Your Company Glossary and Notes - April 2003

Enterprise Assessment Reports

The Enterprise Assessment is a full blended assessment of a single IP address, system or device. Assessments use both automated and manual techniques to obtain a view of a system's vulnerabilities. Each contact within the client's organisation will receive a customised report showing vulnerability results only for those systems over which they have responsibility (least privilege).

Executive Summary

Purpose Shows high level trends for the device population's vulnerability results.
Audience Senior management or executives who want a pictorial view of the vulnerability status and history of their organisation.
Benefits Shows trends that can contribute to a CISO's dashboard or metrics. Provides a view, via the Show Detail button, of the number of new vulnerabilities that are affecting the organisation and the rate at which vulnerabilities are being fixed. In turn these detail charts can be indicators of platform 'cost of ownership' and organisational remediation trends.
Pie Chart Shows the number and proportion of high (red), medium (yellow) and low (blue) vulnerabilities affecting the device population this month.
Bar Chart Shows a rolling twelve month history of the number of total, high, medium and low vulnerabilities that have affected the device population.
Show Details Button Expands [+], or collapses [-] the report view to show pie and bar chart trends for fixed vulnerabilities and new vulnerabilities.
'Fixed' vulnerabilities are those that were detected during the previous assessment but were not detected during the current one. 'New' vulnerabilities are those that were detected during the current assessment but not in the immediately preceding assessment.

Servers

Purpose Lists all devices scanned and acts as an index, or jump-off point, to the detail device vulnerability reports.
Audience Technical managers or systems or facilities owners who want an overview of which of their systems have security issues.
Benefits Shows an ordered list of all devices scanned and summarises their security status. Provides various summary trend statistics that indicate if the situation is improving, static or worsening. The vulnerability list indicates if any devices have specific vulnerabilities that may be of particular interest.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Vulnerability Statistics The first column of statistics shows the number and severity of all vulnerabilities discovered and the number of new vulnerabilities discovered (i.e. vulnerabilities present this month that were not present last month).
The second column of statistics shows for each severity of vulnerability the number and percentage of devices that had that severity of vulnerability as its worst type. For example, if 13% of hosts are shown as having low risk vulnerabilities this means they do not have any vulnerabilities of a higher severity (i.e. medium or high).
The third column shows the type of assessment that was performed (Professional, Enterprise, Enterprise+); the start and end dates/times of the assessment; the total number of devices assessed this month; and the number of new devices assessed this month.
Summary of Results Table Shows an ordered list of all devices assessed. Ordering is first by severity of vulnerability; then number of vulnerabilities; then severity of risk associated with open ports; then number of open ports.
For each device scanned the table displays:
  • The DNS name of the device (if any). A 'new' graphic next to the host name indicates this month is the first time the system was scanned/discovered.
  • Its IP address.
  • A link to the detailed vulnerability report for that device.
  • The number of open ports found on that device (the cell is coloured red if any of these ports are considered high risk, otherwise it is coloured blue).
  • The total number of vulnerabilities discovered (the cell is coloured red if the worst vulnerability's severity is high, yellow if medium, blue if low). The number of new vulnerabilities discovered this month is shown in brackets.
All Vulnerabilities Found Table Shows a unique ordered list of all vulnerabilities discovered. Ordering is by severity. For each vulnerability the table displays:
  • The frequency of occurrence of the vulnerability.
  • The vulnerability name. This links to its full description in the Vulnerabilities page.
  • The severity of the vulnerability.
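Worked example (added to these notes; it is not code from the assessment service): the Servers report figures derived from two consecutive monthly assessments, using the definitions above for 'new' and 'fixed' vulnerabilities, the worst-severity breakdown in the second statistics column, and the Summary of Results ordering. The data model, the device names, the ports and the list of high risk ports are assumptions made for the example.

```python
"""Worked example for the Servers report (added to these notes; not the
assessment service's own code). Derives 'new' and 'fixed' vulnerabilities,
the worst-severity breakdown and the Summary of Results ordering from two
consecutive monthly assessments. The data model, device names, ports and
the list of high risk ports are assumptions made for the example."""

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Ports the example treats as high risk (assumed; the report's own list is
# not given in the notes).
HIGH_RISK_PORTS = {(21, "tcp"), (23, "tcp"), (135, "tcp"), (445, "tcp")}

# Constructed sample data: device -> open ports and vulnerabilities
# (five digit vulnerability code -> severity) for two consecutive months.
LAST_MONTH = {
    "www.example.com": {"ip": "192.0.2.10",
                        "ports": {(80, "tcp"), (443, "tcp")},
                        "vulns": {"10001": "high", "10002": "low"}},
    "mail.example.com": {"ip": "192.0.2.20",
                         "ports": {(25, "tcp")},
                         "vulns": {"10003": "medium"}},
}
THIS_MONTH = {
    "www.example.com": {"ip": "192.0.2.10",
                        "ports": {(80, "tcp"), (443, "tcp"), (23, "tcp")},
                        "vulns": {"10002": "low", "10004": "high"}},
    "mail.example.com": {"ip": "192.0.2.20",
                         "ports": {(25, "tcp")},
                         "vulns": {"10003": "medium"}},
    "dns.example.com": {"ip": "192.0.2.30",          # first scanned this month
                        "ports": {(53, "udp")},
                        "vulns": {"10005": "low"}},
}


def new_and_fixed(previous, current):
    """'New' = present this month but not last month; 'fixed' = present
    last month but not this month. Works on any pair of dicts or sets keyed
    by vulnerability code (and equally on device or port sets)."""
    new = set(current) - set(previous)
    fixed = set(previous) - set(current)
    return new, fixed


def worst_severity(vulns):
    """Severity of the worst vulnerability on a device, None if it has none."""
    if not vulns:
        return None
    return max(vulns.values(), key=SEVERITY_RANK.__getitem__)


def summarise_device(name, current, previous):
    """One row of the Summary of Results table."""
    cur = current[name]
    prev_vulns = previous.get(name, {}).get("vulns", {})
    new, fixed = new_and_fixed(prev_vulns, cur["vulns"])
    return {
        "name": name,
        "ip": cur["ip"],
        "new_device": name not in previous,       # the 'new' graphic
        "open_ports": len(cur["ports"]),
        "high_risk_ports": bool(cur["ports"] & HIGH_RISK_PORTS),  # red cell
        "vulns": len(cur["vulns"]),
        "new_vulns": len(new),                    # shown in brackets
        "fixed_vulns": len(fixed),
        "worst": worst_severity(cur["vulns"]),    # decides the cell colour
    }


def summary_of_results(current, previous):
    """Rows ordered as the notes describe: severity of the worst
    vulnerability, then number of vulnerabilities, then port risk, then
    number of open ports, riskiest device first."""
    rows = [summarise_device(name, current, previous) for name in current]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["worst"], 0), r["vulns"],
                             r["high_risk_ports"], r["open_ports"]),
              reverse=True)
    return rows


def worst_severity_breakdown(current):
    """Second statistics column: number and percentage of devices whose
    worst vulnerability is of each severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for device in current.values():
        worst = worst_severity(device["vulns"])
        if worst:
            counts[worst] += 1
    total = len(current)
    return {s: (n, round(100.0 * n / total, 1)) for s, n in counts.items()}


if __name__ == "__main__":
    for row in summary_of_results(THIS_MONTH, LAST_MONTH):
        print(row)
    print(worst_severity_breakdown(THIS_MONTH))
```

A device that has only new vulnerabilities this month therefore shows the same count in its total and in brackets, and a device that dropped off the assessment entirely contributes its whole vulnerability list to the 'fixed' figure, which is why the Executive Summary's 'fixed' trend should be read alongside the number of devices assessed.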

Server Detail

Purpose Provides a detailed list and description of ports and vulnerabilities that have been discovered on the device assessed.
Audience Technical staff and system owners responsible for rectifying security issues. Firewall or network administrators should be equally interested in the 'ports' section of the report.
Benefits Highlights key security issues, remediation strategies and vulnerability references allowing technical staff to prioritise their corrective efforts.
Summary Information Lists the device's IP address and domain name (if any); type of scan (e.g. Enterprise, Enterprise+); the start and end dates/times of the assessment; and a customer defined reference field (can be any text string, e.g. an asset tag).
Contact Details Lists the e-mail addresses of all contacts who receive a copy of the vulnerability report for this device. Clicking the contact e-mail address will start your e-mail editor. Each contact/e-mail address can have a 'role' associated with it. Roles are defined by the customer, for example, 'System Owner', 'Technical', 'Business' etc.
Ports Section Has two subsections: Open Ports Found and Closed Ports. For each of these subsections the table displays:
  • The port number, in decimal.
  • The 'transport' protocol, e.g. TCP, UDP or ICMP.
  • The name of the service usually assigned to this port, e.g. 'domain' for port 53.
  • A description of the banner or response from the device.
  • A 'new' graphic is displayed at the left side of the table adjacent to ports that have been newly discovered this month (i.e. were not present last month).
In the Open Ports Found subsection the port numbers are background coloured red if the port is considered high risk, otherwise they are coloured blue. The Closed Ports subsection lists all ports that were present last month but not detected this month. This table is not coloured, to de-emphasise it and remind the user that these ports are not a risk/no longer present on the device.
Vulnerabilities Section Like the Ports Section this also has two subsections: Vulnerabilities Found and Vulnerabilities Fixed Since Last Month. Each subsection displays a list of vulnerabilities ordered by severity. Each vulnerability is described in its own table:
  • Five digit vulnerability code. A unique code you can use to reference this vulnerability when discussing with your supplier.
  • A brief title for the vulnerability.
  • A colour coded rating indicating the vulnerability's severity (the cell is coloured red if the vulnerability's severity is high, yellow if medium, blue if low). As a general guide, high risk vulnerabilities need to be fixed urgently. Medium risks are not urgent, but require attention. Low risks are minor issues. As with all vulnerabilities the customer has the best understanding of the impact of a vulnerability being exploited.
  • A description of the vulnerability. This explains what the vulnerability is, and where relevant, which software versions are affected. It describes what class of attacker could exploit it, e.g. remote user with no login, or local user with mailbox rights, etc., and details what the possible consequences of a breach are. Sometimes this will include data specific to your scan, for example URLs you can use to see the effect of the vulnerability.
  • A solution to remedy, mitigate or workaround the vulnerability. In many cases you will have to read some of the references for step-by-step instructions.
  • Links to additional references about the vulnerability, such as CVE references or advisory IDs.
  • The date the vulnerability was first discovered on this particular device.
  • The transport protocol and port number of the service over which the vulnerability was detected.
  • A six-month mini-history of this vulnerability on this device. The six 'LEDs' represent the past six months; if the LED is on (red) the vulnerability was present in that month; if the LED is off (grey) the vulnerability was not present that month. The rightmost LED pertains to the current month. This feature is useful for identifying recurring vulnerabilities, or vulnerabilities that have been reintroduced.
Listed in the Vulnerabilities Not Found This Month section are all those vulnerabilities that were present on this device last month but have not been detected this month. The vulnerabilities are not colour coded so as to de-emphasise their importance reminding the user that they are not a risk/no longer present on the device.
Historical Information Bar charts showing rolling twelve month histories for the number of Open Ports, Vulnerabilities and Fixed Vulnerabilities on this particular device. The Vulnerabilities chart is stacked to discriminate between 'new' vulnerabilities (i.e. ones first detected on this device this month) and 'old' vulnerabilities (i.e. ones that were first detected in prior months and are still present).
Stoplisted Vulnerabilities These are vulnerabilities the client has nominated as unimportant and no longer wishes them to be included in the main body of the report. Stoplisted vulnerabilities do not contribute to statistics or trending figures. Stoplisted vulnerabilities are not colour coded so as to de-emphasise their importance reminding the user that they are not considered a risk.
Stoplisted vulnerabilities have an audit trail attached to them indicating the e-mail ID of the contact who 'stopped' the vulnerability; the duration the vulnerability will remain stoplisted; and the reason for the stoplisting.

Vulnerabilities

Purpose Lists all vulnerabilities that have been discovered, cross referenced by vulnerable devices and CVE identities.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which devices are vulnerable to specific exploits/CVEs.
Benefits Allows management to prioritise the remediation efforts of staff by identifying which devices are vulnerable to which exploit. Enables vulnerabilities to be searched for and located by CVE identity.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Vulnerability Statistics The first column of statistics shows the number and severity of all vulnerabilities discovered and the number of new vulnerabilities discovered (i.e. vulnerabilities present this month that were not present last month).
The second column of statistics shows for each severity of vulnerability the number and percentage of devices that had that severity of vulnerability as its worst type. For example, if 13% of hosts are shown as having low risk vulnerabilities this means that 13% of devices do not have any vulnerabilities of a higher severity (i.e. medium or high).
The third column shows the type of assessment that was performed (Professional, Enterprise, Enterprise+); the start and end dates/times of the assessment; the total number of devices assessed this month; and the number of new devices assessed this month.
CVE Compatibility Statement Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE names result from open and collaborative discussions of the CVE Editorial Board. The Board identifies which vulnerabilities or exposures will be included in CVE, then determines the common name, description, and references for each entry.
CVE 'candidates' are those vulnerabilities or exposures under consideration for acceptance into CVE. Candidates are assigned special numbers to distinguish them from CVE entries. The number, also referred to as a name, is an encoding of the year that the candidate number was assigned and a unique number N for the Nth candidate assigned that year, e.g. CAN-1999-0067.
If the CVE Editorial Board accepts the candidate, an official CVE entry is created that includes the description and references. The candidate number is converted into a CVE name by replacing the 'CAN' with 'CVE'. For example, when the Editorial Board accepted the candidate CAN-1999-0067, the candidate number was converted to CVE-1999-0067, and the resulting new entry was added to CVE.
Our vulnerability assessment service is CVE compliant, and where appropriate in our vulnerability descriptions, you will see references of the form CVE-XXXX-XXXX and CAN-XXXX-XXXX. These refer to the standard identifiers for vulnerabilities in the CVE database. The CVE references (and candidate references) in the reports are links which, when clicked, will take you to the canonical description of the CVE entry on the mitre.org website (MITRE is the company that manages the CVE database).
In some cases a single vulnerability reported, will refer to multiple CVE entries in order to reduce the amount of information presented to users. This can happen for example when a number of versions of a piece of software has had vulnerabilities so upgrading to a recent version would solve several issues.
CVE Filtering You can check which servers in a report are affected by a vulnerability with a particular CVE name using the 'Find CVE' search box. Entering the CVE name (e.g. CVE-1999-0024 or CAN-1999-0629) and pressing the 'Filter' button will display a list of all vulnerabilities (and affected devices) that match the CVE name. Searches will return both CVE names and candidate names even if the prefix is entered incorrectly. Clicking the "Reset" button clears the search field and re-displays all vulnerabilities.
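Worked example (added to these notes; it is not the assessment service's own code) of the CVE naming rules and the 'Find CVE' behaviour described above: a candidate name is promoted by swapping 'CAN' for 'CVE', and a search matches on the year and number alone so that a wrongly typed prefix still finds the entry. The vulnerability records, their titles and their device lists are constructed; the CVE and candidate names are the ones quoted in the text above and nothing is claimed here about what they describe.

```python
"""Worked example for CVE names and the 'Find CVE' filter (added to these
notes; not the assessment service's own code). The vulnerability records
are constructed for the example."""
import re

# A CVE name or candidate name: prefix (CVE or CAN), assignment year,
# sequence number. Four digit sequence numbers were the rule in 2003; the
# pattern also accepts the longer numbers issued since.
CVE_NAME = re.compile(r"^\s*(CVE|CAN)-(\d{4})-(\d{4,})\s*$", re.IGNORECASE)


def cve_key(name):
    """Canonical (year, number) key, ignoring the prefix and letter case,
    so 'CAN-1999-0024' and 'cve-1999-0024' refer to the same entry. Returns
    None if the string is not a CVE or candidate name at all."""
    m = CVE_NAME.match(name)
    return (m.group(2), m.group(3)) if m else None


def promote_candidate(name):
    """Candidate accepted into CVE: 'CAN' becomes 'CVE', the number is kept."""
    m = CVE_NAME.match(name)
    if not m:
        raise ValueError("not a CVE or candidate name: %r" % name)
    return "CVE-%s-%s" % (m.group(2), m.group(3))


# Constructed sample of reported vulnerabilities. Titles are placeholders.
# One entry carries two references, as happens when a single upgrade
# closes several issues and they are reported together.
VULNERABILITIES = [
    {"code": "10001", "title": "sample issue A",
     "cves": ["CVE-1999-0024"],
     "devices": ["www.example.com"]},
    {"code": "10002", "title": "sample issue B",
     "cves": ["CAN-1999-0629", "CVE-1999-0067"],
     "devices": ["mail.example.com", "dns.example.com"]},
    {"code": "10003", "title": "sample issue C, no CVE reference",
     "cves": [],
     "devices": ["dns.example.com"]},
]


def find_cve(query, vulnerabilities=VULNERABILITIES):
    """'Find CVE' filter: the vulnerabilities (with their devices) whose
    references match the query, whichever prefix the user typed.
    Returns [] for a string that is not a CVE name."""
    key = cve_key(query)
    if key is None:
        return []
    return [v for v in vulnerabilities
            if any(cve_key(ref) == key for ref in v["cves"])]


def affected_devices(query, vulnerabilities=VULNERABILITIES):
    """Sorted, de-duplicated list of devices affected by a CVE name."""
    devices = set()
    for v in find_cve(query, vulnerabilities):
        devices.update(v["devices"])
    return sorted(devices)


if __name__ == "__main__":
    print(promote_candidate("CAN-1999-0067"))
    for v in find_cve("can-1999-0024"):
        print(v["code"], v["title"], v["devices"])
```

Because the match is on year and number only, a report produced before a candidate was accepted and one produced after it still answer the same search, which is what a remediation tracker needs when it stores the CVE name at the time of first detection.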
Viewing Option Buttons A range of buttons that allow the user to collapse and expand vulnerability descriptions and the names/IP addresses of vulnerable devices.
Vulnerability Descriptions Each vulnerability is described in its own table:
  • A view button [-/+] allowing descriptions to be collapsed or expanded.
  • Five digit vulnerability code. A unique code you can use to reference this vulnerability when discussing with your supplier.
  • A brief title for the vulnerability.
  • Total number of devices that have this vulnerability. A view button [-/+] allowing the vulnerable device listing to be collapsed or expanded.
  • A colour coded rating indicating the vulnerability's severity (the cell is coloured red if the vulnerability's severity is high, yellow if medium, blue if low). As a general guide, high risk vulnerabilities need to be fixed urgently. Medium risks are not urgent, but require attention. Low risks are minor issues. As with all vulnerabilities the customer has the best understanding of the impact of a vulnerability being exploited.
  • A description of the vulnerability. This explains what the vulnerability is, and where relevant, which software versions are affected. It describes what class of attacker could exploit it, e.g. remote user with no login, or local user with mailbox rights, etc., and details what the possible consequences of a breach are. Sometimes this will include data specific to your scan, for example URLs you can use to see the effect of the vulnerability.
  • A solution to remedy, mitigate or workaround the vulnerability. In many cases you will have to read some of the references for step-by-step instructions.
  • Links to additional references about the vulnerability, such as CVE references or advisory IDs.
  • A list of all devices, by domain name and IP address, that have this vulnerability. The date the vulnerability was first detected on a device in the target population is included in square brackets. Clicking on the device link will display the "Server Detail" report. If the vulnerability was not present on a particular device in the immediately preceding assessment but has been found on the device during this assessment a 'new' graphic/icon is displayed next to the device.

Ports

Purpose Lists all TCP, UDP and ICMP services that have been discovered across the target device population, cross referenced by device.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which services are visible on which devices.
Benefits Allows management to prioritise the remediation efforts of staff by identifying which devices are offering which services.
TCP Open Ports Lists all open TCP ports that respond to the standard TCP connect three-way handshake. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those devices that have that port open.
UDP Open Ports Lists all responding UDP services. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those devices that have that port open.
ICMP Open Ports Lists all responding ICMP services. ICMP services are listed in ascending numerical (decimal) order. The name of each service is listed next to its number. Clicking a service number link will scroll the page down to show those devices that offer that service.
Servers by Port Cross Reference Each responding port or service is listed in its own table:
  • Protocol, port or service number and common name. The background colour of this cell is red if any of these ports are considered high risk, otherwise it is coloured blue.
  • A count of the number of devices that responded on this port/service.
  • A list of all devices, by domain name and IP address, that have this port/service open. Clicking on the device link will display the 'Server Detail' report.

Unfixed By Age

Purpose Highlights vulnerability remediation issues.
Audience Management who need to identify vulnerability remediation deficiencies or highlight organisational exposure levels.
Benefits Precisely identifies devices that have ongoing vulnerabilities thereby enabling security, or other, management to focus their attentions on these risk 'hotspots'. This graph can also serve to justify investment in areas of the organisation that are not rectifying vulnerabilities in a timely manner, or are suffering resource shortages.
Line Graph The line graph summarises how many devices have unfixed vulnerabilities of various ages and severities. If a device has unfixed vulnerabilities of different ages and severities, it will be counted multiple times in the graph, but never more than once per risk severity (line) per month. For example, if a host has one high risk vulnerability that has remained unfixed for 3 months; another, different, high risk vulnerability that has remained unfixed for 6 months; and a medium risk vulnerability that has remained unfixed for 3 months, it will be counted once on the high risk line at 3 months, once on the high risk line at 6 months and once on the medium risk line at 3 months.
A vulnerability on a device that has remained unfixed for, say, 4 months is not considered (counted) as having been unfixed for 3 months, 2 months and 1 month. The rightmost column of the graph is shaded to indicate that it covers a range of months, not a single month like the other columns.
Risk Selectors The tabs attached to the top of line graph can be used to filter out lower severity vulnerabilities.
Servers with Outstanding Vulnerabilities Table The table below the line graph shows a unique list of all the hosts that have unfixed vulnerabilities. It is ordered by severity first, then by the age of the oldest unfixed vulnerability of that severity. For example, a host with unfixed high risk vulnerabilities of 6 months, 4 months and 2 months, and unfixed medium risk and low risk vulnerabilities will only be listed once in the table. It will appear in the high risk (red) section of the table.
For each device scanned the table displays:
  • The DNS name of the device (if any).
  • Its IP address.
  • The primary 'region' or group to which it belongs.
  • A link to the detailed vulnerability report for that device.
  • The number of open ports found on the device (the cell is coloured red if any of these ports are considered high risk, otherwise it is coloured blue).
  • The total 'Number' of high, medium, or low risk unfixed vulnerabilities, regardless of age.
  • The duration the 'Longest' unfixed vulnerability of that severity has been outstanding.
Note that for a vulnerability to be considered 'unfixed for one month' it must have been discovered in two consecutive months.
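Worked example (added to these notes; it is not the assessment service's own code) of the Unfixed By Age counting rules above. Each vulnerability carries its monthly detection history, oldest first, in the same spirit as the six 'LED' mini-history on the Server Detail report; the age follows the note that a vulnerability is 'unfixed for one month' only after two consecutive detections, so a vulnerability seen for the first time this month has age zero and is not plotted. The device data and the width of the shaded rightmost column are assumptions made for the example.

```python
"""Worked example for the Unfixed By Age report (added to these notes; not
the assessment service's own code). The data, the device names and the
width of the rightmost graph column are assumptions made for the example."""

SEVERITIES = ("high", "medium", "low")
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}
# Assumed: the shaded rightmost column of the graph covers ages of six
# months or more.
MAX_AGE_COLUMN = 6

# Constructed sample: device -> {code: (severity, detection history)},
# where 1 means detected that month and the last entry is the current month.
DEVICES = {
    "www.example.com": {
        "10001": ("high",   [0, 0, 0, 1, 1, 1, 1]),  # unfixed for 3 months
        "10004": ("high",   [1, 1, 1, 1, 1, 1, 1]),  # unfixed for 6 months
        "10007": ("medium", [0, 0, 0, 1, 1, 1, 1]),  # unfixed for 3 months
    },
    "mail.example.com": {
        "10003": ("medium", [0, 0, 0, 0, 0, 1, 1]),  # unfixed for 1 month
        "10002": ("low",    [0, 0, 0, 0, 0, 0, 1]),  # first seen: not 'unfixed'
    },
    "dns.example.com": {
        "10005": ("low",    [1, 1, 0, 0, 0, 0, 0]),  # fixed: not counted
    },
}


def unfixed_age(history):
    """Months a vulnerability has remained unfixed. A vulnerability seen in
    two consecutive months is 'unfixed for one month', so the age is the
    run of consecutive detections ending this month, minus one. Zero means
    not detected this month, or detected for the first time this month."""
    run = 0
    for detected in reversed(history):
        if not detected:
            break
        run += 1
    return max(run - 1, 0)


def line_graph(devices):
    """Devices per (severity, age) point. A device counts at most once per
    severity line per age column, but may appear at several ages."""
    graph = {s: {} for s in SEVERITIES}
    for vulns in devices.values():
        counted = set()
        for severity, history in vulns.values():
            age = unfixed_age(history)
            if age == 0:
                continue
            column = min(age, MAX_AGE_COLUMN)   # older ages pool in the last column
            if (severity, column) not in counted:
                counted.add((severity, column))
                graph[severity][column] = graph[severity].get(column, 0) + 1
    return graph


def outstanding_table(devices):
    """Servers with Outstanding Vulnerabilities: one row per device with any
    unfixed vulnerability, giving per severity (Number, Longest age in
    months). Ordered by the worst severity that has unfixed vulnerabilities,
    then by the longest age of that severity."""
    rows = []
    for name, vulns in devices.items():
        row = {"name": name}
        for sev in SEVERITIES:
            ages = [unfixed_age(h) for s, h in vulns.values() if s == sev]
            ages = [a for a in ages if a > 0]
            row[sev] = (len(ages), max(ages) if ages else 0)
        section = next((s for s in SEVERITIES if row[s][0]), None)
        if section is None:
            continue                           # nothing outstanding: not listed
        row["section"] = section               # red/yellow/blue part of the table
        rows.append(row)
    rows.sort(key=lambda r: (SEVERITY_RANK[r["section"]], r[r["section"]][1]),
              reverse=True)
    return rows


if __name__ == "__main__":
    print(line_graph(DEVICES))
    for row in outstanding_table(DEVICES):
        print(row)
```

With the sample data www.example.com is plotted on the high risk line at 3 and at 6 months and on the medium line at 3 months, exactly the case the text walks through, while dns.example.com, whose only vulnerability was fixed, appears in neither the graph nor the table.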

Contacts

Purpose Shows which contacts are responsible for which devices; the vulnerability status of each contact's devices; and the extent of their remediation efforts.
Audience Managers who want to verify who is responsible for a device's security and track the extent of a contact's remediation workload.
Benefits Identifies which contact is responsible for a device's security and the number of devices for which they are responsible. The statistics next to the contacts' names highlight the status of the organisation's remediation programme and where it may be constrained. For example, if a contact has not fixed any vulnerabilities it could be because they have been redeployed onto another project; are short of resources or tools; or are tardy; etc., signifying that the remediation programme may be stalling.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all contacts, to include or exclude the list of devices for which contacts have responsibility.
Contact Cross Reference Table Lists the e-mail address of each contact that gets vulnerability reports. For each contact the list of devices for which they are responsible is also shown. The table, in expanded format includes:
  • A button [-/+] that allows the device summary for the contact to be collapsed or expanded.
  • The e-mail address of the contact followed by: the number of devices over which they have responsibility; the number of devices with vulnerabilities; the total number of vulnerabilities for those devices; the number of vulnerabilities the contact has fixed since the last assessment. Trending symbols are also included.
  • The device summary for the contact that, for each device, shows:
    • The DNS name of the device (if any). A 'new' graphic next to the host name indicates this month is the first time the device was scanned/discovered.
    • Its IP address.
    • A link to the detailed vulnerability report for that device.
    • The number of open ports found on that device (the cell is coloured red if any of these ports are considered high risk, otherwise it is coloured blue).
    • The total number of vulnerabilities discovered (the cell is coloured red if the worst vulnerability's severity is high, yellow if medium, blue if low). The number of new vulnerabilities discovered this month is shown in brackets.

Regions

Purpose To segment vulnerability results by customer-defined group thereby allowing comparisons to be made across groups.
Audience Managers who want visibility of the 'security status' of parts of their organisation.
Benefits Provides visibility of the relative vulnerability status of groups and allows comparisons to be made between groups. Enables management to apply peer pressure between groups thereby assisting enterprise-wide remediation efforts. Groups can represent organisational boundaries within an organisation, for example, geographic, departmental or otherwise. If a group reflects a type of platform, e.g. Windows devices, vulnerability results can be used to contribute to overall TCO calculations, or help the enterprise drive vendor quality improvements.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary of Results Table Each region or group occupies a row in the table. The following information is provided:
  • Region name. Clicking this link will show an Executive Summary report for the devices within that region.
  • Server list. Clicking this link will show a Servers report listing all devices within that region.
  • The number of devices assessed for that region.
  • The number of new devices that have appeared in that region since the previous assessment.
  • The number of devices with vulnerabilities.
  • The number of new vulnerabilities that have been discovered in the region since the previous assessment.
  • High risk vulnerability breakdown
    • Under the "V" column the total number of high risk vulnerabilities are shown.
    • Under the "H" column the total number of devices whose highest severity vulnerability is rated as 'high risk', i.e. the number of devices that have high risk vulnerabilities.
  • Medium risk vulnerability breakdown
    • Under the "V" column the total number of medium risk vulnerabilities are shown.
    • Under the "H" column the total number of devices whose highest severity vulnerability is rated as 'medium risk', i.e. the number of devices that have medium risk vulnerabilities (and possibly low risk ones) but no high risk vulnerabilities.
  • Low risk vulnerability breakdown
    • Under the "V" column the total number of low risk vulnerabilities are shown.
    • Under the "H" column the total number of devices whose highest severity vulnerability is rated as 'low risk', i.e. the number of devices that have low risk vulnerabilities only.
Stoplisted vulnerabilities do not contribute to these regional statistics.
All Vulnerabilities Found Table Shows a unique ordered list of all vulnerabilities discovered. Ordering is by severity. For each vulnerability the table displays:
  • The vulnerability name. This links to its full description in the Vulnerabilities page.
  • The severity of the vulnerability.
  • The frequency of occurrence of the vulnerability within each region and a total frequency count.
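Worked example (added to these notes; it is not the assessment service's own code) of the regional 'V' and 'H' breakdown and the per-region frequency table, with stoplisted vulnerabilities excluded as the notes require. Every device with vulnerabilities lands in exactly one 'H' column, which is why the 'H' figures across the three severities add up to the number of devices with vulnerabilities; run over a single group, the same calculation gives the second statistics column of the Servers and Vulnerabilities reports. The devices, regions and stoplist are constructed for the example.

```python
"""Worked example for the Regions report (added to these notes; not the
assessment service's own code). The data, regions and stoplist are
constructed for the example."""

SEVERITIES = ("high", "medium", "low")
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed sample: device -> (region, {vulnerability code: severity})
DEVICES = {
    "www.example.com":  ("Europe",   {"10001": "high", "10002": "low"}),
    "mail.example.com": ("Europe",   {"10003": "medium", "10002": "low"}),
    "dns.example.com":  ("Americas", {"10002": "low"}),
    "fw.example.com":   ("Americas", {}),
    "app.example.com":  ("Americas", {"10006": "high"}),
}
# Vulnerability codes the client has nominated as unimportant; they are
# excluded from every statistic below.
STOPLIST = {"10006"}


def effective_vulns(vulns, stoplist):
    """Vulnerabilities that count towards statistics."""
    return {code: sev for code, sev in vulns.items() if code not in stoplist}


def worst_severity(vulns):
    """Highest severity present, None for a clean device."""
    if not vulns:
        return None
    return max(vulns.values(), key=SEVERITY_RANK.__getitem__)


def region_breakdown(devices, stoplist=frozenset()):
    """Per region: devices assessed, devices with vulnerabilities, and for
    each severity V (number of vulnerabilities of that severity) and H
    (devices whose worst vulnerability is of that severity)."""
    table = {}
    for region, vulns in devices.values():
        row = table.setdefault(region, {
            "devices": 0, "devices_with_vulns": 0,
            "V": dict.fromkeys(SEVERITIES, 0), "H": dict.fromkeys(SEVERITIES, 0)})
        counted = effective_vulns(vulns, stoplist)
        row["devices"] += 1
        if counted:
            row["devices_with_vulns"] += 1
            row["H"][worst_severity(counted)] += 1   # exactly one H column per device
        for sev in counted.values():
            row["V"][sev] += 1                       # every vulnerability counts in V
    return table


def vulnerability_frequency(devices, stoplist=frozenset()):
    """All Vulnerabilities Found table: (code, severity, {region: count,
    'total': n}) ordered by severity, worst first."""
    freq, severity_of = {}, {}
    for region, vulns in devices.values():
        for code, sev in effective_vulns(vulns, stoplist).items():
            entry = freq.setdefault(code, {"total": 0})
            entry[region] = entry.get(region, 0) + 1
            entry["total"] += 1
            severity_of[code] = sev
    ordered = sorted(freq, key=lambda c: SEVERITY_RANK[severity_of[c]], reverse=True)
    return [(code, severity_of[code], freq[code]) for code in ordered]


if __name__ == "__main__":
    for region, row in region_breakdown(DEVICES, STOPLIST).items():
        print(region, row)
    for entry in vulnerability_frequency(DEVICES, STOPLIST):
        print(entry)
```

In the sample, app.example.com's only vulnerability is stoplisted, so the Americas region shows one device with vulnerabilities rather than two and no entry in the high risk 'H' column; removing the stoplist restores it, which is the check to run when a region's figures look better than its Server Detail reports suggest.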

History

Purpose To show a rolling twelve month history of trends for the number of open ports and vulnerabilities on each device tested.
Audience Managers and technicians who want visibility of port and vulnerability trends for systems for which they are responsible.
Benefits Provides a view of the 'hot spots' that have occurred over the previous twelve month period and indicates on which devices the current (this period's) hot spots are.
Trending Colours A cell with a background colour of:
  • Red indicates the trend has worsened since the past assessment, i.e. an increase in the number of open ports or vulnerabilities.
  • Amber indicates the trend has remained static since the last assessment, i.e. no change in the number of open ports or vulnerabilities.
  • Green indicates the trend has improved since the last assessment, i.e. the number of open ports or vulnerabilities has reduced.
  • Blue indicates no open ports or vulnerabilities have been detected.
  • White indicates the device was not assessed in that period.
RAG Chart Within this table each device assessed is listed with its domain name (if it has one) and its IP address. If the device has no domain name just its IP address is listed. Clicking the domain name (or IP address) link will display the Server Detail report for that device. The top row for the device shows the trend for the number of open ports; the bottom row shows the trend for the number of vulnerabilities.
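Worked example (added to these notes; it is not the assessment service's own code) that colours a device's twelve month port and vulnerability rows according to the Trending Colours above. Two points the notes leave open are settled as labelled assumptions: blue (nothing detected) takes precedence over green when a count falls to zero, and a month with no earlier assessment to compare against is shown amber. The device series are constructed.

```python
"""Worked example for the History report's RAG chart (added to these notes;
not the assessment service's own code). The series are constructed and two
precedence choices are assumptions, noted in the functions below."""


def rag_colour(previous, current):
    """Cell colour from the previous and current count. None means the
    device was not assessed that month. Assumptions: 'blue' (nothing
    detected) takes precedence over the trend colours, and a month with no
    earlier figure to compare against is shown amber."""
    if current is None:
        return "white"
    if current == 0:
        return "blue"
    if previous is None or current == previous:
        return "amber"
    return "red" if current > previous else "green"


def rag_row(series):
    """Colours for one row of the chart, oldest month first. The comparison
    is with the most recent month in which the device was actually assessed
    (assumption: a white gap does not reset the trend)."""
    colours, previous = [], None
    for value in series:
        colours.append(rag_colour(previous, value))
        if value is not None:
            previous = value
    return colours


# Constructed sample: device -> (open port counts, vulnerability counts),
# twelve months, oldest first, None = not assessed that month.
DEVICES = {
    "www.example.com": ([None, None, 2, 2, 3, 3, 3, 1, 1, 0, 0, 2],
                        [None, None, 1, 1, 1, 4, 2, 2, 0, 0, 0, 0]),
    "mail.example.com": ([1] * 12,
                         [0, 0, 0, 0, 0, 0, 2, 2, 1, 1, 1, 1]),
}


def rag_chart(devices):
    """Two rows per device: open ports on top, vulnerabilities below."""
    return {name: {"ports": rag_row(ports), "vulns": rag_row(vulns)}
            for name, (ports, vulns) in devices.items()}


def current_hot_spots(devices):
    """Devices whose port or vulnerability trend worsened this period
    (a red cell in the rightmost column of either row)."""
    chart = rag_chart(devices)
    return sorted(name for name, rows in chart.items()
                  if "red" in (rows["ports"][-1], rows["vulns"][-1]))


if __name__ == "__main__":
    for name, rows in rag_chart(DEVICES).items():
        print(name, rows["ports"])
        print(" " * len(name), rows["vulns"])
    print("hot spots:", current_hot_spots(DEVICES))
```

The blue-over-green choice means a device that goes from three vulnerabilities to none shows blue rather than green; the improvement is still visible in the bar charts on its Server Detail report, so nothing is lost, but anyone counting green cells as 'fixes' should know the rule.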

Issues

Purpose To highlight issues with the administrative data provided by customers thereby ensuring assessment information remains current.
Audience Management and administrative staff responsible for overseeing the effectiveness and smooth running of the vulnerability assessment contract.
Benefits Shows which devices have not responded to vulnerability probes for three or more consecutive months. This enables IP addresses to be 'recovered' and vulnerability assessments to be retargeted to responding devices. Issues with the domain name of devices under assessment or the e-mail address of report recipients are also highlighted.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Statistics The following statistics are provided:
  • Total number of devices that do not appear to be showing any visible ports/services.
  • The number of devices that appear to have DNS problems, such as a mismatch between domain name and IP address.
  • The number of contacts that are responsible for devices that are not responding to vulnerability assessments, i.e. are not showing any visible ports/services.
  • The number of contacts that are responsible for devices that appear to have DNS problems.
  • The number of contacts with e-mail issues, for example, emails containing reports that are being returned (often due to staff leaving the company).
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all contacts, to include or exclude the list of devices with 'issues'.
Issues Table This table is organised by contact to make it easy to delegate issues to the relevant system owners. The blue coloured area shows a summary for each contact: a button [-/+] that allows the device summary for the contact to be collapsed or expanded; their e-mail address; job title/role; number of devices with no ports; any DNS problems; whether their e-mail is bouncing; and a link to send a mail. Clicking this link will open a 'compose' window in the user's default mail program with the subject and text shown in the E-mail Template section.
Expanding the device summary view for the contact shows:
  • The domain name and IP address for the device.
  • A link to the Server Detail report.
  • The number of months for which each device has had zero open ports. If the device has had open ports in the previous three months, but is included because of DNS anomalies, then this column is blank. Repeatedly having zero open ports usually indicates that an IP address is no longer in use. However in some cases this may be intentional - for example a firewall box that is scanned to verify that no ports have been accidentally opened. In such cases you may use the stoplist facility: see below.
  • Comments on the nature of the DNS problems (if any). Sometimes host names are specified that appear to be incorrect. This does not prevent the scan taking place, as the scan primarily uses the IP address. If the domain does not resolve, "Domain does not resolve" will appear in this column, with the low-level error message in brackets. These error messages are only meaningful to DNS administrators. If the domain resolves to a different IP address to the one provided then "mismatch" will appear in this column. When this column is blank this indicates that the device had no DNS anomalies, but is included because it has zero open ports. DNS anomalies usually indicate that there is some problem with the information provided. However in some cases they may be intentional - for example a host name that points to a load balanced address, while the IP address provided is one of the actual hosts. In such cases you may use the stoplist facility: see below. Some uncommon variations of round-robin DNS cannot be reliably tested and in these cases false alerts may occur.
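Worked example (added to these notes; it is not the assessment service's own code) of the checks behind the Issues table: the DNS column ('mismatch', 'Domain does not resolve' with the low-level error in brackets, or blank), the count of consecutive months with zero open ports, and the stoplist rules. A real resolver based on the system's DNS is included, but the sample runs against a constructed lookup table so it is deterministic offline; the device records and the 192.0.2.x addresses are constructed too, and a round-robin name is treated as matching when the supplied address is any one of its answers.

```python
"""Worked example for the Issues report (added to these notes; not the
assessment service's own code). Device records, DNS answers and the
stoplist are constructed for the example."""
import socket


def resolve_with_system_dns(hostname):
    """All IPv4 addresses the system resolver returns for a name.
    Raises socket.gaierror when the name does not resolve."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


# Constructed answers standing in for DNS, so the example is deterministic.
FAKE_DNS = {
    "www.example.com": ["192.0.2.10"],
    "lb.example.com": ["192.0.2.20", "192.0.2.21"],   # round-robin name
}


def fake_resolver(hostname):
    """Offline stand-in for resolve_with_system_dns."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")  # constructed error


def dns_comment(hostname, ip, resolver=resolve_with_system_dns):
    """Text for the DNS column. Blank when the name resolves to the supplied
    address; for a round-robin name the address only has to be one of the
    answers. Uncommon round-robin setups can still produce a false
    'mismatch', as the notes warn."""
    if not hostname:
        return ""
    try:
        addresses = resolver(hostname)
    except socket.gaierror as err:
        return "Domain does not resolve (%s)" % err   # low-level error in brackets
    return "" if ip in addresses else "mismatch"


def trailing_zero_port_months(port_counts):
    """Consecutive months, ending with the current one, with no visible ports."""
    months = 0
    for count in reversed(port_counts):
        if count != 0:
            break
        months += 1
    return months


# Constructed sample, oldest monthly port count first.
DEVICES = [
    {"hostname": "www.example.com", "ip": "192.0.2.10", "port_counts": [3, 3, 2]},
    {"hostname": "lb.example.com",  "ip": "192.0.2.21", "port_counts": [0, 0, 0]},
    {"hostname": "old.example.com", "ip": "192.0.2.40", "port_counts": [0, 0, 0, 0]},
    {"hostname": "www.example.com", "ip": "192.0.2.99", "port_counts": [1, 1, 1]},
]
# (reason, ip) pairs the client has stoplisted; 192.0.2.40 is a firewall
# that is expected to show no ports.
STOPLIST = {("zero open ports", "192.0.2.40")}


def issues_rows(devices, stoplist=frozenset(), resolver=fake_resolver):
    """Devices with issues: three or more consecutive months without ports,
    or a DNS anomaly, each unless stoplisted for that reason. The months
    column is blank when the device is listed only for its DNS anomaly
    (assumption: also when its zero-port issue is stoplisted)."""
    rows = []
    for dev in devices:
        ip = dev["ip"]
        dns = ("" if ("DNS anomalies", ip) in stoplist
               else dns_comment(dev["hostname"], ip, resolver))
        months = trailing_zero_port_months(dev["port_counts"])
        no_ports = months >= 3 and ("zero open ports", ip) not in stoplist
        if dns or no_ports:
            rows.append({"hostname": dev["hostname"], "ip": ip,
                         "zero_port_months": months if no_ports else "",
                         "dns": dns})
    return rows


def summary_statistics(rows):
    """Headline counts: devices showing no ports, devices with DNS problems."""
    return {"no_ports": sum(1 for r in rows if r["zero_port_months"] != ""),
            "dns_problems": sum(1 for r in rows if r["dns"])}


if __name__ == "__main__":
    for row in issues_rows(DEVICES, STOPLIST):
        print(row)
    print(summary_statistics(issues_rows(DEVICES, STOPLIST)))
```

To run the same check against live DNS, pass resolver=resolve_with_system_dns; the result then depends on the resolver the scanning host uses, which is worth noting when a 'mismatch' appears only from one vantage point.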
E-mail Template Clicking the Send E-mail link provides a convenient way for a security administrator to e-mail affected contacts. The form at the bottom of the report allows customisation of the e-mail that is sent. The tag '$$SERVERS' is replaced by the relevant contact's list of affected devices. On clicking a "Send E-mail" link, the browser will open a mail composition window with some fields already filled in. The message can be edited as desired before sending. Messages are sent through your mail client as usual.
Note: There is a limitation in Internet Explorer that prevents long message bodies being passed to the composition window. In this case the body will appear empty, but the text will be copied to the clipboard so it can be pasted in. Netscape does not have this limitation.
Stoplisting In some situations devices with zero open ports or DNS anomalies are expected and understood. A device can be stoplisted for "DNS anomalies" or for "zero open ports" in the same way as for a vulnerability. While the stoplist is in place the affected device will not appear in this report at all.
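An added example (not Clearview's own code) of how the Issues Table rows described above could be derived: it counts consecutive months with zero open ports, produces the "Domain does not resolve (...)" and "mismatch" DNS comments, and suppresses stoplisted devices. The resolver is injected, so the constructed FAKE_DNS table stands in for real DNS and the code runs offline; Device, issues_row and the field names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    host: str            # host name supplied by the client
    ip: str              # IP address supplied by the client
    open_ports: list     # open-port counts per month, most recent first
    stoplist: set = field(default_factory=set)  # {"dns", "zero_ports"}

# Constructed lookup table standing in for real DNS (offline example)
FAKE_DNS = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],  # round-robin
    "fw.example.test": ["192.0.2.1"],
}

def fake_resolve(host):
    """Return the A records for host or raise with the resolver error."""
    if host not in FAKE_DNS:
        raise LookupError("NXDOMAIN")
    return FAKE_DNS[host]

def dns_comment(dev, resolve):
    """Text for the DNS column: '' when the supplied name and IP agree."""
    try:
        answers = resolve(dev.host)
    except Exception as err:
        return f"Domain does not resolve ({err})"
    # Round-robin names return several addresses; the supplied IP only
    # needs to be one of them to count as a match.
    return "" if dev.ip in answers else "mismatch"

def zero_port_months(dev):
    """Consecutive most-recent months in which no port was open."""
    months = 0
    for count in dev.open_ports:
        if count:
            break
        months += 1
    return months

def issues_row(dev, resolve):
    """Row for the Issues Table, or None when the device is not listed."""
    dns = "" if "dns" in dev.stoplist else dns_comment(dev, resolve)
    months = 0 if "zero_ports" in dev.stoplist else zero_port_months(dev)
    if not dns and not months:
        return None   # no anomaly, or everything stoplisted
    return {"host": dev.host, "ip": dev.ip,
            # blank when the device is here only for its DNS anomaly
            "zero_port_months": months or "",
            "dns": dns}
```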


Network Discovery Assessment Reports

The Network Discovery Assessment is a partial assessment of a range of IP addresses. Its purpose is to identify active systems in the client's address range and assure the client that their configuration remains as intended.

Subnet Summary

Purpose Shows high level trends for the number of devices within a subnet responding to network probes.
Audience Management and technical staff who want a pictorial view of the number of devices visible from the Internet.
Benefits Shows trends that can contribute to a CISO's dashboard or metrics. Provides a view of the number of responding devices within an organisation's address ranges and the proportion of those devices which could present a high risk.
Pie Chart Shows the number and proportion of high risk (red) and standard (blue) devices that have responded to this assessment. The number of IP addresses that are unused, or not responding, is also shown (light grey).
Bar Chart Shows a rolling twelve month history of the total number of devices found (grey bar); the number of those devices with high risk services visible (red bar); and the total number of responding devices that are not fully vulnerability scanned (blue line), i.e. are not part of the organisation's Enterprise vulnerability assessment schedule.

Subnets

Purpose Shows which devices within an organisation's address space are visible from the Internet.
Audience Technical management and staff who want to keep track of Internet reachable devices within their organisation.
Benefits Confirms that the devices an organisation shows to the Internet are as intended. Highlights devices not supposed to be visible to the Internet. Shows devices considered to be 'high risk'.
Summary Information Shows:
  • The number of distinct subnet ranges that were scanned.
  • The total number of IP addresses scanned.
  • The start and end date/time for the assessment. This can help when correlating results with firewall logs or IDS alerts.
Summary (Key) Table This table gives a key for the colour coding of the cells in the network map and provides some relevant statistics:
  • The total number of devices within all network address ranges that responded to probes.
  • The total number of IP addresses scanned from which a response could not be obtained (blue), i.e. unused IP addresses.
  • Of the responding devices the number offering high risk (red) services.
  • Of the responding devices the number offering low risk (amber) services.
  • Of the responding devices the number not offering any services (dark blue), i.e. those devices responding only with ICMP or TCP RST.
  • The number of devices within the network address ranges that are part of an Enterprise assessment schedule (green stripe).
  • IP addresses not scanned (grey). More often than not this is because the organisation does not own that portion of the IP address space.
Network Details The text above each network map contains:
  • The first three octets of the network address. The last octet is enumerated in each cell of the network map.
  • The e-mail address of the network administrator (or owner) for this IP address range.
  • A free text description about the network address range that may help identify it.
Network Map The network map shows a matrix of 256 contiguous IP addresses (i.e. a class C subnet). Each cell contains the last octet of the network address range. Cells that are coloured blue indicate that the IP address has been scanned but no device has responded. Cells coloured dark blue indicate the device has responded with a TCP RST or an ICMP service. Cells coloured amber indicate a device at that IP address has responded and is not offering 'high risk' services. Cells coloured red indicate a device at that IP address has responded and is offering 'high risk' services. Cells coloured with a green stripe through them are IP addresses that are part of an Enterprise assessment schedule. Cells coloured grey correspond to IP addresses that were not scanned, usually as a result of them not belonging to the organisation.
Clicking the link in an amber or red cell will display the Subnet Detail report.

Subnet Detail

Purpose Provides a list and description of ports on a device that have responded to Network Discovery probes.
Audience Technical staff, such as firewall and network administrators and system owners, responsible for monitoring those services that are visible to the Internet and rectifying resultant security issues.
Benefits Highlights which services are visible to the Internet thereby alerting technical staff to anomalies in their number or type.
Summary Information Lists the device's IP address and domain name (if any); type of scan; the start and end dates/times of the assessment; and a customer defined reference field (can be any text string, such as an asset number).
Ports Section Has two subsections: Open Ports Found and Closed Ports. For each of these subsections the table displays:
  • The port number, in decimal.
  • The 'transport' protocol, e.g. TCP, UDP or ICMP.
  • The name of the service usually assigned to this port, e.g. 'domain' for port 53.
  • A description of the banner or response from the device.
  • A 'new' graphic is displayed at the left side of the table adjacent to ports that have been newly discovered this month (i.e. were not present last month).
In the Open Ports Found subsection the port numbers are background coloured red if the port is considered high risk, otherwise they are coloured blue. The Closed Ports subsection lists all ports that were present last month but not detected this month. This table is deliberately left uncoloured to de-emphasise it, reminding the user that these ports are no longer present on the device and so are not a risk.

Differences

Purpose For devices that have been Network Discovery scanned a concise list is provided of only those devices where a change has been detected in their port configuration. This includes devices newly appearing in, or disappearing off, a network address range.
Audience Technical management and staff who need a view of what network changes have occurred since the last month.
Benefits Provides an immediate indication of a change in the risk exposure of a network segment. Assures network managers that the configuration of their network (or systems attached to it) is not changing unexpectedly. This report can also be useful in identifying changes that have circumvented standard change control procedures.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Information Lists the number of subnet address ranges where differences have been detected this month; the total number of devices with differences; the number of devices where one or more new 'high risk' ports have been detected; the number of devices where one or more 'high risk' ports detected during the last assessment are no longer present; the number of devices where one or more new 'low risk' ports have been detected; the number of devices where one or more 'low risk' ports detected during the last assessment are no longer present.
Key Cells with a red background colour indicate a change in one or more 'high risk' ports; cells with a blue background indicate a change in one or more 'low risk' ports; cells with a green stripe through them indicate the IP address is already part of an Enterprise assessment schedule; a '+' in the cell indicates an increase in ports detected; a '-' in the cell indicates a decrease in ports detected.
Viewing Option Buttons The first button opens the 'New Devices' report (see description below). The next two buttons allow the user to collapse and expand the view for all subnet address ranges, to include or exclude the list of IP addresses where changes have been detected.
Network Difference Maps Differences within each network address range are described in a table:
  • A view button [-/+] allowing the list of IP addresses where changes have been detected to be collapsed or expanded.
  • The IP address range for this network.
  • The total number of devices within this IP address range where changes have been detected.
  • A map of cells, each showing the last octet of the IP address of the system where the change was detected. Clicking the link in a cell will display the Subnet Detail report for that IP address.
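An added example (not Clearview's own code) that works through the Differences report logic described above and in the Subnet Detail section: given last month's and this month's port sets per device, it finds new and closed ports, colours the cell red or blue according to whether any changed port is high risk, assigns the '+'/'-' sign, and builds the Summary Information counts. A device present in only one month is treated as having no ports in the other, so appearing and disappearing devices are reported. The HIGH_RISK port table and the LAST/NOW data are constructed for the example.

```python
# Constructed risk table: the (protocol, port) pairs this example treats
# as 'high risk'. The product's real classification is not on the page.
HIGH_RISK = {("tcp", 23), ("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 161)}

def device_diff(last, now):
    """Compare one device's port sets; None when nothing changed."""
    new, closed = now - last, last - now
    if not new and not closed:
        return None
    changed = new | closed
    # The page does not define the sign for an equal count with different
    # ports; it is left blank here (assumption).
    sign = "+" if len(now) > len(last) else "-" if len(now) < len(last) else ""
    return {"new": sorted(new), "closed": sorted(closed),
            # red if any changed port is high risk, otherwise blue
            "colour": "red" if changed & HIGH_RISK else "blue",
            "sign": sign}

def network_differences(last, now):
    """last/now map IP -> set of (proto, port). Devices seen in only one
    month are compared against an empty set, so they appear as changes."""
    rows = {}
    for ip in sorted(set(last) | set(now),
                     key=lambda s: tuple(int(o) for o in s.split("."))):
        diff = device_diff(last.get(ip, set()), now.get(ip, set()))
        if diff:
            rows[ip] = diff
    return rows

def summary(rows):
    """The device counts listed in the report's Summary Information."""
    s = {"devices": len(rows), "new_high": 0, "gone_high": 0,
         "new_low": 0, "gone_low": 0}
    for d in rows.values():
        s["new_high"] += any(p in HIGH_RISK for p in d["new"])
        s["gone_high"] += any(p in HIGH_RISK for p in d["closed"])
        s["new_low"] += any(p not in HIGH_RISK for p in d["new"])
        s["gone_low"] += any(p not in HIGH_RISK for p in d["closed"])
    return s

# Constructed sample results for two consecutive months
LAST = {"192.0.2.10": {("tcp", 80), ("tcp", 443)},
        "192.0.2.20": {("tcp", 22), ("tcp", 445)},
        "192.0.2.30": {("tcp", 25)},
        "192.0.2.50": {("udp", 53)}}
NOW = {"192.0.2.10": {("tcp", 80), ("tcp", 443)},   # unchanged
       "192.0.2.20": {("tcp", 22)},                  # high-risk 445 closed
       "192.0.2.30": {("tcp", 25), ("tcp", 23)},     # telnet newly visible
       "192.0.2.40": {("tcp", 80)}}                  # new device; .50 has gone
```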

New Devices

Purpose Identifies devices that have been discovered since the last assessment via Network Discovery, or devices that have been added to your vulnerability assessment schedule.
Audience Technical management and staff who need a view of what network changes have occurred since the last month.
Benefits Provides an immediate indication of new devices that have appeared in an organisation's address space since the last assessment was performed. Allows network managers to confirm that the configuration of their network (or systems attached to it) is not changing unexpectedly. This report can also be useful in identifying changes that have circumvented standard change control procedures.
Trend Symbols Upward pointing arrowhead symbol indicates the trend is increasing. Downward pointing arrowhead symbol indicates the trend is decreasing. A diamond indicates the trend is static. Symbols coloured red indicate the trend is worsening. Symbols coloured green indicate the trend is improving. Amber indicates no change.
Summary Information Lists the total number of new devices appearing since the last assessment (either discovered by us or added by you to your assessment schedule); the total number of new devices which are not being vulnerability scanned; total number of subnet ranges which have new devices; total number of devices you have added to your vulnerability assessment schedule.
Key Cells with a red background colour indicate a new device with one or more 'high risk' ports; cells with a blue background indicate a new device with one or more 'low risk' ports; cells with a green stripe through them indicate the IP address is already part of an Enterprise assessment schedule.
Viewing Option Buttons Two buttons that allow the user to collapse and expand the view for all subnet address ranges, to include or exclude the list of IP addresses where new devices have been detected.
Network Maps New devices within each network address range are described in a table:
  • A view button [-/+] allowing the list of IP addresses of new devices to be collapsed or expanded.
  • The IP address range for this network.
  • The total number of new devices within this IP address range.
  • A map of cells, each showing the full IP address of the new device. Clicking the link in a cell will display either the Subnet Detail report, or the Server Detail report if the device is being vulnerability scanned.
Subnet Not Scanned Network Map The final Network Map may be entitled 'Subnet Not Scanned'. In this case new devices that you have added to your vulnerability assessment schedule but are not part of any Network Discovery assessment are described in a table:
  • A view button [-/+] allowing the list of IP addresses of new devices to be collapsed or expanded.
  • The total number of new devices not part of any Network Discovery assessment.
  • A map of cells, each showing the full IP address of the new device added to your assessment schedule. Clicking the link in a cell will display the Server Detail report for the device.

Subnet Ports

Purpose Lists all TCP, UDP and ICMP services that have been discovered across the target device population, cross referenced by device.
Audience Technical managers responsible for organising staff remediation efforts. Technical staff who need to verify which services are visible on which devices.
Benefits Allows management to prioritise staff remediation efforts by identifying which devices are offering which services.
TCP Open Ports Lists all open TCP ports that respond to the standard TCP connect three-way handshake. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those devices that have that port open.
UDP Open Ports Lists all responding UDP services. Open ports are listed in ascending numerical (decimal) order. Each port also shows its standard service name. Clicking a port number link will scroll the page down to show those devices that have that port open.
ICMP Open Ports Lists all responding ICMP services. ICMP services are listed in ascending numerical (decimal) order. The name of each service is listed next to its number. Clicking a service number link will scroll the page down to show those devices that offer that service.
Servers by Port Cross Reference Each responding port or service is listed in its own table:
  • Protocol, port or service number and common name. The background colour of this cell is red if any of these ports are considered high risk, otherwise it is coloured blue.
  • A count of the number of devices that responded on this port/service.
  • A list of all devices, by domain name and IP address, that have this port/service open. Clicking on the device link will display the 'Server Detail' report.


Scans by Clearview Systems