The risks of using spreadsheets for cyber asset management
An accurate and comprehensive asset inventory is vital for an effective cybersecurity program. Relying on basic spreadsheets for asset management could introduce severe risks to your entire organization.
Read on as we explore the downsides of using spreadsheets for cyber asset management and highlight the clear advantages of using a dedicated cyber asset management tool to empower your security program, rather than hinder it.
Spreadsheets are simply inefficient for cyber asset management
A recent study found that a staggering 73% of cybersecurity and IT professionals use spreadsheets to manage security hygiene and posture.
There are two primary reasons why one might use spreadsheets for asset management:
- An asset inventory tool has never been used in your organization.
- You need to work around your current asset inventory tools.
While spreadsheets can adapt to numerous use cases since they handle all sorts of data, this dexterity also makes them less than ideal for IT asset management. Furthermore, while Excel and Google Sheets can be an easy first step to track asset data for an IT environment, they fail entirely as an efficient cyber asset management solution.
7 disadvantages of spreadsheet asset management
- Manual data collection
Spreadsheets require time-consuming manual updates. Without automation, they often become outdated. Reliance on tracking changes and identifying responsible parties manually introduces errors, hindering the detection and resolution of security incidents. This limitation makes it harder to monitor the integrity of the asset inventory and respond swiftly to cyber threats.
- Inconsistent attributes
Different departments and individuals prioritize different attributes for data collection. Security teams may focus on listening ports, while IT may prioritize warranty expiration. This can lead to confusion and inconsistent data collection over time.
- Outdated information
Asset records in spreadsheets can vary widely in age, ranging from a week to a year, depending on when someone bothered to update them. This significantly hampers effective incident response and security program management.
- Lack of detail
Due to the aforementioned points, spreadsheets often lack sufficient detail. Humans dislike repetitive manual work, and the limitations of spreadsheets prevent them from containing comprehensive information.
- Incomplete inventory / managed-only devices
The Achilles' heel of any asset inventory program is unmanaged devices. Spreadsheets cannot be updated with assets that are unknown.
According to a Deloitte research report, 32% of organizations believe that "Shadow IT" assets pose the greatest challenge for ITAM. Rogue devices installed by employees, third-party vendors, or through shadow IT lack standard security controls like EDR agents, making them easy targets for adversaries.
The same report states that 18% of organizations are considering non-active or repurposed IT assets. With manual data entry, unmanaged devices can go unnoticed or neglected for extended periods, leading to uncertainty within teams regarding their significance or reluctance to invest effort in investigating them.
Here are just some of the key problems unmanaged assets pose:
- Audit violations
- Cannot be patched
- Cannot be upgraded
- Cannot be automated
- Cannot be turned off
- Hard to share
Sharing is not built into Excel. Sharing Excel sheets linked to other dependencies also causes all sorts of problems. Meanwhile, Google Sheets copies come with a touch of showmanship, flaunting a prepended "Copy of" like a magician demonstrating a trick. However, with it being so easy to duplicate documents, one sleight of hand from a nefarious user could easily go unnoticed.
- No version control
Version control becomes a challenge as spreadsheets lack proper mechanisms to track changes and maintain data consistency. It is difficult and time-consuming to trace back who updated which asset in whose copy of which version of the spreadsheet.
Multiple copies of the same spreadsheet create confusion and hinder the ability to have accurate and up-to-date information. This limitation affects data integrity and poses challenges in maintaining a reliable asset inventory. With Excel, sharing automatically creates a copy, and with Google Sheets, anyone with edit access can make a copy. These copies can take on a life of their own, resulting in various states of inaccuracy.
Spreadsheets are high-risk for sensitive information
As if the inefficiencies weren’t bad enough, spreadsheets lack sophisticated controls and are easily duplicated, increasing the risk of information exposure. In truth, using spreadsheets for any sensitive information is a liability. Storing asset details in a spreadsheet is perilous.
PeopleDAO, a group formed to buy a copy of the U.S. Constitution, lost 76.5 ETH ($120,000) after the accounting lead mistakenly shared a Google Sheet with edit access to a payout form on a public Discord channel.
Human error aside, hackers have a notorious history of exploiting enterprise products. In 2021, Microsoft fell victim to a malware attack spread through Excel spreadsheets, and in 2019, hackers bypassed Google filters to launch CSV malware via Google Sheets.
Both companies have continued to be victims of vulnerabilities and phishing campaigns over the years:
- Massive phishing campaign using malicious Excel macros to hack PCs (2020)
- A Google Docs Bug Could Have Allowed Hackers See Your Private Documents (2021)
- Google Docs Comments Weaponized in New Phishing Campaign (2022)
Access to just one spreadsheet could be the key to everything that a bad actor needs to compromise your entire network. The potential repercussions, including the costs associated with a data breach, loss of profits, expensive lawsuits, and customer and partner attrition, far exceed the investment required for a secure and comprehensive asset inventory solution.
Beyond spreadsheets – go CAASM
It is clear to see that there are significant downsides to using spreadsheets to manage cyber assets, yet organizations proceed to adopt this method with the support of other tools. However, EDRs, vulnerability scanners, CMDBs, NACs, and free asset management solutions all have asset management limitations. Not only do these tools lack comprehensive visibility into the asset landscape, but using spreadsheets to supplement or work around them only inherits the same limitations.
The manual process involved with spreadsheets introduces the risk of human error, especially as the number of assets and data sources increases. Managing access and enforcing the principle of least privilege, as well as restricting who can view, edit, or delete the inventory, becomes increasingly difficult. Without proper access controls, maintaining a secure environment and protecting sensitive information becomes a daunting task.
Correlating asset data from different sources poses challenges because each tool or data source uses its own format. It becomes arduous to accurately compare and analyze data when it is not normalized within the same time ranges. Without proper correlation and normalization, the ability to understand asset relationships, identify vulnerabilities or misconfigurations, and respond to security incidents in a timely manner is negatively impacted.
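The correlation problem described above, as an added example that is not runZero's code or method: two constructed exports (an EDR agent list and a network scan) use different MAC notations, hostname forms, and timestamp formats, and are normalized to one record per asset with unmanaged and stale entries flagged. The field names, the 30-day staleness threshold, and the use of the MAC address as the join key are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample exports; field names and values are assumptions for illustration.
EDR_EXPORT = [
    {"hostname": "WS-0142", "mac": "00-1A-2B-3C-4D-5E", "last_checkin": "2023-07-20T14:03:11Z"},
    {"hostname": "SRV-DB01", "mac": "00-1A-2B-AA-BB-CC", "last_checkin": "2023-03-02T08:15:00Z"},
]
SCAN_EXPORT = [
    {"name": "ws-0142.corp.example", "hw_addr": "001a.2b3c.4d5e", "seen_epoch": 1689948000, "ports": [445, 135]},
    {"name": "", "hw_addr": "00:1a:2b:de:ad:01", "seen_epoch": 1689951600, "ports": [80, 23]},
]

def norm_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def correlate(edr_rows, scan_rows, now, max_age=timedelta(days=30)):
    """Merge both sources on normalized MAC, in UTC, and flag coverage gaps."""
    assets = {}

    def record(mac, source, seen, name):
        asset = assets.setdefault(norm_mac(mac), {"names": set(), "seen": {}, "ports": []})
        asset["seen"][source] = seen
        if name:  # short lowercase hostname so "WS-0142" matches "ws-0142.corp.example"
            asset["names"].add(name.split(".")[0].lower())
        return asset

    for row in edr_rows:  # this source reports ISO 8601 strings in UTC
        seen = datetime.strptime(row["last_checkin"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        record(row["mac"], "edr", seen, row["hostname"])
    for row in scan_rows:  # this source reports Unix epoch seconds
        seen = datetime.fromtimestamp(row["seen_epoch"], tz=timezone.utc)
        record(row["hw_addr"], "scan", seen, row["name"])["ports"] = sorted(row["ports"])

    for asset in assets.values():
        asset["last_seen"] = max(asset["seen"].values())
        asset["flags"] = []
        if "edr" not in asset["seen"]:
            asset["flags"].append("unmanaged")  # on the network, but no agent reporting
        if now - asset["last_seen"] > max_age:
            asset["flags"].append("stale")  # record too old to trust during a response
    return assets

if __name__ == "__main__":
    for mac, a in correlate(EDR_EXPORT, SCAN_EXPORT, datetime(2023, 7, 26, tzinfo=timezone.utc)).items():
        print(mac, sorted(a["names"]), a["last_seen"].isoformat(), a["flags"])
```

Real environments need more than one join key, since MAC addresses can be randomized or shared by virtual interfaces.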
Although Google Sheets and Excel allow third-party plugins and extensions to enhance usability and functionality, granting this type of access is also high-risk. Third parties gain access using an OAuth process. As part of this process, applications can request specific scopes, gaining formidable privileges.
Example of an OAuth scope request from a third-party application for a Google product
The wrong plugin, developed with malicious intent, could wreak havoc by pilfering your sensitive information. Furthermore, once a third-party add-on has been granted access permissions, it will retain them until they are manually revoked. This means that forgotten add-ons, not used for several years, could still have access to your data. Managing this situation without a CASB or SSPM solution becomes a near-impossible task, adding yet another tool to your stack.
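One way to review the standing grants described above, as an added example that is not from the original article: it flags third-party apps that hold a broad Drive or Sheets scope, that have sat idle past a threshold, or both. The grant records are constructed, their field names are hypothetical, and the `last_used` value is assumed to come from your own audit logs; the scope URLs are Google's published ones.

```python
from datetime import date

# Scopes that grant read/write access to every file or every spreadsheet.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
}

# Constructed grant records; app names and field names are hypothetical.
GRANTS = [
    {"user": "alice@example.com", "app": "Sheet Merge Helper", "last_used": "2019-06-11",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "app": "Chart Exporter", "last_used": "2023-07-19",
     "scopes": ["https://www.googleapis.com/auth/spreadsheets.readonly"]},
    {"user": "carol@example.com", "app": "Inventory Sync", "last_used": "2023-07-25",
     "scopes": ["https://www.googleapis.com/auth/spreadsheets",
                "https://www.googleapis.com/auth/userinfo.email"]},
]

def review_grants(grants, today, idle_days=180):
    """Return grants worth revoking or re-justifying, worst first."""
    findings = []
    for grant in grants:
        reasons = []
        broad = sorted(BROAD_SCOPES.intersection(grant["scopes"]))
        if broad:
            reasons.append("broad scope: " + ", ".join(s.rsplit("/", 1)[1] for s in broad))
        idle = (today - date.fromisoformat(grant["last_used"])).days
        if idle > idle_days:
            reasons.append(f"idle {idle} days")  # forgotten add-on that still holds access
        if reasons:
            findings.append({"user": grant["user"], "app": grant["app"], "reasons": reasons})
    # Grants that are both broad and idle are the first candidates for revocation.
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings

if __name__ == "__main__":
    for finding in review_grants(GRANTS, date(2023, 7, 26)):
        print(f'{finding["app"]} ({finding["user"]}): {"; ".join(finding["reasons"])}')
```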
In contrast, a cyber asset attack surface management (CAASM) solution addresses all of these limitations, offering security, automation, integration, scalability, reporting, collaboration, and compliance support. One major benefit of CAASM is the ability to bring in data from multiple sources, allowing for automated data collection, correlation, and normalization. The best CAASM solutions also include active scan data. With a comprehensive view of all assets, organizations can prioritize security efforts, identify potential security gaps, and make informed decisions to protect their network. Correlation among different sources is not only a desirable feature but also a table-stakes requirement for an effective cyber asset management solution. It enables organizations to have a holistic view of their assets, streamline workflows, and implement proactive security measures to effectively mitigate risks.
runZero is a cyber asset management solution that includes CAASM functionality, and can safely and securely integrate with other security tools and systems, such as vulnerability management platforms, Security Information and Event Management (SIEM) solutions, and Internet scanning services.
As a standalone solution, runZero performs unauthenticated active scans powered by high-fidelity fingerprinting to quickly and safely provide a complete and accurate asset inventory, even on fragile IoT and OT networks. As a whole, runZero is designed to effectively address the unique challenges and requirements of cybersecurity asset management, which a spreadsheet could never achieve.
Spreadsheets vs runZero
As a whole, runZero is designed to address the unique challenges and requirements of cybersecurity asset management effectively, which a spreadsheet comparatively could never do. Below are the notable ways runZero far surpasses spreadsheets for cyber asset management:
Unlike spreadsheets, runZero automates the entire asset discovery, inventory, and tracking process, offering real-time updates, accurate data synchronization, and a holistic view of an organization’s assets and network.
Spreadsheets struggle to handle large-scale asset inventories, leading to performance issues and decreased efficiency. runZero is built to handle vast amounts of data, and millions of assets, providing a scalable solution to accommodate growing asset portfolios, from small business to large enterprise.
Advanced Security
Spreadsheets lack robust security features, making it easier for unauthorized individuals to access and manipulate them. runZero prioritizes security and provides robust features, offering advanced role-based access control (RBAC) and organizational hierarchies to ensure that only authorized individuals can access and modify the asset inventory. Our SSO and RBAC features are available in all editions. Our commitment to helping the world be more secure means we don’t gate security features in the higher tiers.
Reporting and Analytics
runZero has robust reporting and analytics capabilities, allowing organizations to generate detailed reports on asset inventory, services running on the network, current vulnerabilities, and more. This is essential when needing to provide insights and metrics that can assist in decision-making, resource allocation, and risk mitigation strategies.
Collaboration and Workflow
Spreadsheets make it difficult to collaborate and streamline workflows. runZero enables IT and security teams to work together more efficiently, share insights, and coordinate response efforts through asset ownership, alerts, third-party integrations, and canned queries for rapid zero-day response.
Compliance and Audit Support
It is near impossible to maintain an up-to-date asset inventory with spreadsheets. runZero helps organizations maintain exemplary cyber hygiene through automatic asset tracking, documenting information, changes, and security controls, making it easy to demonstrate compliance with industry regulations and standards.