
Frontline User Guide

Version 5.2.1 March 2013 Copyright 2013 Digital Defense, Inc.


DIGITAL DEFENSE, INC.

FRONTLINE USER GUIDE

CONTENTS


1 Introduction
  About Frontline
  Client Support
  Browser Requirements
  New Features in Frontline 5.2.0.1
  Veracode Integration
  Unix Authenticated Scanning
  System Logon
  Logging In to Frontline
  Change Your Password
  Password Rules
  Logging Out of Frontline
  Software Version
  Frontline Portal
  Systems Menu
  Navigation Pane
  Business Card
  Lists

2 Dashboard
  Navigation
  Left-Hand Links
  Components
  Security GPA
  Host Rating by Priority
  Vulnerability Risk by Host Priority
  Average Vulnerability Age
  DDI Cloud Top 5 Critical and High Level Vulnerabilities
  Last 5 Received Unread Alerts

3 Administration
  Client Detail
  Veracode Credentials
  Contacts
  ISPs
  System Users
  User Roles and Privileges
  Add a User
  Change a User
  Delete a User
  Enable a User
  View a List of Active Sessions
  Network Profile
  Port Management
  Network Alias
  Add a Network Alias
  Change a Network Alias
  Vulnerability Assessment Templates

4 Services and Management Tools
  Assessment Services
  Services and Contract Types
  Vulnerability Assessments
  Host Discovery Assessments
  Vulnerability Assessment Templates
  Schedule a Vulnerability Assessment
  Add a Vulnerability Assessment Template
  Change or Reschedule a Vulnerability Assessment
  Delete a Vulnerability Assessment Template
  Interrupt a Vulnerability Assessment
  Pause a Vulnerability Assessment
  Resume a Paused Vulnerability Assessment
  View a Scheduled Vulnerability Assessment
  Calendar View
  Service Results View
  Drill Down to Host Details
  Reassess a Vulnerability Assessment
  Delete a Vulnerability Assessment or Host Discovery Scan
  Reconcile a Vulnerability Assessment
  Automatic Reconciliation Feature
  Undo a Reconciled Host
  Undo a Reconciled Assessment
  Heuristic Vulnerability Feature
  Assessment View Host Detail page
  Assessment View Heuristic Vulnerabilities Pane
  Assessment View Applications Pane
  Assessment View - Heuristic Vulnerability Detail Page
  Assessment View Inherited Promoted Heuristic Vulnerabilities
  Heuristic Vulnerabilities in Assessment Reports
  The Executive Summary Report
  The Detailed Report
  Active View Vulnerabilities Page
  Active View Vulnerabilities Menu
  Active View Host Detail page
  Active View Heuristic Vulnerability Detail Page
  Managing Heuristic Vulnerabilities
  Remediation and tracking
  Heuristic Vulnerability Action Tracking
  SCAP Compliant Unauthenticated Vulnerability Scanning
  SCAP Implementation
  CVE Implementation
  CPE Implementation
  CVSS Implementation
  Application Analysis
  Application Analysis Page
  Compliance Statuses
  Per CVC Assessments
  Authenticated Scanning Feature
  Authenticated Scanning Process
  Enabling Authenticated Scanning
  Credential Aliases
  Client Detail Page
  Host Detail Page
  Start Authenticated Scan
  Service Results Page

5 Reports
  Results Reports
  Export Results
  Remediation Export File
  Active View Executive Summary Report
  Executive Summary Report
  Active View Detailed Host Report
  Detailed Host Report
  Active View Detailed Report on Selected Hosts
  Trending Report
  Active View Vulnerability Detail Report
  Rated Hosts Report
  Consulting Reports

6 Active View
  Active Views
  Hosts Management View
  Active View Advanced Search
  Active View Data Management
  Host Visibility
  Host Application Association
  Host Assessment Mapping
  Update Host Details
  Add a Host Note
  Host Inventory View
  Vulnerability Management View
  Assigning Vulnerabilities to Users
  Entering Remediation Time
  Add a Vulnerability Note
  Attempt a Vulnerability
  Indicate that a Vulnerability is False Positive
  Rated Hosts View
  Active Websites View
  Penetration Tests and Manually Added Vulnerabilities

7 Rating, Classification and Valuation
  Rating
  CIA: Confidentiality, Integrity, and Availability
  Classification Weightings
  Valuation Weightings
  Node Classification
  Node Valuation

8 Features
  Preferred Hostname
  Vulnerability Dictionary
  Alerts
  Receiving e-mail Alerts
  View Current Alerts
  View Archived Alerts
  Scan Completion e-mails

9 Glossary of Terms

10 Index


1 INTRODUCTION

In this chapter:
Client Support
Browser Requirements
New Features
Log in to Frontline
Change your password
Log out of Frontline
Frontline Portal
Software Version
Navigation Pane
Business Card
Lists

About Frontline

The Frontline system provides automated vulnerability discovery, identification, mitigation management, and a variety of detailed reports. These reports enable revision of your network security posture and progress in managing it, providing dramatic evidence and key performance indicators for the success of a security program. Frontline uses the Network Security Awareness System 100 (NSAS-100), a system developed by DDI to deliver vulnerability assessment and penetration testing services to clients in a secure manner.

Client Support
DDI Client Support is available Monday through Friday, 8:00am to 6:00pm, Central Standard Time.
Toll free: 888.273.1412
e-mail: support@ddifrontline.com

NOTE: If you purchased Frontline from a Value-Added Reseller (VAR), please contact your VAR directly for support issues.

Browser Requirements
Frontline has the following minimum browser requirements:
Internet Explorer, version 7.x, JavaScript enabled
Mozilla Firefox, version 3.6, JavaScript enabled (all features)


New Features in Frontline 5.2.0.1


Veracode Integration

The Veracode Integration feature provides system integration between Veracode Application Assessment services and Digital Defense's Frontline Vulnerability Management. This feature allows customers who are clients of both Veracode and Digital Defense to view their network vulnerability risks and Veracode application assessed risks simultaneously within the Frontline interface.

Unix Authenticated Scanning


Unix authenticated scanning enables users to check the patch status of select Unix (Linux) based systems by providing them with the capability to set credentials similar to the current Windows Authenticated Scanning.

System Logon

Logging In to Frontline
The system permits three attempts to log in to Frontline. If the third consecutive attempt is unsuccessful, access is automatically disabled and the account must be unlocked. If your Frontline role is Administrator, Finance Executive, or Executive, contact your Client Supervisor. If you are a Client Supervisor, contact your VAR or DDI Client Support.

NOTE: Accounts configured to utilize the Frontline Security Assertion Markup Language (SAML) feature will access the system as configured by their single sign-on utility.

The system supports only one instance of a particular user ID at any given time. The system does not allow the same user ID to be logged in multiple times simultaneously.

To log in to Frontline
1 Open your browser and establish an active connection to the Internet.
2 Browse to: https://nsas.ddifrontline.com/nsas/. Note the s after http. A secure connection is established and the Login page opens. (Figure 1)
Figure 1 Logging In to Frontline
3 Enter your client ID, user ID, and password. The IDs and password are case-sensitive.
4 Click Login.

NOTE: If you are logging in for the first time, the Client Supervisor changed your password, or your password has expired (45 days after your last password change), the Change Password page opens. See Change Your Password on page 8.

The Dashboard page opens (Figure 2). For details on using the Dashboard, see Dashboard in chapter 2 of this guide.
Figure 2 Viewing the Dashboard page

Change Your Password


Passwords automatically expire after 45 days. It is required that they be changed at this time. You can use this procedure to change your password at any time. If you forget your password, contact your Frontline Client Supervisor.

To change your password
1 Choose Administer | My Account from the menu bar.
2 In the System Users area, choose your name. Your Client Detail page opens. (Figure 3)
Figure 3 Viewing Client Details
3 Click Reset Password. The Update Password page opens. (Figure 4)
4 Enter your old password, then enter and confirm your new password.
Figure 4 Entering a Password

Password Rules
Must be at least eight (8) characters long
Must contain at least one (1) lower-case letter
Must contain at least one (1) upper-case letter
Must contain at least one (1) number or special character
Must not be the same as any of the previous 4 passwords

Logging Out of Frontline


After 15 minutes of inactivity, the session will expire. The system automatically logs out the inactive account for security purposes.

To log out
Supervisors: Choose Systems | Logout from the menu bar.
Users: Choose Administer | Logout from the menu bar.
Figure 5 Logging out

Software Version
Use this procedure to view the current version of the Frontline software as well as the user logged in to the current session.

To view the software version
Choose Administer | Version from the menu bar. The Version page opens. (Figure 6)
Figure 6 Viewing the Software Version and Current User


Frontline Portal

The Frontline portal is a graphical user interface with several header elements that are common to all pages (Figure 7).
Figure 7 Viewing the Frontline Portal

Systems Menu
The Systems menu provides access to Frontline Vulnerability Manager, IS Policy Manager and Partner Portal systems provisioned for the user account.
Figure 8 Systems Menu

Navigation Pane
The pane on the left side of a page is used to navigate within that page. On many pages, more detailed information is available through the navigation pane. The navigation pane (Figure 9) indicates the availability of specific information and helps you easily return to an overview.

Figure 9 Using the Navigation Pane

Items with a white background indicate the path taken to the current page. In the example (Figure 9), the TD10hostSRMS assessment was selected. From that assessment, the 172.10.3.200-172.16.3.209 sub-assessment range was selected. In that sub-assessment, the 172.16.3.204 host was selected, and finally the MS03-026 Microsoft RPC DCOM Overflows vulnerability was selected. Click any link to return directly to that page.

Navigation arrows enable you to page through a list of items. Use the left and right arrows to page through detected vulnerabilities.

Figure 10 shows a sample navigation pane with filters.
Figure 10 Using Filters

On pages that display long lists of data, it is possible to filter the list using text boxes and selection lists. To view all data, leave these filters blank.

Figure 11 shows a sample wizard navigation pane.
Figure 11 Navigating a Wizard

Several wizards throughout the system help you enter complete information for a new user, vulnerability assessment template, or network alias. The current step is displayed with a white background, completed steps have a light blue background, and the remaining steps have a gray background. This list of steps also provides a navigational tool. Each step of a wizard must be viewed in sequence, but to return to a completed step, click the link in the navigation pane.

Business Card
Each page has a business card, or summary box, located in the top center of the page below the common header. The business card displays any of the following:
The page's subtitle
Instructions
Information boxes
Input boxes
Navigation buttons or links
System messages
Figure 12 Using the Business Card

Lists
When a list of items is displayed, click an item link to view more specific details.

Use the Prev, Next, and page number links to navigate through long lists. The list can also be filtered (Figure 10) to view only relevant entries. Certain long lists provide an additional index to facilitate quick navigation.

To go directly to a particular item in a list
Enter the item number in the box in the upper-right of the list and then click Reload.

To change the number of list items
Enter the number (minimum 5, maximum 100) in the box in the lower-right of the list and then click Reload.
Figure 13 Navigating a List

2 DASHBOARD

In this chapter:
Navigation (roles: Supervisor, Administrator, Executive)
Components (roles: Supervisor, Administrator, Executive)

Navigation

The Dashboard page is the starting point after logging into the Frontline portal.

To return to the Dashboard page
Choose Dashboard from the menu bar. (Figure 14)
Figure 14 Menu Bar

Left-Hand Links
The left hand pane within the Dashboard includes a set of navigation links to various locations within Frontline.
Figure 15 Navigation Links

Purpose of each menu item:

The topmost navigational link toggles the Dashboard between the Internal and External active views.
Figure 16 External/Internal link

The "My GPA" link quickly navigates to the Active View Host Rating page where more detailed information on GPA is available.
Figure 17 My GPA link

The "Hosts" link quickly navigates to the Active View Host page where more detailed information is available on all active view hosts for the given client.
Figure 18 Hosts link

The "Vulnerabilities" link quickly navigates to the Active View Vulnerabilities page where more detailed information is available on all active view vulnerabilities for the given client.
Figure 19 Vulnerabilities link

The "Alerts" link accesses the current user's Alerts page. See Chapter 8 for more information on managing Alerts.
Figure 20 Alerts link

For DDI, Enterprise, and VAR users, the left hand navigational area will show an additional button labeled Client which will allow them to select a different sub-account. When a sub-account is selected, the sub-account will appear as enabled within the top left hand side of the Frontline banner.
Figure 21 Client button

NOTE: Once the sub-account is engaged, all Dashboard components, except the Last 5 Received Unread Alerts table, will display the sub-account's information.

Components

Security GPA
The Security GPA component (Figure 22) shows a linear representation of the given client's Security GPA. It provides a trend of the client's monthly Security GPA over the last 12 months. This information is updated daily to reflect changes in reconciled assessments. The last data point includes a Security GPA for the current month. For example, if today's date is September 24th, the last data point will only account for the data between September 1st and September 24th. When there are no hosts in the Active View, the graph cannot show a point, and therefore the line will not be continuous. The graph is updated daily by the system at 1AM central time. The component also shows the same Security GPA trend for the entire DDI Cloud.

NOTE The current GPA can be obtained by drilling into any part of the graph. Drilling into the graph redirects to the Active View Host Rating page where more detailed information on the client's security GPA is provided.

Figure 22 Security GPA graph

Host Rating by Priority


The Host Rating by Priority component (Figure 23) shows a breakdown of the hosts within the given client's active view by host rating (Excellent, Good, Satisfactory, Fair, Poor, Critical), separated into hosts of High Priority and Others. The legend is dynamically created to display only the ratings that are present in the client's active view. As an example, the graph below does not list Fair or Critical in the legend because hosts of that rating were not present in the active view. This information is updated each time the Dashboard page is loaded. High Priority hosts are hosts whose associated client prioritization value (page 143) has been set to 8, 9, or 10. Any host that has its client prioritization value equal to 7 or below is placed in the Others category.

NOTE Drilling into any part of the graph proceeds to the Active View Host page. Drilling into any part of the High Priority Host row navigates the user to the Active View Host page where only the high priority hosts are listed. Similarly, drilling into any part of the row for the Other hosts navigates the user to the Active View Host page where only the non-high priority hosts are listed.

Figure 23 Host Rating by Priority graph

Vulnerability Risk by Host Priority


The Vulnerability Risk component (Figure 24) shows the total number of vulnerability occurrences by risk (Low, Medium, High, Critical) and by Host Priority (High Priority and Others). When a vulnerability of a particular risk level is not present on any of the active view hosts, the legend of the graph will not display that risk level. As an example, the graph below does not list Critical in the legend because vulnerabilities of that rating were not present on any of the hosts. This information is updated each time the Dashboard page is loaded.

NOTE Drilling into any part of the graph navigates the user to the Active View Vulnerabilities page. Drilling into any part of the High Priority Host column navigates the user to the Active View Vulnerabilities page where only the vulnerabilities for the high priority hosts are listed. Similarly, drilling into any part of the column for the Other hosts navigates the user to the Active View Vulnerabilities page where only the vulnerabilities for the other (non-high priority) hosts are listed.

Figure 24 Vulnerability Risk by Host Priority graph

Average Vulnerability Age


The Average Vulnerability Age component (Figure 25) shows the client's average vulnerability age (AVA) in days, as well as the DDI Cloud AVA. Clients with smaller AVA are remediating at a faster pace as compared to clients with a larger AVA. This component only accounts for critical and high level vulnerabilities present on high priority hosts. It also accounts for remediated and open (unremediated) vulnerabilities. The AVA increases the longer a vulnerability is left open (unremediated).

NOTE Your AVA value and the Cloud AVA are updated daily by the system at 1AM central time.

Figure 25 AVA graph

DDI Cloud Top 5 Critical and High Level Vulnerabilities


The DDI Cloud Top 5 Critical and High Level Vulnerabilities table (Figure 26) shows the 5 Critical/High vulnerabilities that triggered most often across the DDI Cloud during the past 3 months. The table also displays the corresponding triggers of these 5 vulnerabilities for the given client. The vulnerabilities listed ONLY include vulnerabilities that are either Critical or High level.

The Scans On Cloud column represents the total number of hosts scanned in the DDI client base for which the vulnerability may have been detected. New vulnerability detections are released periodically as time progresses. It is possible that a new vulnerability has been released within the past 10 days. In this example, even though the table lists top firing vulnerabilities within the last 3 months, not all vulnerability detections may have had a 3 month window to launch scans.

The Cloud Triggers column represents the total number of positive occurrences for the given vulnerability across the DDI cloud.

The My Scan column represents the total number of hosts that the given client has scanned which included the given vulnerability detection that may or may not have resulted in an occurrence of that vulnerability.

The My Triggers column represents the total number of positive occurrences of that given vulnerability.

NOTE All components in the DDI Cloud Top 5 Critical and High Vulnerabilities table are updated daily by the system at 1AM central time.

Figure 26 DDI Cloud Top 5 Critical and High Vulnerabilities table

Last 5 Received Unread Alerts


The Unread Alerts table (Figure 27) shows the last 5 unread alerts received by the given user. The component does not support drill down. If the user wants to view more information on these alerts or other alerts, they can click on the Alerts side tab located in the left side links of the Dashboard page.
NOTE The information in this component is updated every time the Dashboard page is loaded. To see the most recent data in the dashboard page for alerts, the dashboard page must be refreshed.

Figure 27 Unread Alerts table

ADMINISTRATION

In this chapter:

What                                 Page      Roles
Client Details                       page 22   Supervisor, Administrator, Executive
Contacts                             page 24   Supervisor
ISPs                                 page 25   Supervisor, Administrator, Executive
System Users                         page 25   Supervisor, Administrator, Executive
User Roles and Privileges            page 26   Supervisor
View a list of Active Sessions       page 36   Supervisor
Network Profile                      page 36   Supervisor
Port Management                      page 37   Supervisor
Network Alias                        page 38   Supervisor
Add a Network Alias                  page 39   Supervisor, Administrator, Executive
Change a Network Alias               page 41   Supervisor, Administrator, Executive
Vulnerability Assessment Templates   page 42   Supervisor, Administrator, Executive

Client Detail

The Client Detail page is the starting point for all client and assessment administration.

To open the Client Detail page

Choose Administer | My Account from the menu bar.

The Client Detail page opens (Figure 28). The business card shows your company's current address as well as your DDI or VAR sales contact information. To change this information, contact your VAR or DDI Client Support.

To restrict DDI system users from accessing, viewing, or managing data

If you are in a Supervisor role, toggle the restrict access option to restrict access. Please note that if the option to restrict DDI access is selected, alerts are still seen by DDI. Since alerts are quite generic in nature, however, this does not pose a security concern. In the event that you need DDI to debug an issue which requires access to the data, the Supervisor may either toggle the selection back until the issue is resolved or set up an account under your client for DDI support use. Once the issue has been resolved, either reset the password for this account or delete the account altogether.

Figure 28 Client Business Card

Veracode Credentials
The Veracode Credentials button on the business card is visible to users logged in as a client supervisor, enterprise supervisor, or VAR supervisor. Veracode Services must be enabled by a Digital Defense client advocate. If the business card indicates it is disabled, please contact DDI for assistance. The Veracode Credentials button will not be visible until the service has been enabled for your account.

Figure 29 Veracode Credentials Button

To provision Veracode Credentials

On the Veracode Credentials page, enter the user name and password for the company's Veracode API account and select the Update button.

Figure 30 Veracode Credentials Page

If valid user credentials are entered, a message indicating that the update is successful is displayed; otherwise, an error message is presented. To edit Veracode API credentials you must access your account through the Veracode web portal.

Figure 31 Veracode Credential Error

NOTE Frontline supported Veracode API credentials can be up to 256 alphanumeric characters in length and include symbols from the Basic ASCII character set (however, greater than and less than characters and colons are not permitted in user names).

Contacts
A contact is a person who can make security decisions, but may or may not need access to Frontline. Contacts are administered in the same manner as system users (see System Users on page 25). When a system user is added, the person is automatically added as a company contact; however, deleting a system user does not delete the contact entry.

To view a list of contacts

On the Client Detail page, scroll to the Contacts area.

A list of contacts is displayed.

Figure 32 Viewing a List of Contacts

To view or manage contact details

Click the contact Name.


To e-mail the contact

Click the contact e-mail address.


To add a contact

Click Add Contact and then follow the procedure for Add a User on page 27.

ISPs
Your Internet Service Provider (ISP) was set up when you purchased Frontline. To change ISP details, contact your VAR or DDI Client Support.

To view a list of ISPs

On the Client Detail page, scroll to the ISPs area.


A list of ISPs is displayed.
Figure 33 Viewing a List of ISPs

To view ISP details

Click the ISP name.


To view ISP contact details

Click the Contact name.


To e-mail your ISP

Click the ISP e-mail address.

System Users
A system user is a person who can log in to and access the Frontline system. When a system user is added, the user is automatically added as a company contact. For each system user, it is necessary to specify a user ID and password, as well as access privileges (see User Roles and Privileges on page 17).

To view a list of system users

On the Client Detail page, scroll to the System Users area.

A list of users is displayed. A red X in the status column indicates that the user has been disabled manually by the Client Supervisor. A gray lock icon indicates that the user has been locked out as the result of a password rule violation.

Figure 34 Viewing a List of System Users

User Roles and Privileges


When logging in to Frontline, a client ID, user ID, and password are required. Everyone in your company uses the same client ID; however, the user ID and password are unique to each user. Access to Frontline features depends on the user privileges defined by your role:

Client Supervisor: This role has complete access to system client features and can maintain users, network aliases, vulnerability assessment templates, and vulnerability assessment scans.
Client Administrator: This role has limited access to the system, but can track and resolve vulnerabilities that have been assigned to them.
Client Executive: This role has read-only access and can view assessment reports as well as vulnerability management progress.
Finance Executive: This is the only role in the system with editing access to the Valuation Weightings and Node Valuation screens. Additionally, this role has read-only access and can view assessment reports as well as vulnerability management progress. As the Frontline system will mainly be used by information technology or information security staff, this role and its functionality have been isolated to the finance executive role. With this delineation, your financial staff, who may not be information security experts, will be able to enter valuations into the Frontline system.

NOTE With the exception of the Valuation Weightings and Node Valuation screens, the privileges of the Finance Executive role are identical to those of the Executive role. For the body of the guide, the term Executive will be used to describe the privileges of both groups. Where the privileges between the roles vary, these differences will be described.

Table 1 describes each user type's access privileges.

Table 1 Access Privileges

Client Privilege   Supervisor   Administrator   Executive   Finance Executive

View client details (page 22)
View network profiles (page 37)
Manage vulnerability assessment templates (page 42)
Manage system users (page 26)
Manage ports to be assessed (page 37)
Schedule vulnerability assessments (page 47)
Interrupt a vulnerability assessment (page 53)
Validate a vulnerability assessment (page 69)
Restrict DDI Access (page 22)
Reconcile assessment results (page 69)
Open Active Views (page 120)
View scheduled assessments (page 59)
Vulnerability Assessments (page 46)
Generate and view reports (page 99)
View financial values for valuation weightings and node valuations (page 149)
Enter financial values for valuation weightings and node valuations (page 150)
Enter Veracode Credentials (page 23)
View and associate Veracode Application Data (page 129)
Update Veracode Application Data (page 91)

Add a User
To add a user

1 In the System Users area, click Add User.

The Name and Address page opens. This is the first page of a wizard that guides the user through the rest of the setup process. Use the navigation pane on the left to view the current page of the wizard. To go directly to a previous page, click the link in the navigation pane.

Figure 35 Entering User Details

2 Enter the requested information about the new user and click Next. Required data is displayed in red text.

Table 2 Contact Maximum Characters

Field Type     Max Characters
First Name     50
Middle Name    50
Last Name      50
Title          100
Address1       80
Address2       80
Address3       80
City           80
Province       80
Postal Code    10

NOTE A contact name cannot contain the following characters: + = \ &

To change an existing user, click the name of the user in the navigation pane.

The Type page opens, where the user's contact type can be specified. Ensure at least one Executive contact and one Technical contact are specified. An Executive or Technical contact does not have to be a system user; a company contact can be designated as such. The users specified as Executive and Technical contacts are displayed on the Client Detail page (Figure 36). DDI Client Support uses this information to determine which types of issues to address to the different points of contact. It also helps to define the escalation path in the event that Frontline detects a critical vulnerability or security breach on your network.

Figure 36 Selecting a Contact Type

3 Enter the following and click Next:

Executive: Select this check box if high-level issues should be addressed to this user.
Technical: Select this check box if system-level issues should be addressed to this user.

The same user can be specified as both the Executive and Technical contact and as the primary contact for both. A primary contact is the person responsible for managing DDI services on a routine basis. This person most frequently uses the Frontline system and communicates with DDI's Client Operations team. At least one person should be specified as the primary contact. The name of the primary Executive contact appears on any reports that are generated.

The Contact Information page opens.

Figure 37 Entering Contact Details

4 Enter the requested information and click Next. You must enter at least one contact method if the user is a primary contact.

Table 3 Contact Maximum Characters

Field Type        Max Characters
Work Phone        30
Cell Phone        30
Fax               30
Pager             30
e-mail Address    200

The System Access page opens.


Figure 38 Entering System Access Details

5 Enter the following:

Role: Select the user role from the list. Always specify No Access for a contact who does not need access to the Frontline system. For a system user, select Supervisor, Administrator, Executive, or Finance Executive. For a description of each role, see User Roles and Privileges on page 26.

User ID: Enter a unique ID for this user (maximum 40 characters).

NOTE A user ID:
Must have at least one (1) character.
Can contain only letters, numbers, and underscores (_).
Cannot start with a number.
Unassigned is a reserved user ID.

New Password: Enter a password for this user (maximum 40 characters).

NOTE
Must be at least eight (8) characters long
Must contain at least one (1) lower-case letter
Must contain at least one (1) upper-case letter
Must contain at least one (1) number or special character
Must not be the same as any of the previous 4 passwords

Confirmation: Re-enter the password.

Time zone: Select the user's time zone from the list. The time zone is important for scheduling and reporting purposes, especially if a scheduled assessment covers multiple time zones. Assessments are scheduled in the network's time zone. Reports are generated on-demand and are addressed to the user's time zone regardless of where a vulnerability scan or penetration test originated.

NOTE When more than one RNA is deployed to address a network that spans more than one time zone, the RNA is set to the time zone of the site where the RNA is physically located. Frontline compensates for time zone differences automatically in areas such as the Calendar View. For example, if the RNA is deployed to a site in the Pacific time zone and the user interface is set for the Central time zone, assessments that are scheduled to run on the RNA in the Pacific time zone at 5:00pm (Pacific) will appear in the user interface to be running at 7:00pm. The system displays all times in your default time zone. If a time has not been converted to your current time zone, it will be labeled with its time zone. If a time is unlabeled, it has been converted to your time zone.

Disabled: Select this check box to prevent the user from logging in to Frontline. This feature allows a user to be disabled without having to delete the user's account.

Scan Completion E-mail: Select this check box if the user is to receive e-mail notification of scan completion.

6 Click Next.

The Confirmation page opens (Figure 39).

Figure 39 Confirming a New User

7 Review the user information. To open a previous page, click Prev. To go directly to a particular page, click the link in the navigation pane.

8 Click Confirm.

The user is added and the Name and Address page appears (Figure 35 on page 28). The message Representative Updated is displayed in the message area. If there were problems saving and validating the user profile, a relevant message is displayed instead.
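The user ID and password rules listed in the System Access step can be checked before an account request is submitted. The sketch below is an added example, not Frontline's own code. It assumes that "letters" means ASCII letters, that "special character" means any non-letter, non-digit character, that the reserved ID Unassigned is matched case-insensitively, and that password history is kept as salted PBKDF2 digests (the function names and the work factor are hypothetical).

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000              # assumption: work factor chosen for this example
RESERVED_USER_IDS = {"unassigned"}   # assumption: reserved ID is matched case-insensitively


def user_id_problems(user_id):
    """Return the user ID rules a proposed ID breaks (empty list means acceptable)."""
    problems = []
    if not 1 <= len(user_id) <= 40:
        problems.append("must be 1 to 40 characters long")
    if not re.fullmatch(r"[A-Za-z0-9_]*", user_id):
        problems.append("can contain only letters, numbers, and underscores")
    if re.match(r"[0-9]", user_id):
        problems.append("cannot start with a number")
    if user_id.lower() in RESERVED_USER_IDS:
        problems.append("is a reserved user ID")
    return problems


def make_record(password, salt=None):
    """Turn a password into (salt, digest) so the history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_record(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(make_record(password, salt)[1], digest)


def password_problems(password, history=()):
    """Return the password rules broken; history is a sequence of records, oldest first."""
    problems = []
    if len(password) < 8:
        problems.append("must be at least 8 characters long")
    if len(password) > 40:
        problems.append("must be at most 40 characters long")
    if not re.search(r"[a-z]", password):
        problems.append("must contain a lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("must contain an upper-case letter")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("must contain a number or special character")
    # Only the four most recent records count toward the reuse rule.
    if any(matches_record(password, record) for record in list(history)[-4:]):
        problems.append("must not match any of the previous 4 passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    past = [make_record(p) for p in ("Alpha#111", "Bravo#222", "Charlie#333",
                                     "Delta#444", "Echo#5555")]
    for candidate in ("jsmith_01", "1admin", "Unassigned"):
        print(candidate, user_id_problems(candidate))
    for candidate in ("Summer2013", "alllowercase", "Bravo#222"):
        print(candidate, password_problems(candidate, past))
```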

Change a User
Any user details, including user ID, password, and user role, can be changed, and locked user accounts can be unlocked.

To change a user

1 In the System Users area (Figure 34 on page 26), click the Name of the user to change.

The detail page for the selected user opens.

Figure 40 Viewing User Details

2 Click Edit.

The Name and Address page opens and the user information is displayed. Once on this page, it is possible to click the name of another user in the navigation pane.

Figure 41 Editing Contact Details

3 Use the Prev and Next buttons to move through the pages. As with adding a new user, the navigation pane provides access to all pages.

4 When you are finished changing user details, click Next until the Confirmation page opens.

5 Click Confirm.

Delete a User
When a system user is deleted, the person is not deleted as a company contact.

To delete a user

1 In the System Users area (Figure 34 on page 26), click the Name of the user you want to delete.

The detail page for the selected user opens (Figure 40 on page 33).

2 Click Delete.

A confirmation prompt is displayed.

Figure 42 Deleting a User

3 Click Confirm.

The user is deleted and you return to the Client Detail page (page 22).

Enable a User
There are two ways that a Frontline user can become disabled:

A user is allowed three attempts to log in to Frontline. If the third consecutive attempt is unsuccessful, the user's access is automatically disabled and the user's account must be unlocked.
The Client Supervisor disabled the user through the Contact wizard and the user must be re-enabled via the wizard. See Change a User on page 32.

A red X next to the user's name in the System Users area indicates a disabled user. A gray lock icon indicates that the user has been locked out as the result of a password rule violation. To re-enable access to Frontline, contact your Client Supervisor or your VAR or DDI Client Support.

Figure 43 Viewing a User's Status

To reset a user's password

1 On the user's detail page (Figure 40 on page 33), click Reset Password.

The Update Password page opens.

Figure 44 Resetting a User's Password

2 Enter and confirm the new password and click Update.

To unlock a user's account without resetting the password

A lock in the Status column of the System Users section of the Client Detail screen indicates that a user has been locked out due to more than three failed login attempts.

Figure 45 Viewing a List of Users with Locked and Unlocked Account Statuses

1 Click on the user with a locked account.

2 On the user's detail page, click the Unlock button. This button is only visible if the account has been locked.

Figure 46 Viewing the Details of a User with a Locked Account

3 The system unlocks the account and, once the update is completed, the Client Detail screen is displayed with a listing of all contacts. The specific user is now designated with a green check mark indicating he or she is no longer locked out.

View a List of Active Sessions


Use this feature to view a list of active sessions for users logged in to Frontline.

To view a list of active sessions

1 Choose Administer | Active Sessions from the menu bar.

The Active Sessions page opens. To sort the list, click any heading.

Figure 47 Viewing a List of Active Users

Table 4 describes the columns on this page.

Table 4 Active Sessions

Heading          Meaning
User ID          System user's login ID and access privileges
Client ID        System user's client ID
Idle             Number of minutes with no user activity
Client Address   IP address of the user's workstation or the address of the network appliance used to translate true client IP addresses
Login Time       Date and time the system user logged in to Frontline for the current session

Network Profile

A network profile specifies the IP address ranges (or boundaries) for your network, including any addresses that should be excluded from scheduled vulnerability assessments. A profile can encompass the entire network or it can be partitioned into multiple profiles. There are two types of network profiles:

Internal Network Profile: Defines all internal-facing assets such as workstations, Intranet servers, printers, etc. Internal networks require one or more RNA devices attached to and configured for your network.
External Network Profile: Defines all external-facing assets such as routers, firewalls, web servers, and e-mail servers. External networks do not require any RNA devices attached to your network.

Your network profiles were established when you purchased Frontline. To make changes, contact your VAR or DDI Client Support. To facilitate assessment scheduling for a common IP address range, create a network alias. See Add a Network Alias on page 39.

To view a list of network profiles

On the Client Detail page, scroll to the Networks area.

A list of network profiles is displayed. A name in the RNA column indicates that an RNA has been associated with the network. A check mark in the Online column indicates that the RNA is online; a red X indicates that the RNA is offline.

Figure 48 Viewing a List of Networks

To view network profile details

Click the Name of the profile.

Port Management

The DDI RNA executes two stages in order to discover vulnerabilities on devices. The first stage is the Host Discovery stage. The second is the Vulnerability Assessment phase, in which a more comprehensive test is performed against a default number of approximately 12000 ports. The Client Supervisor has the ability to provision TCP port exclusion in the Host Discovery phase and both inclusion and/or exclusion in the Vulnerability Assessment phase.

A port exclusion will prevent all automated tests from running examinations against certain ports on your network. Port exclusions are used to protect equipment that is not robust enough to withstand vulnerability testing. With a port exclusion, you can identify a port that is being used by unstable software and exclude it from testing. This technique, while not recommended for wide use, will allow you to test healthy nodes without causing network issues due to problematic software. Port exclusions apply across your network; you will not need to add the exclusion on a node-by-node basis.

Figure 49 Viewing Port Exclusions

A port inclusion is used to specify additional ports to be scanned during the Vulnerability Assessment phase. If a device is not discovered during the Host Discovery phase, then it will not be examined during the more comprehensive Vulnerability Assessment phase. If the Client Supervisor is aware of a device that they would like assessed during the second phase, they can include it so that the vulnerabilities associated with that device will be revealed. If you have any active port exclusions on your network, they will be displayed under My Account on the Administer menu.

To manage a list of ports within a network profile

Follow the previous steps to view a network profile.
Click the Edit Network Configuration button.
Choose the Scan Speed (the default speed is Moderate) and click the next button.
Enter the HD (Host Discovery) port you would like to include and click the next button.
Enter the VA (Vulnerability Assessment) port you would like to include and click the next button.
If necessary, enter an additional VA port you would like to include and click the next button. If there are no additional ports, just click next.
Enter a range for the VA (Vulnerability Assessment) ports you would like to exclude and click the next button.
Verify the information and click the Confirm button.

Network Alias

A network alias helps facilitate assessment scheduling by defining and naming a specific IP address or range of addresses. If the same unique IP addresses, subnets, or branches are tested frequently, consider creating a network alias.

To view a list of network aliases

On the Client Detail page, scroll to the Network Aliases area.

A list of aliases is displayed.

Figure 50 Viewing a List of Network Aliases

To view or change alias details

Click the alias Name.

To view parent network details

Click the name of the Parent Network.

Add a Network Alias


When creating a network alias, you specify a range of IP addresses and can exclude particular addresses from that range.

To add a network alias

1 In the Network Aliases area, click Add Network Alias.

The Alias page opens.

Figure 51 Naming a Network Alias

2 Enter a name for the alias (maximum 30 characters), for example, Printers, All Workstations, Main Street Branch, etc., and click Next.

The Select Network page opens and displays all available parent networks.

Figure 52 Selecting an Alias Network

3 Select a network and click Next.

The Enter Included Range page opens.

Figure 53 Including Alias IP Addresses

4 Select the entire network range, or specify the range of IP addresses for this alias and click Next.

Valid formats are as follows:

Range: Enter the beginning and ending IP addresses separated by a hyphen, for example, 111.222.10.1-111.222.10.20.
Abbreviated Range: Enter the full beginning IP address and the last digits of the final range separated by a hyphen, for example, 111.222.10.1-20.
Classless Inter-Domain Routing (CIDR): Enter the full beginning IP address and the last digits of the final range separated by a slash, for example, 111.222.10.1/20. A CIDR address includes the standard 32-bit IP address as well as information on the number of bits used for the network prefix. For example, in the CIDR address 111.222.10.1/20, the /20 indicates that the first 20 net bits are used to identify the unique network, leaving the remaining bits to identify the specific host.
Single: Enter a single IP address, for example, 111.222.10.25. When you specify a single IP address, the system automatically expands it to a range format with the same beginning and ending address.
Comma-separated List: Enter ranges or single IP addresses separated by commas, for example, 111.222.10.1-111.222.10.20, 111.222.10.25, 111.222.10.45-50.

The range is added and the Enter Included Range page opens again.

5 Enter another range of IP addresses or click Next to proceed.

The Enter Excluded Range page opens.

Figure 54 Excluding Alias IP Addresses

6 Enter the range of excluded IP addresses within the inclusion range and click Next, or click Next to skip the exclusion range.

The range is added and the Enter Excluded Range page opens again.

7 Enter another excluded range, or click Next to proceed.

The Alias Confirmation page opens.

Figure 55 Confirming Network Alias Details

8 Click Confirm.

The alias is displayed in the left side navigation pane. If there were problems saving and validating the alias, a relevant message is displayed instead.
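
The accepted range formats and the exclusion step of this procedure, worked through as an added Python example (it is not Frontline's own code, and the function names are hypothetical). It assumes a CIDR entry stands for the whole network that contains the given address, and that an abbreviated range replaces only the last octet of the beginning address.

```python
import ipaddress


def parse_entry(entry):
    """Parse one entry into an inclusive (first, last) pair of integers."""
    entry = entry.strip()
    if "/" in entry:
        # CIDR. Assumption: the entry stands for every address in the
        # network that contains the given address (host bits are ignored).
        net = ipaddress.IPv4Network(entry, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in entry:
        left, right = (part.strip() for part in entry.split("-", 1))
        first = ipaddress.IPv4Address(left)
        if "." not in right:
            # Abbreviated range: only the last octet of the end is given.
            right = left.rsplit(".", 1)[0] + "." + right
        last = ipaddress.IPv4Address(right)
        if last < first:
            raise ValueError(f"range ends before it starts: {entry!r}")
        return int(first), int(last)
    # Single address: expanded to a range with identical start and end.
    addr = int(ipaddress.IPv4Address(entry))
    return addr, addr


def parse_list(text):
    """Parse a comma-separated list and merge it into sorted, disjoint ranges."""
    ranges = sorted(parse_entry(e) for e in text.split(",") if e.strip())
    merged = []
    for first, last in ranges:
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def subtract(included, excluded):
    """Remove excluded ranges; each must lie inside one included range."""
    result = list(included)
    for ex_first, ex_last in excluded:
        if not any(f <= ex_first and ex_last <= l for f, l in included):
            raise ValueError("exclusion is outside the inclusion range")
        kept = []
        for first, last in result:
            if ex_last < first or ex_first > last:
                kept.append((first, last))      # untouched by this exclusion
                continue
            if first < ex_first:
                kept.append((first, ex_first - 1))  # part before the hole
            if ex_last < last:
                kept.append((ex_last + 1, last))    # part after the hole
        result = kept
    return result


def effective_alias(included_text, excluded_text=""):
    """Return the addresses an alias would cover as (first, last) strings."""
    ranges = subtract(parse_list(included_text), parse_list(excluded_text))
    return [(str(ipaddress.IPv4Address(f)), str(ipaddress.IPv4Address(l)))
            for f, l in ranges]


if __name__ == "__main__":
    # Constructed input built from the guide's own format examples.
    included = "111.222.10.1-111.222.10.20, 111.222.10.25, 111.222.10.45-50"
    for first, last in effective_alias(included, "111.222.10.5-10"):
        print(first, "-", last)
```

Under the CIDR assumption above, 111.222.10.1/20 expands to 111.222.0.0 through 111.222.15.255, which is far wider than the similar-looking abbreviated range 111.222.10.1-20, so it is worth confirming the expanded range on the Alias Confirmation page before saving.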

Change a Network Alias


The network can be changed, as well as included and excluded IP ranges, but it is not possible to change an alias name.

To change a network alias

1 In the Network Aliases area, click the Name of the alias to change.

The alias details are displayed.


Figure 56 Changing an Alias

2 Click Edit.
3 Follow the wizard to make changes.

Vulnerability Assessment Templates

A vulnerability assessment template defines the IP addresses that are scanned on your network during a vulnerability scan or penetration test.

NOTE Creating and scheduling vulnerability assessment templates are discussed in detail in the Assessments chapter of this guide (Chapter 4).

To view vulnerability assessment templates

1 Choose Administer | My Account from the menu bar and then scroll to the Assessment Templates area (Figure 57 on page 42).

A list of assessment templates is displayed. To change the number of templates displayed on a single page, enter the number (minimum 5, maximum 100) in the box in the lower right of the list and click Reload.
Figure 57 Viewing a List of Vulnerability Assessment Templates

To view the details, click the Name of the assessment.

4 SERVICES AND MANAGEMENT TOOLS

In this chapter:

What | Roles | Page
Assessment Services | Supervisor, Administrator, Executive | page 44
Services and Contract Types | Supervisor, Administrator, Executive | page 45
Vulnerability Assessment Templates | Supervisor | page 45
Host Discovery Assessments | Supervisor | page 46
Vulnerability Assessments | Supervisor | page 47
Schedule a Vulnerability Assessment | Supervisor | page 47
Interrupt a Vulnerability Assessment | Supervisor, Administrator, Executive | page 53
View a Scheduled Vulnerability Assessment | Supervisor | page 59
Reassess a Vulnerability Assessment | Financial Executive | page 65
Delete a Vulnerability Assessment | Supervisor, Administrator, Executive | page 68
Reconcile a Vulnerability Assessment | Supervisor, Administrator, Executive | page 69
Automatic Reconciliation Feature | Supervisor, Administrator, Executive | page 70
Heuristic Vulnerabilities | Supervisor, Administrator | page 76
SCAP Compliant Unauthenticated Scanning | Supervisor | page 89
Per CVC Scanning | Supervisor, Administrator | page 93
Authenticated Scanning | Supervisor | page 95
Authenticated Scanning Process | Supervisor, Administrator, Executive | page 95
Enabling Authenticated Scanning | Supervisor, Administrator, Executive | page 95
Credential Aliases | Supervisor, Administrator, Executive | page 95
Client Detail Page | Supervisor, Administrator, Executive | page 96
Host Detail Page | Supervisor | page 97
Start Authenticated Scan | Supervisor, Administrator, Executive | page 97
Service Results Page | Supervisor | page 98

Assessment Services

A list of assessment and penetration test services available for scheduling can now be viewed.

To view a list of assessment services

On the Client Detail page, scroll to the Services area.

A list of services is displayed with contract dates.

To view service details

Click the Detail link to view a specific service.

Figure 58 Viewing a List of Current Services

Services and Contract Types

The following Assessment Services table describes the eight types of available services.

Table 5 Assessment Services

Service | Description
Internal Vulnerability Assessment (IVA) | This service determines the extent to which your network is vulnerable to an internal attack. IVAs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Vulnerability Assessment (EVA) | This service determines the extent to which your network is vulnerable to an external attack. EVAs originate from DDI's Secure Network Operations Center (SNOC).
Internal Penetration Test (IPT) | With this service, DDI security experts interrogate and exploit your internal network. Before an Analyst performs an IPT, an IVA is run on your network. Contact your VAR or DDI Client Support to schedule an IPT.
External Penetration Test (EPT) | With this service, DDI security experts interrogate and exploit your external network. Before an Analyst performs an EPT, an EVA is run on your network. Contact your VAR or DDI Client Support to schedule an EPT.
Internal Host Discovery (IHD) | This service determines the number of hosts that are visible to the internal organization. IHDs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Host Discovery (EHD) | This service determines the number of hosts that are visible external to the organization. EHDs originate from DDI's Secure Network Operations Center (SNOC).
Internal Host Discovery with Ports (IHDP) | This service determines the number of hosts along with ports that are visible internal to the organization. IHDPs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Host Discovery with Ports (EHDP) | This service determines the number of hosts along with ports that are visible external to the organization. EHDPs originate from DDI's Secure Network Operations Center (SNOC).

An assessment can be scheduled according to the type of service contract purchased. A list of current services is displayed in the Services area of the Client Detail page.

Table 6 Contract Types

Type | Description
Evergreen | Expires upon contract cancellation. If your contract includes vulnerability assessment services, you can schedule assessments as long as you have a valid contract with DDI or your VAR.
One-time | Expires as soon as it is used. If your contract includes vulnerability assessment services, you can schedule only one assessment on your network.
Date Limited | Expires after a pre-determined length of time. If your contract includes vulnerability assessment services, you can schedule assessments during the valid time frame.

Vulnerability Assessments

Internal vulnerability assessments (IVAs) and internal penetration tests (IPTs) are performed with a Reconnaissance Network Appliance (RNA) installed on your network. The RNA provides a secure communication and management channel between your network and the other nodes of the NSAS-100 that reside at DDI's Secure Network Operations Center (SNOC).

The RNA enables NSAS-100 system operators to initiate vulnerability scans, perform penetration testing, and execute security assessments as needed. The RNA, located behind your network firewall, connects to the SNOC-based NSAS-100 nodes through a secure tunnel and provides a means of transmitting security testing results and findings.

In carrying out vulnerability assessments, the SNOC-based NSAS-100 nodes generate an encrypted and authenticated request and pass it to the RNA. The request is a pre-formatted data structure that contains the range of IP addresses to test, contract information, etc. The data structure is merged into an encrypted secure container and digitally signed for a unique RNA. DDI employs a bidirectional digital signature for authentication and repudiation. The signature verifies that it is generated by the NSAS-100, and in the process, the NSAS-100 verifies that only a specific RNA can execute the request. The RNA runs the assessment and then encrypts and passes the data back via the secure data connection to the SNOC-based NSAS-100 nodes.

Host Discovery Assessments


A host discovery assessment determines the number of visible devices. Therefore, visible devices are the only hosts available for vulnerability assessments. Host discovery assessments can be performed internally (on intranet-facing devices) or externally (on Internet-facing devices), similar to internal and external vulnerability assessments. The two internal host assessments originate from within your network using one or more of the Reconnaissance Network Appliances (RNAs) specified in your network profile. The two external host assessments originate from DDI's Secure Network Operations Center (SNOC).

The basic Internal Host Discovery is termed IHD and the basic External Host Discovery is termed EHD. Each of these services can also be performed with port and operating system (OS) information included. An Internal Host Discovery with Port and OS is termed IHDP and an External Host Discovery with Port and OS is termed EHDP.

The reports generated from host discovery assessments are similar to those generated by a vulnerability assessment (page 99). For each visible device the report will provide the IP information. However, in order to optimize the speed of the assessment, host name information is not derived. In the cases of IHDP and EHDP assessments, port information is provided (in addition to the IP information).

To schedule an internal or external host discovery assessment

The steps performed for scheduling a host discovery assessment are the same as those used to schedule a vulnerability assessment (page 47) and originate from the same menu.

Vulnerability Assessment Templates


Vulnerability assessment templates define the IP addresses to be scanned on your network during a vulnerability scan or penetration test. Once an assessment template has been created, scheduling future assessments is a simple matter of changing the IP address range, date and time.

Schedule a Vulnerability Assessment


To schedule an internal or external vulnerability assessment scan through the Frontline interface, create a vulnerability assessment template and schedule the scan at the same time. For each assessment scan, specify:

Whether to scan internal or external IP addresses as defined in your network profile
The target IP addresses or aliases to scan
The date and time to start the scan and recurrence details

NOTE The examples in this procedure describe how to add an IVA template; an EVA template is created in the same manner. In addition, IHD, IHDP, EHD and EHDP templates are all created in the same manner.

Add a Vulnerability Assessment Template


A vulnerability assessment template defines the IP addresses that are scanned on your network during a vulnerability scan or penetration test. After creating a template, it can be reused to schedule additional assessments by changing the IP address or date and time.

To add a vulnerability assessment template

1 Choose Start | Vulnerability Assessment | Internal (IVA) or External (EVA) from the menu bar. Alternatively, open the Client Detail page and click New IVA or New EVA in the Assessment Templates area.

The Start Internal (or External) Vulnerability Assessment Page opens and the Dynamic Assessment Templates are displayed. These are templates previously created and can be changed or deleted.

Figure 59 Adding a Vulnerability Assessment Template

In the business card, click New Assessment. The Name page opens and a default name is displayed. The default name is a combination of assessment type, year, date, and time.

Figure 60 Naming a Vulnerability Assessment

Enter a name for the assessment (maximum 60 characters) and then click Next. This name shows up in all lists, including the Calendar View, the Service Results View, and the Vulnerability Assessment Templates list, so be sure to choose a name that is meaningful, for example, Printers IVA or Daily EVA.

The IP Addresses page opens and displays a list of IP address ranges and aliases. The time displayed at the top of the list is in your time zone.

NOTE Password Auditing: This option defaults to Light, the level typically used for known defaults and easily guessable passwords. When you set this item to None, there will be no password guessing during the vulnerability assessment. A third option, Full, is also available. This option is similar to an attacker's approach with extensive password guessing. All of the sub-assessments will inherit the password auditing option from their parent assessment.

Figure 61 Selecting IP Addresses to Assess

Select the IP addresses to scan (or specify a range in the last box and click Add). The entire network range is always listed first. You cannot specify overlapping IP address ranges. For example, you cannot choose both the entire network range and an alias within that range. You can specify multiple aliases or ranges if they do not overlap. The Select All IPs checkbox when selected will check/un-check all IPs listed in the associated sub-assessment. It will not check/un-check aliases listed.

Click Next. The Start Times page opens.

Figure 62 Scheduling a Vulnerability Assessment

Do one of the following and click Next:

To schedule the scans individually, specify the date and time for each range.
To specify the same time for all ranges, enter the date and time in the reset all times boxes and click Reset All Times.
To schedule the scans to run sequentially, choose the Start immediately after previous network option. Choose this option if running simultaneous scans would diminish your network's performance.

NOTE Scan Now: This feature updates all dates and times to your current date and time. When you use this feature, the start times for the assessments are updated so that the scans will be set to run simultaneously for all IP address ranges and aliases in the vulnerability assessment you are scheduling. However, all sub-assessments set to Start Immediately after previous network will remain as such. They will not be changed to run at the new date and time.

The Recurrence page opens.

Figure 63 Scheduling a Recurrence

Select one of the following options and click Next:

One Time: Schedules a scan to run only once. For One Time assessments, the Save Template check box is displayed. Select this check box to save the current assessment as a template that can be rescheduled. If you do not save the assessment as a template, it is deleted when the assessment begins to run.
Every <time> from the day selected: Schedules a recurring scan when the assessment interval is a fixed number of days, weeks, or months. The assessment is scheduled according to the date you selected on the previous page, for example, Every 3 months from the 14th of the month.
Every month from the weekday selected: Schedules a recurring scan when the assessment interval is a fixed day of the month. The assessment is scheduled according to the day of the month selected on the previous page. For example, every 3 months from the second Sunday of the month.

For recurring assessments, only the current or upcoming assessment is shown in the Calendar View or the Service Results View. When all sub-assessments have been completed for the current assessment, the next scheduled instance is shown.

The Confirmation page opens.

Figure 64 Confirming a Vulnerability Assessment

Review the information and click Confirm. To change schedule details, click Prev or use the navigation pane to return to a previous page.

The scan is now scheduled.

Change or Reschedule a Vulnerability Assessment


If an assessment was saved as a template, it can be rescheduled or the template can be changed instead of creating a new assessment.

To change a template

1 Choose Start | Vulnerability Assessment | Internal (IVA) or External (EVA) from the menu bar. The Start Internal (or External) Vulnerability Assessment Page opens (Figure 59 on page 47).
2 Click the Name of the assessment to change.

Figure 65 Changing a Vulnerability Assessment Template

3 Click Edit. The first page of the wizard is displayed (Figure 60 on page 48).
4 Step through the wizard and change the details of the assessment as desired.

Or

1 Choose Administer | My Account from the menu bar. The Client Details page opens.

Figure 66 Viewing Client Details

2 Scroll to the Assessment Templates area at the bottom of the page. A list of templates is displayed.

Figure 67 Viewing a List of Assessment Templates

3 Click the Name of the template to change. The Assessment Templates page opens (Figure 65 on page 51).
4 Click Edit. The first page of the wizard is displayed (Figure 60 on page 48).
5 Step through the wizard and change the details of the assessment as desired.

Delete a Vulnerability Assessment Template


Vulnerability assessment templates no longer in use should be periodically purged.
NOTE Attempting to delete a vulnerability assessment template for an assessment that is running does not stop the assessment; however, it can be interrupted. See Interrupt a Vulnerability Assessment on page 53.

Choose Administer | My Account from the menu bar. The Client Details page opens.

Figure 68 Viewing Client Details

Scroll to the Assessment Templates area at the bottom of the page. A list of templates is displayed.

Figure 69 Viewing a List of Assessment Templates

Click the Name of the template to delete.

The Assessment Templates page opens.

Figure 70 Deleting a Recurring Assessment Template

Click Delete. A confirmation prompt is displayed.

Figure 71 Confirming a Deletion

Click Confirm.

Interrupt a Vulnerability Assessment


Any sub-assessment with a status of Running, Submitted or Paused can be interrupted. Any results generated by the system are discarded. To interrupt an entire assessment, each sub-assessment must be interrupted individually.

To interrupt a vulnerability assessment

1 In the Calendar View or Service Results View, click the Name of the assessment. A list of sub-assessments is displayed.

Figure 72 Viewing a List of Sub-assessments

2 Click the IP Range of the sub-assessment you want to interrupt. An interrupt page opens.

Figure 73 Interrupt the Vulnerability Sub-Assessment

3 Click Interrupt Scan. The sub-assessment stops and a scan details page is displayed.

Figure 74 Scan Details

To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane.

The list of sub-assessments and their current status is displayed.

Figure 75 Viewing the Interrupted Status

Pause a Vulnerability Assessment


Any sub-assessment with a status of Running can be paused. To pause an entire assessment, each sub-assessment must be paused individually unless it is set to run after previous. Sub-assessments set to run after previous will automatically be paused when the previous scheduled sub-assessment is paused.

NOTE The Scan Pause option is not available for a Submitted sub-assessment, only a Running one.

To pause a vulnerability assessment

1 In the Calendar View or Service Results View, click the Name of the assessment. A list of sub-assessments is displayed.

Figure 76 Viewing a List of Sub-assessments

2 Click the IP Range of the sub-assessment you want to pause. A new page displays with the Interrupt Scan and Pause Scan buttons.

Figure 77 Pause the Vulnerability Sub-Assessment

3 Click Pause Scan. The sub-assessment stops and a scan details page is displayed.

Figure 78 Scan Details

To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane.

The list of sub-assessments and their current status is displayed.

Figure 79 Viewing the Paused Status

Resume a Paused Vulnerability Assessment


Any sub-assessment with a status of Paused can be resumed or interrupted. Sub-assessments set to run after previous will automatically be resumed when the previous scheduled sub-assessment is resumed.

To resume a vulnerability assessment

1 In the Calendar View or Service Results View, click the Name of the assessment. A list of sub-assessments is displayed.

Figure 80 Viewing a Paused Sub-assessment

2 Click the IP Range of the paused sub-assessment you want to resume. A new page displays with the Interrupt Scan and Resume Scan buttons.

Figure 81 Resume the Paused Vulnerability Sub-Assessment

3 Click Resume Scan. The sub-assessment starts and a scan details page is displayed.

Figure 82 Scan Details

To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane. The list of sub-assessments and their current status is displayed and the sub-assessment will go from Paused to Resuming and then back to Running.

NOTE If the RNA was updated while the sub-assessment was in the Paused state, the assessment scan will start over from the beginning instead of picking up where it left off. This is to ensure result accuracy with the latest vulnerability release.

View a Scheduled Vulnerability Assessment


The current status of a vulnerability assessment can be viewed in the Calendar View or Service Results View. Table 7 describes the possible statuses of a vulnerability assessment as shown in the Completed column. Two status fields are maintained for each assessment: an overall assessment status and a status for each sub-assessment. It is possible for the overall assessment to have a status of Running while a sub-assessment is still in a Submitted status. It is possible to drill down into an assessment or sub-assessment after the assessment status is in the Running status.

Table 7 Vulnerability Assessment Statuses

Status | Meaning
Submitted | The assessment is scheduled to run, but has no completion date.
Running | The assessment is currently running and can be interrupted or paused.
Running Rescan | A reassessment is currently running and can be interrupted or paused.
Ready for Validation | The assessment is under review by DDI. This status is skipped if you initiate the assessment or if DDI has elected to bypass scan validation.
Ready for Reconcile (Date) | The date and time the assessment finished running. An exclamation point in the Reconciled column indicates that the assessment is ready to be reconciled to the Active View.
Interrupted | The assessment has been interrupted.
Error | The assessment is in an error state and has stopped running. There are four possible causes for an error: A fault occurred during transmission. There was a time-out due to the RNA being offline. The file containing the vulnerability assessment data was corrupted. A component failed or was placed in a maintenance state during the assessment scan, for example, the RNA was power-cycled.

Calendar View
The Calendar View provides a quick overview of the status of any assessment for the selected month.

To view the calendar

Choose Assessments | Calendar from the menu bar.

The Calendar page opens and displays the current day. Use the navigation pane to select the month and year as well as whether to view vulnerability assessments for a single day, week, or month. Dates that include data are displayed in bold text on the calendar. In the week or month view, click a date on the calendar to jump to that day.

Figure 83 Using the Calendar View

To view the details of a service result, click the Name.


NOTE When selecting an assessment that is in the Submitted status, the Assessment Template page opens and the assessment can be changed. See Change or Reschedule a Vulnerability Assessment on page 50.

Service Results View


This page provides a quick overview of the status of any active vulnerability assessment, such as those submitted, running, or recently completed. If an assessment has been reconciled, it will still be displayed in the Service Results View as well. To view reconciled assessments, use the Calendar View (page 59).

To view the service results

1 Choose Assessments | Results from the menu bar. The Service Results page opens and displays all active assessments.

Figure 84 Using the Service Results View

2 To view the details of a service result, click the Name. A list of sub-assessments and their current status is displayed.

NOTE When selecting an assessment that is in the Submitted status, the Assessment Template page opens and the assessment can be changed. See Change or Reschedule a Vulnerability Assessment on page 50.

Figure 85 Viewing the Service Results

Drill Down to Host Details


It is possible to drill down through an assessment to view information on sub-assessments, the Assessment Results Summary, and the un-assessed host impact.

To drill down to host details

1 In the Calendar View or Service Results View, click the Name of the assessment. The Service Results page opens and displays a list of sub-assessments and the Assessment Results Summary.

NOTE When selecting an assessment that is in the Submitted status, the Assessment Template page opens and the assessment can be changed. See Change or Reschedule a Vulnerability Assessment on page 50.

Figure 86 Viewing Sub-assessments

In the Sub-assessment area, click an IP Range. Detected host and vulnerability details are displayed.

Figure 87 Viewing a List of Detected Hosts

In the Hosts area, click a Host Name. The Host page opens and displays a list of services, websites, and vulnerabilities detected on a particular host. It is also possible to add comments about the host on this page.

Figure 88 Viewing a List of Services and Vulnerabilities

Optional: To add a comment about the host, scroll to the bottom of the page.

NOTE All comments are saved with the host and are also included in the detailed report from this assessment. To associate a comment with a host over time, use the Active View. Comments will not appear in the Executive Summary Report.

The Client Host Notes area is displayed.

Figure 89 Entering Host Notes

Enter the text of your note and click Add Note. To edit a note, select it, change the text, and click Update Note. To delete a note, select it and click Delete Note.

NOTE To view vulnerability details, click the vulnerability name in the Vulnerabilities area.

6 Displays the websites detected on the selected assessment host.

Figure 90 Viewing vulnerability details

Click a Vulnerability Name. The Service Detection page opens and displays details about the vulnerability. Comments about the vulnerability can be added on this page. Comments about vulnerabilities (Vulnerability Notes) are saved with the vulnerability and are also included in assessment reports.

Figure 91 Viewing Vulnerability Details

8 Optional: To update the binary encoding method, select it from the list and click Update Encoding Method.

NOTE The binary encoding method determines how non-printable characters in vulnerability test data are displayed on the page.

Reassess a Vulnerability Assessment


It is possible to reassess any vulnerability assessment that has been initiated and required no analyst review (validation was bypassed). It is also possible to reassess any sub-assessment that has a Ready for Reconcile status or that has been interrupted. To reassess a reconciled assessment, it is necessary to undo the reconcile (see Undo a Reconciled Assessment on page 74).

To reassess a vulnerability assessment

1 In the Calendar View or Service Results View, click the Name of the assessment. The Service Results page opens.

Figure 92 Selecting Assessment

2 In the Sub-assessments area, click the IP Range to reassess.

Figure 93 Select Sub-assessment IP range

A reassess page opens.

Figure 94 Scheduling a Reassessment

3 Click Reassess. The Reason page opens where a reason for the reassessment is required. This information is required for reporting purposes.

Figure 95 Entering a Reason for the Reassessment

4 Enter a reason for the reassessment and click Next. The IP Addresses page opens.

Figure 96 Specifying an IP Address

Enter a different IP address range if desired, and click Next.

NOTE The IP address ranges or aliases must fall within the original assessment ranges for reassessments.

The Start Times page opens (Figure 97 on page 67).

Figure 97 Scheduling a Reassessment

Enter the times and click Next. The Confirmation page opens.

Figure 98 Confirming a Reassessment

Click Confirm.

Delete a Vulnerability Assessment or Host Discovery Scan


The ability to delete a Vulnerability Assessment is helpful in instances where an assessment has terminated with an error condition or if an assessment does not contain any hosts. The following conditions are necessary for an assessment to be available for deletion:

The logged in user is a DDI Supervisor, Client Supervisor or DDI user.
The assessment must not be reconciled (if it has been reconciled, the Undo Reconcile button must be clicked before the assessment can be deleted).
The assessment cannot be a Penetration Test-type service.

In addition to Vulnerability Assessments, Internal and External Host Discoveries or Internal and External Host Discoveries with Ports can also be deleted.

To Delete a Vulnerability Assessment

1 In the Calendar View or Service Results View, click the Name of the assessment (Figure 83 on page 60) to delete. The Service Results page opens.

Figure 99

2 In the business card, click Delete Assessment.
3 Within the business card you will receive a confirmation message "Are you sure you want to delete this assessment?"

Figure 100

Click the Confirm button. The assessment is now deleted and completely removed from the system and you are returned to the calendar page.

Reconcile a Vulnerability Assessment


Reconciliation is a utility that enables management of the day-to-day churn that occurs on your network. Examples of churn include adding and removing hosts due to growth of your business, the obsolescence of a particular computing device, and hosts that are assigned dynamic IP addresses.

When reconciling a vulnerability assessment, the assessment results are placed into the Active View. The Active View is essentially a workspace in the system that enables management and maintenance of the detected hosts and vulnerabilities on your network. The term reconcile is used because new assessment results are compared and contrasted with results that have previously been placed in the Active View. Once in the Active View, detected hosts and vulnerabilities can be managed. Management capabilities include, but are not limited to, amending information about the host, assigning IT resources to resolve detected vulnerabilities, and tracking remediation progress.

Reconciliation enables you to maintain an accurate and comprehensive view of the hosts and vulnerabilities on your network. As additional assessments are scheduled and reconciled, a history of detected vulnerabilities is maintained. It is possible to subsequently generate Trending Reports based upon this historical data.

When reconciling, the system matches previously detected hosts from past assessments to hosts that have just been detected, but not yet processed. Certain situations require user intervention. For example, if a server is removed from your network, the scanner will not detect the machine; therefore, the vulnerabilities for that missing host, even if resolved, are still considered unresolved.

NOTE A scanner cannot distinguish between a machine that is simply offline and one that has been removed from the network.

As another example, if a host is upgraded with new software and a new network card with a new MAC address, host matching from a current assessment to past results is not automatically possible and the hosts must be matched manually. The data found in the assessments remains the same; only the data placed in the Active View is amended based upon the actions taken during the reconciliation process. The combination of reconciliation and ongoing assessments provides a clear, accurate picture of the current state of your computing network. Note that the portion of the Active View can help maintain data about such hardware changes.
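The matching behaviour described above can be modelled in a few lines. This is an added illustration, not Frontline code: the `Host` record, the bucket names, the rule of matching on IP address plus MAC address, and all sample hosts and finding names are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    mac: str
    vulns: set = field(default_factory=set)


def propose_matches(scanned, active_view):
    """Sort scan results into buckets (assumed model: match on IP plus MAC)."""
    by_ip = {h.ip: h for h in active_view}
    by_mac = {h.mac: h for h in active_view}
    plan = {"auto": [], "manual": [], "new": [], "not_detected": []}
    matched = set()  # IPs of Active View hosts that have a candidate match
    for s in scanned:
        same_ip = by_ip.get(s.ip)
        same_mac = by_mac.get(s.mac)
        if same_ip is not None and same_ip.mac == s.mac:
            plan["auto"].append((s, same_ip))
            matched.add(same_ip.ip)
        elif same_ip is not None or same_mac is not None:
            # Same IP but a different MAC (replaced network card), or a known
            # MAC at a different IP (dynamic addressing): a person must decide.
            candidate = same_ip if same_ip is not None else same_mac
            plan["manual"].append((s, candidate))
            matched.add(candidate.ip)
        else:
            plan["new"].append(s)
    # Hosts already in the Active View that this scan did not see at all.
    plan["not_detected"] = [h for h in active_view if h.ip not in matched]
    return plan


def apply_auto(plan):
    """Refresh findings for confirmed matches only.

    Hosts awaiting manual review and hosts that were not detected keep their
    previous findings: the scan cannot tell offline from removed, so nothing
    is closed on their behalf.
    """
    for s, known in plan["auto"]:
        known.vulns = set(s.vulns)
    return plan


def demo():
    # Constructed sample data.
    active = [
        Host("10.0.0.5", "aa:aa:aa:00:00:01", {"weak-tls", "default-snmp"}),
        Host("10.0.0.6", "aa:aa:aa:00:00:02", {"open-telnet"}),  # decommissioned
        Host("10.0.0.7", "aa:aa:aa:00:00:03", {"old-ssh"}),      # NIC replaced
        Host("10.0.0.8", "aa:aa:aa:00:00:04", {"anon-ftp"}),     # DHCP client
    ]
    scan = [
        Host("10.0.0.5", "aa:aa:aa:00:00:01", {"default-snmp"}),
        Host("10.0.0.7", "aa:aa:aa:00:00:99", set()),
        Host("10.0.0.31", "aa:aa:aa:00:00:04", {"anon-ftp"}),
        Host("10.0.0.20", "aa:aa:aa:00:00:44", {"weak-tls"}),
    ]
    return apply_auto(propose_matches(scan, active)), active


if __name__ == "__main__":
    plan, active = demo()
    for bucket, items in plan.items():
        print(bucket, len(items))
    for h in active:
        print(h.ip, sorted(h.vulns))
```

In the sample, the decommissioned host at 10.0.0.6 still carries its open finding after the run, which is the situation the guide says requires user intervention.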

Occasionally, a vulnerability assessment scan will detect a vulnerability that does not exist on the network. This can happen, for example, if timing parameters between the host machine and the RNA device are not in sync or a firewall configuration prevents the host from returning a data packet. When a DDI Analyst validates your assessment results, he or she can detect these false positives and remove them from your assessment results. This check ensures that only valid, verifiable vulnerabilities are presented for resolution.

If you have requested DDI to validate a vulnerability assessment, the assessment goes into a Ready for Validation status. After validation, the assessment moves to a Ready for Reconcile status, indicated by the date and time in the Completed column and an exclamation point in the Reconciled column. If you have not requested DDI to validate an assessment, the assessment bypasses the Ready for Validation status and moves directly to the Ready for Reconcile status. The number of hosts detected is also displayed. In the example in Figure 101 on page 70, the last assessment is ready to be reconciled. A check mark indicates that the assessment has been reconciled.

The Detailed Reports and Executive Reports are generated from data in the assessment view. The data in an assessment cannot be changed. A host or set of hosts can be reassessed, but the data from the first assessment is still contained in the reports. It is also possible to add notes to the data, which are included in the reports.
NOTE Any changes made to data in the Active View are not reflected in the Detailed Reports or Executive Reports. Changes made in the Active View regarding host visibility are not reflected in the assessment view or the reports.

Figure 101 Viewing a List of Current Vulnerability Assessments

Automatic Reconciliation Feature


The automatic reconciliation feature gives the system the ability to automatically reconcile completed assessments (post validation). Clients can configure themselves for automatic reconciliation. When configured for automatic reconciliation, completed assessments are automatically moved into an Autoreconcile Pending state (post validation). The system will periodically reconcile all assessments in this state within 24 hours of the assessment completion.

A client configured for automatic reconcile may un-reconcile assessments to handle them manually, or leave them unreconciled for a period of time. This feature will not automatically reconcile an unreconciled assessment. This feature respects reconcile locking. If a reconcile is in progress, this feature will not interfere. While auto-reconcile is running, manual reconcile is not possible until auto-reconcile is complete.

To reconcile a vulnerability assessment

1 In the Calendar View or Service Results View, click the Name of the assessment that is ready for reconcile. The Service Results page opens.

Figure 102 Reconciling a Vulnerability Assessment

In the business card, click Reconcile Now. The Auto Reconcile page opens (Figure 103 on page 72) and displays a list of hosts detected during the scan as well as details about each host such as operating system and host type. This page shows a list of the system-proposed matches for each host in the assessment to the Active View. The host list is split into two areas. The left side shows the hosts detected during the current assessment or penetration test. The Active View Host List on the right side shows the host information for the same IP address that has already been reconciled to your Active View. If a new host is detected during a scan, the option Add this host to the Active View is displayed instead of existing host details.

Figure 103 Reconciling Hosts

After comparing all four columns for each host, do one of the following and click Accept:
- If the system-proposed match is correct, select the check box.
- If the proposed match is not correct and you want to manually reconcile the host, clear the check box.

If any check boxes on the Automatic Reconciliation page are cleared, the Host-by-Host Reconciliation page opens (Figure 104 on page 73). On this page, it is possible to reconcile any mismatched hosts in the assessment to unmatched machines in the Active View. If check boxes were not cleared on the previous page, the Reconciled Hosts confirmation page opens instead (Figure 105 on page 73).

Figure 104 Reconciling a Mismatched Host

Do one of the following and click Accept:
- If the host is new, select the Add this Host to the Active View option. This option does not reconcile the assessment to an existing host. The host is treated as a new host with new assessment results.
- If the host no longer exists on your network because, for example, you decommissioned a server or a visiting laptop was connected to your network during the assessment scan, select the Ignore this Host option. Ignoring hosts because they are temporarily on your network, such as visiting contractors or devices under evaluation, is an option. Ignored results are not included in vulnerability report totals or considered in risk posture calculations, and will not be available in the Active View or to the Rating function.
- To reconcile the assessment to an existing host in your Active View, select that host. Existing hosts are sorted according to a system-assigned best match. The list of unmatched machines becomes shorter as they are reconciled to current assessments.

If check boxes are cleared for more than one host, the next host opens for manual reconciliation. The Completed column in the business card counts the number of reconciled hosts. When all hosts have been reconciled, a confirmation page opens.

Figure 105 Confirming a Reconciliation

In the business card, click Confirm All.

This returns you to the Service Results page, where a check mark is displayed in the Reconciled column.

Undo a Reconciled Host


If a mistake is made during reconciliation, use this procedure to correct the error.

To undo a reconciled host

1 In the navigation pane, click Undo Host. An undo page opens and lists all of the reconciled hosts for the current assessment.

Figure 106 Undoing a Reconciled Host

Click the check box of each reconciled host to undo and click Undo. The Host-by-Host Reconciliation page opens (Figure 104 on page 73) and the hosts can be manually reconciled (see step 4 on page 73).

Undo a Reconciled Assessment


When undoing a reconciled assessment, any changes made to the hosts are discarded, including any notes added.

To undo a reconciled assessment

On the Reconcile page (Figure 103 on page 72), click Undo Reconcile in the navigation pane.


Heuristic Vulnerability Feature

The Artificial Intelligence engine infers the presence of heuristic vulnerabilities in real time for the EVA, EPT, IVA (with or without authenticated scans) and IPT using rules dependent upon detected host applications. The system assigns heuristic vulnerabilities to probability levels from the lowest (level 1) to the highest (level 5).

NOTE Explicit vulnerability tests for specific vulnerabilities will not show up within the heuristic sections of the Frontline interface.

Assessment View Host Detail page


Within the host assessment view, heuristic vulnerabilities are determined at the time the assessment host is accessed. The Assessment View Host Detail page contains new Heuristic Vulnerabilities and Applications panes (Figure 107 on page 76). These panes can be expanded and collapsed by clicking on the + and - symbols located at the right end of the Heuristic Vulnerabilities pane.

Figure 107 Assessment Host Detail Page - Heuristic Vulnerabilities and Applications panes

Assessment View Heuristic Vulnerabilities Pane


The Heuristic Vulnerabilities pane displays host-specific vulnerability names along with their risk levels.

To sort by vulnerability name or risk level

1 Click on the column headings.

By default, the heuristic vulnerabilities list contains only level 5 high probability vulnerabilities. Use the Heuristic Probability drop down box in the bottom part of the pane to adjust the probability setting. For example, if level 3 is set, all heuristic vulnerabilities for probability levels 3, 4 and 5 are displayed.

To display all heuristic vulnerabilities

1 Set the Heuristic Probability setting to level 1 low probability.

To query a customized list of heuristic vulnerabilities

1 Select an application from the application drop down box.
2 Select a Heuristic Probability level.
3 Select a vulnerability risk level.

To filter by application

1 Use the Application drop down box to select the application.
2 Set the Heuristic Probability level.
3 Set the Risk level.
4 Click Search.

To filter by probability

1 Use the Heuristic Probability drop down box in the Heuristic Vulnerabilities pane to filter vulnerabilities based on the probability of their presence. The probabilities are divided into five levels: Level 1 Low, Level 2, Level 3, Level 4, and Level 5 High.

A heuristic vulnerability with a probability of level 1 is unlikely to be present. A heuristic vulnerability at level 5 indicates the vulnerability has a high likelihood of being present on the specified hosts. When the drop box is set to a level, the search will include vulnerabilities for the specified level and for all higher levels. For example, if the Heuristic Probability is set to level 1, the system will list all vulnerabilities for levels 1, 2, 3, 4, and 5. The following figure illustrates the Heuristic Probability drop down box levels.

Figure 108 Heuristic Vulnerabilities - Probability Menu

To filter by risk

1 The Risk drop down box (Figure 109 on page 79) provides the option to filter the heuristic vulnerabilities based on different levels of risks.

Figure 109 Heuristic Vulnerabilities - Risk Menu

The Application drop down box lists all applications detected for the given host and provides the ability to filter the heuristic vulnerabilities by application by selecting one of the applications from the list.

Assessment View Applications Pane


The applications pane on the host details page displays the vendor, the application name, the version for all detected applications for the given host, and can be sorted by columns. The Application drop box in the Heuristic Vulnerabilities pane (Figure 110 on page 80) provides the ability to query the heuristic vulnerabilities related to the given selected applications. This drop down list will only list the applications detected for the given host, and includes an All option.

Figure 110 Heuristic Vulnerabilities - Applications Menu

Assessment View - Heuristic Vulnerability Detail Page


Clicking one of the vulnerabilities listed in the Heuristic Vulnerabilities pane of the Assessment Host Detail page accesses the Heuristic Vulnerability Detail page. This page contains the Heuristic Reasons pane listing the reasons the vulnerability was inferred.

Figure 111 Heuristic Vulnerability detail page

Assessment View Inherited Promoted Heuristic Vulnerabilities


A heuristic vulnerability may be promoted to a true risk within the Active View. When heuristic vulnerabilities are promoted within the Active View, they are inherited by the assessment on reconcile. The promoted heuristic vulnerability will appear in the explicit vulnerabilities pane with a symbol indicating it is a promoted heuristic vulnerability (Figure 112 on page 81). Promoted heuristic vulnerabilities inherited by assessments impact the host assessment and host type assessment ratings.

Figure 112 Heuristic Vulnerability promoted and inherited to assessment

Heuristic Vulnerabilities in Assessment Reports


The Executive and Detailed Assessment reports include heuristic vulnerabilities that have been promoted in the Active View and which have been inherited to the assessment view. Inherited promoted heuristic vulnerabilities impact the assessment rating and, as a result, are included in the assessment reports.

The Executive Summary Report


Section 1.8 Heuristic Vulnerabilities Promoted by Client provides the definition of heuristic vulnerabilities and lists all heuristic vulnerabilities promoted by the client, along with their ratings and the associated host IP addresses.

The Detailed Report


Section 2.7 Heuristic Vulnerabilities Promoted by Client provides the definition of heuristic vulnerabilities, and lists all heuristic vulnerabilities promoted by the client, along with their ratings and the associated host IP addresses.

Active View Vulnerabilities Page


The Active Vulnerabilities page contains the Active View Heuristic Vulnerabilities pane (Figure 113 on page 82).

Figure 113 Active View Heuristic Vulnerabilities pane

The list can be filtered using the search panel located at the bottom of the list. Filtering can be done based on Application, Heuristic Probability, and Risk (Figure 114 on page 82).

Figure 114 Active View Heuristics Vulnerabilities List

Clicking on a unique heuristic vulnerability reveals the Heuristic Vulnerability detail page (Figure 115 on page 83).

Figure 115 Vulnerability detail page

Active View Vulnerabilities Menu


Heuristic and explicit vulnerabilities can also be accessed directly by selecting the Active View / Vulnerabilities menu.

Figure 116 Active View Vulnerabilities Menu

The Active View Vulnerabilities page (Figure 117 on page 84) lists all vulnerabilities including risk level and number of occurrences, and includes the search pane. Explicit and Heuristic vulnerabilities are displayed in separate panes.

Figure 117 Active View Vulnerabilities Page

Drill into a specific vulnerability to access the Active View vulnerability details (Figure 118 on page 85). Vulnerability Name, Host, Method, and Visibility are displayed for all occurrences across all Active View hosts for the selected Explicit or Heuristic Vulnerability. All occurrences of a given vulnerability can be searched in the left hand search pane. It is also possible to search for all occurrences of the given vulnerability based on the different states of host visibility (Visible, Non-Protected, Protected, Hidden). By default, both searches are set at Visible.

Figure 118 Active View Vulnerability Details

Active View Host Detail page


The Active View Host Detail page includes the Websites, Heuristic Vulnerabilities, and Detected Applications panes. Clients configured for Veracode Services will also have a Veracode Applications column. The Heuristic Vulnerabilities pane (Figure 119 on page 86) lists the vulnerability names along with their risk level. Filter the list in the same fashion as in the Assessment View. All heuristic vulnerabilities can be sorted by Name and Risk Level.

Figure 119 Active View Host Detail Screen

Active View Heuristic Vulnerability Detail Page


Vulnerabilities listed in the Active View Heuristic Vulnerabilities section are hyperlinked to the Active View Heuristic Vulnerability Detail page (Figure 120 on page 87). The Vulnerability Action pane allows the user to update the status of the promoted heuristic vulnerability. Use the Vulnerability Action pane to set the promoted heuristic to Attempted, Acceptable Risk or False Positive. The False Positive status requires a reason in the notes box.

Figure 120 Active View Heuristic Vulnerability Detail page

Managing Heuristic Vulnerabilities


DDI Supervisors, DDI Analysts, Client Supervisors, VAR Supervisors (for their account and client accounts they are provisioned to manage), and Enterprise Supervisors (for Enterprise accounts) may manage heuristic vulnerabilities.

To promote heuristic to explicit

1 Select the heuristic vulnerability.
2 Click the Validate Heuristic Vulns button.

The system moves the vulnerability from the Active View Heuristic Vulnerabilities to the Active View Vulnerabilities. Promoted heuristic vulnerabilities are listed in the Active View Vulnerabilities section with a green asterisk symbol. This symbol is also included in the legend of the Active View Detailed Host screen.

To demote from explicit to heuristic

Heuristic vulnerabilities promoted to an explicit vulnerability may be demoted to a heuristic vulnerability.

1 Select the promoted vulnerability within the Active View Vulnerabilities section.
2 Click the Reset Heuristic Vulns button.

To attain fixed status

In order for the promoted vulnerability to attain a fixed status, the vulnerability must be set to Attempted. When a promoted heuristic vulnerability has been marked as fix confirmed, the vulnerability will no longer be deemed an active vulnerability.

Remediation and tracking


A promoted heuristic vulnerability is treated as an explicit vulnerability. It is possible to assign a vulnerability to a user, attempt it, un-attempt it, and mark it as acceptable risk. It is not possible, however, to mark a promoted heuristic vulnerability as a false positive. Only heuristic vulnerabilities promoted to explicit vulnerabilities will be tracked.

Heuristic Vulnerability Action Tracking


The Active Vulnerability Actions pane tracks when a heuristic vulnerability was first promoted, demoted, attempted, and fix confirmed. The tracking entries described below are only applicable for heuristic vulnerabilities that have been promoted at some point. If a heuristic vulnerability has been promoted and is demoted at a later time, tracking will still apply.
NOTE Heuristic Vulnerabilities are not tracked over time within Active View unless the vulnerability has been promoted to a true risk.

When a heuristic vulnerability is promoted, an entry will appear in the Active Vulnerability Actions pane indicating the date the promotion took place, who instigated the promotion, and a promotion note. However, the system cannot determine whether or not the promoted heuristic vulnerability has been fixed. If a promoted heuristic is demoted, tracking notes will not be seen in the heuristic pane. The heuristic vulnerability must be promoted to see tracking notes.

To move the promoted heuristic vulnerability to fix confirmed

1 The vulnerability must first be set to Attempted.

If a heuristic vulnerability is ever demoted after having been promoted, an entry will appear in the pane indicating when the demotion occurred, who instigated the demotion, and the term Heuristic Demoted will appear in the Notes column.


SCAP Compliant Unauthenticated Vulnerability Scanning


SCAP Implementation
The Digital Defense Frontline Vulnerability Manager provides unauthenticated as well as authenticated scanning capabilities, vulnerability management, and compliance services. Frontline provides for:
- Unauthenticated scanning functionality designed to provide SCAP Unauthenticated capability.
- Compatibility with the CVE and CPE SCAP components.
- Detected vulnerabilities include references to CVE IDs and links where appropriate.
- CVSS scores and vectors are available on all vulnerability detailed screens.

In addition to confirmed vulnerabilities, Frontline uses proprietary technology to infer implicit vulnerabilities known within the interface as "Heuristic Vulnerabilities". The technology employs an artificial intelligence engine which consults a wide set of rules in order to infer implicit vulnerabilities. These rules include the CPE to CVE mappings that are provided within SCAP feeds. Implicit vulnerabilities are seen within the Frontline interface at the assessment level as well as within the workflow management system known as Active View.

CVE Implementation
The Frontline Solutions Platform (FSP) is the engine that powers the Frontline Vulnerability Manager and consists of a wide range of proprietary vulnerability detections. The Digital Defense Vulnerability Research Team (VRT) researches and implements all vulnerability detections. The implementation maps vulnerabilities to their corresponding title, description, remediation steps, and other related information, including external references. Frontline users view vulnerabilities for specific assessments that have been launched, within the workflow management interface known as Active View, or they may browse all vulnerabilities within the FSP Dictionary. Many of the FSP proprietary vulnerability detections are related to vulnerability entries that are tracked within the Common Vulnerabilities and Exposures (CVE) database. Whenever there is a corresponding CVE, Frontline presents an external link to the related CVE entry. These external CVE references are available for vulnerabilities within any of the three previously mentioned locations within Frontline. When users of the system click on the external reference, they are redirected within a new browser window to the corresponding vulnerability within that CVE.

CPE Implementation
Digital Defense's FSP provides support for the Common Platform Enumeration (CPE). CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name.

The FSP utilizes a proprietary technique to fingerprint third party devices, operating systems, and applications. These are known within the FSP as the "application detections". These detections are shown in Frontline within the Assessment screens as well as the workflow management tool known as Active View.

Integral to the FSP is an application programmer's interface (API) that allows users to interface directly with the system without having to use a browser. This API, known as the Frontline SOA-API, is primarily used by users to integrate Frontline with third party products. The application detections are shown within the XML output for several of the FSP SOA-API calls. All of the FSP application detections have corresponding CPE URLs. The CPE entries are pulled directly from SCAP data feeds and imported into the FSP system. Many of these URLs are found within the official CPE dictionary. Although the CPE URIs are not shown within the FSP interface for their corresponding application detections, they are present within the output XML for the various SOA-API calls that use them. This allows for a simplified integration with third party products that are also compliant with CPE.

In addition, the FSP provides an ability to infer vulnerabilities that may be present on assessed systems using artificial intelligence. This capability, known as Frontline Heuristic Vulnerabilities, uses CPE as well as SCAP data and feeds that relate CPE to CVE vulnerabilities as part of its rule-based expert system in determining the vulnerabilities to infer. The inferred vulnerabilities are listed within the Frontline Assessment and Active View screens for every detected host.
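The sketch below shows how a CPE-to-CVE rule set can drive inference of this kind, together with the "selected level and all higher levels" filter of the Heuristic Probability drop down box. It is an added example, not the Frontline engine, whose rules are proprietary. It assumes CPE 2.2 URI names, and the level scheme (more specific rule, higher level), the rule set, the vendor names and the `CVE-EXAMPLE-*` identifiers are all constructed placeholders.

```python
from urllib.parse import unquote

# CPE 2.2 URI form: cpe:/part:vendor:product:version:update:edition:language
FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into its seven components (missing ones are '')."""
    if not uri.lower().startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[5:].split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many components: %r" % uri)
    parts += [""] * (len(FIELDS) - len(parts))
    comps = tuple(unquote(p).lower() for p in parts)
    if comps[0] not in ("a", "o", "h"):
        raise ValueError("part must be a, o or h: %r" % uri)
    return comps


def rule_matches(rule, detected):
    """An empty rule component matches anything; others must be equal."""
    return all(r == "" or r == d for r, d in zip(rule, detected))


def rule_level(rule):
    """Assumed scheme: one level per specified component from vendor to edition."""
    specified = sum(1 for c in rule[1:6] if c)
    return max(1, min(5, specified))


def infer(detected_uris, rules, min_level=5):
    """Return (vuln_id, detected_uri, level) for hits at min_level or above.

    The default of 5 mirrors the list's default of showing only level 5.
    """
    if not 1 <= min_level <= 5:
        raise ValueError("min_level must be between 1 and 5")
    best = {}
    for uri in detected_uris:
        detected = parse_cpe22(uri)
        for rule_uri, vuln_id in rules:
            rule = parse_cpe22(rule_uri)
            if rule_matches(rule, detected):
                key = (vuln_id, uri)
                best[key] = max(best.get(key, 0), rule_level(rule))
    hits = [(v, u, lvl) for (v, u), lvl in best.items() if lvl >= min_level]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed rule set and detections; the identifiers are placeholders.
RULES = [
    ("cpe:/a:examplesoft:webserver:2.4:sp1:enterprise", "CVE-EXAMPLE-0001"),
    ("cpe:/a:examplesoft:webserver:2.4", "CVE-EXAMPLE-0002"),
    ("cpe:/a:examplesoft:webserver", "CVE-EXAMPLE-0003"),
    ("cpe:/o:exampleos:linux:5", "CVE-EXAMPLE-0004"),
    ("cpe:/a:examplesoft", "CVE-EXAMPLE-0003"),
]
DETECTED = [
    "cpe:/a:ExampleSoft:webserver:2.4:sp1:enterprise",
    "cpe:/a:examplesoft:webserver:2.3",
]

if __name__ == "__main__":
    for level in (5, 3, 1):
        print("min level", level)
        for vuln_id, uri, lvl in infer(DETECTED, RULES, min_level=level):
            print("  level %d  %s  %s" % (lvl, vuln_id, uri))
```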

CVSS Implementation
The FSP displays the CVSS base scores as well as the temporal scores for vulnerabilities within Frontline that are related to a CVE. These are seen within the vulnerability screens at the Assessment and Active View levels as well as within the FSP Vulnerability Dictionary.


Application Analysis

The application data displayed on the Application Analysis page is updated daily at 2am CDT from the Veracode API Server. Additionally, the page includes an update button that allows the Administrators and Supervisors to manually update the data. To navigate to this page select Application Analysis on the Assessments menu from the Frontline menu bar.

Figure 121 Application Analysis menu

Application Analysis Page


The Application Analysis page business card shows the date of the last data pull from Veracode and the date of the last data pull completed by Frontline.

Figure 122 Application Analysis page

NOTE This page is only visible to clients with Veracode Services enabled (page 23). The only users that will see the Update Application Data button are Client, Enterprise, and VAR Supervisors. The button will not display for sub-Enterprise Supervisors, Administrators, or any other types of users.

Table 8 Application Analysis columns

Application         The name of the application.
Build Name          The build version of the application reviewed.
Compliance Status   Status of the application, according to Veracode evaluation.

Compliance Statuses
Pass: the application has passed all aspects of the policy, including rules, required scans, and grace period.
Did not Pass: the application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy relevant flaws that have exceeded the grace period to fix.
Conditional Pass: the application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.

To manually update Application Data

Select the Update Application Data button located on the Application Analysis business card. Applications in the status of request incomplete are not imported from Veracode. Once the data has been updated an Update Successful message will appear on the business card. If the Veracode API credentials are invalid, they could potentially be locked out. Please verify your submitted API credentials are correct and that they are not locked out on the Veracode account portal.


Per CVC Assessments

The Frontline Per CVC Assessment feature allows users to use IVA and EVA assessments to test for specific vulnerabilities. The assessment wizard prompts the user to specify a scan option indicating whether to test for all vulnerabilities, which is the default option, or a single vulnerability selected from a drop down list. The scan test option applies to all sub-assessments within the assessment.

Figure 123 Assessment Wizard - Specify scan option

Complete the assessment wizard to configure hosts to include, scan times and recurrence options (Figure 124 on page 93).

Figure 124 Assessment Wizard - Confirm scan selections

Service results are available as reports, and can be explored in the assessment view service results pane.

Figure 125 Assessment View - Service Results

NOTE Assessments run against a single vulnerability cannot be reconciled into the Active View, either manually or through automatic reconciliation.


Authenticated Scanning Feature

The new IVA and IPT Authenticated Scanning feature provides the ability to dig deeper into certain specific Windows and Unix based operating system hosts to detect internal, application-specific vulnerabilities. An authenticated scan includes all non-authenticated scan CVCs and the new authenticated scan CVCs. Authenticated Scanning is available on a per client basis and only applicable to internal services.

Operating Systems supported by Auth Scanning:
- Microsoft Windows domain joined Hosts
- Redhat 5 and 6, server and client
- Ubuntu 11 and 12, server and client
- Solaris 10

The following sections apply to accounts configured to enable Authenticated Scanning.

Authenticated Scanning Process


1 Contact customer service to enable AUTH scanning
2 Prompt the RNA to update by initiating an assessment (IHD/IHDP/IVA)
3 Create credential aliases (there is a propagation time of approximately 8hrs for the key to be updated)
4 Configure and run AUTH scan using scheduling wizard
5 Remediate detected vulnerabilities
6 Re-run AUTH scan
7 Reconcile assessment

Enabling Authenticated Scanning


Authenticated Scanning is provisioned as an option within the Internal Vulnerability Assessment (IVA) and the Internal Penetration Test (IPT) services. To enable this feature, simply contact your DDI Customer Support representative to have your account provisioned for Authenticated Scanning.
NOTE Once Auth Scanning is enabled, an Internal Host Discovery is required to enable the RNA to update with the required encryption key pair.

Credential Aliases
Client account supervisors must create Credential Aliases within Frontline to use this feature. Clients can enable multiple credential aliases. Credential Alias passwords used for Unix Authenticated Scanning cannot be over 128 characters in length.

Figure 126 Create a Credential Alias

NOTE It is recommended that a separate domain account be set up to administer Authenticated Scanning.

The system encrypts the username and password components of the credentials with the public key of a GPG key-pair. The system does not encrypt the domain name portion of the credentials. Clients provisioned for Auth Scanning will have one CSI GPG key-pair with the public key piece stored in Frontline and the private component stored on the client RNA(s).

Figure 127 Credential Alias Management

DDI does not have access to encrypted data, and misplaced credentials cannot be recovered. Disabled Credential Aliases must be updated by an account administrator.
NOTE For VAR clients provisioned with the authenticated scans option, the My Account page business card will show a new Allow VAR_NAME to provision credential aliases checkbox. VAR_NAME is the short name (Client ID) of the VAR client. VAR clients have the option of allowing their VAR permission to manage their credential aliases.

Client Detail Page


The client detail page Services section designates Authenticated Scanning services and contains a new section designating enabled Credential Aliases.

Figure 128 Authenticated Scans in Client Detail Services

Host Detail Page


The Host Detail page contains a new Scan Methods Used section designating enabled Remote Windows Authenticated (RWA) Scanning or Remote Unix Authenticated (RUA) Scanning. The Vulnerability section also designates the method by which each item was detected.

Figure 129 Authenticated Scans on Host Detail page

Start Authenticated Scan


Authenticated Scans are initiated using the scan configuration wizard process. The wizard includes a new credentials column with a drop down selection box in the sub-assessment configuration screen in which a credential alias can be selected to initiate an authenticated scan on the sub assessment. Users provision an authenticated scan on a per sub-assessment basis within the assessment wizard.

Figure 130 Credential Alias drop down box

A sub-assessment launches with the authenticated scan option by selecting the appropriate credential alias for the given sub-assessment from the new drop down selection box. An assessment may consist of both authenticated scan sub-assessments and non-authenticated scan sub-assessments. When a sub-assessment launches, the RNA receives the credentials for the credential alias selected. The RNA decrypts the username and password components of the credentials with the private key of the CSI GPG key-pair.

Service Results Page


The Service Results page business card shows Scan Methods used for each assessment: RWA - Remote Windows Authenticated or RUA - Remote Unix Authenticated for sub-assessments provisioned for Authenticated Scanning.

Figure 131 Authenticated Scans on Service results page

NOTE: Remediation of vulnerabilities detected in an Authenticated Scan will only be validated with another Authenticated Scan.

5 Reports

In this chapter:

| What | Roles |
| --- | --- |
| Generate and view results reports | Supervisor, Administrator, Executive |
| Export a report for import into a spreadsheet | Supervisor |
| Export a remediation file for use with an automated vulnerability remediation service | Supervisor, Administrator, Executive |
| Generate and view an Active View Executive Summary Report | Supervisor, Administrator, Executive |
| Generate and view a Trending Report | Supervisor, Administrator, Executive |
| Generate and view a Rated Hosts Report | Supervisor |
| Consulting Reports | Supervisor, Administrator, Executive |

Results Reports

It is possible to view several types of results reports for assessments and penetration tests. The Executive Summary and Detailed Network reports are available to all Frontline users. The TippingPoint Filter report is available to select clients who have the TippingPoint IPS system. Consulting Services reports are available to clients in accordance with various DDI services.

- Executive Summary Report - This report provides a high-level summary as well as general and specific recommendations for improving security. The information is intended for executive-level contacts and users.
- Detailed Network Report - This report builds on the high-level detail in the Executive Summary Report, and includes specific host and vulnerability information, as well as recommendations for improving security. The information is intended for technical contacts and users.
- Detailed Host Report - This report builds on the data in the Active View workflow tool, and includes specific host status, services, and vulnerability information. The information is intended for the statistical measurement of network health by the client.
- TippingPoint Filter Report - This report lists all filters that should be enabled on TippingPoint IPS given the DDI vulnerabilities and operating systems identified in the given assessment. The report is enabled on a per client basis by Digital Defense within the DDI Frontline interface.
- Consulting Reports - This feature provides service reports through the Frontline interface for clients with contracted consulting services.

To view results reports

1. In the Calendar View or Service Results View, click the name of the assessment or penetration test. The Service Results page opens and the reports are listed in the business card.

Figure 132 Viewing a List of Results Reports

2. Do any of the following depending on the type of report you want to view.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, it will be subject to individual browser settings.

To view an HTML report

1. Click the HTML icon of the report you wish to view. The Processing Report page opens in a new browser window.

Figure 133 Viewing Report Progress

The report is displayed.

Figure 134 Viewing an HTML Report

To print the report, choose File | Print from the menu bar.

To view a PDF report

1. Click the PDF icon of the report you wish to view. The Processing Report page opens in a new browser window (Figure 133). Acrobat Reader is launched and the report is displayed.

Figure 135 Viewing a PDF Report

To print the report, click the Print button on the Acrobat tool bar.

To download a PDF report

1. Click the PDF tool bar save icon of the report you want to save.

Figure 136 Saving a PDF Report

2. Click Save and then choose the location where you want to save the file.


Export Results

It is possible to export report results into a comma separated values (CSV) format that can subsequently be imported to a spreadsheet or database. Exported results are useful for trend analysis over time.

To export a report

1. Click the CSV icon of the report you want to export. The File Download dialog box opens.

Figure 137 Downloading an Export File

2. Click Save and then choose the location where you want to save the file.

Remediation Export File

The data gleaned from a vulnerability assessment and collected in Active View is made available in two Remediation Export file types, in OVAL standard and Citadel Hercules formats. These file formats are not made available by default, but can be activated by contacting DDI Client Support.

To export a Citadel Hercules file

1. Click the Citadel icon of the report you want to export. The File Download dialog box opens.

Figure 138 Downloading an Export File

2. Click Save and then choose the location where you want to save the file.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, it will be subject to individual browser settings.

To export an OVAL XML report

1. Choose Active View | Vulnerabilities from the menu bar and then click the network you wish to view. The Active Vulnerabilities page opens.
2. Click the OVAL Report icon (Figure 114). The File Download dialog box opens. Choose Save and then the desired location for the file.

Figure 139 Downloading an OVAL XML file

Active View Executive Summary Report

The Active View Executive Summary Report shows a graphical view of vulnerabilities over time. The data in this historical report is most valuable after several assessments have been run and corrective action has been taken on vulnerabilities identified by the assessments.

Executive Summary Report


Executive Summary Report contents include:
- Vulnerability Rating and Host Posture summaries
- Hosts Reported Section - describes any filtering used to generate the report. This section also lists the total number of hosts in the Active View and the total number of hosts included in the report.
- Detailed Host Information - includes host security rating, host services and their ports, as well as vulnerability counts and ratings for each host in the report.

To view an Active View Executive Summary Report

1. Choose Active View | Hosts from the menu bar and click the network you want to view. The Active Hosts page opens.

Figure 140 Viewing the Active View Executive Summary Report

2. Do any of the following depending on the type of report you wish to view.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1. Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 141 Viewing Report Progress

The report is displayed.

Figure 142 Viewing an HTML Active View Executive Summary Report

To print the report, choose File | Print from the menu bar.

To view a PDF report

1. Click the PDF icon. The Processing Report page opens in a new browser window (Figure 141). Acrobat Reader is launched and the report is displayed.

Figure 143 Viewing a PDF Active View Executive Summary Report

To print the report, click the Print button on the Acrobat tool bar.

Active View Detailed Host Report

The Active View Detailed Host Report provides host specific information for hosts currently in the Active View workflow tool. The Detailed Host Report can be generated as a Global Host report for every host currently in Active View, or as a Filtered Host report for hosts in the current host filter list. The filter list is located at the left side of the screen. Notes can be added to individual hosts by selecting a host and using the Active Host Note window at the bottom of the page. Notes can be effective in remediation efforts.

Detailed Host Report


Detailed Host Report contents include:
- Vulnerability Rating and Host Posture Definitions
- Hosts Reported Section - describes any filtering used to generate the report. This section also lists the total number of hosts in the Active View and the total number of hosts included in the report.
- Detailed Host Information - includes host security rating, host services and their ports, as well as vulnerability counts and ratings for each host in the report.

NOTE: See Active View Advanced Search on page 121

To view an Active View Detailed Host Report

1. Choose Active View | Hosts from the menu bar and then select the Detailed Report button located on the third row of the business card. The Detailed Host Report page opens.

Figure 144 Viewing the Active View Detailed Host Report

2. Choose the report format you wish to view.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

Active View Detailed Report on Selected Hosts


Figure 145 Detailed Report Options

The Active View Detailed Report can be generated in several formats for a group of hosts identified through search filters. Use the report option buttons on the Summary Card to select the desired report format. The first section of the Summary Card generates full reports for all hosts in the Active View. The second section contains HTML and PDF buttons to generate detailed reports for the hosts identified in the search. The third section provides three different types of CSV reports for the hosts identified in the search:
- The CSV Host Info report provides host and vulnerability information for the selected hosts.
- The CSV Vulnerability Dictionary Info report provides the unique vulnerabilities and their corresponding descriptions and solutions.
- The CSV Reference Info report provides the unique vulnerabilities along with their associated reference information.

Trending Report

The Trending Report shows a graphical view of vulnerabilities over time. The data in this historical report is most valuable after several assessments have been run and corrective action on vulnerabilities identified by the assessments has been taken.

To view a Trending Report

1. Choose Active View | Hosts from the menu bar and then click the network you wish to view. The Active Hosts page opens.

Figure 146 Viewing the Trending Report

2. Do any of the following depending on the type of report you wish to view.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1. Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 147 Viewing Report Progress

The report is displayed.

Figure 148 Viewing an HTML Trending Report

To print the report, choose File | Print from the menu bar.

To view a PDF report

1. Click the PDF icon. The Processing Report page opens in a new browser window (Figure 141). Acrobat Reader is launched and the report is displayed.

Figure 149 Viewing a PDF Trending Report

To print the report, click the Print button on the Acrobat tool bar.


Active View Vulnerability Detail Report

The Active View Vulnerability Detail Report provides a summary of current active vulnerabilities on your network as displayed in your Active View, in addition to recently remediated vulnerabilities.

To view an Active View Vulnerability Detail Report

1. Choose Active View | Vulnerabilities from the menu bar and then click the network you wish to view. The Active Vulnerabilities page opens.

Figure 150 Viewing the Active View Vulnerability Detail Report

To view a report, click the Report Output button. Options include HTML or PDF format, risk level, number of days included, and sort order. Click the Submit button to create the report. The report Table of Contents includes active links to facilitate navigation.

Figure 151 Detailed Vulnerability Report TOC

Data is presented in tables and graphs to accurately represent vulnerability status.

Figure 152 Active View Detailed Report Last Identified Chart

To view an HTML report

1. Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 153 Viewing Report Progress

The report is displayed.

Figure 154 Viewing an HTML Active View Vulnerability Detail Report

To print the report, choose File | Print from the menu bar.

To view a PDF report

1. Click the PDF icon. The Processing Report page opens in a new browser window (Figure 153). Acrobat Reader is launched and the report is displayed.

Figure 155 Viewing a PDF Active View Vulnerability Detail Report

To print the report, click the Print button on the Acrobat tool bar.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

Rated Hosts Report

The Rated Hosts report displays the state of your network prioritized by your organization's view of each device on your network. The data in this historical report is most valuable after node classification and node weighting information has been entered into the Weightings and Valuations screens.

To view a Rated Hosts Report

1. Choose Active View | Rating | Rated Hosts from the menu bar and then click the network you wish to view. The Rated Hosts page opens.

Figure 156 Viewing the Rated Hosts Page

2. Do any of the following depending on the type of report you want to view.

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1. Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 157 Viewing Report Progress

The report is displayed.

Figure 158 Viewing an HTML Rated Hosts Report

To print the report, choose File | Print from the menu bar.

To view a PDF report

1. Click the PDF icon. The Processing Report page opens in a new browser window. Acrobat Reader is launched and the report is displayed.

Figure 159 Viewing a PDF Rated Hosts Report

To print the report, click the Print button on the Acrobat tool bar.


Consulting Reports

The Consulting Reports page is accessed through the summary card of the Client Detail page, and lists all confirmed Consulting Reports by type, name and date posted.

Figure 160 Access Consulting Reports

This feature makes Consulting Reports available to clients through the Frontline interface. The Consulting Reports feature will provide the following report types:
- Password Audit Report
- PCI Report
- NetCraft Report
- Onsite Physical Security Report
- Social Engineering Report
- Network Architecture Review Report
- Policy Documents
- Enterprise Risk Assessment Report
- Custom Report

Figure 161 Consulting Reports Page

The Consulting Reports page shows the Client Name, Report Storage Quota, and Percentage of report storage used (Storage Used). The left hand search pane allows the user to search reports by date posted or report type. A dropdown box allows the user to select valid report types by which to search. Available Consulting Reports can be sorted by Type, Name or Date Posted. Title links are provided to access each report. Users can specify the number of records to be displayed, and can navigate the list using provided prev, next and page number links. All clients are initially provided Consulting Reports storage of 100 MB. Additional storage is available on a per client basis.

6 Active View

In this chapter:

| What | Roles |
| --- | --- |
| Active Views | Supervisor, Administrator, Executive |
| Hosts Management View | Supervisor |
| Host Assessment Mapping | Supervisor, Administrator, Executive |
| Update Host Details | Supervisor, Administrator, Executive |
| Add a Host Note | Supervisor, Administrator, Executive |
| Host Inventory View | Supervisor |
| Vulnerability Management View | Supervisor, Administrator, Executive |
| Assigning Vulnerabilities to Users | Supervisor, Administrator, Executive |
| Change the Status of a Vulnerability | Supervisor |
| Entering Remediation Time | Supervisor, Administrator, Executive |
| Add a Vulnerability Note | Supervisor, Administrator, Executive |
| Attempt a Vulnerability | Supervisor |
| Indicate a Vulnerability is False positive | Supervisor, Administrator, Executive |
| Rated Hosts | Supervisor |
| Review Websites | Supervisor, Administrator, Executive |
| View Penetration Tests and Manually Added Vulnerabilities | Supervisor, Administrator, Executive |


Active Views

An Active View displays all results you have chosen to view and monitor when assessment results are reconciled. It also assists in managing and maintaining the assessment findings on an ongoing basis. There are five Active Views:
- Active Hosts View - This view displays a host-oriented view of the Active View data (page 120). Use this view to filter the list of hosts, assign a host type and responsible administrator, and hide a particular host from view.
- Active Host Inventory View - This view displays the name, IP address, and device type of the hosts found on your network. It also allows you to enter additional information to identify the host for asset management purposes.
- Active Vulnerabilities View - This view displays a vulnerability-oriented view of the Active View data (page 133). Use this view to filter the list of vulnerabilities, assign a vulnerability to a user, and manage a vulnerability's status.
- Active Websites View - This view displays a website-oriented view of the Active View data (page 144). Use this view to examine a comprehensive list of websites found on all active view hosts.

Hosts Management View


Figure 162 Host Management View

This view is used to assign a host type, assign a responsible administrator, or hide a particular host from the Active View.

Figure 163 Viewing a List of Active Hosts

Active View Advanced Search


Frontline features an advanced search capability. It is possible to search for Active View hosts based on the following criteria or any combination thereof: host OS, host IP ranges, host name, host device type, host visibility, vulnerability title string, vulnerability ID, ports, and vulnerability state.

To access the advanced search feature

Navigate to the Active View Host page and select the Advanced Search button.

Figure 164 Advanced Search Button

Figure 165 Advanced search filter options

It is possible to save the search as global or private. Once saved, a global search is accessible to other users in the same account. A private search, however, is only available to the user who saved the search.

To conduct an advanced search

Select search terms from drop down menus or enter the desired search terms in designated text boxes in the left pane.

Figure 166 Select and save advanced search parameters

Click the add button to add criteria, and click the remove button to remove criteria. Type part of a vulnerability title to select from a suggested list.

Figure 167 Vulnerability auto-suggest list

Click the Search button to perform the search.

Figure 168 Selecting a saved search

Execute an existing search by selecting it from the drop down. Edit an existing search by loading the existing search, modifying criteria, then clicking Save & Search. The existing search name should display in the Search Name field.

To delete a search

Select it from the list and click Delete. A confirm delete will appear in the left navigation pane to approve the delete.

To exit Advanced Search

Select from the left navigation pane All Internal or All External filters, or use the Active View | Hosts menu option.

Active View Data Management


The Frontline system provides automatic management of outdated Active View data.
- Active View Auto-Hide automatically hides hosts not matched with new assessment hosts after a specified number of days.
- Orphan Host Hide tries to detect duplicate hosts in Active View, and hides the host with the least amount of data after a specified number of days.
- Active View Auto-Delete removes hidden hosts from Active View after a specified number of days.

To enable and adjust these data management parameters, contact your client support representative.

Auto-Hide Freeze Feature


Designating host visibility as Protected under the visibility setting excludes the host from the automated data management features described above.

Host Visibility
Host visibility can be designated as Non-protected, Protected or Hidden from the Active Hosts page.

- Non-protected hosts are visible in the Active View Hosts list, and can be hidden.
- Protected hosts are visible in the Active View Hosts list, but cannot be hidden.
- Hidden hosts do not appear in the list, but can be accessed through the search pane visibility drop down menu.

When the visibility drop down menu item is selected, the associate and disassociate application buttons are disabled.

Figure 169 Protected Host Visibility

When a host is hidden from view, Frontline continues to include its vulnerabilities in the Trending Report. However, after the host has been hidden, its vulnerabilities are set to zero (to indirectly indicate the vulnerabilities have been addressed by removing the given host). Table 9 shows an example of a hidden host's vulnerabilities over time. The host was hidden from view between the months of December and January and vulnerabilities were set to zero for subsequent months.

Table 9 Host Vulnerabilities Trend Example

| Month | Status | Vulnerabilities |
| --- | --- | --- |
| October | Viewable | 55 |
| November | Viewable | 40 |
| December | Viewable | 20 |
| Host Hidden | | |
| January | Hidden | 0 |
| February | Hidden | 0 |
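The effect shown in Table 9 can be checked against your own exported results. The following is an added example, not Frontline code: it rebuilds the trend from per-month host records and splits each month's drop into the part caused by hiding a host and the part that reflects remediation. The record layout, function names and host names are assumptions, and the sample data is constructed, with "srv-a" carrying the Table 9 numbers.

```python
"""Separate real remediation from hide-induced drops in a vulnerability trend.

Assumption: the records are (month, host, status, vulnerabilities) tuples that
the reader assembles from their own exported results. The guide does not show
Frontline's export layout, so this layout and all names are hypothetical.
Every visible host is expected to have one record per month; a hidden host
with no later record (for example after Auto-Delete) stays counted as masked.
"""
from collections import defaultdict

MONTHS = ["October", "November", "December", "January", "February"]

# Constructed sample data. "srv-a" carries the numbers from Table 9 (hidden
# between December and January); "srv-b" is an invented host that stays visible.
RECORDS = [
    ("October", "srv-a", "Viewable", 55), ("October", "srv-b", "Viewable", 30),
    ("November", "srv-a", "Viewable", 40), ("November", "srv-b", "Viewable", 28),
    ("December", "srv-a", "Viewable", 20), ("December", "srv-b", "Viewable", 25),
    ("January", "srv-a", "Hidden", 0), ("January", "srv-b", "Viewable", 22),
    ("February", "srv-a", "Hidden", 0), ("February", "srv-b", "Viewable", 18),
]


def build_trend(records, months):
    """Return one dict per month: reported total, masked total, hidden hosts."""
    by_month = defaultdict(dict)
    for month, host, status, vulns in records:
        by_month[month][host] = (status, vulns)

    last_viewable = {}   # host -> last count observed while the host was visible
    masked_by_host = {}  # host -> count zeroed by hiding, never verified as fixed
    trend = []
    for month in months:
        reported = 0
        for host, (status, vulns) in by_month[month].items():
            if status == "Hidden":
                # The trend counts a hidden host as zero; remember what it
                # still had when it was last visible.
                masked_by_host[host] = last_viewable.get(host, 0)
            else:
                reported += vulns
                last_viewable[host] = vulns
                masked_by_host.pop(host, None)  # host is visible again
        trend.append({
            "month": month,
            "reported": reported,
            "masked": sum(masked_by_host.values()),
            "hidden_hosts": sorted(masked_by_host),
        })
    return trend


def explain_drops(trend):
    """Split each month-over-month drop into hiding versus remediation."""
    explained = []
    for prev, cur in zip(trend, trend[1:]):
        drop = prev["reported"] - cur["reported"]
        from_hiding = cur["masked"] - prev["masked"]
        explained.append({
            "month": cur["month"],
            "drop": drop,
            "from_hiding": from_hiding,
            "from_remediation": drop - from_hiding,
        })
    return explained


if __name__ == "__main__":
    trend = build_trend(RECORDS, MONTHS)
    for row in trend:
        print(row)
    for row in explain_drops(trend):
        print(row)
```

In the constructed data, January's reported total falls by 23, of which 20 comes from hiding srv-a and only 3 from remediation on srv-b.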

To view active hosts

Choose Active View | Hosts from the menu bar.

The Active Hosts page opens. Use the navigation pane to filter the list. To view hidden hosts, choose All from the Visibility box in the navigation pane.

Figure 170 Visibility Options

The Active View Hosts list shows all hosts that have been reconciled into your Active View. A green check mark designates visible hosts; a red X designates hidden hosts.

Figure 171 Viewing a List of Active Hosts

Table 10 describes the host posture ratings and recommended action, if any.

Table 10 Host Posture Ratings

| Rating | Color | Meaning |
| --- | --- | --- |
| Critical | Black | The host has vulnerabilities which indicate the host has been compromised. This system should be immediately disconnected from the network, rebuilt or restored from the ground up, and secured before reconnecting to the network. If a criminal investigation is sought, take appropriate steps to preserve any forensic evidence. |
| Poor | Red | This host is easily vulnerable to penetration. It requires minimal or no in-depth skills to gain access. Intruders can easily obtain penetration tools from the Internet or use educated guessing to gain access. |
| Fair | Orange | This host is vulnerable to skilled penetration attempts. An intruder would require an in-depth understanding of the host, strong programming skills, and/or a great deal of time to gain access to this system. |
| Satisfactory | Yellow | This host is not immediately vulnerable to penetration, but provides an intruder with information and services that could be helpful in future penetration attempts. |
| Good | Lime Green | No significant vulnerabilities were noted, but it may still be possible to harden this host against advanced information gathering techniques. Most hosts can attain and maintain a Good rating with consistent vigilance. |
| Excellent | Green | There were no problems found on this host. This rating is the goal for all hosts, even though it may be unattainable for some due to limitations in the operating system or access requirements for proprietary network applications that prohibit secure communications. |


Host Application Association


Host Application Association is only accessible to clients configured with Veracode Services. Applications can be associated from the Active View Hosts page and from the Active View Host Detail page.

The Active View Hosts page enables the user to associate and disassociate a single application, selected from the drop down menu, with multiple hosts. Begin by selecting one or more Hosts by clicking the checkbox next to the host name. Selecting an Application name from the drop down menu will disable the Update Selected Hosts and Add Note to Selected buttons. Click on the Associate or Disassociate button to complete the task. If the Associate Application button was selected, then the Number of Applications column's value will increase by one for all selected hosts. The Disassociate button will decrease the column's value by one, provided the application was initially associated to the respective Host. If the user has inadvertently chosen to associate an application that is already associated with that host, then the column value will not change.

Figure 172 Host Application Association.

To view and update applications associated with a single host

- Click on the Host name to go to the Hosts Detail Page.
- Select the Applications Association button on the host business card.

The Active Hosts Applications Association page opens.

Figure 173 Applications Association Button on the host detail business card

Figure 174 Application Association Page.

To update applications associated with a single host

The Active Hosts Applications Association page enables the user to associate and disassociate several applications with a single host. Applications currently associated with the host shown on the business card are already checked when the page opens. To disassociate those applications, un-check the box next to the application name. To add new associations, select one or more applications; selection is indicated by the check mark next to the application name. Select the Update button to complete the task. An Update Successful message will appear on the business card. To see application details, select Assessment | Applications Analysis (page 91) from the menu bar.


Host Assessment Mapping


Access the Host detail page by clicking on a host name. The Host Mapping History is located on the Host page below the business card and above the Active View Internet Services section. When the [+] symbol is clicked, the section expands to reveal host assessment information for all assessments mapped to the given active view host.

Figure 175 Host Mapping History.

The information presented includes:
- IP Address
- Assessment name with a link to the given assessment
- Scan time (completion time of the assessment)
- Reconcile time

Update Host Details


Use this procedure to change the host type, assign a user as the host administrator, and show or hide a host in the Active View.

To update host details

1. In the Hosts area, click the check boxes of the hosts you want to update (Figure 163 on page 121). All checked hosts will be updated with the same information.
2. In the business card, perform any of the following:
   - To change the host type (server, firewall, printer, etc.), select it from the Type list.
   - To assign a user as the host administrator, select the user from the Admin list. All new vulnerabilities found on the host are automatically assigned to the host's administrator for resolution.
   - To show or hide a host in the Active View, select the status from the Visibility list.

Figure 176 Host Business Card - Visibility

3. Click Update.

Add a Host Note


Comments added to hosts in the Active View (Active Host Note) are saved with the host, but are not reflected in the assessment reports.

To add a host note

1 Scroll to the Active Host Note at the bottom of the page (Figure 163 on page 121).
2 Click the check box of the desired host or hosts.
3 Enter the text of the comment and click Add Note to Selected.

NOTE To view, change, or delete a comment, click the link in the Host Name column and then scroll to the bottom of the page.

Host Inventory View


This view lists the hosts found on the network and allows you to enter information about the devices to assist in asset management. Use this view to:
- Track the IP addresses assigned to a certain host in a DHCP environment
- Maintain a record of physical and logical information about the devices on your network, including:
  - Type
  - Physical Location
  - Description
  - Owner
  - Serial Number
  - Manufacturer's Name
  - Manufacturer's Model Number or Part Number
  - Operating System Version, Update Revision or Field Change Number

To add host inventory information

Choose Active View | Host Inventory from the menu bar.


The Host Inventory view is displayed.

Figure 177 Entering Host Inventory Data

The information in the Computer Asset, IP Address, and MAC Address columns will be populated automatically. The device type will be populated automatically, but it can be changed manually as well.

Check the box beside the host(s) to be updated. Enter the text to be added to these hosts into the white box above the appropriate column. Click Update Selected Hosts to add the entered text to the hosts selected.

Vulnerability Management View


This view provides a list of all detected vulnerabilities. Use this view to:
- View the current vulnerabilities for a network profile.
- View the vulnerabilities detected on a per-assessment scan basis.
- Assign vulnerabilities to a user for follow-up.
- Add a note to a vulnerability.
- View a history of vulnerabilities, including vulnerability assignments, actions and fixed/confirmed dates.
- Browse past results.

To view active vulnerabilities

Choose Active View | Vulnerabilities from the menu bar.


The Active Vulnerabilities page opens. Use the filters in the navigation pane to select the results you want to view.

Figure 178 Viewing a List of Active Vulnerabilities

This screen shows the list of active vulnerabilities on your network, along with the frequency of occurrences. To view further information about a given vulnerability, or to view a list of the devices on which it occurred, click on the name of the vulnerability.

Figure 179 Viewing a Vulnerability Detail Page

Assigning Vulnerabilities to Users


Vulnerabilities can be assigned to users for investigation and resolution.

NOTE If a user has been assigned as a Host Administrator (Update Host Details on page 115), that user will automatically appear as the default Assignee on all new vulnerabilities associated with that host for future assessments. However, vulnerabilities can still be reassigned to a different user.

Whenever vulnerabilities are assigned to a user, an alert will be created within the system and an e-mail will be sent to the assigned user if that user has an e-mail address provisioned within the system.

To assign a vulnerability to a user

1 Select a user from the drop down menu located under Assignee.
2 Select the vulnerability to assign to that user by checking the box in the Select column next to the vulnerability. It is possible to assign more than one vulnerability to the same user.
3 Click the Update Selected Vulns button located at the bottom of the list to save your preferences.

To select all of the vulnerabilities on the list, check the top box in the Select column. This box is located in the tan bar immediately underneath the header row. REMINDER: Click the Update Selected Vulns button located at the bottom of the list to save your preferences. The message in the Active Vulnerabilities business card at the top of the page will indicate if the update was successful.


Changing the status of a vulnerability


The default status of a vulnerability will read new. To show that the user has tried to remediate a vulnerability, the status of a vulnerability can be changed by selecting a new status from the drop down menu and following the same procedures used to assign a vulnerability to a user (see above).
- Unattempted: Resets the status to its previous state (new, recurred, or fix failed).
- Attempted: Sets the status to Attempted. The assignee should change the status to Attempted when the user believes the vulnerability has been resolved.
- Acceptable Risk: Sets the status to Acceptable Risk. Though this indication will not change the risk level of the host or of the vulnerability, it can be useful for issue tracking.

REMINDER: Click the Update Selected Vulns button located at the bottom of the list to save your preferences. The message in the Active Vulnerabilities business card at the top of the page will confirm the update was successful.

Entering Remediation Time


The Frontline system will allow a user to add an estimated remediation time for each vulnerability repaired. This field is intended for personal time tracking, not for tracking the duration of network exposure.

To enter remediation time:

1 Select Active View | Hosts from the menu bar.
2 Click on the name of the host for which to enter a remediation duration in order to view the Host Detail page for that device.
3 Scroll down to the vulnerability list for the host, and click the Remediation time button at the end of the list. The Remediation Time column will be displayed.

Figure 180 Remediation Time Column

Select the vulnerability (or vulnerabilities) for which you would like to enter a remediation time, and enter the time in the white box at the base of the column. Note that time values are entered in calendar days. Click Update Selected Vulns to save the data.

Add a Vulnerability Note


It is possible to view notes that are added to a vulnerability in the Active View (Active Vulnerability Notes) through the Frontline interface, but the notes are not included in reports.

To add a vulnerability note

1 Scroll to the bottom of the page. The Active Vulnerability Note area is displayed.

Figure 181 Adding a Vulnerability Note

2 Click the check box of the desired vulnerability or vulnerabilities.
3 Enter the text of the comment and then click Add Note.

NOTE To view, change, or delete a comment, click the link in the Vulnerability column and then scroll to the bottom of the page.

Attempt a Vulnerability
After an assignee resolves a vulnerability for a particular host, the user should change the status to Attempted and explain the steps taken to resolve the issue. Table 11 describes the possible statuses for active vulnerabilities.

Table 11 Active Vulnerabilities Statuses

| Status | Meaning |
|---|---|
| new | The vulnerability was detected by a vulnerability assessment or penetration test and has not been marked attempted since its discovery. |
| attempted | An attempt was made to remediate this vulnerability; no new assessments or penetration tests have been reconciled since this designation was entered. |
| fix failed | This vulnerability was marked as attempted by a Frontline user; however, when a later assessment or penetration test was reconciled, the vulnerability was still present. |
| fix confirmed | This vulnerability was marked as attempted by a Frontline user; upon reconciliation of a later assessment or penetration test, the vulnerability was not found. |
| fixed | This vulnerability was not marked as attempted by a Frontline user; however, upon reconciliation of a later assessment or penetration test, the vulnerability was not found. |
| recurred | This vulnerability was previously found and repaired; however, this security hole has been re-opened and will need to be repaired again. (This state can arise through the installation of patches that overwrite certain security settings.) |
| awaiting confirmation | This vulnerability was added manually during a penetration test, and was marked as attempted by a Frontline user before the reconciliation of a later vulnerability assessment or penetration test. As the fix cannot be validated automatically by the assessment engine, a DDI security analyst will need to test the system to confirm that this security hole has been closed effectively. For more information on this status, please see the Penetration Test section of this User Guide on page 77. |
| acceptable risk | This is an indicator state for your personal use. It is not set by the engine or by a security analyst, and does not indicate a view from DDI of the severity of the vulnerability. However, for users who have deemed a given vulnerability an acceptable risk and have decided not to pursue remediation, this flag will help to organize vulnerabilities. |
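The status lifecycle in Table 11 can be read as a small state machine driven by user actions and assessment reconciliation. The sketch below is an added example, not Frontline code: the Finding class, its method names, and the choice to leave acceptable risk and awaiting confirmation untouched at reconcile time are assumptions.

```python
from dataclasses import dataclass, field

# Status names exactly as listed in Table 11.
NEW, ATTEMPTED = "new", "attempted"
FIX_FAILED, FIX_CONFIRMED = "fix failed", "fix confirmed"
FIXED, RECURRED = "fixed", "recurred"
AWAITING, ACCEPTABLE = "awaiting confirmation", "acceptable risk"

OPEN = {NEW, RECURRED, FIX_FAILED}   # states that "Unattempted" can restore
CLOSED = {FIXED, FIX_CONFIRMED}      # states that a later detection re-opens


@dataclass
class Finding:
    """One vulnerability on one host (hypothetical model, not Frontline's schema)."""
    title: str
    manual: bool = False             # added by an analyst during a penetration test
    status: str = NEW
    restore_to: str = NEW            # what "Unattempted" resets to
    history: list = field(default_factory=list)

    def _set(self, status):
        if status != self.status:
            self.history.append((self.status, status))
            self.status = status

    # User actions from the status drop-down.
    def attempt(self):
        if self.status in OPEN:
            self.restore_to = self.status
            self._set(ATTEMPTED)

    def unattempt(self):
        # "Resets the status to its previous state (new, recurred, or fix failed)."
        if self.status == ATTEMPTED:
            self._set(self.restore_to)

    def accept_risk(self):
        self._set(ACCEPTABLE)

    # Reconciliation of a later assessment; detected = engine still sees the issue.
    def reconcile(self, detected):
        if self.manual:
            # The engine cannot validate manually added findings, so the scan
            # result is ignored and an attempted finding waits for an analyst.
            if self.status == ATTEMPTED:
                self._set(AWAITING)
        elif self.status == ATTEMPTED:
            self._set(FIX_FAILED if detected else FIX_CONFIRMED)
        elif self.status in OPEN and not detected:
            self._set(FIXED)         # gone without anyone marking it attempted
        elif self.status in CLOSED and detected:
            self._set(RECURRED)
        # Assumption: acceptable risk and awaiting confirmation are left as-is.

    # Analyst follow-up on a manually added finding.
    def analyst_verdict(self, fixed):
        if self.status == AWAITING:
            self._set(FIX_CONFIRMED if fixed else FIX_FAILED)


def replay(finding, events):
    """Apply (method name, argument) events in order; return the status after each."""
    seen = []
    for action, arg in events:
        method = getattr(finding, action)
        if arg is None:
            method()
        else:
            method(arg)
        seen.append(finding.status)
    return seen


if __name__ == "__main__":
    # Constructed timelines: one engine-detected finding, one manually added.
    engine = replay(Finding("constructed engine finding"), [
        ("attempt", None), ("reconcile", True),    # fix did not hold
        ("attempt", None), ("reconcile", False),   # fix held
        ("reconcile", True),                       # re-opened later
    ])
    manual = replay(Finding("constructed pentest finding", manual=True), [
        ("attempt", None), ("reconcile", False), ("analyst_verdict", True),
    ])
    print(engine)
    print(manual)
```
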

To attempt a vulnerability

1 On the individual Active View Hosts page (Figure 163 on page 121), click a host name, and then click a vulnerability name. The Vulnerabilities page opens and displays a business card summary, its current status, vulnerability data, and a description of the problem, as well as a recommended solution, external references, vulnerability notes, and actions.

NOTE Selecting the binary encoding method, which allows you to display non-printable characters, is an option. This is especially useful for the case where binary data has been detected for a given vulnerability.

Figure 182 Update Vulnerability Status

NOTE If the vulnerability exists in a third-party database, the source and a link to the description are displayed in the Reference List area. To view reference details, click the link in the Code column of the Reference List. Frontline will inform you that you are viewing a non-DDI page, and will open the reference in a new window.

2 From the Action list in the Vulnerability Action area below the business card, choose Attempted.
3 In the Vulnerability Action Notes area, describe what resolved the problem and click Update Action.

The notes area maintains a history of all notes added by a user, the Frontline system, or your VAR or DDI Client Support. They are available only in the Active View for the vulnerability. They are not included in a report.


Indicate that a Vulnerability is False Positive


Instances may arise when it would be helpful to indicate that a particular vulnerability is a False Positive vulnerability. This most often occurs when a patch is installed to remedy a vulnerability detected by software version number, but the software version for the affected software has not changed. Only a supervisor has the ability to mark a given vulnerability as False Positive. All vulnerabilities marked as False Positive require an explanatory note.

To mark a vulnerability as False Positive

1 On the individual Active View Vulnerabilities page (Figure 178 on page 134), click the name of the vulnerability. The Vulnerabilities page opens and displays a listing of the hosts that contain the vulnerability along with False Positive Notes and Active Vulnerability Notes.

Figure 183 Viewing the Hosts Containing a Particular Vulnerability

2 Choose the vulnerabilities you would like listed as False Positive.
3 In the Assignee column, choose a person assigned to the vulnerability and in the Status column choose False Positive.
4 Enter a False Positive note describing the reason for changing the status to False Positive.

Figure 184 Updating a Vulnerability Status to False Positive

Click the Update Selected Vulns button. The vulnerabilities will disappear from the screen and a message will appear indicating the update was successful.

Rated Hosts View


The Rated Hosts view combines DDI's objective view of the risk level of each host on the network with a client view of the host based on its role in the organization. These ratings are based on the weightings created in the Classification Weightings and the Node Classification screens.

To view Rated Host data

1 Choose Active View | Ratings | Rated Hosts from the menu bar. The Rated Hosts screen will be sorted by Asset Rating by default.

Figure 185 Rated Host View

The Client Prioritization value is a summarization of the weighted confidentiality, integrity, and availability scores (page 148) using the following formula, where ATW represents Asset Type Weighting:

ClientPrioritization = ATW × C + ATW × I + ATW × A

3 The Weighted Score value:

Table 12 Host Rating to Host Rating Score

| Host Rating | Rating Score |
|---|---|
| Excellent | 4 |
| Good | 3 |
| Satisfactory | 2 |
| Fair | 1 |
| Poor | 0 |
| Critical | 0 |

Weighted Score = WeightedHost × RatingScore

4 The Weighted Host value:

WeightedHost = CIA × HostRatingScore

GPA = Summation of WeightedHost / Summation of HostWeight

Table 13 Host Rating to Host Weight

| Host Rating | Host Weight |
|---|---|
| Excellent | 1 |
| Good | 1.25 |
| Satisfactory | 2 |
| Fair | 3.5 |
| Poor | 5 |
| Critical | 20 |

To view specific information about an individual host, click on the name of that host. This leads to the Active View Host Details page for that host.

Figure 186 Navigation within Rated Host View

Use the two navigation arrows on the left side of the screen to move between hosts in the rated order.

NOTE These rankings are based on the most recent assessment reconciled, so after remediating security issues, it's a good idea to run and reconcile a new assessment.

Active Websites View


This view lists the websites found on active view hosts. Websites appear or disappear from this list upon assessment host reconciliation. Use this view to: Examine a comprehensive list of detected websites. The websites listed are hyperlinks that will redirect the user to the active view host the selected website was detected on.

Figure 187 Active Website View

Penetration Tests and Manually Added Vulnerabilities

Penetration tests are performed externally (on Internet-facing devices) as well as internally (on intranet-facing devices), similar to internal and external vulnerability assessments. Where a vulnerability assessment identifies possible security vulnerabilities, a penetration test determines the potential damage of an attack on your network. A DDI Analyst runs a vulnerability assessment and then performs a comprehensive white hat attack on your network, recording the results for each host tested. Results are viewed and reconciled in the same way as for a vulnerability assessment.

To schedule a penetration test

Contact your VAR or DDI Client Support.

Manually added vulnerabilities

During a penetration test, the analyst may add vulnerabilities to certain hosts on your network. Once added, these vulnerabilities will be tracked in the Active View just as the vulnerabilities discovered by the assessment engine are. Given that the assessment engine will not be able to validate repairs of these vulnerabilities, an analyst will need to re-examine these nodes to confirm that the fix was successful. These manually added vulnerabilities are represented with an asterisk:
- On the list of vulnerabilities for a certain host, the asterisk will indicate which vulnerabilities have been added manually.

Figure 188 Identifying Manually Added Vulnerabilities

Remediating manually added vulnerabilities

1 Follow the remediation instructions in the vulnerability solution field.
2 Mark the vulnerability's status as attempted.

Run another assessment on the affected device. Be certain that the assessment is of the same type as the penetration test in which the vulnerability was discovered (i.e., an internal vulnerability assessment for an internal penetration test, an external vulnerability assessment for an external penetration test).

Reconcile the new vulnerability assessment. The vulnerability will now be in awaiting confirmation status.

Figure 189 Vulnerabilities in Awaiting Confirmation State

If your contract includes follow-up confirmation of fixes on manually added vulnerabilities, a DDI analyst will examine the node and move the vulnerability to a status of either fix confirmed or fix failed.


7 RATING, CLASSIFICATION AND VALUATION

In this chapter:

| What | Roles | Page |
|---|---|---|
| Rating | Supervisor, Administrator, Executive | page 148 |
| Classification Ratings | Supervisor | page 149 |
| Node Classification | Supervisor | page 150 |
| Valuation Weightings | Supervisor | page 151 |
| Node Valuation | Supervisor, Administrator, Executive | page 151 |


Rating

The Rating subsystem allows the different hosts on your network to be rated according to their significance in your business structure. By combining these ratings with the objective vulnerability analysis of each host, Frontline delivers a prioritized view of which devices on the network require remediation most urgently. The Rating system also allows for the tracking of financial valuations for different devices and device types on the network, for the purposes of obtaining e-liability insurance.
NOTE The Rating subsystem only applies to results that have been reconciled into the Active View.

The Rating system has five main components:
- Classification Weightings: this area is for entering overall weightings that apply across an entire network to classes of hosts.
- Valuation Weightings: this area is for entering financial weightings that apply across an entire network to classes of hosts.
- Node Classification: this area is for entering individual weightings for specific hosts.
- Node Valuation: this area is for entering individual financial value for association with a host.
- Rating Active View: this area displays a rated security view of your network, integrating objective DDI vulnerability views with client-entered ratings of the importance of each host.

All ratings are based on three main criteria of the data on the host: confidentiality, integrity, and availability.

CIA: Confidentiality, Integrity, and Availability


These three criteria define different types of data sensitivity. Data is not all sensitive in the same way: some data (and thus some hosts) must be consistently accessible to be valuable (such as servers hosting web-based applications), while others may be accessed very rarely but must be safe from data compromise (such as a disaster recovery backup system). To define these different types of data sensitivity, most organizations use the criteria of confidentiality, integrity, and availability. These terms may be defined in the following way:
- Confidentiality: the importance of preventing information from being disclosed to unauthorized users
- Integrity: the importance of ensuring that the information input into the system is the same information being output by the system
- Availability: the importance of ensuring that the information is available when requested

By balancing these three criteria, you can describe the sensitivity of the devices on your network with precision.


Classification Weightings
Classification weightings allow a ratio of these three data security criteria to be applied to a type of host. For example, a user might place a high availability rating on all printers, or a high integrity rating to a web server.

To open the Classification Weightings screen

1 Choose Administer | Weightings and Valuations | Classification Weightings from the menu bar. The Classification Weightings page opens. This page allows the user to customize the asset type weightings that will be applied to the confidentiality, integrity, and availability values as shown in the Node Classification section.

Figure 190 Classification Weighting Screen

Check the box beside the host(s) to be updated. Enter the values to be associated with these hosts into the text entry boxes at the base of the relevant columns. Values will be normalized to equal 100% after editing, so you can see the relative weights associated with each criterion in the percentages beside the numeric value. As you update, feel free to use values that do not add up to 100; the system will recalculate based on the cardinal number values used.

Click Update to add the entered values to the hosts selected. To edit these values at a later point, repeat steps 2 and 3.

Valuation Weightings
When obtaining e-liability insurance, many organizations require a resource that will allow them to track the sensitivity of different hosts on their networks. This is in order to determine the cost to the organization of any given host's outage. The cost of an outage is measured in three ways:
- Daily Outage Cost: the cost to the organization of this node being unavailable for one day
- Data Exposure Cost: the cost to the organization of the data on this node being exposed to unauthorized users
- Replacement Cost: the cost to the organization of replacing the hardware node itself

By balancing these three criteria, the financial value of protecting your network can be described with precision.
NOTE The values entered into this portion of the interface are intended to support financial activities, and as such are quite separate from the main Frontline functionality. As a result, only users in the Finance Executive role have access to these screens.

To enter data into the Valuation Weightings Table

1 Choose Administer | Weightings and Valuations | Node Valuation from the menu bar.

Figure 191 Node Valuation Screen

Check the box beside the host type(s) to be updated. Enter the values to be associated with these hosts into the white boxes at the base of the relevant columns. Values will be normalized to equal 100% after editing, so it is possible to see the relative weights associated with each criterion in the percentages beside the numeric value. While updating, it is acceptable to use values that do not add up to 100 as the system will recalculate based on the cardinal number values used.

Click Update Selected Hosts to add the entered text to the hosts selected. To edit these values at a later point, repeat steps 2 and 3.

Node Classification
Node classifications allow association of specific values with individual nodes. These values are multiplied by the asset type weighting entered into the Classification Weighting screen to determine the CIA/Client Prioritization value of each host on your network. This data is then combined with the objective security information from vulnerability assessments to create an integrated, prioritized view of the hosts which need attention most rapidly.

To enter data into the Node Classification Table

1 Choose Administer | Weightings and Valuations | Node Classification from the menu bar. The Node Classification screen opens.

Figure 192 Node Classification Screen

Check the box beside the host type(s) to be updated. Select the values to be associated with these hosts from the drop-down menus in the text entry boxes at the base of the relevant columns. These menus offer a range of values (from 1 - not important to 10 - extremely important) for each host.

Click Update Selected Assets to associate the selected values with the hosts selected. To edit these values at a later point, repeat steps 2 and 3.

Node Valuation
The Node Valuation screen provides an opportunity to enter dollar values for losses of individual hosts. These values will be weighted according to the values from the Valuation Weighting table before being displayed.
NOTE The values entered into this portion of the interface are intended to support financial activities, and as such are quite separate from the main Frontline functionality. As a result, only users in the Finance Executive role have access to these screens.

To enter data into the Node Valuation Table

1 Choose Administer | Weightings and Valuations | Node Valuation from the menu bar.
2 Check the box beside the host(s) to be updated.

Enter the dollar values to be associated with these hosts into the white text entry boxes at the base of the relevant columns.

Figure 193 Node Valuation Screen

Click Update Selected Assets. The valuations of these nodes will be updated.


8 FEATURES

In this chapter:

| What | Roles | Page |
|---|---|---|
| Preferred Hostname | Supervisor, Administrator, Executive | page 154 |
| Vulnerability Dictionary | Supervisor | page 155 |
| Alerts | Supervisor, Administrator, Executive | page 157 |
| Receiving e-mail Alerts | Supervisor | page 157 |
| Viewing Current Alerts | Supervisor | page 158 |
| Viewing Archived Alerts | Supervisor | page 159 |
| Scan Completion e-mails | Supervisor | page 159 |


Preferred Hostname

The Preferred Hostname feature is included on the Client Detail page (Administer | Accounts). It is possible to prioritize the naming convention utilized by the Frontline system. Changing the hostname priority method affects future assessments and will have no impact on data currently in the system. The hostname priority interface utilizes a drag and drop mechanism to build a visual priority list. The order can be changed by simply dragging the available items into the desired order. The default priority list includes the following items: NetBIOS Name, SNMP sysName, SMTP Banner Hostname, FTP Banner Hostname, POP3 Banner Hostname and Reverse DNS Query.

Figure 194 Preferred Hostname


Vulnerability Dictionary

The dictionary displays a list of all vulnerabilities in the Frontline database, and includes the vulnerability's risk level to both internal and external networks. The descriptions and solutions are compiled from several recognized vulnerability tracking sources, such as Nessus, Bugtraq, and CVE, as well as DDI's additional research. The Vulnerability Dictionary list page also provides search capabilities.

To view the vulnerability dictionary

1 Choose Administer | Vulnerability Dictionary from the menu bar. The Vulnerability Dictionary page opens. Use the search pane to search by vulnerability title and test method. Click on column headings to sort vulnerabilities by title or risk level. To change the number of vulnerabilities displayed on a single page, enter the number (minimum 5, maximum 100) in the box in the lower right of the list and click Reload.

Figure 195 Viewing the Vulnerability Dictionary

To view vulnerability details, click the title.

A vulnerability detail page opens. The business card for each explicit and heuristic vulnerability in the Vulnerability Dictionary includes Explicit Remote Test, Explicit Authenticated Test, and additional information for the Common Vulnerability Scoring System (CVSS).

Figure 196 Viewing Vulnerability Details

Alerts

An alert icon displayed in the header indicates one of three message types:
- Reconnaissance Network Appliance (RNA) online / offline notification. An informational alert is sent to the Client Supervisor when an RNA residing on a client network changes from an online state to an offline state or vice versa.
- A new vulnerability has been detected as the result of a scheduled assessment. A critical alert is sent when a critical level vulnerability is detected, regardless of assessment type, or when a high level vulnerability is detected for an external assessment. An informational alert is sent to the Client Supervisor when a vulnerability assessment reaches the Ready for Reconcile status.
- A software plug-in has been uploaded to the RNA, which could potentially affect your system. Scheduling a vulnerability assessment to detect any potential new vulnerabilities is advised.
- Vulnerability scan has completed. An informational alert is sent to any specified users when a vulnerability scan is complete.

Receiving e-mail Alerts


The Frontline system will send e-mail alerts to system users. Automatic alerts will be sent when the RNA online/offline status changes, and when assessments complete. By default, users with user accounts and e-mail addresses entered into their Frontline contact information will receive these alerts. Users will also receive alerts when a vulnerability has been assigned to the user through one of two scenarios:
- The user has been previously set as the host administrator for a device
- If a vulnerability has been assigned to the user by their supervisor

Users may opt out of this service by removing their e-mail addresses from their contact data within Frontline. If a user wants to begin receiving alerts again at a later point, the address may be re-added, and alerts will begin again. This same process may be used to update the e-mail addresses to which alerts are sent.

To change e-mail alerts preferences

1 Choose Administer | My Account from the menu bar.
2 Scroll down to the System Users portion of the screen. Click on the name of the user for whom you would like to change the e-mail preferences.

Click the Edit button, then click Next twice to reach the Contact Information screen of the wizard.

Figure 197 Contact Information Screen of Client Contact Wizard

Add, delete, or modify the e-mail address for the contact. When finished, click Next two more times to complete the wizard, then click Confirm to finalize the changes.

View Current Alerts


To view an alert

1 Click the alert icon. Or, choose Administer | Alerts | Unread from the menu bar. The New Alerts page opens and displays a list of current alerts. To change the number of alerts displayed on a single page, enter the number (minimum 5, maximum 100) in the box in the lower right of the list and click Reload.

Figure 198 Viewing an Alert

Select an alert and then do one of the following:
- To save the alert, click Mark Read. The message can be viewed any time in the alert archives.
- To delete the alert entirely, click Delete.
- To leave the alert in your current view, do nothing. The alert icon is displayed as long as there are alerts in the current view.


View Archived Alerts


Archived alerts are available for 90 days.

To view old alerts

1 Choose Administer | Alerts | View Read from the menu bar. The Archived Alerts page opens. To change the number of archived alerts displayed on a single page, enter the number (minimum 5, maximum 100) in the box in the lower-right of the list and then click Reload.

Figure 199 Viewing Archived Alerts

Select an alert and then do any of the following:

- To move the alert to the current view, click Mark Unread. The alert icon is displayed as long as there are alerts in the current view.
- To delete the alert entirely, click Delete.
- To leave the alert in the archives, do nothing.

Scan Completion e-mails


User profiles can be configured by Supervisor roles to receive e-mail notifications upon vulnerability scan completion.

To configure a user's profile for scan completion e-mails:

1. Choose Administer | My Account from the menu bar.
2. Select the System User or Contact profile to edit, or create a new profile.
3. If creating a new profile, fill out the required information until Step 3 Contact Information is reached. Enter an e-mail address in the appropriate form. If editing a profile, select Edit on the user's profile and click through the screens until Step 3 Contact Information is reached. Verify that the existing e-mail address is correct, or add a new e-mail address if necessary.
4. Click Next. Step 4 System Access opens. Check the Scan Completion E-mail checkbox.


Figure 200 System Access

Click Next. Step 5 Confirmation opens. Ensure that the Scan Completion E-mail field is set to yes.

Figure 201 Confirmation

GLOSSARY OF TERMS

ACTIVE SESSIONS
A list of all users currently logged into Frontline.

ANALYZER
A hardware component that sends Internet messages to other hardware components with the goal of determining the services that run on these as well as their vulnerabilities. There are two types of analyzers:
- NSAS-100 Analyzer: Resides in the SNOC and scans EVAs.
- RNA device: A NSAS-100 Analyzer residing on the client's premises scans IVAs.

ASSESSMENT
See EVA and IVA.

EPT
External Penetration Test. While the EVA and the IVA identify your network security vulnerabilities, external penetration testing [from the DDI Secure Network Operations Center (SNOC)] goes one step further and allows you to see what the consequences of having these security holes could be. A criminal hacker does not simply find the security holes and then leave; he burrows through your network, finding valuable resources (client credit card and account numbers, for example) and exploits them. External penetration testing is comprehensive, exposing not only the intruder's view of the system, but also examining the configuration and management of the systems. Penetration testing is custom-designed to cover the system platforms, network connections, software, and databases that comprise your IT facilities.

EVA
External Vulnerability Assessment. This service determines the extent to which your network is vulnerable to an external attack. DDI employs a variety of scanning techniques to survey your existing security posture. These scans proactively test for known vulnerabilities and best practices security architecture. The EVA scans all external-facing assets such as routers, firewalls, web servers, and e-mail servers for potential security weaknesses, checking for any open doors that would allow a hacker to gain unauthorized access to the network and exploit critical assets.

EHD
External Host Discovery. This service determines the number of hosts that are visible external to the organization. EHDs originate from DDI's Secure Network Operations Center (SNOC).

EHDP
External Host Discovery with Ports. This service determines the number of hosts and ports that are visible external to the organization. EHDPs originate from DDI's Secure Network Operations Center (SNOC).

EXPLICIT VULNERABILITY
Explicit vulnerabilities are detected with 100% certainty as present on a scanned host.

FRONTLINE PORTAL
The common web-based graphical user interface (GUI) with which all users interact with the system.

GUI
Graphical User Interface. A graphical representation of an operating system that uses web pages, screens, windows, menus, buttons, and icons to assist a user in navigating a software application.

HEURISTIC VULNERABILITY
A heuristic vulnerability is a vulnerability which has a certain probability of being present on a scanned host.

IHD
Internal Host Assessment. This service determines the number of hosts that are visible to the internal organization. IHDs originate from within your network using one or more of the RNA devices specified in your network profile.

IHDP
Internal Host Assessment with Ports. This service determines the number of hosts along with ports that are visible internal to the organization. IHDPs originate from within your network using one or more of the RNA devices specified in your network profile.

IPT
Internal Penetration Test. Similar to an external penetration test (EPT), internal penetration testing is executed remotely through the Reconnaissance Network Appliance (RNA) residing on your network. It exposes what the results of a network attack would be if carried out from inside the network. There are hundreds, if not thousands, of opportunities to open up new paths between the internal network and the Internet, all from within the network and most without any malicious intent on the part of the employee. With an IPT, you can see where your most dangerous security weaknesses are and can take immediate action to rectify them.

IVA
Internal Vulnerability Assessment. Properly implemented network security controls are essential in order to ward off unintentional mistakes from trusted insiders and prevent exposure of your valuable internal assets. The IVA scans all internal-facing assets such as workstations, intranet servers, printers, etc. for trojans, misconfigured workstations, PTP file sharing such as Morpheus, Kazaa, etc., and more. An IVA is executed within the internal network using the Reconnaissance Network Appliance (RNA).

NETWORK ALIAS
A logical name, selected by the user, which refers to an IP address range or list of IP address ranges.

NETWORK PROFILE
Maps the network and is a means of segregating it into logical partitions. It specifies the IP address ranges for the portion of the network that it encompasses. DDI defines network profiles based on information provided in the pre-assessment questionnaire. Assessments are run in the context of a network profile. When a vulnerability assessment runs, the results (online hosts, open ports, vulnerabilities) are traced back to the network profile with which it is associated.

NSAS-100
Network Security Awareness System 100. A system developed by DDI to deliver vulnerability assessment and penetration testing services to clients in a secure manner.

NSAS-100 ANALYZER
A hardware node that resides in the SNOC and executes EVAs on a client's network.

NSAS-100 PROXY SERVER
A hardware node that acts as a security gateway for messages that pass between the NSAS-100 scan controller and the RNA devices.

PENETRATION TEST
See EPT and IPT.

RNA
Reconnaissance Network Appliance. A RNA is the only client premise-based node of the NSAS-100. The RNA is installed on your network to perform internal vulnerability assessment (IVA) scans or internal penetration tests (IPTs) and provides a secure communication and management channel between the RNA and the other nodes of the NSAS-100 that reside at DDI's Secure Network Operations Center (SNOC).

SCAN
The act of running a vulnerability assessment in order to detect hosts and their associated vulnerabilities on a computer network.

SCAN CONTROLLER
A hardware node that communicates with the NSAS-100 Analyzer and the RNA device to start and stop scans, as well as retrieve scan status and results.

SNOC
Secure Network Operations Center. DDI's brick-and-mortar facility where the NSAS-100 intelligence resides.

VULNERABILITY ASSESSMENT TEMPLATE
Specifies IP address ranges and/or a list of single IP addresses that is created either by you, your VAR or DDI Client Support. The profile can be run multiple times without having to specify IP address ranges for each scan run.
