Assets
Purpose
This document provides users with an overview of the Assets. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec subscription.
Introduction
Assets are groups of unique hosts or agents found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations which are being scheduled and scanned independently.
These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile, in the form of top recommended solutions and risk charting, provides a quick way of assessing the criticality of an asset, its association with other assets, and the scans already performed.
Assets
What are Assets?
Assets are groupings of one or several identifiers, such as IP addresses and host names, that represent distinct resources customers want to secure. As such, an asset may represent entities such as:
An employee's laptop
A publicly available website, hosted on a domain (for example, example.com) and served from one or more physical or virtual servers
A database server only accessible from within an internal, protected network
An OCI image served from a private container registry
Resources hosted on a cloud service provider
An Outpost24 agent
As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.
How are Assets Created and Updated?
Assets are created dynamically when discovered during scans.
Valid Asset Composition
Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.
Asset Composition Constraints
There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:
Asset Identifiers/Asset | Server | AWS Account | Docker Image | GCP Account | MAZ Account |
---|---|---|---|---|---|
AWS_ACCOUNT_ID | Not | Must | Not | Not | Not |
AWS_REGION | Not | Must | Not | Not | Not |
DOCKER_IMAGE | Not | Not | Must | Not | Not |
DOCKER_REGISTRY | Not | Not | Must | Not | Not |
GCP_PROJECT_ID | Not | Not | Not | Must | Not |
HOSTNAME | May | Not | Not | Not | Not |
IP | May | Not | Not | Not | Not |
MAC | May | Not | Not | Not | Not |
MAZ_TENANT_ID | Not | Not | Not | Not | Must |
MAZ_SUBSCRIPTION | Not | Not | Not | Not | May |
MAZ_RESOURCE_GROUP | Not | Not | Not | Not | May |
MAZ_RESOURCE | Not | Not | Not | Not | May |
NETBIOS | May | Not | Not | Not | Not |
SEED_PATH | May | May | May | May | May |
SERIAL_MACHINE_ID | Must | Not | Not | Not | Not |
SERIAL_PRODUCT_ID | Must | Not | Not | Not | Not |
SERIAL_DISK_ID | Must | Not | Not | Not | Not |
Must (green) - Asset identifiers that must exist in an asset
May (amber) - Asset identifiers that may exist in an asset
Not (red) - Asset identifiers that must not exist in an asset
Asset Sources
Each asset contains one or more sources visible in the source column which describe where the asset comes from:
Scout
Scale is an automated Dynamic Application Security Testing scanner (DAST) designed to analyze web applications for vulnerabilities at volume and speed.
Cloud security assessment
SWAT is a combination of web application scanning technology and Security Consultants to provide the most accurate and reliable solution for dynamic security testing of web applications.
Assure is a point-in-time security assessment of a web application designed to provide customers an assurance of the security level of their application.
Netsec solutions provide capabilities to identify, categorize, manage, and report on network-attached Information Technology (IT) assets and their security vulnerabilities such as insecure system configurations or missing security updates.
Snapshot is a point-in-time security assessment of a web application designed to provide customers a detailed overview of the security level of their application.
Subscription Type
The Active subscription column indicates whether the asset has one or more currently active subscriptions or if it is inactive.
Asset Naming
Asset names are auto-generated by the system and are derived from the underlying identifiers.
The asset name is a customizable attribute and can be changed.
See Managing Assets for information on how to manage your assets.
Changes from Previous Versions of Portal
Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.
Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.
Customizing the Asset View
The Assets view lists all tracked assets.
Configuring the Columns
The Columns can be configured in several ways. Columns can be added and removed and the order in which they are displayed can be changed.
Selecting Columns
By clicking on the column icon a drop-down list is displayed where columns can be selected and deselected to configure the view.
The content in the column menu changes depending on which view it is opened in.
Changing Column Width
All the columns are configurable in width by dragging the dotted area on the right side of the column head.
Changing Column Presentation
By dragging the dotted area on bottom of the column head, the order in which the columns are presented can be changed.
Multi Select
You can select several rows by checking multiple boxes at a time. This enables you to use the tools from the blue tool bar beneath the table on all the selected rows simultaneously.
For example, to use the tagging tool on three rows at once, select the rows, click the edit tags icon, and fill in the tag name. The three selected rows will get the same tag.
The toolbar varies between different views. For example, the Asset toolbar contains different tools than the toolbar in the findings view.
Date Picker
Each column containing a date has a date picker where dates can be set to filter the column accordingly.
To customize the view:
Click on the filter icon to see the available columns and filtering options. See Common Settings Panel for more information.
Add desired columns by clicking on the Show/Hide Column icon.
Filtering Assets
Adding Selections
To access the filters:
Open Findings and then Vulnerabilities.
Open the Assets panel by clicking the assets icon.
Clicking on a row selects single items.
Ctrl + click selects multiple non-contiguous items, and Shift + click selects multiple contiguous items.
If a selected asset is clicked again, it is unselected and unfiltered.
Selection Counters
When assets are selected, a badge with a counter is displayed to indicate that an asset filter is applied.
In the image, three assets are selected, which is indicated by the badge on the Assets groups & Assets icon. The badge on the Filter icon indicates that one filter has been added.
Clearing Selections
The clear all button unselects all selections.
Assets - Details
Select an asset to view its details on the right side of the window.
Risk Profile
The Risk Profile tab displays the information about the name and source of the asset, and the CVSS v3 risk categories of the findings associated with that specific asset.
Severity chart
The chart offers an overview of all findings, sorted by severity. Clicking on an item in each severity list reveals more details about the severity, while clicking on a severity slice in the chart leads to the filtered Findings view.
Each list item can be expanded to reveal more detailed information of each segment such. Hovering over the chart also displays more information about each part.
Top Recommended Actions
The Top Recommended Actions provides suggestions of actions needed to remedy most of the high risk findings.
OWASP top 10
The OWASP Top 10 provides an indication on where on the scale of the most critical security risks the findings are located.
Tags
The Tagging button allows you to add or remove tags from the selected asset.
View Related Findings
The View Related Findings button redirects you to a filtered findings table containing the findings associated to the selected asset.
Scans
Displays a list of scans along with the status and results of each scan of that asset.
URLS
STATUS
If you have a SWAT, Assure, or Snapshot type subscription and open the detail view of those assets, the empty state message in the Scans tab should display "This is a SWAT/Assure/Snapshot asset, it's continuously monitored by Outpost24 Appsec team and therefore no scans can be shown here".
Note that in assets view, configurations and scans tabs are hidden if the asset only has NETSEC and/or CLOUDSEC sources.
Configurations
Takes you to Scan Configurations.
Note that in assets view, configurations and scans tabs are hidden if the asset only has NETSEC and/or CLOUDSEC sources.
Associations
Displays the IPs, host names, instances, and services associated with the selected asset.
Subscriptions
Subscriptions represent the customer's engagement with Outpost24 and each entry corresponds to an already purchased and paid subscription.
Shows the active or inactive subscriptions on assets.
The Subscription tab lists the current subscriptions assigned to the selected asset.
If no subscription is available for the selected asset, this message is displayed.
Agents
Technical Preview
This section is a technical preview of a feature that is currently under development. This feature is hidden behind a feature flag.
The Agents view lists all asset-identifiers that are of the Agent type.
The same columns that are available in the Asset view are also present in Agent view, with an addition of columns that are specific to the agent type such as:
Agent version
Agent last synchronized
Agent retired
Agent id
Columns that show Agent asset data are also added to the Agent view, and filtering is possible on those columns:
Asset IDs: a list of IDs of associated Agent assets, separated by commas; each ID is a hyperlink that links to the asset in the Asset view
Asset names: a list of names of associated Agent assets, separated by commas and in alphabetically ascending order
Logs
Selecting an agent provides a view with logs for that Agent.
Managing Agents
Right clicking on an agent provides a menu where you can add and remove tags.
Edit Tags
The Edit tags action displays a popup where the user can link, or create and then link, tags to the Agent’s assets. In the Agent view, these tags are displayed as "This tag is inherited".
Update External Tags
The Update external tags action displays a popup, telling the user how many assets will have their tags updated.
Removing Tags from Agents
To remove a tag from the Agent, click on the X on the right hand side in the tag.
Managing Assets
The assets can be managed using the tools in the context menu.
To manage the assets in the table:
Right click an asset to open the Tools menu.
Click the preferred task.
Rename
Asset names are auto-generated by the system and are derived from the underlying identifiers. The asset name is a customizable attribute and can be changed by using the Rename function in the context menu.
To rename the asset:
Right click on the assets in question to open the context menu.
Click Rename.
Fill in a new name in the Rename assets form.
Click the blue Rename button to rename the asset.
When multiple assets are selected, the new name is applied to all of the selected assets.
Edit Tags
Tagging helps to create more custom filtering options by adding specific tags to various entities. Customize the asset view by adding or removing the tags and by applying filters.
To edit the tags of an asset:
Right click on the assets in question to open the context menu.
Click Edit tags in the menu.
The Update external tags function adds all custom attributes of Agent asset identifiers as tags on the asset, except the MAC attribute.
See the Tags document for more information.
View Related Findings
The View related findings action opens a view of the findings linked to the selected asset.
Generate Report
Generates reports containing all vulnerability findings associated with the selected assets.
See Reports for more information.
Edit the Asset Environmental Vectors
Different environments can have a big impact on the risk that some vulnerabilities pose to your company. The CVSS environmental metric group captures vulnerability characteristics associated with a user's IT environment. Environmental metrics are optional; each metric can be set to "Not defined" so that it does not affect the score. This value is used when a user thinks a particular metric is not applicable and wants to "skip" it.
These metrics allow the analyst to tailor the CVSS score based on the value of the affected IT asset to the user's organization, as measured by the presence of complementary/alternative security controls, Confidentiality, Integrity, and Availability. Metrics are modifications of base metrics that assign metric values based on the placement of assets within an organization's infrastructure.
Select the asset you want to edit.
Click the Edit Environmental CVSS Vector icon in the right click menu.
In the pop-up that is displayed, you can edit the Environmental Vectors for both CVSSv2 and CVSSv3.
CVSSv2 environmental metrics
Metrics | Option | Description |
---|---|---|
Collateral Damage potential (CDP) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
Collateral Damage potential (CDP) | None (N) | There is no potential for loss of assets, productivity, or revenue. |
Collateral Damage potential (CDP) | Low (light loss) (L) | A successful exploit of this vulnerability may result in a slight loss of revenue or productivity to the organization. |
Collateral Damage potential (CDP) | Low-Medium (LM) | A successful exploit of this vulnerability may result in a moderate loss of revenue or productivity to the organization. |
Collateral Damage potential (CDP) | Medium High (MH) | A successful exploit of this vulnerability may result in a significant loss of revenue or productivity. |
Collateral Damage potential (CDP) | High (Catastrophic loss) (H) | A successful exploit of this vulnerability may result in a catastrophic loss of revenue or productivity. |
Target Distribution (TD) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
Target Distribution (TD) | None [0%] (N) | No target resources exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk. |
Target Distribution (TD) | Low [0-25%] (L) | Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk. |
Target Distribution (TD) | Medium [26-75%] (M) | Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk. |
Target Distribution (TD) | High [76-100%] (H) | Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |
CVSSv3 environmental metrics
Metric | Option | Description |
---|---|---|
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |
Modified Attack Vector (MAV) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Attack Vector (MAV) | Network (N) | Network-rated vulnerabilities are remotely exploitable through the network layer of the OSI model, from several hops away, up to, and including, remote exploitation over the Internet. See also CVE-2004-0230 for more information. |
Modified Attack Vector (MAV) | Adjacent Network (A) | An Adjacent Network-rated vulnerability requires that the exploit be launched from the same physical or logical network; it cannot be performed across an OSI layer 3 boundary. See also CVE-2013-6014 for more information. |
Modified Attack Vector (MAV) | Local (L) | Vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally, remotely through a protocol such as SSH or RDP, or use social engineering or other techniques to trick a user into helping initiate the exploit. |
Modified Attack Vector (MAV) | Physical (P) | In this type of attack, the attacker must physically interact with the target asset. Physical interaction can be brief (like an attack from an evil maid [1]) or persistent. |
Modified Attack Complexity (MAC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Attack Complexity (MAC) | Low (L) | There are no specific pre-conditions available to exploit. |
Modified Attack Complexity (MAC) | High (H) | There are conditions beyond the attacker's control for a successful attack. For this type of attack, the attacker must complete some number of preparatory steps in order to get access. |
Modified Privileges Required (MPR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Privileges Required (MPR) | None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |
Modified Privileges Required (MPR) | Low (L) | The attacker is authorized with required privileges that provide basic user functions that typically only affect settings and files owned by a user. Alternatively, a low-privilege attacker can only affect non-sensitive resources. |
Modified Privileges Required (MPR) | High (H) | The attacker is authorized with required privileges that provide significant administrative control over the vulnerable asset that could affect asset-wide settings and files. |
Modified User Interaction (MUI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified User Interaction (MUI) | None (N) | The vulnerable resources can be exploited without user interaction. |
Modified User Interaction (MUI) | Required (R) | A user must complete some steps for the exploit to succeed. For example, a successful exploit may only be possible during the installation of an application by a system administrator. |
Modified Scope (MS) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Scope (MS) | Unchanged (U) | An exploited vulnerability could only affect resources controlled by the same authority. In this case, the impacted asset and the vulnerable asset are the same. |
Modified Scope (MS) | Changed (C) | An exploited vulnerability could affect resources beyond the authorization rights provided by the vulnerable asset. In this case, the vulnerable asset and the affected asset are different. |
Modified Confidentiality (MC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Confidentiality (MC) | None (N) | There is no loss of confidentiality within the impacted asset. |
Modified Confidentiality (MC) | Low (L) | There is some loss of confidentiality: limited information can be accessed, but the attacker has no control over what, specifically, they are able to access. The disclosure of information does not cause direct and serious damage to the affected asset. |
Modified Confidentiality (MC) | High (H) | The attacker has full access to all resources in the impacted asset, including highly sensitive information such as encryption keys, or access is obtained to limited information, but the information disclosed has a direct and serious impact. |
Modified Integrity (MI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Integrity (MI) | None (N) | There is no loss of integrity within the impacted asset. |
Modified Integrity (MI) | Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. A limited amount of information might be tampered with or modified, but the modification of the data does not have a direct and serious impact on the targeted asset. |
Modified Integrity (MI) | High (H) | The attack can modify information on the targeted assets, resulting in a complete loss of integrity or protection. This can lead to modified files, resulting in a direct and serious consequence to the impacted asset. |
Modified Availability (MA) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
Modified Availability (MA) | None (N) | There is no loss of availability within the impacted asset. |
Modified Availability (MA) | Low (L) | Performance is degraded or resource availability is disrupted. Although this vulnerability could be exploited repeatedly, the attack would not completely deny service to legitimate users. The affected asset is either partially available or fully available intermittently, but in general this does not have any direct and significant consequences for the affected asset. |
Modified Availability (MA) | High (H) | There is a complete loss of availability of the affected asset, where access to the resources of the assets is denied. This loss is either temporary during the attack or permanent, leaving the asset unreachable even after the attack. Alternatively, the attack can deny some availability, but the consequence of the lost availability is severe. |
1) See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.
Click Save.
Copyright
© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.