Skip to main content
Skip table of contents

Assets

Purpose

This document provides users with an overview of the Assets. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec subscription.

Introduction

Assets are groups of unique hosts or agents found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations which are being scheduled and scanned independently.

These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile in form of top recommended solutions and risk charting provide a quick way of assessing the criticality of an asset, its association with other assets and already performed scans.

Assets

What are Assets?

Assets are groupings of one or several identifiers such as IP addresses and host names that represent distinct resources customers wants to secure. As such, an asset may represent entities such as:

  • An employee's laptop
  • A publicly available website, hosted on a domain for example example.com and served from one or more physical or virtual servers
  • A database server only accessible from within an internal, protected network
  • An OCI image served from a private container registry
  • Resources hosted on a cloud service provider
  • An Outpost24 agent

As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.

How are Assets Created and Updated?

Assets are created dynamically when discovered during scans.

Valid Asset Composition

Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.

Asset Composition Constraints

There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:

Asset Identifiers/AssetServerAWS AccountDocker ImageGCP AccountMAZ Account
AWS_ACCOUNT_IDNotMustNotNot

Not

AWS_REGIONNotMustNotNot

Not

DOCKER_IMAGENotNotMustNot

Not

DOCKER_REGISTRYNotNotMustNot

Not

GCP_PROJECT_IDNotNotNotMust

Not

HOSTNAMEMayNotNotNotNot
IPMayNotNotNotNot
MACMayNotNotNotNot
MAZ_TENANT_IDNot

Not

NotNotMust
NETBIOS

May

Not

NotNotNot
SEED_PATH

May

May

MayMayMay

Green - Asset identifiers that must exist in an asset
Orange - Asset identifiers that may exist in an asset
Red - Asset identifiers that must not exist in an asset

Asset Sources

Each asset contains one or more sources visible in the source column which describe where the asset comes from:

Scout

Scale is an automated Dynamic Application Security Testing scanner (DAST) designed to analyze web applications for vulnerabilities at volume and speed.

Cloud security assessment
SWAT is a combination of web application scanning technology and Security Consultants to provide the most accurate and reliable solution for dynamic security testing of web applications.
Assure is a point in time security assessment of an web application designed to provide customers an assurance of the security level of their application.
Netsec solutions provide capabilities to identify, categorize, manage, and report on network-attached Information Technology (IT) assets and their security vulnerabilities such as insecure system configurations or missing security updates.
Snapshot is a point in time security assessment of a web application designed to provide customers a detailed overview of the security level of their application.


Subscription Type

The Active subscription column indicates whether the asset has one or more currently active subscriptions or if it is inactive.

  •  
  •  
  •  

Asset Naming

Assets names is auto-generated by the system and is derived from underlying identifiers.

The asset names is a customizable attribute and can be changed.

Changes from Previous Versions of Portal

Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.

Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.

Customizing the Asset View

The Assets view lists all tracked assets. 


Configuring the Columns

The Columns can be configured in several ways. Columns can be added and removed and the order in which they are displayed can be changed.

Selecting Columns

By clicking on the filter bar next to the main menu, a column menu is displayed where columns can be selected and deselected to configure the view.

The content in the column menu may change depending on which view it is opened in.

Changing Column Width

All the columns are configurable in width by dragging the dotted area on the right side of the column head.

Changing Column Presentation

By dragging the dotted area on bottom of the column head, the order in which the columns are presented can be changed.

Multi Select

You can select several rows by checking multiple boxes at a time. This enables you to use the tools from the blue tool bar beneath the table on all the selected rows simultaneously.

For example, to use the tagging tool on three rows at once, select the rows an click the Edit Tag icon and fill in the tag name. The three selected will get the same tag.

The toolbar varies between different views. For example, the Asset toolbar contains different tools then the toolbar in the findings view.

Date Picker

Each column containing a date have a date picker where dates can be set to filter the column accordingly.


To customize the view,

  1. Click on Filter icon to see the available columns and filtering options. See Common Settings Panel, for more information. 



  2. Add desired columns by clicking on the Show/Hide Column icon.

Filtering Assets

Adding Selections

To access the filters

  1. Open Findings and then Vulnerabilities.
  2. Open the Assets panel by clicking double dotted line.



  3. Clicking on a row selects single items.



    Using Ctrl + click selects multiple non-contiguous items or Shift + click selects multiple contiguous items.



    If a selected asset is clicked again, it is unselected and unfiltered.

Selection Counters

When assets are selected, a badge is displayed that informs that there is an asset filter applied with a counter.

In the image, four assets is selected indicated by the badge on the Assets bar. On the Column bar the badge indicates that one filter has been added.

Clearing Selections

The Clear all button unselects all selections.

Assets - Details

Select an asset to view its details on the right side of the window.

Risk Profile

The Risk Profile tab displays the information about the name and source of the asset, and the CVSS v3 risk categories of the findings associated with that specific asset.

Top Recommended Actions

The Top Recommended Actions provide suggestions of actions needed to remedy most of the high risk findings.

OWASP top 10

The OWASP Top 10 provides an indication on where on the scale of the most critical security risks the findings are located.


Tags

The Tagging button allows you to add or remove tags from the selected asset.

View Related Findings

The View Related Findings button redirects you to a filtered findings table containing the findings associated to the selected asset.

Scans

Displays list of scans along with the status and results of each scan of that asset.

URLS

STATUS

If you have a SWAT, Assure, or Snapshot type subscriptions and open the detail view of those assets, the empty state message in the Scans tab should display "This is a SWAT/Assure/Snapshot asset, it's continuously monitored by Outpost24 Appsec team and therefore no scans can be shown here".


Configurations

Takes you to Scan Configurations.



Associations

Displays the IPs, host names, instances, and services associated with the selected asset.


Subscriptions

Subscriptions represent the customer's engagement with Outpost24 and each entry corresponds to an already purchased and paid subscription.

Shows you active or inactive subscription on assets.


The Subscription tab list the current subscriptions assigned to the selected asset.

If no subscription is available for the selected asset, this message is displayed.


Agents


Technical Preview

This section is a technical preview of a feature that is currently under development. This feature is hidden behind a feature flag.


The Agents view list all asset identifiers that are of Agent type.

The same columns that are available in the Asset view are also present in Agent view with an addition of columns that are specific to the agent type such as:

  • Agent version
  • Agent last synchronized
  • Agent retired
  • Agent id

Rational for adding them is to allow filtering on those columns.


Logs

Selecting an agent provides a view with logs for that Agent.


Managing Agents

Right clicking on a agent provides a menu where you can add and remove tags.



Edit Tags

The Edit tags action displays a popup providing the user with the ability to link, or create and then link, tags to the Agent’s assets and in the Agent view, displaying these tags as "This tag is inherited".


Update External Tags

The Update external tags action displays a popup, telling the user how many assets will have their tags updated. 

Removing Tags from Agents

To remove a tag from the Agent, click on the X on the right hand side in the tag.



Managing Assets

The assets can be managed using the tools in the tools menu.

To manage the assets in the table:

  1. Right click an asset to open the Tools menu.



  2. Click the preferred task.

Rename

Rename the Asset.

When multiple assets are selected, the new name is applied to all of the selected assets.

Configure Assets

This action creates scan configurations for the selected assets allowing further customization of the scanning parameters.


Once the scan configuration has been created, it will appear in the Scan configurations view where it can be additionally tweaked.

Submit for Scoping

Outpost24 Appsec team can help with a deeper assessment of business critical assets beyond automated vulnerability scans. This feature provides a scoping form that can be used to conveniently request a quote for an assessment for the selected assets. The available solutions are currently SWAT, Assure and Snapshot. Once the form has been submitted, Outpost24 Appsec team will get back to confirm the scope, the proposed the assessment format and the time frame for the assessment.

Target Start Date

Set the starting  date for when the asset should be scanned.

Assets

Administration interface URLs

URL to any administrative interface to the asset.

Out of Scope URLs

List all URL that should not be part of the scan.

Known Sensitive functionality

Any sensitive functionality that the testers should be aware of.

Credentials

See Scan Credentials for more information about credentials

Component and technologies
Focus areas


Tags

Tagging helps to create more custom filtering options by adding specific tags to various entities. Customize the asset view by adding or removing the tags and by applying filters. Each view has a Filter and Settings panel. To access it, click the Filter icon in the bar spanning along the left edge of the table. This displays the Filter and Settings panel. Inside the Filter and Settings panel, it is possible to add or remove columns, apply filters, save sorting order, and column width and make it persist on your account.

The Update external tags function adds all custom attributes of Agent asset identifiers as tags on the asset, except MAC attribute.

See Tags for more information about tags.

View Related Findings

The View related findings opens a view over findings linked to the selected asset.

Generate Report

Generates reports containing all vulnerability findings associated with the selected assets.

Edit the Asset Environmental Vectors

Different environments can have a big impact on the risk that some vulnerabilities pose to your company. The CVSS environmental metric group captures vulnerability characteristics associated with a user's IT environment. Environmental metrics are optional, each metric can be set to "Not defined" for that metric to not affect the score. This value is used when a user thinks a particular metric is not applicable and wants to "skip" it.

These metrics allow the analyst to tailor the CVSS score based on the value of the affected IT asset to the user's organization, as measured by the presence of complementary/alternative security controls, Confidentiality, Integrity, and Availability. Metrics are modifications of base metrics that assign metric values based on the placement of assets within an organization's infrastructure.

  1. Select the asset you want to edit.
  2. Click the Edit Environmental CVSS Vector icon in the right click menu.



  3. In the pop up that are displayed you can edit the Environmental Vectors for both CVSSv2 and CVSSv3.



    MetricsOptionDescription

    Collateral Damage potential (CDP)

    Not Defined (ND)This value does not affect the score and is skipped by the equation.

    None (N)

    There is no potential for loss of assets, productivity, or revenue.
    Low (light loss) (L)A successful exploit of this vulnerability may result in a slight loss of revenue or productivity to the organization.
    Low-Medium (LM)A successful exploit of this vulnerability may result in a moderate loss of revenue or productivity to the organization.
    Medium High (MH)A successful exploit of this vulnerability may result in  a significant loss of revenue or productivity.
    High (Catastrophic loss) (H)A successful exploit of this vulnerability may result in a catastrophic loss of revenue or productivity.
     Target Distribution (TD)

    Not Defined (ND)

    This value does not affect the score and is skipped by the equation.
    None [0%] (N)No target resources  exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
    Low [0-25%] (L)Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk.
    Medium [26-75%] (M)Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk.
    High [76-100%] (H)Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk.

    Confidentiality Requirement (CR),

    Integrity Requirement (IR),

    Availability Requirement (AR)

    Not Defined (ND)

    This value does not affect the score and is skipped by the equation.

    Low (L)

    Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates.

    Medium (M)

    Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates.

    High (H)

    Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates.




    MetricOptionDescription

    Confidentiality Requirement (CR),

    Integrity Requirement (IR),

    Availability Requirement (AR)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    Low (L)Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates.
    Medium (M)Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates.
    High (H)Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates.

    Modified Attack Vector (MAV)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    Network (N)

    Network rated vulnerabilities are remotely exploitable through the network layer of the OSI model, from several hops away, up to, and including, remote exploitation over the Internet.

    See also CVE 2004 0230 for more information.

    Adjacent Network (A)

    The Adjacent Network rated vulnerability requires that the exploit  must be launched from the same physical or logical network and cannot be performed across an OSI layer 3 boundary.

    See also CVE 2013 6014 for more information.

    Local (L)

    Vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally, remotely through protocol such as SSH or RDP, or requires use of social engineering or other techniques to trick an user to help initiate the exploit.

    Physical (P)

    In this type of attack, the attacker must physically interact with the target asset. Physical interaction can be brief like an attack from an evil maid [1]) or persistent.

    Modified Attack Complexity (MAC)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    Low (L)

    There are no specific pre-conditions available to exploit.

    High (H)

    There are conditions beyond the attackers control for successful attack. For this type of attack, the attacker must complete some number of preparatory steps in order to get access.
    This might include:

    • gather reconnaissance data
    • overcoming mitigations
    • becoming a man-in-the-middle

    Modified Privileges Required (MPR)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    None (N)

    The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.

    Low (L)

    The attacker is authorized with required privileges that provide basic user functions that typically only affect settings and files owned by a user. Alternatively, a low-privilege attacker can only affect non-sensitive resources.

    High (H)

    The attacker is authorized with required privileges that provide significant administrative control over the vulnerable asset that could affect asset-wide settings and files.

    Modified User Interaction (MUI)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    None (N)The vulnerable resources can be exploited without user interaction.
    Required (R)

    A user must complete some steps for the exploit to succeed.

    For example, a successful exploit may only be possible during the installation of an application by a system administrator.

    Modified Scope (MS)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    Unchanged (U)

    An exploited vulnerability could only affect resources controlled by the same authority.

    In this case, the impacted asset and the vulnerable asset are the same.

    Changed (C)

    An exploited vulnerability could affect resources beyond the authorization rights provided by the vulnerable asset.

    In this case, the vulnerable asset and the affected asset are different.

    Modified Confidentiality (MC)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    None (N)There is no loss of confidentiality within the impacted asset.
    Low (L)

    There is some confidentiality loss leading to that limited information can be accessed, but with no control over what, specifically, they are able to access. The disclosure of information does not cause direct and serious damage to the affected asset.

    High (H)

    The attacker has full access to all resources in the impacted asset, including highly sensitive information such as encryption keys, or access is obtained to limited information, but the information disclosed has a direct and serious impact.

    Modified Integrity (MI)

    Not Defined (X)This value does not affect the score and is skipped by the equation.
    None (N)There is no loss of confidentiality within the impacted asset.
    Low (L)

    Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. A limited amount of information might be tampered with or modified, the modification of the data does not have a direct and serious impact on the targeted asset.

    High (H)

    The attack can modify information on the targeted assets, resulting in a complete loss of integrity or protection. This can lead to modified files, resulting in a direct and serious consequence to the impacted asset.

    Modified Availability (MA)




    Not Defined (X)This value does not affect the score and is skipped by the equation.
    None (N)There is no loss of confidentiality within the impacted asset.
    Low (L)

    Performance is degraded or resource availability is disrupted. Although this vulnerability could be exploited repeatedly, the attack would not completely deny service to legitimate users.

    The affected asset are either partially available or fully available intermittently, but in general this does not have any direct and significant consequences for the affected asset.

    High (H)

    There is a complete loss of availability of the affected asset, where access to the resources of the assets is denied. This loss is either temporary during the attack or permanent leaving the asset unreachable even after the attack.

    Alternatively, the attack can deny some availability, but the consequence of the lost availability is severe.


    1)
    See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.

  4. Click Save.

References

  1. https://www.first.org/cvss/v2/guide
  2. https://www.first.org/cvss/v3.0/specification-document




Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.






















JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.