- What are the originating IP addresses for scanning?
- Why is my latest scan taking longer to complete than earlier scans?
- How long should my scan take?
- Can I set up my own scan?
- Is it possible to create a custom tool policy?
- Can I scan my internal network?
- What is Business Impact?
- I don't agree with the current Business Impact rating, can I change it?
- What do the different vulnerability severity ratings mean?
- Why are there variations between some of the platform vulnerabilities CVSS Base Scores and severity?
- What is a SureCloud Asset Group?
- What does the baselined setting do?
- Can I add new users to SureCloud?
- I'm still not sure how to use the system, can you show me?
- What is the difference between Vulnerability Summary and Vulnerability List?
- How can I perform authenticated vulnerability scanning?
- I get a lot of vulnerabilities related to unknown or self-signed certificates on hosts?
- What is the Events Manager retention policy?
- What do each of the Event Severities mean within Event Manager?
What are the originating IP addresses for scanning?
All SureCloud PCI ASV and On-Demand scanning activity will originate from the following IP address ranges:
The majority of penetration test traffic will also originate from this address space, though there are a few exceptions depending on the nature of the penetration test. For that reason we advise checking, at the time of the penetration test, which IP addresses are being used.
Why is my latest scan taking longer to complete than earlier scans?
Many factors affect how long a scan takes, including Internet latency, target load, scan appliance load, and the response times of services hosted within the target infrastructure, so it is not possible to give a definitive answer. Most recurring scans complete within 10-20% of their average historical duration; however, random events such as a slow target server response can cause a scan to take twice as long without being a significant cause for concern.
How long should my scan take?
Scan duration is approximately a function of the size of the scan, in terms of how many IP addresses are being scanned. However, various factors including Internet latency, target load, scan appliance load, and the response times of services hosted within the target infrastructure make it impossible to accurately predict how long a scan will take.
SureCloud scans are throttled back to a reasonable degree to provide a balance between minimal impact on target environments, and scan duration.
Can I set up my own scan?
Yes, we encourage customers to set up their own scans. You can either choose a preset scan configuration, or select the individual tools and build your own scan, including choosing the policies. You then set the scan to run from the SureCloud 'cloud' security appliance farm, or from your own appliance if you have one installed locally.
Is it possible to create a custom tool policy?
Yes. The SureCloud platform allows you to create a new policy file. Beneath the "Cog" icon at the top of the page you will see the Tool Policies and Tool Settings sub tabs. Inside the Tool Policies tab, you can create a new policy based on an existing policy by following these steps:
- Click Add Tool Policy icon
- Give your new policy a name
- Tool defaults to "SureCloud Vulnerability Scanner" and should be left as-is
- Put your name and a brief description in "Description"
- From the Template drop down, choose the existing policy that you would like to inherit from
Once you have completed those steps, you can then drill into your new policy and edit the checks (plugins) manually as needed.
Can I scan my internal network?
Yes, if you have a SureCloud appliance installed locally. We do not currently support internal network scanning from our cloud appliances.
What is Business Impact?
Business Impact is a rating from 0-5 which indicates how critical the asset is to your organisation. Business Impact 5 is the most critical and Business Impact 1 is the least critical, whilst a Business Impact of 0 means that the asset is a logical grouping only and is excluded from the dashboard and risk calculations. Generally, our risk calculations are derived from the severity of a particular vulnerability multiplied by the Business Impact rating of the asset against which the vulnerability exists.
I don't agree with the current Business Impact rating, can I change it?
Please do! We encourage customers to review their asset and scan configurations regularly, as SureCloud consultants cannot keep on top of changes that result from internal customer decisions. The same applies to scan targets: at the point of scan configuration a customer may have 2 IP addresses and later add a third. Unless SureCloud is notified of the additional IP address it will not be scanned, and the customer may be exposed to unidentified risk.
What do the different vulnerability severity ratings mean?
Informational: This item is presented for information only, and should not have an impact on the business. Occasionally, vulnerabilities raised at this severity rating may indicate missing best practice recommendations that could help to enhance the current security configuration.
Low: This severity rating represents a Low risk issue. The impact to the Confidentiality or Integrity of information, or to the Availability of systems or information, is unlikely to be material to the business or its users. Exploitation is likely to require very specific scenarios, such as physical or local access to systems, and is unlikely to provide usable system or information access. Alternatively, it could indicate that the difficulty of exploiting the vulnerability is very high.
Moderate: This vulnerability presents a Moderate impact to the Confidentiality, Integrity, or Availability of systems or information. Exploitation is likely to require a high degree of experience on the part of the malicious user. It may also require specific or time-limited conditions to exist for exploitation to succeed, such as the use of social engineering tactics to obtain valid credentials, or the attacker residing on the same network as the target. If the attack is successful there is likely to be limited impact to the vulnerable system, for example only low-privileged access to infrastructure or access to very limited amounts of information.
High: This issue may have a High impact on business systems or on the business' or users' information. While exploitation may require a reasonable degree of expertise from the attacker, successful exploitation is likely to be relatively easy, though it may require specific scenarios such as authenticated access or network connectivity. If exploited, the impact on the target system is likely to be significant, such as access to a compromised account's information, or infrastructure access that could be elevated to a privileged level.
Critical: This vulnerability represents a Severe or Critical impact to systems or information. Exploitation is likely to be easy or even trivial for a malicious user; although it may require a high degree of expertise, it may not require any pre-requisite access, information, or specific conditions. Exploitation is likely to provide elevated access to infrastructure such as servers or network equipment, direct access to information, or to allow the malicious user to impersonate or operate within the scope of another account.
Why are there variations between some of the platform vulnerabilities CVSS Base Scores and severity?
SureCloud use the industry-standard Common Vulnerability Scoring System (CVSS) and severity ratings for the vulnerabilities within Vulnerability Manager and on Penetration Tests. These are defined through sources such as the National Institute of Standards and Technology (NIST), Common Vulnerabilities and Exposures (CVE) and various other vulnerability feeds. However, there are some circumstances where SureCloud have had to raise or lower the related severities based upon factors such as exploitability and environment. An example of this would be a service exposed only to an internal trusted network, which is rated as an 'Informational' severity (0-1) but would be a 'Medium' (or higher) severity (3+) if exposed to the public internet.
As such, each vulnerability definition within the SureCloud platform has an 'Internal' and an 'External' severity. Which of these is applied to a host/service depends upon whether its address is an RFC 1918 private address: if the IP falls within 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 it is classed as 'internal', otherwise it is classed as 'external'.
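The following is an added example, not SureCloud platform code, showing the two rules described above: the RFC 1918 test that selects the 'Internal' or 'External' severity of a finding, and the risk calculation (severity multiplied by Business Impact, with Business Impact 0 excluded) from the Business Impact answer earlier on this page. The vulnerability definition and its key names are constructed stand-ins, and the addresses are constructed test inputs; one thing the example makes visible is that addresses outside the three listed blocks (for instance 172.32.0.1, the shared address space 100.64.0.0/10, or IPv6 unique local addresses) are classed as 'external' under this rule even when they are not internet-reachable.

```python
"""Added example (not SureCloud code): choose the internal/external severity
of a finding by the RFC 1918 rule, and compute severity x Business Impact."""
import ipaddress
from typing import Optional

# The three RFC 1918 private IPv4 blocks, exactly as listed in the FAQ.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for IPv4 addresses inside one of the RFC 1918 blocks.
    Anything else (public IPv4, 100.64.0.0/10, loopback, any IPv6) is False."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def severity_for(ip: str, definition: dict) -> tuple:
    """Return (scope, severity) for a finding on `ip`, where scope is
    'internal' or 'external'. `definition` is a constructed stand-in for a
    platform vulnerability definition carrying both severities (key names
    are assumptions, not the platform's schema)."""
    scope = "internal" if is_rfc1918(ip) else "external"
    return scope, definition[scope]


def risk_score(severity: int, business_impact: int) -> Optional[int]:
    """Severity multiplied by Business Impact (0-5). An asset with Business
    Impact 0 is a logical grouping only and is excluded, so None is returned."""
    if not 0 <= business_impact <= 5:
        raise ValueError("business impact must be between 0 and 5")
    if business_impact == 0:
        return None
    return severity * business_impact


# Constructed definition: the FAQ's "service exposed to an internal trusted
# network" case, Informational (1) inside but Medium (3) from the internet.
EXPOSED_MGMT_SERVICE = {"name": "Management interface reachable", "internal": 1, "external": 3}

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.31.255.254", "172.32.0.1", "203.0.113.7", "100.64.1.1", "fd00::1"):
        scope, sev = severity_for(ip, EXPOSED_MGMT_SERVICE)
        print(f"{ip:16} {scope:8} severity={sev} risk(BI=5)={risk_score(sev, 5)}")
```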
What is a SureCloud Asset Group?
An Asset is a logical representation of 'something', usually an IT or information asset such as a network, a server, a datacenter or even a document. Vulnerabilities are recorded against Assets, whether from penetration testing, vulnerability scanning or PCI ASV scanning, or manually by yourself or by SureCloud consultants. Assets can even be something intangible, such as business reputation. It is a very flexible model that allows users to be creative in defining the assets that matter to their business.
What does the baselined setting do?
The 'Baselined' setting can be set per IP and/or per Service. Baselining allows you to state which IPs and Services are known and expected. If a new IP or Service then appears on a scan it is shown as not baselined, and may therefore warrant further investigation. For example, someone may have put a new system or service live without the correct change control procedures or approval, exposing you to increased risk through a larger attack surface.
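As an added example (not the platform's own logic), the check below performs the comparison the Baselined setting is described as making: every IP/service pair from the latest scan is compared against the set you have declared known, and anything unknown is reported for review. The baseline and the scan output are constructed sample data. It also reports baselined services that no longer answer, which the page does not mention but which is usually worth knowing for the same change-control reason.

```python
"""Added example (not SureCloud code): report scan results that are not in
the declared baseline of known IPs and services."""

# Constructed baseline: IPs and the services expected on each of them.
BASELINE = {
    "10.0.0.5": {"tcp/22", "tcp/443"},
    "10.0.0.6": {"tcp/25"},
    "10.0.0.7": {"tcp/443"},
}

# Constructed output of the latest scan, as (ip, service) pairs.
LATEST_SCAN = [
    ("10.0.0.5", "tcp/22"),
    ("10.0.0.5", "tcp/443"),
    ("10.0.0.5", "tcp/8080"),   # new service on a known host
    ("10.0.0.6", "tcp/25"),
    ("10.0.0.9", "tcp/3389"),   # host that is not baselined at all
]


def not_baselined(baseline: dict, scan: list) -> list:
    """Findings that warrant review, in scan order:
    ('ip', ip) once per host missing from the baseline, and
    ('service', ip, service) for each unexpected service on a known host."""
    findings = []
    unknown_hosts = set()
    for ip, service in scan:
        if ip not in baseline:
            if ip not in unknown_hosts:
                findings.append(("ip", ip))
                unknown_hosts.add(ip)
        elif service not in baseline[ip]:
            findings.append(("service", ip, service))
    return findings


def missing_from_scan(baseline: dict, scan: list) -> list:
    """Baselined (ip, service) pairs that the latest scan did not observe.
    Not part of the FAQ's description; included because a service that
    disappears is also an unreviewed change."""
    seen = set(scan)
    return sorted((ip, svc) for ip, svcs in baseline.items() for svc in svcs if (ip, svc) not in seen)


if __name__ == "__main__":
    for finding in not_baselined(BASELINE, LATEST_SCAN):
        print("NOT BASELINED:", *finding)
    for ip, svc in missing_from_scan(BASELINE, LATEST_SCAN):
        print("BASELINED BUT NOT SEEN:", ip, svc)
```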
Can I add new users to SureCloud?
Yes, if you are an administrator for your Organisation you can manage user accounts under the Settings tab. Note that the system will only let you add new user accounts if you have remaining licenses. Please contact email@example.com for additional licenses if you need them.
I'm still not sure how to use the system, can you show me?
If you would like a demonstration of how to use the system, we can arrange a shared desktop session in which we walk you through the system and advise on the optimal configuration for your organization. Please open a support ticket by clicking on the i icon at the top of the SureCloud platform.
What is the difference between Vulnerability Summary and Vulnerability List?
The Vulnerability Summary view shows the distinct vulnerabilities, with a column showing their occurrences as a percentage; the occurrences column allows an organization to focus its energy on fixing quick wins. The Vulnerability List view shows the individual vulnerabilities against individual systems. This allows the user to filter by IP address, severity, Asset Group and many other options, as well as to search individual vulnerability descriptions for keywords.
How can I perform authenticated vulnerability scanning?
The SureCloud vulnerability scanner can be configured with credentials so that authenticated scans can be run. Authenticated scanning allows for greater enumeration of vulnerabilities within the targets, which may reveal issues such as missing patches for installed software that is not accessible over the network, misconfiguration within running services, and more. For more information, please ask for a copy of the Credentialed Vulnerability Scanning document.
I get a lot of vulnerabilities related to unknown or self-signed certificates on hosts?
During internal scanning you may notice many vulnerabilities related to unknown or self-signed certificates on hosts, despite having an internally trusted certificate authority. Clients can open a support ticket and include a copy of the CA certificate in .PEM format, and we will import it onto your internal SureCloud security appliance. When you next run a scan, this should close any unknown or self-signed certificate vulnerabilities for certificates that now chain to the newly imported CA.
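The script below is an added example, not SureCloud's code or procedure. It reproduces the finding with a throwaway internal CA standing in for your real one, and gives two checks worth running before raising the ticket: that the PEM you are about to send is the CA certificate rather than a host certificate, and that your host certificates actually chain to it (if they do not, importing the CA will not close the findings). It assumes the openssl command-line tool is installed; every file name in it is hypothetical.

```sh
#!/bin/sh
# Added example, not SureCloud's code. Shows the "unknown CA" view a scanner
# has before your CA is imported, and two checks to run before sending the CA.
# Assumes the openssl CLI is available; all paths and names are hypothetical.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Throwaway internal root CA (stand-in for your real internal CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Internal Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/internal-ca.pem" 2>/dev/null

# 2. A host certificate issued by that CA (what an internal server presents).
openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.internal" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/internal-ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/host.pem" 2>/dev/null

# verify_host CERT [CAFILE]: exit 0 if CERT chains to a trusted root.
# With no CAFILE only the system trust store is consulted, which is the
# scanner's view before your CA has been imported onto the appliance.
verify_host() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

# is_ca PEM: exit 0 when the certificate carries basicConstraints CA:TRUE,
# i.e. it is a CA certificate and not a host (leaf) certificate.
is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Demonstration run.
if verify_host "$WORK/host.pem"; then
  echo "host cert trusted without the CA file: the system store already trusts it"
else
  echo "host cert NOT trusted without the CA file: this is the scan finding"
fi
verify_host "$WORK/host.pem" "$WORK/internal-ca.pem" && echo "host cert chains to internal-ca.pem: importing the CA will clear it"
is_ca "$WORK/internal-ca.pem" && echo "internal-ca.pem is a CA certificate: this is the file to send"
is_ca "$WORK/host.pem" || echo "host.pem is a leaf certificate: not what needs importing"
```

Run `is_ca` against the PEM you intend to attach to the ticket and `verify_host <host cert> <that PEM>` against a certificate taken from one of the flagged hosts; if the second check fails, the hosts are presenting certificates from a different issuer and the findings will remain after the import.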
What is the Events Manager retention policy?
Events are stored for up to 13 months within the SureCloud platform. Events older than that are cleared on a daily basis.
What do each of the Event Severities mean within Event Manager?
- 11-15 Critical Severity: a trigger that we recommend is investigated immediately.
- 7-10 High Severity: an event that we would not expect to see within normal operation, or a series of failures (indicating a potential attack).
- 4-7 Medium Severity: generic network activity that should be reviewed to ensure it is expected, such as group permission changes.
- 0-3 Low Severity: a generic event trigger, for example a user elevated their permissions or a log file was rotated.