Purpose

This document provides users with an overview of Assets. It is assumed that the reader has basic access to an OUTSCAN/HIAB account with an Appsec subscription.

Introduction

Assets are groups of unique hosts found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations that are scheduled and scanned independently.

These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile, in the form of top recommended solutions and risk charting, provides a quick way of assessing the criticality of an asset, its association with other assets, and the scans already performed.

Assets

What are Assets?

Assets are groupings of one or several identifiers, such as IP addresses and host names, that represent distinct resources customers want to secure. As such, an asset may represent entities such as:

  • An employee's laptop
  • A publicly available website, hosted on a domain (for example, example.com) and served from one or more physical or virtual servers
  • A database server only accessible from within an internal, protected network
  • An OCI image served from a private container registry
  • Resources hosted on a cloud service provider

As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.

How are Assets Created and Updated?

Assets are managed either along with the creation of a new scan configuration, or dynamically on discovering Docker images or assessing cloud resources.

Valid Asset Composition

Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.

Asset Composition Constraints

There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:

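| Asset Identifiers/Asset | Server | AWS Account | Docker Image | GCP Account | MAZ Account |
|-------------------------|--------|-------------|--------------|-------------|-------------|
| AWS_ACCOUNT_ID          | Not    | Must        | Not          | Not         | Not         |
| AWS_REGION              | Not    | Must        | Not          | Not         | Not         |
| DOCKER_IMAGE            | Not    | Not         | Must         | Not         | Not         |
| DOCKER_REGISTRY         | Not    | Not         | Must         | Not         | Not         |
| GCP_PROJECT_ID          | Not    | Not         | Not          | Must        | Not         |
| HOSTNAME                | May    | Not         | Not          | Not         | Not         |
| IP                      | May    | Not         | Not          | Not         | Not         |
| MAC                     | May    | Not         | Not          | Not         | Not         |
| MAZ_TENANT_ID           | Not    | Not         | Not          | Not         | Must        |
| NETBIOS                 | May    | Not         | Not          | Not         | Not         |
| SEED_PATH               | May    | May         | May          | May         | May         |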

Green - Asset identifiers that must exist in an asset
Orange - Asset identifiers that may exist in an asset
Red - Asset identifiers that must not exist in an asset
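The composition matrix can be checked mechanically before a batch of assets is registered. The following is an added example, not Outpost24 code: the function names and the idea of a pre-import check are assumptions, and only the Must/May/Not rules come from the table above.

```python
# Composition matrix from the table above: per asset type, the identifier
# types that must be present and those that may be present. Any other
# identifier type must not appear in that asset type.
RULES = {
    "Server":       {"must": set(),
                     "may": {"HOSTNAME", "IP", "MAC", "NETBIOS", "SEED_PATH"}},
    "AWS Account":  {"must": {"AWS_ACCOUNT_ID", "AWS_REGION"}, "may": {"SEED_PATH"}},
    "Docker Image": {"must": {"DOCKER_IMAGE", "DOCKER_REGISTRY"}, "may": {"SEED_PATH"}},
    "GCP Account":  {"must": {"GCP_PROJECT_ID"}, "may": {"SEED_PATH"}},
    "MAZ Account":  {"must": {"MAZ_TENANT_ID"}, "may": {"SEED_PATH"}},
}

def violations(asset_type, identifier_types):
    """Return the list of reasons why this identifier set is not a valid asset."""
    present = set(identifier_types)
    rule = RULES[asset_type]
    problems = []
    if not present:
        # An asset is a grouping of one or several identifiers.
        problems.append("asset has no identifiers")
    for missing in sorted(rule["must"] - present):
        problems.append(f"missing required {missing}")
    for extra in sorted(present - rule["must"] - rule["may"]):
        problems.append(f"{extra} must not appear in a {asset_type} asset")
    return problems

def matching_types(identifier_types):
    """Asset types whose constraints the identifier set satisfies."""
    return [t for t in RULES if not violations(t, identifier_types)]

if __name__ == "__main__":
    # Constructed sample records, not real inventory data.
    samples = [
        ["IP", "HOSTNAME", "NETBIOS"],
        ["AWS_ACCOUNT_ID", "IP"],
        ["DOCKER_IMAGE", "DOCKER_REGISTRY", "SEED_PATH"],
    ]
    for ids in samples:
        print(ids, "->", matching_types(ids) or violations("AWS Account", ids))
```

An AWS account ID without its region, or a cloud identifier mixed with an IP, matches no asset type, which is the condition to flag before import.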

Asset Sources

Each asset contains one or more sources visible in the source column which describe where the asset comes from:

  • SCOUT
  • SCALE
  • CLOUDSEC
  • SWAT
  • ASSURE
  • NETSEC
  • SNAPSHOT

Asset Naming

Asset names are auto-generated by the system and are derived from the underlying identifiers.

The asset name is a customizable attribute and can be changed.

Changes from Previous Versions of Portal

Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.
Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.

Customizing the Asset View

The Assets view lists all tracked assets.

To customize the view:

  1. Click the Filter icon to see the available columns and filtering options. See Common Settings Panel for more information.
  2. Add desired columns by clicking the Show/Hide Column icon.

Assets - Details

Select an asset to view its details on the right side of the window.

RISK PROFILE

Displays when the asset was first seen and last seen, and the risk overviews associated with that specific asset.

SCANS

Displays a list of scans along with the status and results of each scan of that asset.

URLS

STATUS


CONFIGURATIONS

Takes you to Scan Configurations.

ASSOCIATIONS

Displays the IPs, host names and services associated with the selected asset.

Edit the Asset Environmental Vectors

Different environments can have a big impact on the risk that some vulnerabilities pose to your company. The CVSS environmental metric group captures vulnerability characteristics associated with a user's IT environment. Environmental metrics are optional: each metric can be set to "Not defined" so that it does not affect the score. This value is used when a user thinks a particular metric is not applicable and wants to "skip" it.

These metrics allow the analyst to tailor the CVSS score based on the value of the affected IT asset to the user's organization, as measured by the presence of complementary/alternative security controls, Confidentiality, Integrity, and Availability. The modified metrics are modifications of the base metrics that assign metric values based on the placement of assets within an organization's infrastructure.

  1. Select the asset you want to edit.
  2. Click the Edit Environmental CVSS Vector icon on the lower right corner.


  3. In the pop-up that is displayed, you can edit the Environmental Vectors for both CVSSv2 and CVSSv3.


    CVSSv2 environmental metrics:

    | Metrics | Option | Description |
    |---------|--------|-------------|
    | Collateral Damage Potential (CDP) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | There is no potential for loss of assets, productivity, or revenue. |
    | | Low (light loss) (L) | A successful exploit of this vulnerability may result in a slight loss of revenue or productivity to the organization. |
    | | Low-Medium (LM) | A successful exploit of this vulnerability may result in a moderate loss of revenue or productivity to the organization. |
    | | Medium High (MH) | A successful exploit of this vulnerability may result in a significant loss of revenue or productivity. |
    | | High (Catastrophic loss) (H) | A successful exploit of this vulnerability may result in a catastrophic loss of revenue or productivity. |
    | Target Distribution (TD) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
    | | None [0%] (N) | No target resources exist, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk. |
    | | Low [0-25%] (L) | Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk. |
    | | Medium [26-75%] (M) | Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk. |
    | | High [76-100%] (H) | Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk. |
    | Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (ND) | This value does not affect the score and is skipped by the equation. |
    | | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
    | | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
    | | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |




    CVSSv3 environmental metrics:

    | Metric | Option | Description |
    |--------|--------|-------------|
    | Confidentiality Requirement (CR), Integrity Requirement (IR), Availability Requirement (AR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | Low (L) | Loss of [confidentiality/integrity/availability] is likely to have only a limited effect on the organization and associates. |
    | | Medium (M) | Loss of [confidentiality/integrity/availability] is likely to have a serious effect on the organization and associates. |
    | | High (H) | Loss of [confidentiality/integrity/availability] is likely to have a catastrophic effect on the organization and associates. |
    | Modified Attack Vector (MAV) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | Network (N) | Network rated vulnerabilities are remotely exploitable through the network layer of the OSI model, from several hops away, up to, and including, remote exploitation over the Internet. See also CVE-2004-0230 for more information. |
    | | Adjacent Network (A) | The Adjacent Network rated vulnerability requires that the exploit must be launched from the same physical or logical network and cannot be performed across an OSI layer 3 boundary. See also CVE-2013-6014 for more information. |
    | | Local (L) | Vulnerabilities with this rating are not exploitable over a network. The attacker must access the system locally, remotely through a protocol such as SSH or RDP, or requires use of social engineering or other techniques to trick a user to help initiate the exploit. |
    | | Physical (P) | In this type of attack, the attacker must physically interact with the target asset. Physical interaction can be brief (like an attack from an evil maid [1]) or persistent. |
    | Modified Attack Complexity (MAC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | Low (L) | There are no specific pre-conditions required to exploit. |
    | | High (H) | There are conditions beyond the attacker's control for a successful attack. For this type of attack, the attacker must complete some number of preparatory steps in order to get access. This might include: gathering reconnaissance data, overcoming mitigations, becoming a man-in-the-middle. |
    | Modified Privileges Required (MPR) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. |
    | | Low (L) | The attacker is authorized with required privileges that provide basic user functions that typically only affect settings and files owned by a user. Alternatively, a low-privilege attacker can only affect non-sensitive resources. |
    | | High (H) | The attacker is authorized with required privileges that provide significant administrative control over the vulnerable asset that could affect asset-wide settings and files. |
    | Modified User Interaction (MUI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | The vulnerable resources can be exploited without user interaction. |
    | | Required (R) | A user must complete some steps for the exploit to succeed. For example, a successful exploit may only be possible during the installation of an application by a system administrator. |
    | Modified Scope (MS) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | Unchanged (U) | An exploited vulnerability could only affect resources controlled by the same authority. In this case, the impacted asset and the vulnerable asset are the same. |
    | | Changed (C) | An exploited vulnerability could affect resources beyond the authorization rights provided by the vulnerable asset. In this case, the vulnerable asset and the affected asset are different. |
    | Modified Confidentiality (MC) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | There is no loss of confidentiality within the impacted asset. |
    | | Low (L) | There is some loss of confidentiality: limited information can be accessed, but the attacker has no control over what, specifically, they are able to access. The disclosure of information does not cause direct and serious damage to the affected asset. |
    | | High (H) | The attacker has full access to all resources in the impacted asset, including highly sensitive information such as encryption keys, or access is obtained to limited information, but the information disclosed has a direct and serious impact. |
    | Modified Integrity (MI) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | There is no loss of confidentiality within the impacted asset. |
    | | Low (L) | Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. A limited amount of information might be tampered with or modified, but the modification of the data does not have a direct and serious impact on the targeted asset. |
    | | High (H) | The attack can modify information on the targeted assets, resulting in a complete loss of integrity or protection. This can lead to modified files, resulting in a direct and serious consequence to the impacted asset. |
    | Modified Availability (MA) | Not Defined (X) | This value does not affect the score and is skipped by the equation. |
    | | None (N) | There is no loss of confidentiality within the impacted asset. |
    | | Low (L) | Performance is degraded or resource availability is disrupted. Although this vulnerability could be exploited repeatedly, the attack would not completely deny service to legitimate users. The affected asset is either partially available or fully available intermittently, but in general this does not have any direct and significant consequences for the affected asset. |
    | | High (H) | There is a complete loss of availability of the affected asset, where access to the resources of the asset is denied. This loss is either temporary during the attack or permanent, leaving the asset unreachable even after the attack. Alternatively, the attack can deny some availability, but the consequence of the lost availability is severe. |

    [1] See https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html for a description of the evil maid attack.

  4. Click Save.

References

  1. https://www.first.org/cvss/v2/guide
  2. https://www.first.org/cvss/v3.0/specification-document




Copyright

© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.