
Assets

Purpose

This document provides users with an overview of the Assets. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec subscription.

Introduction

Assets are groups of unique hosts or agents found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations which are being scheduled and scanned independently.

These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile, in the form of top recommended solutions and risk charting, provides a quick way of assessing the criticality of an asset, its association with other assets, and the scans already performed.

Assets

What are Assets?

Assets are groupings of one or several identifiers, such as IP addresses and host names, that represent distinct resources customers want to secure. As such, an asset may represent entities such as:

  • An employee's laptop
  • A publicly available website, hosted on a domain (for example, example.com) and served from one or more physical or virtual servers
  • A database server only accessible from within an internal, protected network
  • An OCI image served from a private container registry
  • Resources hosted on a cloud service provider
  • An Outpost24 agent

As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.

How are Assets Created and Updated?

Assets are created dynamically when discovered during scans.

Valid Asset Composition

Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.

Asset Composition Constraints

There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:

Asset Identifiers/Asset  Server  AWS Account  Docker Image  GCP Account  MAZ Account
AWS_ACCOUNT_ID           Not     Must         Not           Not          Not
AWS_REGION               Not     Must         Not           Not          Not
DOCKER_IMAGE             Not     Not          Must          Not          Not
DOCKER_REGISTRY          Not     Not          Must          Not          Not
GCP_PROJECT_ID           Not     Not          Not           Must         Not
HOSTNAME                 May     Not          Not           Not          Not
IP                       May     Not          Not           Not          Not
MAC                      May     Not          Not           Not          Not
MAZ_TENANT_ID            Not     Not          Not           Not          Must
MAZ_SUBSCRIPTION         Not     Not          Not           Not          May
MAZ_RESOURCE_GROUP       Not     Not          Not           Not          May
MAZ_RESOURCE             Not     Not          Not           Not          May
NETBIOS                  May     Not          Not           Not          Not
SEED_PATH                May     May          May           May          May
SERIAL_MACHINE_ID        Must    Not          Not           Not          Not
SERIAL_PRODUCT_ID        Must    Not          Not           Not          Not
SERIAL_DISK_ID           Must    Not          Not           Not          Not

Must (green) - Asset identifiers that must exist in an asset
May (amber) - Asset identifiers that may exist in an asset
Not (red) - Asset identifiers that must not exist in an asset
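
The matrix can be checked mechanically, for example when preparing asset data for import or reviewing an export. The following is an added example, not Outpost24 code: it encodes the matrix exactly as printed on this page and reads Must as required, May as optional, and Not as forbidden. The function names violations and valid_asset_types are hypothetical.

```python
# Added example: the composition matrix from this page, encoded as data.
ASSET_TYPES = ("Server", "AWS Account", "Docker Image", "GCP Account", "MAZ Account")

# One rule per asset type, in ASSET_TYPES order, transcribed from the matrix.
MATRIX = {
    "AWS_ACCOUNT_ID":     ("Not", "Must", "Not", "Not", "Not"),
    "AWS_REGION":         ("Not", "Must", "Not", "Not", "Not"),
    "DOCKER_IMAGE":       ("Not", "Not", "Must", "Not", "Not"),
    "DOCKER_REGISTRY":    ("Not", "Not", "Must", "Not", "Not"),
    "GCP_PROJECT_ID":     ("Not", "Not", "Not", "Must", "Not"),
    "HOSTNAME":           ("May", "Not", "Not", "Not", "Not"),
    "IP":                 ("May", "Not", "Not", "Not", "Not"),
    "MAC":                ("May", "Not", "Not", "Not", "Not"),
    "MAZ_TENANT_ID":      ("Not", "Not", "Not", "Not", "Must"),
    "MAZ_SUBSCRIPTION":   ("Not", "Not", "Not", "Not", "May"),
    "MAZ_RESOURCE_GROUP": ("Not", "Not", "Not", "Not", "May"),
    "MAZ_RESOURCE":       ("Not", "Not", "Not", "Not", "May"),
    "NETBIOS":            ("May", "Not", "Not", "Not", "Not"),
    "SEED_PATH":          ("May", "May", "May", "May", "May"),
    "SERIAL_MACHINE_ID":  ("Must", "Not", "Not", "Not", "Not"),
    "SERIAL_PRODUCT_ID":  ("Must", "Not", "Not", "Not", "Not"),
    "SERIAL_DISK_ID":     ("Must", "Not", "Not", "Not", "Not"),
}


def violations(asset_type, identifier_types):
    """Return the rules an identifier set breaks for one asset type."""
    column = ASSET_TYPES.index(asset_type)
    present = set(identifier_types)
    problems = [f"unknown identifier type {name}"
                for name in sorted(present - set(MATRIX))]
    for name, rules in MATRIX.items():
        if rules[column] == "Must" and name not in present:
            problems.append(f"missing required {name}")
        elif rules[column] == "Not" and name in present:
            problems.append(f"forbidden {name}")
    return problems


def valid_asset_types(identifier_types):
    """List every asset type the identifier set could legally compose."""
    return [t for t in ASSET_TYPES if not violations(t, identifier_types)]


if __name__ == "__main__":
    # Constructed sample identifier sets, not taken from a real account.
    samples = [
        {"AWS_ACCOUNT_ID", "AWS_REGION", "SEED_PATH"},
        {"DOCKER_IMAGE", "DOCKER_REGISTRY", "IP"},
        {"MAZ_SUBSCRIPTION"},
    ]
    for sample in samples:
        print(sorted(sample), "->", valid_asset_types(sample) or "no valid asset type")
    print(violations("MAZ Account", {"MAZ_SUBSCRIPTION"}))
```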

Asset Sources

Each asset contains one or more sources visible in the source column which describe where the asset comes from:

  • Scout
  • Scale is an automated Dynamic Application Security Testing (DAST) scanner designed to analyze web applications for vulnerabilities at volume and speed.
  • Cloud security assessment
  • SWAT is a combination of web application scanning technology and Security Consultants to provide the most accurate and reliable solution for dynamic security testing of web applications.
  • Assure is a point in time security assessment of a web application designed to provide customers an assurance of the security level of their application.
  • Netsec solutions provide capabilities to identify, categorize, manage, and report on network-attached Information Technology (IT) assets and their security vulnerabilities such as insecure system configurations or missing security updates.
  • Snapshot is a point in time security assessment of a web application designed to provide customers a detailed overview of the security level of their application.


Subscription Type

The Active subscription column indicates whether the asset has one or more currently active subscriptions or if it is inactive.

 


Asset Naming

Asset names are auto-generated by the system and derived from the underlying identifiers.

The asset name is a customizable attribute and can be changed.

Changes from Previous Versions of Portal

Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.

Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.

Customizing the Asset View

The Assets view lists all tracked assets. 


Configuring the Columns

The Columns can be configured in several ways. Columns can be added and removed and the order in which they are displayed can be changed.

Selecting Columns

By clicking on the filter bar next to the main menu, a column menu is displayed where columns can be selected and deselected to configure the view.

The content in the column menu may change depending on which view it is opened in.

Changing Column Width

All the columns are configurable in width by dragging the dotted area on the right side of the column head.

Changing Column Presentation

By dragging the dotted area at the bottom of the column head, the order in which the columns are presented can be changed.

Multi Select

You can select several rows by checking multiple boxes at a time. This enables you to use the tools from the blue tool bar beneath the table on all the selected rows simultaneously.

For example, to use the tagging tool on three rows at once, select the rows, click the Edit Tag icon, and fill in the tag name. The three selected rows get the same tag.

The toolbar varies between different views. For example, the Asset toolbar contains different tools than the toolbar in the findings view.

Date Picker

Each column containing a date has a date picker where dates can be set to filter the column accordingly.


To customize the view:

  1. Click the Filter icon to see the available columns and filtering options. See Common Settings Panel for more information.



  2. Add desired columns by clicking on the Show/Hide Column icon.

Filtering Assets

Adding Selections

To access the filters:

  1. Open Findings and then Vulnerabilities.
  2. Open the Assets panel by clicking the double dotted line.



  3. Clicking on a row selects single items.



    Ctrl + click selects multiple non-contiguous items, and Shift + click selects multiple contiguous items.



    If a selected asset is clicked again, it is unselected and unfiltered.

Selection Counters

When assets are selected, a badge is displayed that informs that there is an asset filter applied with a counter.

In the image, four assets are selected, as indicated by the badge on the Assets bar. On the Column bar, the badge indicates that one filter has been added.

Clearing Selections

The Clear all button unselects all selections.

Assets - Details

Select an asset to view its details on the right side of the window.

Risk Profile

The Risk Profile tab displays the information about the name and source of the asset, and the CVSS v3 risk categories of the findings associated with that specific asset.

Severity chart

The chart offers an overview of all findings, sorted by severity. Clicking on an item in each severity list reveals more details about the severity, while clicking on a severity slice in the chart leads to the filtered Findings view.

Each list item can be expanded to reveal more detailed information about each segment. Hovering over the chart also displays more information about each part.

Top Recommended Actions

The Top Recommended Actions provides suggestions of actions needed to remedy most of the high risk findings.



OWASP top 10

The OWASP Top 10 provides an indication on where on the scale of the most critical security risks the findings are located.


Tags

The Tagging button allows you to add or remove tags from the selected asset.

View Related Findings

The View Related Findings button redirects you to a filtered findings table containing the findings associated to the selected asset.

Scans

Displays a list of scans along with the status and results of each scan of that asset.

URLS

STATUS

If you have a SWAT, Assure, or Snapshot type subscription and open the detail view of those assets, the empty state message in the Scans tab should display "This is a SWAT/Assure/Snapshot asset, it's continuously monitored by Outpost24 Appsec team and therefore no scans can be shown here".


Configurations

Takes you to Scan Configurations.



Associations

Displays the IPs, host names, instances, and services associated with the selected asset.


Subscriptions

Subscriptions represent the customer's engagement with Outpost24 and each entry corresponds to an already purchased and paid subscription.

Shows the active or inactive subscriptions on assets.


The Subscription tab lists the current subscriptions assigned to the selected asset.

If no subscription is available for the selected asset, this message is displayed.


Agents


Technical Preview

This section is a technical preview of a feature that is currently under development. This feature is hidden behind a feature flag.


The Agents view lists all asset identifiers that are of Agent type.

The same columns that are available in the Asset view are also present in Agent view with an addition of columns that are specific to the agent type such as:

  • Agent version
  • Agent last synchronized
  • Agent retired
  • Agent id

Columns that show Agent asset data are also added to the Agent view, and filtering is allowed on those columns:

  • Asset IDs: a list of ids of associated Agent assets, separated by commas; each id is a hyperlink that links to the asset in the Asset view
  • Asset names: a list of names of associated Agent assets, separated by commas and in alphabetically ascending order


         

Logs

Selecting an agent provides a view with logs for that Agent.


Managing Agents

Right-clicking an agent provides a menu where you can add and remove tags.



Edit Tags

The Edit tags action displays a popup where the user can link, or create and then link, tags to the Agent’s assets. In the Agent view, these tags are displayed as "This tag is inherited".


Update External Tags

The Update external tags action displays a popup, telling the user how many assets will have their tags updated. 

Removing Tags from Agents

To remove a tag from the Agent, click the X on the right-hand side of the tag.



Managing Assets

The assets can be managed using the tools in the tools menu.

To manage the assets in the table:

  1. Right click an asset to open the Tools menu.



  2. Click the preferred task.

Rename

Rename the Asset.

When multiple assets are selected, the new name is applied to all of the selected assets.

Configure Assets

This action creates scan configurations for the selected assets allowing further customization of the scanning parameters.


Once the scan configuration has been created, it will appear in the Scan configurations view where it can be additionally tweaked.

Submit for Scoping

The Outpost24 Appsec team can help with a deeper assessment of business-critical assets beyond automated vulnerability scans. This feature provides a scoping form that can be used to conveniently request a quote for an assessment of the selected assets. The available solutions are currently SWAT, Assure and Snapshot. Once the form has been submitted, the Outpost24 Appsec team will get back to confirm the scope, the proposed assessment format, and the time frame for the assessment.

Target Start Date

Set the starting date for when the asset should be scanned.

Assets

Administration interface URLs

URL to any administrative interface to the asset.

Out of Scope URLs

List all URLs that should not be part of the scan.

Known Sensitive functionality

Any sensitive functionality that the testers should be aware of.

Credentials

See Scan Credentials for more information about credentials.

Component and technologies
Focus areas


Tags

Tagging helps to create more custom filtering options by adding specific tags to various entities. Customize the asset view by adding or removing the tags and by applying filters. Each view has a Filter and Settings panel. To access it, click the Filter icon in the bar spanning along the left edge of the table. This displays the Filter and Settings panel. Inside the Filter and Settings panel, it is possible to add or remove columns, apply filters, save sorting order, and column width and make it persist on your account.

The Update external tags function adds all custom attributes of Agent asset identifiers as tags on the asset, except the MAC attribute.

See Tags for more information about tags.

View Related Findings

The View related findings action opens a view of the findings linked to the selected asset.

Generate Report

Generates reports containing all vulnerability findings associated with the selected assets.

Edit the Asset Environmental Vectors

Different environments can have a big impact on the risk that some vulnerabilities pose to your company. The CVSS environmental metric group captures vulnerability characteristics associated with a user's IT environment. Environmental metrics are optional; each metric can be set to "Not defined" so that it does not affect the score. This value is used when a user thinks a particular metric is not applicable and wants to "skip" it.

These metrics allow the analyst to tailor the CVSS score based on the value of the affected IT asset to the user's organization, as measured by the presence of complementary/alternative security controls, Confidentiality, Integrity, and Availability. Metrics are modifications of base metrics that assign metric values based on the placement of assets within an organization's infrastructure.

  1. Select the asset you want to edit.
  2. Click the Edit Environmental CVSS Vector icon in the right click menu.



  3. In the pop-up that is displayed, you can edit the Environmental Vectors for both CVSSv2 and CVSSv3.



    CVSSv2 metrics, with the options and their descriptions:

    Collateral Damage potential (CDP)

      • Not Defined (ND): This value does not affect the score and is skipped by the equation.
      • None (N): There is no potential for loss of assets, productivity, or revenue.
      • Low (light loss) (L): A successful exploit of this vulnerability may result in a slight loss of revenue or productivity to the organization.
      • Low-Medium (LM): A successful exploit of this vulnerability may result in a moderate loss of revenue or productivity to the organization.
      • Medium High (MH): A successful exploit of this vulnerability may result in a significant loss of revenue or productivity.
      • High (Catastrophic loss) (H): A successful exploit of this vulnerability may result in a catastrophic loss of revenue or productivity.

    Target Distribution (TD)

      • Not Defined (ND): This value does not affect the score and is skipped by the equation.
      • None [0%] (N): No target resources exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
      • Low [0-25%] (L): Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk.
      • Medium [26-75%] (M): Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk.
      • High [76-100%] (H): Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk.

    Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR)

      • Not Defined (ND): This value does not affect the score and is skipped by the equation.
      • Low (L): Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates.
      • Medium (M): Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates.
      • High (H): Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates.




    CVSSv3 metrics, with the options and their descriptions:

    Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • Low (L): Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates.
      • Medium (M): Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates.
      • High (H): Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates.

    Modified Attack Vector (MAV)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • Network (N): Network rated vulnerabilities are remotely exploitable through the network layer of the OSI model, from several hops away, up to, and including, remote exploitation over the Internet. See also CVE-2004-0230 for more information.
      • Adjacent Network (A): The Adjacent Network rated vulnerability requires that the exploit must be launched from the same physical or logical network and cannot be performed across an OSI layer 3 boundary. See also CVE-2013-6014 for more information.
      • Local (L): Vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally, remotely through a protocol such as SSH or RDP, or use social engineering or other techniques to trick a user into helping initiate the exploit.
      • Physical (P): In this type of attack, the attacker must physically interact with the target asset. Physical interaction can be brief, like an attack from an evil maid [1], or persistent.

    Modified Attack Complexity (MAC)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • Low (L): No specific pre-conditions are required for exploitation.
      • High (H): There are conditions beyond the attacker's control for a successful attack. For this type of attack, the attacker must complete some number of preparatory steps in order to get access. This might include:
          • gathering reconnaissance data
          • overcoming mitigations
          • becoming a man-in-the-middle

    Modified Privileges Required (MPR)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • None (N): The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack.
      • Low (L): The attacker is authorized with required privileges that provide basic user functions that typically only affect settings and files owned by a user. Alternatively, a low-privilege attacker can only affect non-sensitive resources.
      • High (H): The attacker is authorized with required privileges that provide significant administrative control over the vulnerable asset that could affect asset-wide settings and files.

    Modified User Interaction (MUI)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • None (N): The vulnerable resources can be exploited without user interaction.
      • Required (R): A user must complete some steps for the exploit to succeed. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

    Modified Scope (MS)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • Unchanged (U): An exploited vulnerability could only affect resources controlled by the same authority. In this case, the impacted asset and the vulnerable asset are the same.
      • Changed (C): An exploited vulnerability could affect resources beyond the authorization rights provided by the vulnerable asset. In this case, the vulnerable asset and the affected asset are different.

    Modified Confidentiality (MC)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • None (N): There is no loss of confidentiality within the impacted asset.
      • Low (L): There is some loss of confidentiality: limited information can be accessed, but the attacker has no control over what, specifically, they are able to access. The disclosure of information does not cause direct and serious damage to the affected asset.
      • High (H): The attacker has full access to all resources in the impacted asset, including highly sensitive information such as encryption keys, or access is obtained to limited information, but the information disclosed has a direct and serious impact.

    Modified Integrity (MI)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • None (N): There is no loss of integrity within the impacted asset.
      • Low (L): Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. A limited amount of information might be tampered with or modified, but the modification of the data does not have a direct and serious impact on the targeted asset.
      • High (H): The attack can modify information on the targeted assets, resulting in a complete loss of integrity or protection. This can lead to modified files, resulting in a direct and serious consequence to the impacted asset.

    Modified Availability (MA)

      • Not Defined (X): This value does not affect the score and is skipped by the equation.
      • None (N): There is no loss of availability within the impacted asset.
      • Low (L): Performance is degraded or resource availability is disrupted. Although this vulnerability could be exploited repeatedly, the attack would not completely deny service to legitimate users. The affected asset is either partially available or fully available intermittently, but in general this does not have any direct and significant consequences for the affected asset.
      • High (H): There is a complete loss of availability of the affected asset, where access to the resources of the asset is denied. This loss is either temporary during the attack or permanent, leaving the asset unreachable even after the attack. Alternatively, the attack can deny some availability, but the consequence of the lost availability is severe.

    [1] See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.

  4. Click Save.
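
To see how an environmental vector saved on an asset shifts a finding's score, the following added example (not Outpost24 code) applies the environmental equations of the CVSS v3.0 specification to a base vector. It assumes temporal metrics are Not Defined; the function names are hypothetical and the vectors in the demo are constructed.

```python
import math

# Metric weights from the CVSS v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}
# Privileges Required is weighted differently when the scope is changed.
PR = {False: {"N": 0.85, "L": 0.62, "H": 0.27},
      True: {"N": 0.85, "L": 0.68, "H": 0.5}}


def roundup(value):
    """Round up to one decimal, via integers to avoid float artefacts."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def parse(vector):
    """Split 'AV:N/AC:L/...' into a dict, ignoring a 'CVSS:3.0' prefix."""
    parts = [p for p in vector.split("/") if p and not p.startswith("CVSS:")]
    return dict(p.split(":", 1) for p in parts)


def environmental_score(base_vector, env_vector):
    base, env = parse(base_vector), parse(env_vector)

    def modified(metric):
        # Not Defined (X) or absent: the base metric value is used instead.
        value = env.get("M" + metric, "X")
        return base[metric] if value == "X" else value

    changed = modified("S") == "C"
    exploitability = (8.22 * AV[modified("AV")] * AC[modified("AC")]
                      * PR[changed][modified("PR")] * UI[modified("UI")])
    # CR/IR/AR scale the corresponding modified impact metric.
    remaining = 1.0
    for metric, requirement in (("C", "CR"), ("I", "IR"), ("A", "AR")):
        remaining *= 1 - CIA[modified(metric)] * REQ[env.get(requirement, "X")]
    misc = min(1 - remaining, 0.915)
    if changed:
        impact = 7.52 * (misc - 0.029) - 3.25 * (misc - 0.02) ** 15
    else:
        impact = 6.42 * misc
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


if __name__ == "__main__":
    base = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"  # constructed finding
    for env in ("", "CR:L/IR:L/AR:L", "MAV:L", "MC:N/MI:N/MA:N"):
        print(env or "(all Not Defined)", environmental_score(base, env))
```

With every environmental metric left at Not Defined, the result equals the base score, which is why an asset without an edited vector keeps its findings' original ratings.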

References

  1. https://www.first.org/cvss/v2/guide
  2. https://www.first.org/cvss/v3.0/specification-document




Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.





















