Asset detection at home
Huxley Barbee, security evangelist at runZero, talks about the nuts and bolts of asset detection on a large scale, specifically around the U.S. federal government’s current directive. Here, we shrink the playing field and tell newcomers to security how to do asset detection on a home network.
0:00 - Asset detection at home
1:18 - What is asset detection?
2:44 - Is asset detection difficult?
3:39 - Do asset detection on your network
4:45 - Asset detection on a school network
6:50 - How to put asset detection on your resume
9:44 - What to study for asset detection roles
10:31 - Learn more about runZero
11:15 - Outro
Chris Sienko: If you're involved in the process of asset detection and asset mapping, it's often about a lot more than seeing your connection of computers and endpoints. It can include IoT devices, decades old legacy systems with no option to patch firmware, even operating technology like heating and cooling systems, or electronic billboards. For those wanting to dip their toe in asset management, runZero's Huxley Barbee joins me today to help you try asset detection on your home network and beyond, and for free, no less. I spy with my little eye a career choice that begins with Cyber Work Hacks.
[0:00:37] CS: Welcome to a new episode of Cyber Work Hacks. The purpose of the spin-off of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution to it. Today's guest is Huxley Barbee, security evangelist at runZero. Huxley and I just recorded an episode of the Cyber Work podcast talking about the nuts and bolts of asset detection on a large scale, specifically around the US federal government's current directive, and elsewhere. Here, we're going to just shrink the playing field a lot and tell newcomers to security how to do home asset detection or start to play with it a little bit yourself. Thanks for joining me today, Huxley. Thank you. First of all, can you give us a brief explanation of what asset detection means and why it's important for a secured network?
[0:01:23] Huxley Barbee: Cyber asset detection is really about building a cyber asset inventory. A cyber asset inventory – well, let's talk about what a cyber asset is. The cyber asset is a compute device that includes all the details, related details that security teams care about. What is that? What are those other details? Well, hardware, software. But also, what are the vulnerabilities on that device? What are the risky configurations on that device? What are the applications that are running, services, listening on ports on that device? Who are the users associated with that device?
Also, what are the security controls that are on that device? Does it have endpoint protection, so on and so forth? This is different from an IT asset. An IT asset has details that IT people care about. Something like licensing, IT people care about that more. Security folks don't care so much. Replacement cost, IT cares about that, not security. There's some overlap between what is a cyber asset and what is an IT asset. But when we're talking about cyber asset discovery, we mean going out there, finding information that security teams care about so they can do their jobs better.
[0:02:43] CS: Got it. How challenging is asset detection as a security practice? Is this something newcomers can learn quickly or does it require a lot of foundational computer science and technology?
[0:02:54] HB: I would say generating the asset inventory is easy with the right tooling. Being able to interpret the data does require some level of knowledge.
[0:03:07] CS: Okay. There are probably kind of levels. If you can start by actually sort of running the scans and stuff, but it's going to the way you level up is to get better at sort of interpreting what you see, and working around issues.
[0:03:20] HB: Yes, absolutely. I would say, a solid foundation of networking, TCP/IP networking, would be one of the prerequisites to get a lot of value out of it. But if you're just trying to see, "Oh. I have like 15 things on my home network," you could do that in minutes. That's very, very easy.
[0:03:39] CS: Okay. Yes. Well, let's start small then. How can our listeners do asset detection on their own network? Where would they get started?
[0:03:46] HB: Yes. You have two choices. One is Nmap. Nmap is a free open-source tool. If you're just getting into cybersecurity, I encourage you to learn Nmap for a variety of reasons. Especially if you're going to be working on the red side of things. But the other tool that you can try is the free forever edition of runZero. It is free. You only have to provide an email address, no credit card required, or anything like that. Typically, people can get started in minutes. You just download it, you install the product, and then it's just a few clicks, and then you start scanning your home network. Typically, like less than an hour, you already have your home network scanned. It typically is like 20 minutes. Who knows? You might have like a lot of stuff on your network.
[0:04:43] CS: Right. You might be surprised. Even like the big organizations that have dead terminals that they forgot are still there. You might well have something in an old rec room or something that you forgot about, a printer. Working out from that aperture a bit. I mean, that's a great start. You can actually do the sort of raw work of that. Is it possible to do asset detection on say, like a school network, or a library network for practice? Or would you have to kind of get permission from the organization to do? Once you've mapped out your own network, what are some other ways that you could do hands-on work around this in a way that would help you to do the work in a professional capacity?
[0:05:27] HB: Right. That is a dicey subject here. I would not recommend to anybody to do any sort of scanning without permission. It should be fine, but whether it's fine or not, is in the eye of the target network. Always get permission when you can. Obviously, in your home, you have the permission to do so. But outside of that, I would ask. I would ask.
[0:06:06] CS: Can you give some other ways that people could expand their knowledge like that, that wouldn't be legally actionable, or find them walk off their campus in handcuffs or what have you?
[0:06:17] HB: You can always create your own virtualized environment and do that. I will frequently spin up EC2 instances in AWS. I would scan those specific IPs, just because I want to interpret the results, and so on, and so forth.
[0:06:34] CS: Yes. There is kind of a technical flashcard thing you can do here. You can make sort of virtual versions, and then interpret them, and see what you have, and so forth.
[0:06:43] HB: Yeah, or if you have ESXi, at home, then you can spin up a bunch of VMs as well and do it that way.
[0:06:51] CS: Now, in order to get into asset detection as a line of work, how can you document these types of projects on a resume to show prospective employers that you don't just know these concepts in theory, but you've actually worked on them yourself?
[0:07:01] HB: Oh, that is very interesting. Because I can see people – if you did Nmap, like I see people asking, "Which flags would you use for this versus that?" Maybe what you would do if you were to somehow collect, if you had a free version, the free forever version of runZero. If you were to collect a bunch of unusual assets, then in an interview, you could actually bring up a screenshot of it, and talk about why that device is unusual. You can say, "Oh, here I found two different devices that have the same SSH host key." That has security ramifications, so that could be very interesting. That could showcase to the hiring manager that, one, you understand the security implications of that, and you knew what to look for, and you were able to execute on that. There's something along those lines. Or you said, you were able to say, you show us a device that you scan that has RDP running, and it's on the internet. You could even fake it. You could spin up some virtual machines in the cloud, which are public IPs, and then you create risky configurations on them, and then scan that. And you can say, "Okay, I created my own simulation of a poorly configured device from a security perspective, and then I scan for it." So something along those lines.
[0:08:48] CS: Yes. Previous guests have said this as well, and I think it's sort of attached to your answer there. But document your thought process in writing as much as you can. Because a lot of our past guests have said, we don't necessarily need to see a newcomer getting the answer correct. We just need to see what they're thinking about and what they're thinking through and so forth. I think this would be a really good way to sort of show potential employers that you know how to think these things, and you don't just know, as you said, to sort of push a button and just watch it sort of spider out, and possibly past your network into other things.
[0:09:21] HB: Yes. And if you create your own risky network somewhere, you can show like, "Oh, hey. I did recon with runZero, and then I follow that up with using Metasploit to exploit a certain vulnerability or configuration." Something along those lines. As I think more, now I have more ideas.
[0:09:44] CS: Yes. Well, great. I have one last question on there. For people who want to do the work around this type of activity whether it's asset detection or vulnerability remediation and so forth, what areas of study should students and new professionals be working on now to sort of prepare them for that?
[0:10:00] HB: Yes. Definitely solid understanding of networking, TCP/IP networking, and some understanding of how modern software is engineered, understanding like how APIs work. Understanding of very common protocols, SSH, HTTP, FTP, like how do those work. In these days, you know what, it always helps to be able to write some code.
[0:10:30] CS: Nice. One last question. If our listeners want to check out Huxley Barbee or the free forever version of runZero or runZero in general, where should they go online?
[0:10:38] HB: Yes. For runZero, just go to runzero.com. There's a button on the website that says free trial, just click on that. You don't need to provide a credit card. It's just an email address, and then you can get started. If you want to find me, you just search for Huxley Barbee on the Internet. H-U-X-L-E-Y B-A-R-B-E-E. I'm the only Huxley Barbee you're ever going to meet. I'm active on LinkedIn, on Twitter, and InfoSec's infosec.exchange for messaging. Come connect with me, chat with me, please.
[0:11:15] CS: All right, one and only Huxley Barbee, thank you for giving us a lowdown on asset detection today.
[0:11:17] HB: Thank you.
[0:11:22] CS: Thank you all for watching this episode. If this video helped you, please share it with colleagues, forums, or on your social media accounts, and definitely subscribe to our podcast feed and YouTube page. You can just type in Cyber Work into any of them and you're on your way. Plenty more to come. So if you have any topics that you want us to cover, drop them in the comments below. Till then, we'll see you next time.