Your Company Help and Notes - April 2010

Reference:
YC 201135

Enterprise Assessment Reports

The Enterprise Assessment is a full blended assessment of a single IP address or system. Assessments use both automated and manual techniques to obtain a view of a system's vulnerabilities. Each contact within the client's organisation will receive a customised report showing vulnerability results only for those systems over which they have responsibility (least privilege).

Informational Icons

NEW The port or vulnerability is new, i.e. it appears on the current scan and did not appear in the previous scan.
SANS The vulnerability is listed on the SANS Top 20 list of commonly exploited Internet security vulnerabilities.
URGENT The vulnerability is on a list supplied by the client of vulnerabilities they consider high-priority.
OVERDUE An urgent vulnerability where the deadline has passed.

Meaning of Colour Coding in Reports

  Trend getting better
  Trend not changing
  Trend getting worse, High risk or Overdue
  Medium risk or Urgent
  Low risk
  SANS top 20 vulnerability
  System detected, no open services
  Address scanned, no system detected
  Address not scanned

Criticality

Description Systems can be assigned a 'Criticality' classification which indicates their value to your organisation. This information will usually be derived from a business impact assessment. The rating is presented in the reports as a graphic like the ones shown below. The rating can accommodate up to five distinct criticality classifications to reflect those used within your business. If you use fewer than five levels these can still be represented, e.g. a two level classification would correspond to either just the light blue bar being lit (least critical) or all bars being lit (most critical). In some reports you can sort the results by the level of criticality by clicking the column heading (in the same way as for the other columns).
Appearance

Lowest              Highest


Executive Summary Graphs

Purpose Shows high level trends for the system population's vulnerability results.
Audience Senior management or executives who want a pictorial view of the vulnerability status and history of their organisation.
Benefits Shows trends that can contribute to a CISO's dashboard or metrics. Provides a view, via the Show Detail button, of the number of new vulnerabilities that are affecting the organisation and the rate at which vulnerabilities are being fixed. In turn these detail charts can be indicators of platform 'cost of ownership' and organisational remediation trends.
Pie Chart Shows the number and proportion of high (red), medium (yellow) and low (blue) vulnerabilities affecting the system population this scan.
Bar Chart Shows a rolling twelve scan history of the number of total, high, medium and low vulnerabilities that have affected the system population.
Show Details Button Expands [+], or collapses [-] the report view to show pie and bar chart trends for fixed vulnerabilities and new vulnerabilities.
'Fixed' vulnerabilities are those that were detected during the previous assessment but were not detected during the current one. 'New' vulnerabilities are those that were detected during the current assessment but not in the immediately preceding assessment.
SANS / Urgent History This bar chart shows the history of SANS, urgent and overdue vulnerabilities for the system population. There is no corresponding pie chart, because these informational statistics are not mutually exclusive.
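The 'New' and 'Fixed' classifications above are a set difference between the previous and current scan. The following added example (not code from the help page or the product) computes them from two constructed scan snapshots, both per host and across the whole population, and also builds the six-scan mini-history described in the System Detail report. Host addresses, vulnerability codes and the snapshot layout are all constructed.

```python
"""Added example: deriving 'new', 'fixed' and 'new host' from two consecutive
scans. All snapshots below are constructed; the product's real storage differs."""

# Constructed snapshots: host -> set of five-digit vulnerability codes found.
PREVIOUS_SCAN = {
    "10.0.0.1": {"10001", "10002"},
    "10.0.0.2": {"10002"},
}
CURRENT_SCAN = {
    "10.0.0.1": {"10002", "10003"},
    "10.0.0.2": {"10002", "10001"},
    "10.0.0.3": {"10004"},
}


def per_host_changes(previous, current):
    """Return {host: (new, fixed)} for every host seen in either scan.
    'new' = present now, absent last scan; 'fixed' = present last scan, absent now."""
    changes = {}
    for host in set(previous) | set(current):
        before = previous.get(host, set())
        after = current.get(host, set())
        changes[host] = (after - before, before - after)
    return changes


def population_changes(previous, current):
    """'New across the population' means the code was not seen on ANY host last
    scan; a code that merely moved to another host is new on that host only."""
    before = set().union(*previous.values()) if previous else set()
    after = set().union(*current.values()) if current else set()
    return after - before, before - after


def new_hosts(previous, current):
    """Hosts that are new to the population (the 'new' icon in the Systems table)."""
    return set(current) - set(previous)


def mini_history(scans, host, code, width=6):
    """Six-LED history: list of booleans, oldest first, rightmost = current scan.
    `scans` is a list of snapshots, oldest first; missing scans are padded as off."""
    window = scans[-width:]
    leds = [code in scan.get(host, set()) for scan in window]
    return [False] * (width - len(leds)) + leds


if __name__ == "__main__":
    for host, (new, fixed) in sorted(per_host_changes(PREVIOUS_SCAN, CURRENT_SCAN).items()):
        print(host, "new:", sorted(new), "fixed:", sorted(fixed))
    print("population new/fixed:", population_changes(PREVIOUS_SCAN, CURRENT_SCAN))
    print("new hosts:", new_hosts(PREVIOUS_SCAN, CURRENT_SCAN))
    print("history 10.0.0.1/10002:", mini_history([PREVIOUS_SCAN, CURRENT_SCAN], "10.0.0.1", "10002"))
```

Note that code 10001 is 'new' on 10.0.0.2 but not new across the population, because 10.0.0.1 already had it last scan; this is exactly the distinction the Systems and System Detail reports draw with their 'new' icons.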

Systems Not Vulnerability Scanned

Purpose Lists the responding systems which are not being vulnerability scanned.
Audience Technical management and staff who are interested in ensuring all responding systems are vulnerability scanned.
Benefits Provides an immediate list of candidates for regular vulnerability scanning.
Key Cells with a red background indicate a system with one or more 'high risk' ports; cells with a blue background indicate a system with one or more 'low risk' ports. Systems which responded during the scan and had no services detected are shown in dark blue.
Summary Information Lists hosts discovered during a subnet scan with exposed ports which are not vulnerability scanned, and displays the greatest risk level associated with an exposed port on the given host.

Risk Profile

Purpose A single pictorial overview of the high-level organisational risks.
Audience Management who want to track overall organisational risk levels via a series of high-level metrics.
Benefits Useful for monitoring compliance with corporate risk targets and contributing to management dashboards. By selecting a set of meaningful metrics, setting relevant targets and monitoring the area enclosed by these metrics, a simple view of organisational risk trends can be discerned.
Radar Diagram The radar diagram presents the results of various metrics that summarise various aspects of risk due to vulnerabilities. All the metrics are normalised to percentages.
It is possible to view the results of the previous month in the radar diagram by checking the 'Show previous month' check box. This overlays last month's results on the diagram.
You can view your historical state by clicking the 'Show History' button. This will display the historical state of your risk profile.
Metrics The metrics used are:
  • # Exposed IPs
    The number of IP addresses tested by either vulnerability assessment or network discovery scans. Normalising this metric results in your 'day 0' number of exposed IPs being equated to 30%.
    Default Target: Average number of IP addresses tested over the last year.
  • Exposed Systems
    The proportion of the scanned systems that responded.
    Default target: Average number of systems that responded to probes over the last year.
  • Systems not Vul Scanned
    The percentage of the responding systems that are not vulnerability scanned.
    Default target: The percentage of systems that responded to probes but do not have (high or low risk) services visible. That is, those responding only on ICMP or TCP RST.
  • Systems with vuls
    The percentage of systems that were vulnerability scanned that were found to have vulnerabilities.
    Default target: Twice the average number of systems with new vulnerabilities over the last year.
  • Systems with Elevated Vuls
    The percentage of systems that were vulnerability scanned and were found to have vulnerabilities that have an elevated level of risk associated with them.
    Default target: Twice the average number of systems with new elevated vulnerabilities over the last year.
  • Crit Systems w/Elevated Vuls
    The percentage of systems that have been listed as 'critical' (see Criticality above) and also have at least one vulnerability with an elevated level of risk.
    Default target: One-and-a-half times the average number of (most) critical systems with new elevated vulnerabilities over the last year.
  • # Total Vuls
    The total number of vulnerabilities detected within your population. Normalising this metric results in your 'day 0' number of vulnerabilities being equated to 20%.
    Default target: Twice the average number of new vulnerabilities over the last year.
  • Elevated Vuls
    The proportion of vulnerabilities detected that have elevated risk.
    Default target: Twice the average number of new elevated vulnerabilities over the last year.
  • Avg Fix Time
    The average time (in days) taken to fix an elevated vulnerability.
    Default target: 30 days.
A vulnerability is considered to have an elevated level of risk if it has been classified as high risk, has been listed in the SANS top 20 or has been assigned a deadline by which it must be fixed.
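The metric list above is a specification; the added example below (not the product's own code) computes each of the nine Risk Profile metrics from a constructed population, applies the 'elevated risk' rule exactly as stated (high risk, SANS listed or deadline assigned), and shows how the two count-based metrics are normalised against their 'day 0' values (30% for exposed IPs, 20% for total vulnerabilities). Field names, the sample systems and the choice of denominator for 'Crit Systems w/Elevated Vuls' (taken here as all vulnerability-scanned systems) are assumptions.

```python
"""Added example: Risk Profile metrics over a constructed population.
Assumptions: the dataclass fields, the sample data and the use of the
vulnerability-scanned system count as denominator for the critical-system metric."""
from dataclasses import dataclass, field
from statistics import mean
from typing import List


@dataclass
class Vuln:
    severity: str           # "high" | "medium" | "low"
    sans: bool = False      # on the SANS Top 20 list
    deadline: bool = False  # client-assigned fix-by date (urgent)


@dataclass
class System:
    ip: str
    responded: bool
    vuln_scanned: bool
    critical: bool = False
    vulns: List[Vuln] = field(default_factory=list)


def is_elevated(v):
    """Elevated risk = high risk, OR SANS listed, OR assigned a fix deadline."""
    return v.severity == "high" or v.sans or v.deadline


def pct(part, whole):
    return 0.0 if whole == 0 else 100.0 * part / whole


def normalise(value, day0_value, day0_pct):
    """Scale a raw count so that the day-0 count maps to day0_pct (30 or 20)."""
    return 0.0 if day0_value == 0 else day0_pct * value / day0_value


def risk_profile(systems, day0_ips, day0_vulns, fixed_elevated_days):
    """Return the nine radar-diagram metrics, all as percentages except fix time."""
    tested = len(systems)
    responding = [s for s in systems if s.responded]
    scanned = [s for s in responding if s.vuln_scanned]
    with_vulns = [s for s in scanned if s.vulns]
    with_elev = [s for s in scanned if any(is_elevated(v) for v in s.vulns)]
    crit_elev = [s for s in with_elev if s.critical]
    all_vulns = [v for s in scanned for v in s.vulns]
    elev = [v for v in all_vulns if is_elevated(v)]
    return {
        "exposed_ips_pct": normalise(tested, day0_ips, 30.0),
        "exposed_systems_pct": pct(len(responding), tested),
        "not_vul_scanned_pct": pct(len(responding) - len(scanned), len(responding)),
        "systems_with_vuls_pct": pct(len(with_vulns), len(scanned)),
        "systems_with_elevated_pct": pct(len(with_elev), len(scanned)),
        "crit_with_elevated_pct": pct(len(crit_elev), len(scanned)),
        "total_vuls_pct": normalise(len(all_vulns), day0_vulns, 20.0),
        "elevated_vuls_pct": pct(len(elev), len(all_vulns)),
        "avg_fix_days": mean(fixed_elevated_days) if fixed_elevated_days else 0.0,
    }


# Constructed population: five addresses tested, one silent, one responding but
# not vulnerability scanned, three scanned.
SAMPLE = [
    System("10.0.0.1", True, True, critical=True, vulns=[Vuln("high"), Vuln("low")]),
    System("10.0.0.2", True, True, vulns=[Vuln("medium", sans=True)]),
    System("10.0.0.3", True, True),
    System("10.0.0.4", True, False),
    System("10.0.0.5", False, False),
]
# Constructed: days taken to fix the elevated vulnerabilities closed this period.
SAMPLE_FIX_DAYS = [20, 40]

if __name__ == "__main__":
    for name, value in risk_profile(SAMPLE, day0_ips=5, day0_vulns=6,
                                    fixed_elevated_days=SAMPLE_FIX_DAYS).items():
        print(f"{name:28s} {value:6.1f}")
```

With these inputs the medium-risk vulnerability on 10.0.0.2 counts as elevated purely because of its SANS listing, which is why two of the three scanned systems appear in 'Systems with Elevated Vuls'.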
Customisation Whilst we generate default targets for these metrics you can specify your own target levels. It is possible for us to customise the metrics offered, either to add additional ones or to remove those you find irrelevant. If you require this, please let us know.

Systems

Purpose Lists all systems scanned and acts as an index, or jump-off point, to the System Detail reports.
Audience Technical managers, or system or facilities owners, who want an overview of which of their systems have security issues.
Benefits Shows an ordered list of all systems scanned and summarises their security status. Provides various summary trend statistics that indicate if the situation is improving, static or worsening. The vulnerability list indicates if any systems have specific vulnerabilities that may be of particular interest.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Vulnerability Statistics The first column of statistics shows the number and severity of all vulnerabilities discovered and the number of new vulnerabilities discovered (i.e. vulnerabilities present this scan that were not present last scan). It also displays statistics for informational indexes, such as SANS or Urgent.
The second column of statistics shows, for each severity of vulnerability, the number and percentage of systems that had that severity of vulnerability as their worst type. For example, if 13% of systems are shown as having low risk vulnerabilities this means they do not have any vulnerabilities of a higher severity (i.e. medium or high).
The third column shows the type of assessment that was performed (Professional, Enterprise); the start and end dates/times of the assessment; the total number of systems assessed this scan; and the number of new systems assessed this scan.
Summary of Results Table Shows a list of all systems assessed. The default ordering is first by severity of the worst vulnerability; then by the number of vulnerabilities; then by severity of the worst port; then by the number of ports.
For each system scanned the table displays:
  • The system's host name (or IP address).
  • Any relevant informational icons. In this context, "new" indicates that the system is new to the population.
  • The system's IP address.
  • The system's criticality rating (if specified).
  • A link to the detailed vulnerability report for that system.
  • The number of open ports found on that system, with the cell coloured according to the severity of the worst port.
  • The total number of vulnerabilities discovered, with the cell coloured according to the severity of the worst vulnerability. The number of new vulnerabilities discovered this scan is shown in brackets.

While this table is sorted to highlight what is usually the most important information, it is possible to sort the table by clicking on the column headings. This facility allows you to extract as much information as possible from the table, by presenting the results in the way that best suits you.
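The statistics columns and the default sort order above are easy to get subtly wrong (a system must count once only, under its worst severity). The added example below (not the product's own code) computes the 'worst severity per system' breakdown, the vulnerability totals and the four-key default ordering over a constructed population; host names, addresses and the record layout are assumptions.

```python
"""Added example: Systems report statistics and default ordering.
The population below is constructed; the record layout is an assumption."""

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, None: 0}

# Constructed population: vulnerability severities, count of new vulns, port severities.
SYSTEMS = [
    {"host": "web1", "ip": "10.0.0.1", "vulns": ["high", "low"],
     "new_vulns": 1, "ports": ["high", "low", "low"]},
    {"host": "mail", "ip": "10.0.0.2", "vulns": ["medium", "medium", "low"],
     "new_vulns": 0, "ports": ["low"]},
    {"host": "db1", "ip": "10.0.0.3", "vulns": ["high"],
     "new_vulns": 0, "ports": ["low", "low"]},
    {"host": "fw", "ip": "10.0.0.4", "vulns": [],
     "new_vulns": 0, "ports": ["low"]},
    {"host": "app2", "ip": "10.0.0.5", "vulns": ["low"],
     "new_vulns": 1, "ports": ["low"]},
]


def worst(severities):
    """Highest severity in the list, or None when the list is empty."""
    return max(severities, key=lambda s: SEVERITY_RANK[s], default=None)


def vulnerability_totals(systems):
    """First statistics column: number of vulnerabilities by severity, plus new ones."""
    totals = {"high": 0, "medium": 0, "low": 0, "new": 0}
    for s in systems:
        for sev in s["vulns"]:
            totals[sev] += 1
        totals["new"] += s["new_vulns"]
    return totals


def worst_severity_breakdown(systems):
    """Second statistics column: (count, percentage) of systems whose WORST
    vulnerability has each severity. Each system is counted exactly once."""
    counts = {"high": 0, "medium": 0, "low": 0, "none": 0}
    for s in systems:
        counts[worst(s["vulns"]) or "none"] += 1
    total = len(systems)
    return {k: (n, round(100.0 * n / total, 1)) for k, n in counts.items()}


def default_order(systems):
    """Default table ordering: worst vulnerability severity, then vulnerability
    count, then worst port severity, then port count; most severe first."""
    return sorted(systems, key=lambda s: (
        SEVERITY_RANK[worst(s["vulns"])], len(s["vulns"]),
        SEVERITY_RANK[worst(s["ports"])], len(s["ports"])), reverse=True)


if __name__ == "__main__":
    print(vulnerability_totals(SYSTEMS))
    print(worst_severity_breakdown(SYSTEMS))
    for s in default_order(SYSTEMS):
        print(s["host"], worst(s["vulns"]), len(s["vulns"]), worst(s["ports"]), len(s["ports"]))
```

Note that 'mail' has three vulnerabilities but sorts below 'db1' with one, because the worst-severity key is compared before the count; the percentages in the breakdown add up to 100% precisely because each system appears under one severity only.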

All Vulnerabilities Found Table Shows a unique list of all vulnerabilities discovered. The default ordering is by severity. For each vulnerability the table displays:
  • The frequency of occurrence of the vulnerability.
  • A short description of the vulnerability. The description links to the relevant section of the Vulnerabilities report.
  • Any relevant informational icons. In this context, "new" indicates that the vulnerability is new across the population.
  • The severity of the vulnerability

While this table is sorted to highlight what is usually the most important information, it is possible to sort the table by clicking on the column headings. This facility allows you to extract as much information as possible from the table, by presenting the results in the way that best suits you.


System Detail

Purpose Provides a detailed list and description of ports and vulnerabilities that have been discovered on the system assessed.
Audience Technical staff and system owners responsible for rectifying security issues. Firewall or network administrators should be equally interested in the 'ports' section of the report.
Benefits Highlights key security issues, remediation strategies and vulnerability references allowing technical staff to prioritise their corrective efforts.
Summary Information Lists the system's IP address and domain name (if any); type of scan (e.g. Enterprise); the criticality rating (if specified); the start and end dates/times of the assessment; and a customer defined reference field (can be any text string, e.g. an asset tag).
Contact Details Lists the e-mail addresses of all contacts who receive a copy of the vulnerability report for this system. Clicking the contact e-mail address will start your e-mail editor. Each contact/e-mail address can have a 'role' associated with it. Roles are defined by the customer, for example, 'System Owner', 'Technical', 'Business' etc.
Ports Section Has two subsections: Open Ports Found and Closed Ports. For each of these subsections the table displays:
  • The port number, in decimal.
  • The 'transport' protocol, e.g. TCP, UDP or ICMP.
  • The name of the service usually assigned to this port, e.g. 'domain' for port 53.
  • A description of the banner or response from the system.
  • A 'new' graphic is displayed at the left side of the table adjacent to ports that have been newly discovered this scan (i.e. were not present last scan).
In the Open Ports Found subsection the port numbers are background coloured red if the port is considered high risk, otherwise they are coloured blue. The Closed Ports subsection lists all ports that were present last scan but not detected this scan. This table is not coloured, so as to de-emphasise it and remind the user that these ports are not a risk/no longer present on the system.
Vulnerabilities Section Like the Ports Section this also has two subsections: Vulnerabilities Found and Vulnerabilities Fixed Since Last Scan. Each subsection displays a list of vulnerabilities ordered by severity. Each vulnerability is described in its own table:
  • Five digit vulnerability code. A unique code you can use to reference this vulnerability when discussing with your supplier.
  • A brief title for the vulnerability.
  • Any relevant informational icons. In this context, "new" means that the vulnerability is new on this host. It may not be new across the whole population.
  • A colour coded rating indicating the vulnerability's severity (the cell is coloured red if the vulnerability's severity is high, yellow if medium, blue if low). As a general guide, high risk vulnerabilities need to be fixed urgently. Medium risks are not urgent, but require attention. Low risks are minor issues. As with all vulnerabilities the customer has the best understanding of the impact of a vulnerability being exploited.
  • A description of the vulnerability. This explains what the vulnerability is, and where relevant, which software versions are affected. It describes what class of attacker could exploit it - e.g. remote user with no login, or local user with mailbox rights, etc. and details what the possible consequences of a breach are. Sometimes this will include data specific to your scan, for example URLs you can use to see the effect of the vulnerability.
  • A solution to remedy, mitigate or workaround the vulnerability. In many cases you will have to read some of the references for step-by-step instructions.
  • Links to additional references about the vulnerability, such as CVE references or advisory IDs.
  • The date the vulnerability was first discovered on this particular system.
  • The transport protocol and port number of the service over which the vulnerability was detected.
  • A six-scan mini-history of this vulnerability on this system. The six 'LEDs' represent the past six scans; if the LED is on (red) the vulnerability was present in that scan; if the LED is off (grey) the vulnerability was not present that scan. The rightmost LED pertains to the current scan. This feature is useful for identifying recurring vulnerabilities, or vulnerabilities that have been reintroduced.
Listed in the Vulnerabilities Not Found This Scan section are all those vulnerabilities that were present on this system last scan but have not been detected this scan. The vulnerabilities are not colour coded so as to de-emphasise their importance reminding the user that they are not a risk/no longer present on the system.
Historical Information Bar charts showing rolling twelve scan histories for the number of Open Ports, Vulnerabilities and Fixed Vulnerabilities on this particular system. The Vulnerabilities chart is stacked to discriminate between 'new' vulnerabilities (i.e. ones first detected on this system this scan) and 'old' vulnerabilities (i.e. ones that were first detected in prior scans and are still present).
Stoplisted Vulnerabilities These are vulnerabilities the client has nominated as unimportant and no longer wishes them to be included in the main body of the report. Stoplisted vulnerabilities do not contribute to statistics or trending figures. Stoplisted vulnerabilities are not colour coded so as to de-emphasise their importance reminding the user that they are not considered a risk.
Stoplisted vulnerabilities have an audit trail attached to them indicating the e-mail ID of the contact who 'stopped' the vulnerability; the duration the vulnerability will remain stoplisted; and the reason for the stoplisting.

Vulnerabilities

Purpose Lists all vulnerabilities that have been discovered, cross referenced by vulnerable systems and CVE identities.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which systems are vulnerable to specific exploits/CVEs.
Benefits Allows management to prioritise the remediation efforts of staff by identifying which systems are vulnerable to which exploit. Enables vulnerabilities to be searched and located by CVE identity.
Vulnerability Tabs The vulnerabilities page is organised into four tabs. The tabs show 'All' vulnerabilities, 'New' vulnerabilities, 'Fixed' vulnerabilities and 'Stoplists'. The 'All' tab lists all vulnerabilities that were detected across all hosts in this scan. The 'New' tab shows vulnerabilities which were not detected in the previous scan but which were detected in the current scan. The 'Fixed' tab shows vulnerabilities which were detected in the previous scan but not in the current one. The 'Stoplists' tab lists vulnerabilities which the client has nominated as unimportant and which are no longer reported in the main body of the report. The list also shows other information about the stoplist including who asked for the vulnerability to be 'stopped', why and for how long.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Vulnerability Statistics The first column of statistics shows the number and severity of all vulnerabilities discovered and the number of new vulnerabilities discovered (i.e. vulnerabilities present this scan that were not present last scan). It also displays statistics for informational indexes, such as SANS or Urgent.
The second column of statistics shows, for each severity of vulnerability, the number and percentage of systems that had that severity of vulnerability as their worst type. For example, if 13% of systems are shown as having low risk vulnerabilities, this means that 13% of systems did not have vulnerabilities of a higher severity (i.e. medium or high).
The third column shows the type of assessment that was performed (Professional, Enterprise); the start and end dates/times of the assessment; the total number of systems assessed this scan; and the number of new systems assessed this scan.
CVE Compatibility Statement Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE names result from open and collaborative discussions of the CVE Editorial Board. The Board identifies which vulnerabilities or exposures will be included in CVE, then determines the common name, description, and references for each entry.
CVE 'candidates' are those vulnerabilities or exposures under consideration for acceptance into CVE. Candidates are assigned special numbers to distinguish them from CVE entries. The number, also referred to as a name, is an encoding of the year that the candidate number was assigned and a unique number N for the Nth candidate assigned that year, e.g. CAN-1999-0067.
If the CVE Editorial Board accepts the candidate, an official CVE entry is created that includes the description and references. The candidate number is converted into a CVE name by replacing the 'CAN' with 'CVE'. For example, when the Editorial Board accepted the candidate CAN-1999-0067, the candidate number was converted to CVE-1999-0067, and the resulting new entry was added to CVE.
Our vulnerability assessment service is CVE compliant, and where appropriate in our vulnerability descriptions, you will see references of the form CVE-XXXX-XXXX and CAN-XXXX-XXXX. These refer to the standard identifiers for vulnerabilities in the CVE database. The CVE references (and candidate references) in the reports are links which, when clicked, will take you to the canonical description of the CVE entry on the mitre.org website (MITRE is the company that manages the CVE database).
In some cases, a single reported vulnerability will refer to multiple CVE entries in order to reduce the amount of information presented to users. This can happen for example when a number of versions of a piece of software have had vulnerabilities, so upgrading to a recent version would solve several issues.
CVE Filtering You can check which systems in a report are affected by a vulnerability with a particular CVE name using the 'Find CVE' search box. Entering the CVE name (e.g. CVE-1999-0024 or CAN-1999-0629) and pressing the 'Filter' button will display a list of all vulnerabilities (and affected systems) that match the CVE name. Searches will return both CVE names and candidate names even if the prefix is entered incorrectly. Clicking the "Reset" button clears the search field and re-displays all vulnerabilities.
CVE-MAP-NOMATCH A placeholder reference which indicates that a vulnerability does not have a directly applicable CVE reference but does have a CVSS score and vector.
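The CAN-to-CVE promotion rule and the prefix-insensitive 'Find CVE' search above both come down to comparing the year and sequence number rather than the prefix. The added example below (not the product's own code) implements that normalisation, the candidate promotion, and a filter that returns the matching vulnerabilities and affected systems; it also shows that the CVE-MAP-NOMATCH placeholder never matches a search. The vulnerability records and host addresses are constructed; the CVE names used are the ones quoted on this page.

```python
"""Added example: prefix-insensitive CVE/CAN matching and candidate promotion.
The VULNS records below are constructed sample data."""
import re

# A CVE or candidate name: prefix, four-digit year, sequence number.
_CVE_RE = re.compile(r"^(?:CVE|CAN)-(\d{4})-(\d{4,})$", re.IGNORECASE)


def cve_key(name):
    """Return ('1999', '0067') for CVE-1999-0067 or CAN-1999-0067; None for
    anything else, including the CVE-MAP-NOMATCH placeholder."""
    m = _CVE_RE.match(name.strip())
    return (m.group(1), m.group(2)) if m else None


def promote_candidate(name):
    """Candidate accepted by the Editorial Board: CAN-YYYY-NNNN -> CVE-YYYY-NNNN."""
    key = cve_key(name)
    return "CVE-%s-%s" % key if key else name


# Constructed records: code -> (title, references, affected systems).
VULNS = {
    "10001": ("Old FTP daemon", ["CVE-1999-0067"], ["10.0.0.1", "10.0.0.2"]),
    "10002": ("Outdated web server", ["CAN-1999-0629", "CVE-1999-0024"], ["10.0.0.1"]),
    "10003": ("Weak cipher suite", ["CVE-MAP-NOMATCH"], ["10.0.0.3"]),
}


def find_cve(search, vulns=VULNS):
    """Return {code: affected systems} for every vulnerability referencing the
    searched name, whichever prefix (or letter case) the query or record uses."""
    wanted = cve_key(search)
    if wanted is None:
        return {}
    return {code: systems for code, (_, refs, systems) in vulns.items()
            if any(cve_key(r) == wanted for r in refs)}


if __name__ == "__main__":
    print(promote_candidate("CAN-1999-0067"))
    print(find_cve("can-1999-0067"))   # wrong prefix, still matches 10001
    print(find_cve("CVE-1999-0629"))   # record holds the CAN form
    print(find_cve("CVE-MAP-NOMATCH")) # placeholder: nothing to match
```

The regular expression accepts sequence numbers of four or more digits so that identifiers assigned after the four-digit format was extended still normalise correctly.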
Expand / Collapse All A set of controls that allow the user to expand and collapse the vulnerability descriptions, systems lists and graphs.
Vulnerability Descriptions Each vulnerability is described in its own table:
  • A view button [-/+] allowing descriptions to be collapsed or expanded.
  • Five digit vulnerability code. A unique code you can use to reference this vulnerability when discussing with your supplier.
  • A brief title for the vulnerability.
  • Any relevant informational icons. In this context, "new" means that the vulnerability is new across the whole population.
  • Total number of systems that have this vulnerability. A view button [-/+] allowing the vulnerable system listing to be collapsed or expanded.
  • A colour coded rating indicating the vulnerability's severity (the cell is coloured red if the vulnerability's severity is high, yellow if medium, blue if low). As a general guide, high risk vulnerabilities need to be fixed urgently. Medium risks are not urgent, but require attention. Low risks are minor issues. As with all vulnerabilities the customer has the best understanding of the impact of a vulnerability being exploited.
  • A description of the vulnerability. This explains what the vulnerability is, and where relevant, which software versions are affected. It describes what class of attacker could exploit it - e.g. remote user with no login, or local user with mailbox rights, etc. and details what the possible consequences of a breach are. Sometimes this will include data specific to your scan, for example URLs you can use to see the effect of the vulnerability.
  • A solution to remedy, mitigate or workaround the vulnerability. In many cases you will have to read some of the references for step-by-step instructions.
  • Links to additional references about the vulnerability, such as CVE references or advisory IDs.
  • A list of all systems, by domain name and IP address, that have this vulnerability. The date the vulnerability was first detected on a system in the target population is included in square brackets. Clicking on the system link will display the "System Detail" report. A 'new' icon is shown if the vulnerability is new on this particular system, and a criticality icon is shown if the system has been assigned one.
  • A graph showing the history of this vulnerability over the last 12 scans. This is intended to give you a feel for whether the vulnerability is being successfully dealt with.

Ports

Purpose Lists all TCP, UDP and ICMP services that have been discovered across the target system population, cross referenced by system.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which services are visible on which systems.
Benefits Allows management to prioritise the remediation efforts of staff by identifying which systems are offering which services.
TCP Open Ports Lists all open TCP ports that respond to the standard TCP connect three-way handshake. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those systems that have that port open.
UDP Open Ports Lists all responding UDP services. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those systems that have that port open.
ICMP Open Ports Lists all responding ICMP services. ICMP services are listed in ascending numerical (decimal) order. The name of each service is listed next to its number. Clicking a service number link will scroll the page down to show those systems that offer that service.
"New Services" page This page lists only those ports which are new in the current scan. The data is presented in the same way as in the main Ports report, including a "Systems by Port Cross Reference" section limited to new ports only. This view highlights new systems, or new services on existing systems within the population.
Systems by Port Cross Reference Each responding port or service is listed in its own table:
  • Protocol, port or service number and common name. The background colour of this cell is red if any of these ports are considered high risk, otherwise it is coloured blue.
  • A count of the number of systems that responded on this port/service.
  • A list of all systems, by domain name and IP address, that have this port/service open. Clicking on the system link will display the 'System Detail' report. The systems will display their criticality icon if specified.

Unfixed By Age

Purpose Highlights vulnerability remediation issues.
Audience Management who need to identify vulnerability remediation deficiencies or highlight organisational exposure levels.
Benefits Precisely identifies recurring security issues. All unfixed vulnerabilities are identified and shown grouped by system, by type of vulnerability and by responsible contact. This enables security, or other, management to focus attention on risk 'hotspots'. This report can also serve to justify investment in areas of the organisation that are not rectifying vulnerabilities in a timely manner, or are suffering resource shortages.
"Unfixed" Vulnerabilities A vulnerability is considered unfixed if it has been detected on a particular system in at least 2 consecutive scans (i.e., it has recurred at least once). New vulnerabilities (ones which have only been detected once so far) will not appear in this report and will not count towards any of the totals. Stoplisted vulnerabilities are also not counted or displayed.
Line Graph The line graph summarises how many systems have unfixed vulnerabilities of various ages and severities. If a system has unfixed vulnerabilities of different ages and severities, it will be counted multiple times in the graph, but never more than once per risk severity (line) per scan. For example, if a system has one high risk vulnerability that has remained unfixed for 3 scans; another, different, high risk vulnerability that has remained unfixed for 6 scans; and a medium risk vulnerability that has remained unfixed for 3 scans, it will be counted once on the high risk line at 3 scans, once on the high risk line at 6 scans and once on the medium risk line at 3 scans.
A vulnerability on a system that has remained unfixed for, say, 4 scans is not considered (counted) as having been unfixed for 3 scans, 2 scans and 1 scan. The right-most column of the graph is shaded to indicate that it covers a range of scans, not a single scan like the other columns.
Risk Selectors The tabs attached to the top of the line graph can be used to filter out lower severity vulnerabilities. If you are using the urgent vulnerabilities facility, then there will be a selector for "Overdue By Age", see below.
Ordered by Host The first table below the line graph shows a unique list of all the systems that have unfixed vulnerabilities. By default it is ordered first by severity, then by the age of the oldest unfixed vulnerability of that severity. For example, a system with unfixed high risk vulnerabilities aged 6 scans, 4 scans and 2 scans, and unfixed medium risk and low risk vulnerabilities will only be listed once in the table. It will appear in the high risk (red) section of the table.
For each system scanned the table displays:
  • The host name of the system (or IP address).
  • Any relevant informational icons. In this context, "new" cannot appear.
  • Its IP address.
  • The criticality rating if specified.
  • The primary 'region' or group to which it belongs.
  • A link to the detailed vulnerability report for that system.
  • The number of open ports found on the system (the cell is coloured red if any of these ports are considered high risk, otherwise it is coloured blue).
  • The total 'Number' of high, medium, or low risk unfixed vulnerabilities, regardless of age.
  • The number of times the oldest existing vulnerability has recurred on this host ('Longest').

While this table is sorted to highlight what is usually the most important information, it is possible to sort the table by clicking on the column headings. This facility allows you to extract as much information as possible from the table, by presenting the results in the way that best suits you.

Ordered by Vulnerability The second table shows a list of all unique vulnerabilities that have been unfixed for at least one scan. This is intended to give you a feel for which vulnerabilities are causing most of the problems. By default it is ordered first by severity, then by scans outstanding.
For each outstanding vulnerability the table displays:
  • A short description of the vulnerability and informational icons. In this context, "new" means the vulnerability is new across the whole population. The description links to the relevant part of the vulnerabilities report.
  • The severity.
  • Number of systems on which this vulnerability has been unfixed for at least one scan.
  • The maximum number of times this vulnerability has recurred on any system.

While this table is sorted to highlight what is usually the most important information, it is possible to sort the table by clicking on the column headings. This facility allows you to extract as much information as possible from the table, by presenting the results in the way that best suits you.

Ordered by Contact This table breaks down by contact the on-going risk resulting from unaddressed vulnerabilities. It only appears if contact information has been provided and shows all contacts who have systems with at least one unfixed vulnerability.

The report contains one summary row per contact. Each summary row has an attached detail section which is folded away by default. When expanded, this section shows all the metrics for each system which add up to the individual's overall stats.

The report is sortable by any of its columns. These are:
  • "Name" - the contact's email address, sorted in alphabetical order by default.
  • "Systems" - a count of the number of systems with unfixed vulnerabilities each contact is responsible for. Systems without unfixed vulnerabilities are not listed or counted.
  • "Total" - the total number of unfixed vulnerabilities on all the contact's systems added together, as well as the total on each system.
  • "High" / "Medium" / "Low" are the total numbers of unfixed vulnerabilities of each severity, again per contact and per system.
  • "Longest" - the age of the oldest unfixed vulnerability the contact is responsible for, and the oldest on each system. The value for the contact will be equivalent to the maximum value found on any of his or her systems. This is counted in the same way as in the previous table, i.e. a vulnerability which has occurred in 3 consecutive scans will have a "Longest" value of 2.
  • "Months of Exposure" - a sum of the ages of all recurring vulnerabilities per system and per contact. E.g., if a system has 2 high vulnerabilities, one of which has recurred 3 times and the other 2 times, the "Months of Exposure" will add up to 5. New vulnerabilities which have only occurred once so far are not counted.
All counts and metrics take into account the currently selected minimum severity. When the "High risk only" tab is selected, only high-risk vulnerabilities are considered when calculating totals, the age of the oldest vulnerabilities and the Months of Exposure.

When "High and medium risk" is selected, the totals and the value for "Longest" will take into account Medium as well as High severities equally. E.g., if a system has 1 High of age 3 and 1 Medium of age 5, the value reported for "Longest" will be 5 and the Total number will be 2. "Months of Exposure" will be 8.

The same applies when "High, medium and low risk" is selected - All severities are treated equally in the calculations. Totals include Lows and "Longest" will display the age of the oldest Low vulnerability, if its age is greater than that of the oldest Medium or High. No formulas such as "1 high equals 2 lows" are applied anywhere.
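As an added example, not part of the original help text, the following Python works through the "Total", "High"/"Medium"/"Low", "Longest" and "Months of Exposure" calculations described above for each minimum-severity tab. It assumes each vulnerability is tracked as the number of consecutive scans in which it has been found (so age = scans seen - 1, matching "3 consecutive scans gives a Longest of 2") and that a vulnerability counts as unfixed once its age is at least 1; the contact's hosts and findings are constructed sample data.

```python
from dataclasses import dataclass

# Severity rank used by the minimum-severity tabs: every severity at or above
# the selected one is counted equally (no "1 high = 2 lows" weighting).
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Vuln:
    """One finding on one system, tracked across consecutive scans."""
    name: str
    severity: str      # "high", "medium" or "low"
    scans_seen: int    # consecutive scans in which it has been found (>= 1)

    @property
    def age(self) -> int:
        # Found in 3 consecutive scans -> age ("Longest") of 2.
        return self.scans_seen - 1


def system_metrics(vulns, min_severity):
    """Detail row for one system, or None when it has no unfixed
    vulnerability at or above min_severity (such systems are not listed)."""
    threshold = SEVERITY_RANK[min_severity]
    # Assumption: "unfixed" means seen in at least two consecutive scans
    # (age >= 1); a finding seen only once is new, not yet unfixed.
    unfixed = [v for v in vulns
               if SEVERITY_RANK[v.severity] >= threshold and v.age >= 1]
    if not unfixed:
        return None
    return {
        "total": len(unfixed),
        "high": sum(v.severity == "high" for v in unfixed),
        "medium": sum(v.severity == "medium" for v in unfixed),
        "low": sum(v.severity == "low" for v in unfixed),
        # Oldest unfixed vulnerability on this system.
        "longest": max(v.age for v in unfixed),
        # Sum of the ages; a new finding (age 0) would contribute nothing.
        "months_of_exposure": sum(v.age for v in unfixed),
    }


def contact_metrics(systems, min_severity):
    """Summary row for one contact: totals over the contact's listed systems,
    with "Longest" equal to the maximum found on any of those systems."""
    rows = {}
    for host, vulns in systems.items():
        metrics = system_metrics(vulns, min_severity)
        if metrics is not None:       # systems with nothing unfixed are dropped
            rows[host] = metrics
    summary = {
        "systems": len(rows),
        "total": sum(r["total"] for r in rows.values()),
        "high": sum(r["high"] for r in rows.values()),
        "medium": sum(r["medium"] for r in rows.values()),
        "low": sum(r["low"] for r in rows.values()),
        "longest": max((r["longest"] for r in rows.values()), default=0),
        "months_of_exposure": sum(r["months_of_exposure"] for r in rows.values()),
    }
    return {"summary": summary, "systems": rows}


# Constructed sample data (not from any real assessment). web01 reproduces the
# worked example in the help text: 1 High of age 3 and 1 Medium of age 5.
SAMPLE_SYSTEMS = {
    "web01.example.test": [
        Vuln("SSLv2 enabled", "high", scans_seen=4),          # age 3
        Vuln("Directory listing", "medium", scans_seen=6),    # age 5
        Vuln("Banner disclosure", "low", scans_seen=1),       # age 0, new
    ],
    "mail01.example.test": [
        Vuln("Open relay", "high", scans_seen=1),             # age 0, new
        Vuln("Version disclosure", "low", scans_seen=3),      # age 2
    ],
}

if __name__ == "__main__":
    # "High risk only", "High and medium risk", "High, medium and low risk"
    for tab in ("high", "medium", "low"):
        print(tab, contact_metrics(SAMPLE_SYSTEMS, tab)["summary"])
```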
Overdue This is an alternative view of the 'Unfixed by Age' report which is enabled for customers using the 'overdue' facility. This facility allows specifying deadline dates for the resolution of specific vulnerabilities, either per system or organisation-wide.

The 'overdue' tab only displays hosts and contacts with vulnerabilities for which deadlines have been set and broken. The value displayed for 'Longest' is the number of Months the longest-existing overdue vulnerability on a system is past the due-date.

The 'Months of Exposure' represents the sum of the ages of overdue vulnerabilities since they were first detected, not taking into account the amount of time they have been overdue.

Contacts

Purpose Shows which contacts are responsible for which systems; the vulnerability status of each contact's systems; and the extent of their remediation efforts.
Audience Managers who want to verify who is responsible for a system's security and track the extent of a contact's remediation workload.
Benefits Identifies which contact is responsible for a system's security and the number of systems for which they are responsible. The statistics next to the contacts' names highlight the status of the organisation's remediation programme and where it may be constrained. For example, if a contact has not fixed any vulnerabilities it could be because they have been redeployed onto another project, are short of resources or tools, or are tardy, signifying that the remediation programme may be stalling.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all contacts, to include or exclude the list of systems for which contacts have responsibility.
Contact Cross Reference Table Lists the e-mail address of each contact that gets vulnerability reports. For each contact the list of systems for which they are responsible is also shown. The table, in expanded format, includes:
  • A button [-/+] that allows the system summary for the contact to be collapsed or expanded.
  • The e-mail address of the contact followed by: the number of systems over which they have responsibility; the number of systems with vulnerabilities; the total number of vulnerabilities for those systems; the number of vulnerabilities the contact has fixed since the last assessment. Trending symbols are also included.
  • The system summary for the contact that, for each system, shows:
    • The host name of the system (or IP address).
    • Any relevant informational icons. In this context, "new" indicates that the system is new to the population.
    • Its IP address.
    • The criticality rating if specified.
    • A link to the detailed vulnerability report for that system.
    • The number of open ports found on that system (the cell is coloured red if any of these ports are considered high risk, otherwise it is coloured blue).
    • The total number of vulnerabilities discovered (the cell is coloured red if the vulnerability's severity is high, yellow if medium, blue if low). The number of new vulnerabilities discovered this scan is shown in brackets.

Groups

Purpose To segment vulnerability results by customer-defined group thereby allowing comparisons to be made across groups.
Audience Managers who want visibility of the 'security status' of parts of their organisation.
Benefits Provides visibility of the relative vulnerability status of groups and allows comparisons to be made between groups. Enables management to apply peer pressure between groups thereby assisting enterprise-wide remediation efforts. Groups can represent organisational boundaries within an organisation, for example, geographic, departmental or otherwise. If a group reflects a type of platform, e.g. Windows systems, vulnerability results can be used to contribute to overall TCO calculations, or help the enterprise drive vendor quality improvements.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Group Comparison The group comparison report provides a 'league' table for each type of group ordered by the amount of risk, or exposure, they contribute to your organisation's total exposure. The position of each group within the league table is ordered by exposure resulting from: first, high risk vulnerabilities, then medium risk vulnerabilities, then low risk vulnerabilities. Each group's remediation status, i.e. within or outside its target, for this and the previous scan is also shown. You can enable or disable the display of any chosen type of group using the check boxes provided. Each group occupies a row in the league table showing:
  • Position - The position of the group in the league, the trend symbol shows the change, if any, compared to the previous scan.
  • Group - The name of the group.
  • Months of Exposure - For each type of vulnerability severity (high, medium, low) this shows the total number of months of exposure that severity of vulnerability has introduced. For example, say a group has two high risk vulnerabilities, each three months old; and another high risk vulnerability four months old, then the total high risk exposure is: (2 vuls x 3 months) + (1 vul x 4 months) = 10 months.
    A remediation target may be independently set for each severity of vulnerability in each group. Targets may be set for the maximum number of months a vulnerability of a given severity may remain outstanding, i.e. unfixed (or recurring). If this has been done then a green or red triangle is added to the bottom right corner of the box, respectively indicating if the target has been achieved, or not, for this severity level. If a green or red triangle is not present then a target has not been set for this severity level within this group. The bottom row of the table presents a total measure of your organisation's overall risk.
  • Target - These indicate if a group has fixed vulnerabilities of all severities within its target(s). If all groups are on target (or have no target(s) specified) then the overall target is considered to have been reached.
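As an added example, not part of the original help text, the following Python builds the league table described above: per-severity Months of Exposure summed from the ages of each group's unfixed findings, ordering by high, then medium, then low exposure, the per-severity target triangle (green, red or none), and the overall target verdict. The groups, finding ages and targets are constructed sample data; the group "London" reproduces the 2 x 3 months + 1 x 4 months = 10 months example in the text.

```python
SEVERITIES = ("high", "medium", "low")


def months_of_exposure(findings):
    """Total exposure per severity for one group.

    findings: iterable of (severity, age_in_months) for every unfixed finding
    on the group's systems. Ages are simply summed, so two highs of 3 months
    and one high of 4 months give a high exposure of 10 months."""
    totals = dict.fromkeys(SEVERITIES, 0)
    for severity, age in findings:
        totals[severity] += age
    return totals


def target_status(findings, targets):
    """Per-severity triangle: True (green) if no unfixed finding of that
    severity is older than the group's target, False (red) if one is, and
    None (no triangle) when no target is set for that severity."""
    oldest = dict.fromkeys(SEVERITIES, 0)
    for severity, age in findings:
        oldest[severity] = max(oldest[severity], age)
    return {s: (oldest[s] <= targets[s] if s in targets else None)
            for s in SEVERITIES}


def league_table(groups, targets):
    """Rows ordered by exposure: high first, then medium, then low, with the
    largest exposure in position 1. A group is on target when no severity
    target has been missed (unset targets do not count against it)."""
    scored = []
    for name, findings in groups.items():
        exposure = months_of_exposure(findings)
        status = target_status(findings, targets.get(name, {}))
        scored.append((name, exposure, status))
    scored.sort(key=lambda r: (r[1]["high"], r[1]["medium"], r[1]["low"]),
                reverse=True)
    table = []
    for position, (name, exposure, status) in enumerate(scored, start=1):
        table.append({
            "position": position,
            "group": name,
            "exposure": exposure,
            "status": status,
            "on_target": all(v is not False for v in status.values()),
        })
    return table


def organisation_total(table):
    """The bottom row: the organisation's total exposure per severity."""
    totals = dict.fromkeys(SEVERITIES, 0)
    for row in table:
        for s in SEVERITIES:
            totals[s] += row["exposure"][s]
    return totals


def overall_on_target(table):
    """Overall target is reached when every group is on target or has no targets."""
    return all(row["on_target"] for row in table)


# Constructed sample data (not from any real assessment).
SAMPLE_GROUPS = {
    "London": [("high", 3), ("high", 3), ("high", 4), ("medium", 2)],
    "Paris": [("high", 12), ("low", 1)],
    "Berlin": [("medium", 6), ("low", 2), ("low", 2)],
}
# Maximum months a finding of each severity may remain unfixed, per group.
SAMPLE_TARGETS = {
    "London": {"high": 3},
    "Paris": {"high": 6, "medium": 3},
}

if __name__ == "__main__":
    table = league_table(SAMPLE_GROUPS, SAMPLE_TARGETS)
    for row in table:
        print(row)
    print("total", organisation_total(table), "overall on target:", overall_on_target(table))
```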
Group Summary The group summary report provides a high-level overview of key data items for each group you have specified. It consists of a table for each type of group that includes:
  • Group - The name of the group. The group name links to the management Summary report for the group. The Systems link provides access to the list of systems that comprise the group.
  • Systems - This section displays information about the systems that comprise a group.
    • with Vuls - The number of systems with vulnerabilities.
    • without Vuls - The number of systems without any vulnerabilities. The red-green horizontal bar provides a visual indication of the proportion of systems with and without vulnerabilities.
    • New - The number of new systems appearing in this group since the last scan.
    • Total - The total number of systems in this group.
  • Vulnerabilities - This section displays information about the vulnerabilities present on systems in each group.
    • New / Recurring - This section displays the number of new vulnerabilities detected in the current scan, and the number of old, or recurring, vulnerabilities. In addition to the figure itself the horizontal bar provides a visual indication of the proportion of new and recurring vulnerabilities occurring across systems within the group.
    • Fixed - The number of vulnerabilities that were found during the previous scan that were not found in the current scan. This gives an indication of the remediation work carried out since the last assessment.
    • Total - The total number of vulnerabilities detected on systems in this group.
    • Breakdown - This horizontal bar chart provides a visual indication of the proportions of high, medium and low vulnerabilities.
  • Target - These indicate if a group has fixed vulnerabilities of all severities within its target. This is the same as the 'This Month' target in the Group Comparison report.
You can enable or disable display of any chosen type of group using the check boxes provided.

History

Purpose To show a rolling twelve scan history of trends for the number of open ports and vulnerabilities on each system tested.
Audience Managers and technicians who want visibility of port and vulnerability trends for systems for which they are responsible.
Benefits Provides a view of the 'hot spots' that have occurred over the previous twelve scan period and indicates on which systems the current (this period's) hot spots are.
Trending Colours A cell with a background colour of:
  • Red indicates the trend has worsened since the past assessment, i.e. an increase in the number of open ports or vulnerabilities.
  • Amber indicates the trend has remained static since the last assessment, i.e. no change in the number of open ports or vulnerabilities.
  • Green indicates the trend has improved since the last assessment, i.e. the number of open ports or vulnerabilities has reduced.
  • Blue indicates no open ports or vulnerabilities have been detected.
  • White indicates the system was not assessed in that period.
RAG Chart Within this table each system assessed is listed with its domain name (if it has one) and its IP address. If the system has no domain name just its IP address is listed. Clicking the domain name (or IP address) link will display the System Detail report for that system. The top row for the system shows the trend for the number of open ports; the bottom row shows the trend for the number of vulnerabilities.

Issues

Purpose To highlight issues with the administrative data provided by customers thereby ensuring assessment information remains current.
Audience Management and administrative staff responsible for overseeing the effectiveness and smooth running of the vulnerability assessment contract.
Benefits Shows which systems have not responded to vulnerability probes for three or more consecutive scans. This enables IP addresses to be 'recovered' and vulnerability assessments to be retargeted to responding systems. Issues with the domain name of systems under assessment or the e-mail address of report recipients are also highlighted.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Statistics The following statistics are provided:
  • Total number of systems that do not appear to be showing any visible ports/services.
  • The number of systems that appear to have DNS problems, such as a mismatch between domain name and IP address.
  • The number of contacts that are responsible for systems that are not responding to vulnerability assessments, i.e. are not showing any visible ports/services.
  • The number of contacts that are responsible for systems that appear to have DNS problems.
  • The number of contacts with e-mail issues, for example, emails containing reports that are being returned (often due to staff leaving the company).
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all contacts, to include or exclude the list of systems with 'issues'.
Issues Table This table is organised by contact to make it easy to delegate issues to the relevant system owners. The blue coloured area shows a summary for each contact: a button [-/+] that allows the system summary for the contact to be collapsed or expanded; their e-mail address; job title/role; number of systems with no ports; any DNS problems; whether their e-mail is bouncing; and a link to send a mail. Clicking this link will open a 'compose' window in the user's default mail program with the subject and text shown in the E-mail Template section.
Expanding the system summary view for the contact shows:
  • The domain name, IP address and criticality (if specified) for the system.
  • A link to the System Detail report.
  • The number of scans for which each system has had zero open ports. If the system has had open ports in the previous three scans, but is included because of DNS anomalies, then this column is blank. Repeatedly having zero open ports usually indicates that an IP address is no longer in use. However in some cases this may be intentional - for example a firewall box that is scanned to verify that no ports have been accidentally opened. In such cases you may use the stoplist facility: see below.
  • Comments on the nature of the DNS problems (if any). Sometimes host names are specified that appear to be incorrect. This does not prevent the scan taking place, as the scan primarily uses the IP address. If the domain does not resolve, "Domain does not resolve" will appear in this column, with the low-level error message in brackets. These error messages are only meaningful to DNS administrators. If the domain resolves to a different IP address to the one provided then "mismatch" will appear in this column. When this column is blank this indicates that the system had no DNS anomalies, but is included because it has zero open ports. DNS anomalies usually indicate that there is some problem with the information provided. However in some cases they may be intentional - for example a host name that points to a load balanced address, while the IP address provided is one of the actual systems. In such cases you may use the stoplist facility: see below. Some uncommon variations of round-robin DNS cannot be reliably tested and in these cases false alerts may occur.
E-mail Template Clicking the Send E-mail link provides a convenient way for a security administrator to e-mail affected contacts. The form at the bottom of the report allows customisation of the e-mail that is sent. The tag '$$SERVERS' is replaced by the relevant contact's list of affected systems. On clicking a "Send E-mail" link, the browser will open a mail composition window with some fields already filled in. The message can be edited as desired before sending. Messages are sent through your mail client as usual.
Note: There is a limitation in Internet Explorer that prevents long message bodies being passed to the composition window. In this case the body will appear empty, but the text will be copied to the clipboard so it can be pasted in. Netscape does not have this limitation.
Stoplisting In some situations systems with zero open ports or DNS anomalies are expected and understood. A system can be stoplisted for "DNS anomalies" or for "zero open ports" in the same way as for a vulnerability. While the stoplist is in place the affected system will not appear in this report at all.


Network Discovery Assessment Reports

The Network Discovery Assessment is a partial assessment of a range of IP addresses. Its purpose is to identify active systems in the client's address range and assure the client that their configuration remains as intended.

Subnet Summary

Purpose Shows high level trends for the number of systems within a subnet responding to network probes.
Audience Management and technical staff who want a pictorial view of the number of systems visible from the Internet.
Benefits Shows trends that can contribute to a CISO's dashboard or metrics. Provides a view of the numbers of responding systems within an organisation's address ranges and the proportion of those systems which could present a high risk.
Pie Chart Shows the number and proportion of high risk (red) and standard (blue) systems that have responded to this assessment. The number of IP addresses that are unused, or not responding, is also shown (light grey).
Bar Chart Shows a rolling twelve scan history of the total number of systems found (grey bar); the number of those systems with high risk services visible (red bar); and the total number of responding systems that are not fully vulnerability scanned (blue line), i.e. are not part of the organisation's Enterprise vulnerability assessment schedule.

Subnets

Purpose Shows which systems within an organisation's address space are visible from the Internet.
Audience Technical management and staff who want to keep track of Internet reachable systems within their organisation.
Benefits Confirms that the systems an organisation shows to the Internet are as intended. Highlights systems not supposed to be visible to the Internet. Shows systems considered to be 'high risk'.
Summary Information Shows:
  • The number of distinct subnet ranges that were scanned.
  • The total number of IP addresses scanned.
  • The start and end date/time for the assessment. This can help when correlating results with firewall logs or IDS alerts.
  • The total number of systems within all network address ranges that responded to probes.
Summary (Key) Table This table gives a key for the colour coding of the cells in the network map and provides some relevant statistics:
  • The total number of IP addresses scanned from which a response could not be obtained (light grey), i.e. unused IP addresses.
  • Of the responding systems the number offering high risk (red) services.
  • Of the responding systems the number offering low risk (blue) services.
  • Of the responding systems the number not offering any services (dark blue), i.e. those systems only responding with ICMP or TCP RST.
  • The number of systems within the network address ranges that are part of an Enterprise assessment schedule (green stripe).
  • The number of new systems detected this scan (thick black border).
  • IP addresses not scanned (dark grey). More often than not this is because the organisation does not own that portion of the IP address space.
Network Details The box above each network map contains:
  • Address Prefix - The first three octets of the network address. The cells of the network map enumerate the last octet.
  • Port Details - Provides a View link that takes you to a report listing the port details for the hosts of this particular subnet.
  • Contact - The e-mail address of the network administrator (owner) for this IP range.
  • Description - A free text description of the network that may help to identify it.
  • Details - When collapsed, this shows the number of devices in this subnet that responded on ports that are associated with high-risk services (i.e. those that are not normally exposed to the internet). It also shows the number of devices that were detected during the current scan but were not detected during the previous scan.
    When expanded this additionally shows:
    • Low Risk - The number of systems responding on ports assigned to low risk services in this subnet.
    • No Services - The number of systems in this subnet that were detected that are not offering services to the internet.
    • No System Found - The number of scanned addresses in this subnet where no system was found.
    • Scanned Addresses - The total number of addresses scanned in this subnet.
    • Vulnerability Scanned - The number of addresses in this subnet that are part of the full vulnerability scans.
    • The number of addresses in this class C network which are not included in the range for which a scan was requested.
Network Map The network map shows a matrix of up to 256 contiguous IP addresses (often referred to as a "class C subnet"). Each cell represents the IP address corresponding to the last octet of the IP address. Clicking the link in a cell will display the Subnet Detail report. The cells are colour-coded as follows:
  • Cells coloured dark grey represent IP addresses that were not scanned.
  • Cells coloured light grey represent IP addresses that have been scanned but did not respond.
  • Cells coloured dark blue represent IP addresses that have offered no services, but have responded with either ICMP or TCP RST packets.
  • Cells coloured light blue represent IP addresses that have responded, offering services (over TCP or UDP).
  • Cells coloured red represent IP addresses that have responded and are offering high risk services.
  • Cells with a green triangle in the corner represent IP addresses that are part of the full vulnerability scans.
  • Cells with a yellow triangle in the corner represent IP addresses that responded, but are not part of the full vulnerability scans.

Subnet Detail

Purpose Provides a list and description of ports on a system that have responded to Network Discovery probes.
Audience Technical staff, such as firewall and network administrators and system owners, responsible for monitoring those services that are visible to the Internet and rectifying resultant security issues.
Benefits Highlights which services are visible to the Internet thereby alerting technical staff to anomalies in their number or type.
Summary Information Lists the system's IP address and domain name (if any); type of scan; the start and end dates/times of the assessment; and a customer defined reference field (can be any text string, such as an asset number).
Ports Section Has two subsections: Open Ports Found and Closed Ports. For each of these subsections the table displays:
  • The port number, in decimal.
  • The 'transport' protocol, e.g. TCP, UDP or ICMP.
  • The name of the service usually assigned to this port, e.g. 'domain' for port 53.
  • A description of the banner or response from the system.
  • A 'new' graphic is displayed at the left side of the table adjacent to ports that have been newly discovered this scan (i.e. were not present last scan).
In the Open Ports Found subsection the port numbers are background coloured red if the port is considered high risk, otherwise they are coloured blue. The Closed Ports subsection lists all ports that were present last scan but not detected this scan. This table is not coloured to de-emphasise it, reminding the user that these ports are not a risk/no longer present on the system.

Differences

Purpose For systems that have been Network Discovery scanned a concise list is provided of only those systems where a change has been detected in their port configuration. This includes systems newly appearing in, or disappearing off, a network address range.
Audience Technical management and staff who need a view of what network changes have occurred since the last scan.
Benefits Provides an immediate indication of a change in the risk exposure of a network segment. Assures network managers that the configuration of their network (or systems attached to it) is not changing unexpectedly. This report can also be useful in identifying changes that have circumvented standard change control procedures.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Information Lists the number of subnet address ranges where differences have been detected this scan; the total number of systems with differences; the number of systems where one or more new 'high risk' ports have been detected; the number of systems where one or more 'high risk' ports detected during the last assessment are no longer present; the number of systems where one or more new 'low risk' ports have been detected; the number of systems where one or more 'low risk' ports detected during the last assessment are no longer present.
Key Cells with a red background colour indicate a change in one or more 'high risk' ports; cells with a blue background indicate a change in one or more 'low risk' ports; cells with a green stripe through them indicate the IP address is already part of an Enterprise assessment schedule; a '+' in the cell indicates an increase in ports detected; a '-' in the cell indicates a decrease in ports detected.
Viewing Option Buttons The first button opens the 'New Systems' report (see description below). The next two buttons allow the user to collapse and expand the view for all subnet address ranges, to include or exclude the list of IP addresses where changes have been detected.
Network Difference Maps Differences within each network address range are described in a table:
  • A view button [-/+] allowing the list of IP addresses where changes have been detected to be collapsed or expanded.
  • The IP address range for this network.
  • The total number of systems within this IP address range where changes have been detected.
  • A map of cells, each showing the last octet of the IP address of the system where the change was detected. Clicking the link in a cell will display the Subnet Detail report for that IP address.

New Systems

Purpose Identifies systems that have been discovered since the last assessment, via Network Discovery assessment or systems that have been added to your vulnerability assessment schedule.
Audience Technical management and staff who need a view of what network changes have occurred since the last scan.
Benefits Provides an immediate indication of new systems that have appeared in an organisation's address space since the last assessment was performed. Allows network managers to confirm that the configuration of their network (or systems attached to it) is not changing unexpectedly. This report can also be useful in identifying changes that have circumvented standard change control procedures.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Information Lists the total number of new systems appearing since the last assessment (either discovered by us or added by you to your assessment schedule); the total number of new systems which are not being vulnerability scanned; total number of subnet ranges which have new systems; total number of systems you have added to your vulnerability assessment schedule.
Key Cells with a red background colour indicate a new system with one or more 'high risk' ports; cells with a blue background indicate a new system with one or more 'low risk' ports; cells with a green stripe through them indicate the IP address is already part of an Enterprise assessment schedule.
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all subnet address ranges, to include or exclude the list of IP addresses where new systems have been detected.
Network Maps New systems within each network address range are described in a table:
  • A view button [-/+] allowing the list of IP addresses of new systems to be collapsed or expanded.
  • The IP address range for this network.
  • The total number of new systems within this IP address range.
  • A map of cells, each showing the full IP address of the new system. Clicking the link in a cell will display either the Subnet Detail report, or the System Detail report if the system is being vulnerability scanned.
Subnet Not Scanned Network Map The final Network Map may be entitled 'Subnet Not Scanned'. In this case new systems that you have added to your vulnerability assessment schedule but are not part of any Network Discovery assessment are described in a table:
  • A view button [-/+] allowing the list of IP addresses of new systems to be collapsed or expanded.
  • The total number of new systems not part of any Network Discovery assessment.
  • A map of cells, each showing the full IP address of the new system added to your assessment schedule. Clicking the link in a cell will display the System Detail report for the system.

Subnet Ports

Purpose Lists all TCP, UDP and ICMP services that have been discovered across the target system population, cross referenced by system.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which services are visible on which systems.
Benefits Allows management to prioritise the remediation efforts of staff by identifying which systems are offering which services.
TCP Open Ports Lists all open TCP ports that respond to the standard TCP connect three-way handshake. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those systems that have that port open.
UDP Open Ports Lists all responding UDP services. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those systems that have that port open.
ICMP Open Ports Lists all responding ICMP services. ICMP services are listed in ascending numerical (decimal) order. The name of each service is listed next to its number. Clicking a service number link will scroll the page down to show those systems that offer that service.
"New Services" page This page lists only those ports which are new in the current network discovery scan. The data is presented in the same way as in the main Subnet Ports report, including a "Systems by Port Cross Reference" section limited to new ports only. This view highlights new systems, or new services on existing systems within the population.
Systems by Port Cross Reference Each responding port or service is listed in its own table:
  • Protocol, port or service number and common name. The background colour of this cell is red if any of these ports are considered high risk, otherwise it is coloured blue.
  • A count of the number of systems that responded on this port/service.
  • A list of all systems, by domain name and IP address, that have this port/service open. Clicking on the system link will display the 'System Detail' report.

System Requirements

Browser Support for Reports We recommend viewing the reports using a maximised window with Microsoft Internet Explorer 6.0 in 1024x768 screen area. For best results make sure Javascript is enabled when reading the reports (normally this is turned on by default).
Printing Reports For best results when printing the reports, please ensure you have printing of background colours turned on. In Internet Explorer this can be achieved by selecting 'Tools' -> 'Internet Options...' then clicking on the 'Advanced' tab. In the 'Printing' section make sure the box 'Print background colors and images' is checked.

Scans by RatwareUK