as CIDR entries in the subnets list.
  • Improved error validation UX around email addresses when setting up an email alert channel.
  • Services, Screenshots, and Software inventory pages now include associated site subnet tags.
  • runZero now identifies the CPE associated with fingerprinted assets and assigns an unofficial CPE where an official match is not found in the NIST database

Integration improvements

  • Improved fingerprinting of operating systems imported via the LDAP and VMware integrations.
  • Stability and performance of VMware asset correlation has been improved.
  • VMware assets are now merged across sites.
  • The Intune integration has been improved to better handle Intune API rate limiting.
  • IP addresses reported by CrowdStrike are now considered primary addresses, and will be used for asset correlation.
  • CrowdStrike credentials verification is now separated by service

Bug fixes

  • A bug that could prevent automatic metric calculations from completing has been resolved.
  • A bug that could prevent stale assets from being automatically removed on subsequent task runs has been resolved.
  • Several minor bug fixes and UX improvements have been made to the redesigned task page.
  • A bug that prevented OS fingerprinting and information extraction over RDP has been resolved.
  • A bug preventing users from copying or editing connector and analysis tasks has been resolved.
  • A bug causing new recurring tasks to display an incorrect first run date has been resolved.
  • A bug causing the dashboard asset trends graph tooltips to appear away from the graph has been resolved.
  • A bug causing task page inspection cards to automatically collapse has been resolved.
  • A bug that could result in build-up of frequently recurring tasks has been resolved.
  • A bug that could cause extremely large tasks to remain queued for processing indefinitely has been resolved.
  • A bug that could prevent export of service attribute reports has been resolved.
  • A bug preventing license requirement indicators from being visible on some pages has been resolved.
  • A bug preventing saving of credentials due to bad org-access settings has been resolved.</l i>
  • A bug preventing recalculation of the next scheduled run time for a scan has been resolved.
  • A bug that could cause inaccurate asset counts in the Organization Overview report has been resolved.
  • A bug that could cause site import to fail when missing optional fields has been resolved.
  • A bug that could prevent the VMWare connector task page from loading has been resolved.
  • A bug that could cause duplicate MSDefender attributes on an asset has been resolved.
  • A bug where firewalls (and similar devices) responding to many non-asset IP addresses during scanning would lead to unexpected assets in inventory has been resolved.
  • A bug preventing the active scans dashboard widget from navigating to the associated task on click has been resolved.
  • A bug preventing site subnet tags from appearing in the dashboard Asset tags widget has been resolved.
  • A bug that could cause CrowdStrike tasks to fail when missing software permissions has been resolved.
  • A bug that could prevent bogus services from certain firewalls from being completely filtered has been resolved
  • A bug that could lead to a browser crash in the latest release of Chromium based browsers on MacOS has been circumvented.
 

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

如何通過組織層次結構簡化用戶權限

A common challenge for many businesses is efficiently managing user permissions as new solutions are deployed and adopted. How do you ensure that the right people have the right permissions to access the data they need for their jobs? Missteps on provisioning permissions can lead to unauthorized access to data, creating major headaches for IT and security teams.
One way around this challenge is to start with solid user and permission management practices that help you assign access to your users, such as role-based access control (RBAC). RBAC is a security approach that authorizes and restricts users’ access based on their roles within an organization. While RBAC is an effective way to manage user access control at scale, you can add extra layers of protection to ensure that the right roles are being assigned. A good example of this would be using hierarchies to propagate the inheritance of permissions.
Let’s take a look at how you can use runZero organizations for data segmentation and hierarchies to streamline user permission management.

The role of organizations

Organizations are a powerful feature that allow you to create separate entities for your assets and control what users can do with the organizational data. In runZero, you can use organizations to group and manage asset data, Explorers, tasks, sites, and scan configurations. The flexibility of organizations allows you to segment your data by company, department, customers, or however you like. For example, you might want to set up different organizations for each environment you have – such as development and production – because you want to segment the data. Or if you’re a service provider, you may have an organization for each one of your customers.
In some cases, your business may want to set up multiple organizations to manage asset data as well as streamline permissions management. Imagine having to review and assign organizational access for each user. That’s time-consuming and prone to user error. So how can you ensure consistent provisioning of user permissions throughout your organizations?

Introducing organizational hierarchies

runZero 3.6 introduces organizational hierarchies, which enables you to create parent-child relationships between organizations. This approach is based on a top-down permissions distribution model, where the child organizations inherit the permissions configured within the parent organization.

The parent organization sets the minimum permission level a user has to that organization and any children. Child organizations with lower permissions than the parent organization will inherit the effective higher permission. For example, if the parent organization has a user’s permissions set to annotator, then the child organizations can be upgraded to user or administrator, but downgraded permissions won’t have any effect.
Imagine you have a parent organization called Mom Org that has a child organization called Baby Org. Within Mom Org, a user named Chris has been assigned an administrator role. As a result, Chris can access the Baby Org organization as an administrator.
Let’s take a look at how you can set up organizational hierarchies in runZero.

How to set up organizational hierarchies in runZero

To set up an organizational hierarchy, you can either create a new organization or modify an existing one. You can always edit your organizations and assign a new parent (or no parent at all).
Here’s how you can assign a parent organization:

  1. Create a new organization or edit an existing organization.
  2. Make sure to provide a name and description for the organization. This information captures context about the organization and the type of data it contains.
  3. Make sure to set any expiration dates for stale assets, offline assets, and scan data. This determines how long these data types are stored by runZero.
  4. Under parent settings:
    • If you want to add the organization under a parent organization, choose an organization to assign as the parent. You can choose a child organization to be a parent as well – runZero supports up to three levels of nesting.
    • If you don’t want to assign a parent to the organization, choose None. You can add child organizations later, if needed.
  5. Save your organization.

After you save your changes, the new hierarchical permissions will take effect. From the Organizations page, you can see how many children each organization has.

Additionally, you can view the details page for a specific organization to see the parent hierarchy.

How to view user permissions

To see what a user’s permissions look like, you can view a user’s details to see their role for each organization.

  1. Go to your Users page and click the name of the user whose permissions you want to view.
  2. The user details page shows a table that contains all of the organizations that the user has access to and the role that they are assigned.


If the role is listed in the Assigned role column, then it was explicitly configured for the user. If the role is listed in the Inherited role column, then the permissions were set by the default role or parent organization. The higher level of the two columns will be the effective access that the user has to that organization.

Simplify the complexities of user access management with organizational hierarchies

As your business continues to grow and scale, so does the need for control over complexity. To protect and secure your data, you need to have the right systems and measures in place for effective user access management. Once you have solid RBAC practices in place, you can add extra layers of protection, such as organizational hierarchies, to ensure that the right roles are being propagated to users.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.