Common Asset Management
Purpose
This document provides users with an overview of the Assets. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec subscription.
Introduction
Assets are groups of unique hosts found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations that are scheduled and scanned independently.
These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile, in the form of top recommended solutions and risk charting, provides a quick way of assessing the criticality of an asset, its association with other assets, and already performed scans.
Assets
What are Assets?
Assets are groupings of one or several identifiers, such as IP addresses and host names, that represent distinct resources customers want to secure. As such, an asset may represent entities such as:
- An employee's laptop
- A publicly available website, hosted on a domain (for example, example.com) and served from one or more physical or virtual servers
- A database server only accessible from within an internal, protected network
- An OCI image served from a private container registry
- Resources hosted on a cloud service provider
As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.
How are Assets Created and Updated?
Assets are managed either along with the creation of a new scan configuration, or dynamically on discovering Docker images or assessing cloud resources.
Valid Asset Composition
Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.
Asset Composition Constraints
There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:
Asset Identifiers/Asset | Server | AWS Account | Docker Image | GCP Account | MAZ Account |
---|---|---|---|---|---|
AWS_ACCOUNT_ID | Not | Must | Not | Not | Not |
AWS_REGION | Not | Must | Not | Not | Not |
DOCKER_IMAGE | Not | Not | Must | Not | Not |
DOCKER_REGISTRY | Not | Not | Must | Not | Not |
GCP_PROJECT_ID | Not | Not | Not | Must | Not |
HOSTNAME | May | Not | Not | Not | Not |
IP | May | Not | Not | Not | Not |
MAC | May | Not | Not | Not | Not |
MAZ_TENANT_ID | Not | Not | Not | Not | Must |
NETBIOS | May | Not | Not | Not | Not |
SEED_PATH | May | May | May | May | May |
Must (green) - Asset identifiers that must exist in an asset
May (orange) - Asset identifiers that may exist in an asset
Not (red) - Asset identifiers that must not exist in an asset
Asset Sources
Each asset contains one or more sources visible in the source column which describe where the asset comes from:
Asset Naming
Asset names are auto-generated by the system and derived from the underlying identifiers.
The asset name is a customizable attribute and can be changed.
Changes from Previous Versions of Portal
Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.
Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.
Customizing the Asset View
The Assets view lists all tracked assets.

Configuring the Columns
The Columns can be configured in several ways. Columns can be added and removed and the order in which they are displayed can be changed.
Selecting Columns
By clicking on the filter bar to the left, a column menu is displayed where columns can be selected and deselected to configure the view.
The content in the column menu may change depending on which view it is opened in.
Changing Column Width
All the columns are configurable in width by dragging the dotted area on the right side of the column head.
Changing Column Presentation
By dragging the dotted area on the bottom of the column head, the order in which the columns are presented can be changed.

Multi Select
You can select several rows by checking multiple boxes at a time. This enables you to use the tools from the blue tool bar beneath the table on all the selected rows simultaneously.
For example, to use the tagging tool on three rows at once, select the rows, click the Add Tag icon, and fill in the tag name. The three selected rows will get the same tag.
The toolbar varies between different views. For example, the Asset toolbar contains different tools than the toolbar in the findings view.
To customize the view:
- Click on the Filter icon to see the available columns and filtering options. See Common Settings Panel for more information.
- Add desired columns by clicking on the Show/Hide Column icon.
Filtering Assets
Adding Selections
To access the filters:
- Open Findings and then Vulnerabilities.
- Open the Assets panel by clicking the double dotted line.
- Clicking on a row selects a single item.
Ctrl + click selects multiple non-contiguous items, and Shift + click selects multiple contiguous items.
If a selected asset is clicked again, it is unselected and unfiltered.
Selection Counters
When assets are selected, a badge with a counter is displayed to show that an asset filter is applied.
In the image, four assets are selected, as indicated by the badge on the Assets bar. On the Column bar, the badge indicates that one filter has been added.
Clearing Selections
The Clear all button unselects all selections.
Assets - Details
Select an asset to view its details on the right side of the window.
Risk Profile
The Risk Profile tab displays the information about the name and source of the asset, and the CVSS v3 risk categories of the findings associated with that specific asset.
Top Recommended Actions
The Top Recommended Actions provide suggestions of actions needed to remedy most of the high-risk findings.
OWASP Top 10
The OWASP Top 10 provides an indication of where on the scale of the most critical security risks the findings are located.
Tags
The two Tagging buttons allow you to add or remove tags from the selected asset.
View Related Findings
The View Related Findings button redirects you to a filtered findings table containing the findings associated with the selected asset.
Scans
Displays a list of scans along with the status and results of each scan of that asset.
URLS
STATUS
Configurations
Takes you to Scan Configurations.
Associations
Displays the IPs, host names and services associated with the selected asset.
Edit the Asset Environmental Vectors
Different environments can have a big impact on the risk that some vulnerabilities pose to your company. The CVSS environmental metric group captures vulnerability characteristics associated with a user's IT environment. Environmental metrics are optional; each metric can be set to "Not defined" so that it does not affect the score. This value is used when a user thinks a particular metric is not applicable and wants to "skip" it.
These metrics allow the analyst to tailor the CVSS score based on the value of the affected IT asset to the user's organization, as measured by the presence of complementary/alternative security controls, Confidentiality, Integrity, and Availability. Metrics are modifications of base metrics that assign metric values based on the placement of assets within an organization's infrastructure.
- Select the asset you want to edit.
- Click the Edit Environmental CVSS Vector icon on the lower right corner.
In the pop-up that is displayed, you can edit the Environmental Vectors for both CVSSv2 and CVSSv3.
CVSSv2 environmental metrics:
Metric | Option | Description |
---|---|---|
Collateral Damage Potential (CDP) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
CDP | None (N) | There is no potential for loss of assets, productivity, or revenue. |
CDP | Low (light loss) (L) | A successful exploit of this vulnerability may result in a slight loss of revenue or productivity to the organization. |
CDP | Low-Medium (LM) | A successful exploit of this vulnerability may result in a moderate loss of revenue or productivity to the organization. |
CDP | Medium-High (MH) | A successful exploit of this vulnerability may result in a significant loss of revenue or productivity. |
CDP | High (Catastrophic loss) (H) | A successful exploit of this vulnerability may result in a catastrophic loss of revenue or productivity. |
Target Distribution (TD) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
TD | None [0%] (N) | No target resources exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk. |
TD | Low [0-25%] (L) | Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk. |
TD | Medium [26-75%] (M) | Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk. |
TD | High [76-100%] (H) | Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk. |
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
CR, IR, AR | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
CR, IR, AR | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
CR, IR, AR | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |

CVSSv3 environmental metrics:
Metric | Option | Description |
---|---|---|
Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
CR, IR, AR | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
CR, IR, AR | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
CR, IR, AR | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |
Modified Attack Vector (MAV) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MAV | Network (N) | Network rated vulnerabilities are remotely exploitable through the network layer of the OSI model, from several hops away, up to, and including, remote exploitation over the Internet. See also CVE-2004-0230 for more information. |
MAV | Adjacent Network (A) | The Adjacent Network rated vulnerability requires that the exploit be launched from the same physical or logical network; it cannot be performed across an OSI layer 3 boundary. See also CVE-2013-6014 for more information. |
MAV | Local (L) | Vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally, remotely through a protocol such as SSH or RDP, or must use social engineering or other techniques to trick a user into helping initiate the exploit. |
MAV | Physical (P) | In this type of attack, the attacker must physically interact with the target asset. Physical interaction can be brief (like an attack from an evil maid [1]) or persistent. |
Modified Attack Complexity (MAC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MAC | Low (L) | No specific pre-conditions are required for exploitation. |
MAC | High (H) | A successful attack depends on conditions beyond the attacker's control. For this type of attack, the attacker must complete some number of preparatory steps in order to get access. This might include gathering reconnaissance data, overcoming mitigations, or becoming a man-in-the-middle. |
Modified Privileges Required (MPR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MPR | None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |
MPR | Low (L) | The attacker is authorized with required privileges that provide basic user functions that typically only affect settings and files owned by a user. Alternatively, a low-privilege attacker can only affect non-sensitive resources. |
MPR | High (H) | The attacker is authorized with required privileges that provide significant administrative control over the vulnerable asset that could affect asset-wide settings and files. |
Modified User Interaction (MUI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MUI | None (N) | The vulnerable resources can be exploited without user interaction. |
MUI | Required (R) | A user must complete some steps for the exploit to succeed. For example, a successful exploit may only be possible during the installation of an application by a system administrator. |
Modified Scope (MS) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MS | Unchanged (U) | An exploited vulnerability could only affect resources controlled by the same authority. In this case, the impacted asset and the vulnerable asset are the same. |
MS | Changed (C) | An exploited vulnerability could affect resources beyond the authorization rights provided by the vulnerable asset. In this case, the vulnerable asset and the affected asset are different. |
Modified Confidentiality (MC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MC | None (N) | There is no loss of confidentiality within the impacted asset. |
MC | Low (L) | There is some loss of confidentiality: limited information can be accessed, but the attacker has no control over what, specifically, they are able to access. The disclosure of information does not cause direct and serious damage to the affected asset. |
MC | High (H) | The attacker has full access to all resources in the impacted asset, including highly sensitive information such as encryption keys, or access is obtained to limited information, but the information disclosed has a direct and serious impact. |
Modified Integrity (MI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MI | None (N) | There is no loss of confidentiality within the impacted asset. |
MI | Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. A limited amount of information might be tampered with or modified; the modification of the data does not have a direct and serious impact on the targeted asset. |
MI | High (H) | The attack can modify information on the targeted assets, resulting in a complete loss of integrity or protection. This can lead to modified files, resulting in a direct and serious consequence to the impacted asset. |
Modified Availability (MA) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
MA | None (N) | There is no loss of confidentiality within the impacted asset. |
MA | Low (L) | Performance is degraded or resource availability is disrupted. Although this vulnerability could be exploited repeatedly, the attack would not completely deny service to legitimate users. The affected asset is either partially available or fully available intermittently, but in general this does not have any direct and significant consequences for the affected asset. |
MA | High (H) | There is a complete loss of availability of the affected asset, where access to the resources of the asset is denied. This loss is either temporary during the attack or permanent, leaving the asset unreachable even after the attack. Alternatively, the attack can deny some availability, but the consequence of the lost availability is severe. |

[1] See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.
- Click Save.
Copyright
© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Trademark
Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.