Scan Assessment Configuration

Technical Preview

This document contains parts that are technical previews of features that is currently under development. These features may be hidden behind a feature flag.

Purpose

This document serves to improve understanding of the role that assessment scans play in enhancing the security and resilience of an organization's digital infrastructure. Its aim is to provide a overview of the objectives and configurations of various assessments, including Application Assessment, Docker Image Assessment, Cloud Assessment, Network Host Assessment, and Agent Assessment.

Scan Assessment

Vulnerability and Compliance assessments target a set of assets and identify findings that is presented and tied to the scanned assets.

Application Assessment

The Application Assessment evaluates the security risks and vulnerabilities in an organization's software applications, and it is an important part of any vulnerability management program because vulnerabilities in applications can be exploited by attackers to gain unauthorized access to sensitive data or systems.

Application Assessments identify vulnerabilities and consider the security of an application throughout its lifecycle, including design, development, testing, deployment, and maintenance when scanned in multiple stages of its Software Development Life Cycle.

The assessment also considers the application's dependencies, including third-party libraries and frameworks, as these can introduce additional security risks and vulnerabilities.

The results of the assessment can be used to resolve vulnerabilities for remediation in the organization. Remediation may include implementing patches, code changes, or additional security controls such as web application firewalls or intrusion detection systems.

It is strongly recommended that Application Assessments are executed regularly, as new vulnerabilities can be introduced when applications are updated or new features are added.

Setting up the Application Assessment

1. Select Application assessment.
   
   

   

2. Fill in the targets.
   When adding more than one target, separate them using a new line.
   The targets can be added as:

   • URL - https://example.com

   • IPv4 - 203.0.113.1

   • IPv4:port - 198.51.100.5:5291

   • IPv6 - [2001:db8:1:2:3:4:5:6]

   • IPv6:port - [2001:db8:2fa:bba:dd3:f3c:11:2b]:928

   • Hostname - cumulus

3. After adding the targets, click the blue ADD button in the lower right corner.

URL-entries not starting with https protocol are prefixed with https://.

A configuration name is extracted from the host, optional port and path to build a unique and user-friendly representation of the added configuration. URL fragments and queries are not used for configuration names.

The Choose scanner (HIAB only) option is visible if at least one Appsec scanner is available.

• The first scanner in the list is selected by default.

• The selected scanner can be changed in the Edit view.

To add scans in HIAB Appsec, one of the regular HIAB scanners must be turned into Appsec scanner.
See Setting up a HIAB as an Appsec Scale Scanner for more information.

Docker Image Assessment

The Docker image assessment evaluates the security risks and vulnerabilities associated with the Docker images used by an organization. Docker images are pre-configured software packages that contain all the necessary components to run an application and can be easily distributed and deployed in a container environment.

A Docker Image Assessment involves tools to identify the contents of the image and assess the security of the software components, including the operating system and any applications or services included in the image. Configuration errors or misconfigurations can create security vulnerabilities that can be exploited by attackers.

The results of Docker Image Assessments are used to prioritize vulnerabilities and develop a remediation plan. It may include updating the image with the latest security patches or configurations.

It is essential that Docker Image Assessments should be conducted regularly, as new vulnerabilities can be introduced as software is updated or new images are created.

Requirements

To access a private registry, a Docker account with its credentials are required.

When scanning a Docker image using OUTSCAN RC, a HIAB deployed as a container inspection scanner is required. For more information, see Use Appsec Scale with OUTSCAN RC.

HIAB and OUTSCAN RC supports a Docker image scan. You can scan a Docker image if you have done a Docker discovery to retrieve the images available on your private Docker Registries. 

Currently, it is only possible to scan images that are less than 1GB and type of Linux and with a 64 bit architecture.

Setting up the Docker Image Assessment

Follow the below procedure to scan Docker images:

1. To create a Docker image assessment scan configuration, select Docker image assessment under Assessment.
   

   

2. Select Assets from the table displaying all the discovered images and the details of an image such as name, OS, architecture and size.

3. Select one or more images and click on ADD to save the scan configuration. The name of the scan configuration can be changed by editing it.

4. Click on the scan now icon in the blue toolbar at the bottom right to run the Docker image assessment scan.
   

   

5. View the scan status under Scans. Click on Scans on the Toolbar to view all scans performed on HIAB with the status starting 'QUEUED, STARTING, RUNNING, FINISHED'.

6. To view the vulnerability set of the scanned image, click on Findings, and select Vulnerabilities.
   

By default all Docker image vulnerabilities are displayed. You can filter the result by selecting All, No or Yes in the Potential column respectively.

• All: view all vulnerabilities.

• No: excluding any potential vulnerabilities.

• Yes: view only potential vulnerabilities without a fix.

To display the Potential item in the column, select it from the column list and check the corresponding box. 

The potential vulnerabilities are marked in the potential column with a green dot.
You can then select within the potential column the option you want.

See Scan a Docker Image for more information.

Cloud Assessment

Cloud environments can introduce new risks and vulnerabilities that may not exist in traditional on-premises environments. This makes cloud assessments an important part of any Vulnerability Management program. The Cloud Assessment evaluates compliance against a policy in a Boolean way regarding an organization's use of cloud services.

A Cloud Assessment evaluates the customer's use of the cloud service provider, as well as assessing the configuration and security of the organization's own cloud environment. This can include evaluating the security of the network architecture, access controls, and data encryption.

The assessment considers the unique security challenges to be associated with different types of public cloud deployments, such as AWS, Google Cloud, and Azure. For example, a public cloud environment may require additional controls to protect against data breaches and unauthorized access, while a private cloud environment may require more focus on access controls and network segmentation.

The assessment identifies potential vulnerabilities and risks and is used to develop plans for remediation. This includes implementing additional security controls or practices, such as multi-factor authentication, network segmentation, or regular vulnerability scanning and testing.

In summary, a cloud assessment is a critical component of maintaining a secure cloud environment and should be conducted on a regular basis to ensure ongoing protection against emerging threats and vulnerabilities.

Setting up the Cloud Assessment

1. Select which assessment to use, for this example Cloud assessment is chosen.
   

   

2. Select Credentials from the drop down menu. See Scan Credentials for more information on how to set up scan credentials.
   When aws.access.key.allow.remote = false and ARN credentials are selected, the scanner dropdown is hidden and the default scanner is selected as value.

3. Select Policy from the drop down menu.

4. Select which Regions to scan. For further information about AWS regions, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html.
   If multiple regions are selected, each time the scan configuration runs, the number of scans queued/started will match the number of regions selected.

5. Click on the blue Add button in the lower right corner to add the configuration.

Adding new configurations also populates the Assets. The assets are deducted from the submitted target information. If an asset already exists, the created configuration is linked to it. Else, it is created upon creation of the configuration and linked.

See Cloudsec Scan Configuration for more information.

Network Host Assessment

The Network Host Assessment is the process of identifying and evaluating the security risks and vulnerabilities within individual network hosts, such as servers, workstations, or network devices. The goal of a network host assessment is to identify potential security weaknesses and remediate them before they can be exploited by attackers.

A Network Host Assessment identifies the operating system and software applications installed on the host and assesses their vulnerability to known exploits and attacks. The assessment also evaluates the configuration of the host, including the security of network services, access controls, and patch levels. Configuration errors or misconfigurations can create security vulnerabilities that can be exploited by attackers.

The results of the assessment can be used to prioritize vulnerabilities and develop a plan for remediation that includes applying security patches, reconfiguring access controls or network services, or implementing additional security controls such as intrusion detection or prevention systems.

It is important that network host assessments are performed regularly, as new vulnerabilities can be introduced as software is updated or new applications are installed.

When targeting an asset, the newest Asset Identifier is selected to be resolved, if the Asset Identifier is not a hostname, the newest IP number is selected.

Setting up a Network Assessment

1. Select Network host assessment.
   
   

   

2. Fill in the Name input field with a descriptive name for the intended assessment. 

3. Select Policy from the drop-down menu. To create a new scan policy, refer to: Scan Policies.

4. Optionally, select an Override scan policy from the drop-down menu. For a more detailed description of this parameter, refer to: Policy Settings.

5. Toggle the Scanning-Less Scanning switch button to enable or disable this option. For a comprehensive understanding of this feature, refer to: Scanning-Less Scanning.

6. Click on the blue Add button in the lower right corner to add the configuration.

Agent Assessment

The Agent Assessment is the process of identifying and evaluating the security risks and vulnerabilities within mobile and remote hosts such as agent equipped workstations. The goal of a agent assessment is to identify potential security weaknesses and remediate them before they can be exploited by attackers.

A Agent Assessment identifies the operating system and software applications installed on the host and assesses their vulnerability to known exploits and attacks. 

The results of the assessment can be used to prioritize vulnerabilities and develop a plan for remediation that includes applying security patches, reconfiguring access controls or network services, or implementing additional security controls such as intrusion detection or prevention systems.

It is important that agent assessments should be performed regularly, as new vulnerabilities can be introduced as software is updated or new applications are installed.

Setting up a Agent Assessment

1. Select Agent assessment.
   
   

   

2. Fill in the Name input field with a descriptive name for the intended assessment. 

3. Enter a value in the Scan Recurrence field to specify the scan recurrence in hours. The minimum frequency is 24 hours, and the maximum is 30 days.

4. Asset Tags

5. Click on the blue Add button in the lower right corner to add the configuration.

Running Agent assessment manually from the Scan configuration is not supported, so the Scan Now button is disabled and cannot start agent scans.

Agents are asynchronous in their behavior, and are not connected to Outscan to "receive" scans when started like HIABs. Instead the agent has a duration between each scan in hours with an allowed range of 24-720 (1d-30d). When the data from an agent has been fully received, Outscan then runs reporting to complete the scan.

References

1. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Related Articles

_Copyright

_{© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.}

_Trademark

_{Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.}