DIGITAL DEFENSE, INC. FRONTLINE USER GUIDE

CONTENTS

1 Introduction .... 5
    About Frontline .... 6
    Client Support .... 6
    Browser Requirements .... 6
    New Features in Frontline 5.2.0.1 .... 7
    Veracode Integration .... 7
    Unix Authenticated Scanning .... 7
    System Logon .... 7
    Logging In to Frontline .... 7
    Change Your Password .... 8
    Password Rules .... 9
    Logging Out of Frontline .... 10
    Software Version .... 10
    Frontline Portal .... 11
    Systems Menu .... 11
    Navigation Pane .... 11
    Business Card .... 13
    Lists .... 13
2 Dashboard .... 15
    Navigation .... 15
    Left-Hand Links .... 15
    Components .... 17
    Security GPA .... 17
    Host Rating by Priority .... 18
    Vulnerability Risk by Host Priority .... 18
    Average Vulnerability Age .... 19
    DDI Cloud Top 5 Critical and High Level Vulnerabilities .... 20
    Last 5 Received Unread Alerts .... 20
3 Administration .... 22
    Client Detail .... 22
    Veracode Credentials .... 23
    Contacts .... 24
    ISPs .... 25
    System Users .... 25
    User Roles and Privileges .... 26
    Add a User .... 27
    Change a User .... 32
    Delete a User .... 33
    Enable a User .... 34
    View a List of Active Sessions .... 36
    Network Profile .... 36
    Port Management .... 37
    Network Alias .... 38
    Add a Network Alias .... 39
    Change a Network Alias .... 41
    Vulnerability Assessment Templates .... 42
    Active View Vulnerabilities Page .... 81
    Active View Vulnerabilities Menu .... 83
    Active View Host Detail Page .... 85
    Active View Heuristic Vulnerability Detail Page .... 86
    Managing Heuristic Vulnerabilities .... 87
    Remediation and Tracking .... 88
    Heuristic Vulnerability Action Tracking .... 88
    SCAP Compliant Unauthenticated Vulnerability Scanning .... 89
    SCAP Implementation .... 89
    CVE Implementation .... 89
    CPE Implementation .... 89
    CVSS Implementation .... 90
    Application Analysis .... 91
    Application Analysis Page .... 91
    Compliance Statuses .... 92
    Per CVC Assessments .... 93
    Authenticated Scanning Feature .... 95
    Authenticated Scanning Process .... 95
    Enabling Authenticated Scanning .... 95
    Credential Aliases .... 95
    Client Detail Page .... 96
    Host Detail Page .... 97
    Start Authenticated Scan .... 97
    Service Results Page .... 98
5 Reports .... 99
    Results Reports .... 99
    Export Results .... 103
    Remediation Export File .... 103
    Active View Executive Summary Report .... 104
    Executive Summary Report .... 104
    Active View Detailed Host Report .... 106
    Detailed Host Report .... 106
    Active View Detailed Report on Selected Hosts .... 107
    Trending Report .... 108
    Active View Vulnerability Detail Report .... 110
    Rated Hosts Report .... 114
    Consulting Reports .... 117
    Host Visibility .... 125
    Host Application Association .... 129
    Host Assessment Mapping .... 131
    Update Host Details .... 131
    Add a Host Note .... 132
    Host Inventory View .... 132
    Vulnerability Management View .... 133
    Assigning Vulnerabilities to Users .... 135
    Entering Remediation Time .... 136
    Add a Vulnerability Note .... 137
    Attempt a Vulnerability .... 138
    Indicate that a Vulnerability is False Positive .... 141
    Rated Hosts View .... 142
    Active Websites View .... 144
    Penetration Tests and Manually Added Vulnerabilities .... 145
8 Features .... 153
    Preferred Hostname .... 154
    Vulnerability Dictionary .... 155
    Alerts .... 157
    Receiving e-mail Alerts .... 157
    View Current Alerts .... 158
    View Archived Alerts .... 159
    Scan Completion e-mails .... 159
1 INTRODUCTION

In this chapter:
    Client Support .... page 6
    Browser Requirements .... page 6
    New Features .... page 7
    Log in to Frontline .... page 7
    Change your password .... page 8
    Log out of Frontline .... page 10
    Software Version .... page 10
    Frontline Portal .... page 11
    Navigation Pane .... page 11
    Business Card .... page 13
    Lists .... page 13
About Frontline
The Frontline system provides automated vulnerability discovery, identification, mitigation management, and a variety of detailed reports. These reports let you review your network security posture and your progress in managing it, providing concrete evidence and key performance indicators for the success of a security program. Frontline uses the Network Security Awareness System 100 (NSAS-100), a system developed by DDI to deliver vulnerability assessment and penetration testing services to clients in a secure manner.
Client Support
DDI Client Support is available Monday through Friday, 8:00 am to 6:00 pm, Central Standard Time.
Toll free: 888.273.1412
e-mail: support@ddifrontline.com
NOTE: If you purchased Frontline from a Value-Added Reseller (VAR), please
Browser Requirements
Frontline has the following minimum browser requirements:
- Internet Explorer, version 7.x, JavaScript enabled
- Mozilla Firefox, version 3.6, JavaScript enabled (all features)

New Features in Frontline 5.2.0.1

Veracode Integration
The Veracode Integration feature provides system integration between Veracode Application Assessment services and Digital Defense's Frontline Vulnerability Management. This feature allows customers who are clients of both Veracode and Digital Defense to view their network vulnerability risks and their Veracode application assessment risks side by side within the Frontline interface.
System Logon
Logging In to Frontline
The system permits three attempts to log in to Frontline. If the third consecutive attempt is unsuccessful, access is automatically disabled and the account must be unlocked. If your Frontline role is Administrator, Finance Executive, or Executive, contact your Client Supervisor. If you are a Client Supervisor, contact your VAR or DDI Client Support.
NOTE: Accounts configured to use the Frontline Security Assertion Markup Language (SAML) feature access the system as configured by their single sign-on utility.
The system supports only one instance of a particular user ID at any given time; the same user ID cannot be logged in more than once simultaneously.
To log in to Frontline
1 Open your browser and establish an active connection to the Internet.
2 Browse to: https://nsas.ddifrontline.com/nsas/. Note the s after http. A secure connection is established and the Login page opens (Figure 1).
Figure 1 Logging In to Frontline
3 Enter your client ID, user ID, and password. The IDs and password are case-sensitive.
password, or your password has expired (45 days after your last password change), the Change Password page opens. See Change Your Password on page 8. The Dashboard page opens (Figure 2). For details on using the Dashboard, see Dashboard in chapter 2 of this guide.
Figure 2 Viewing the Dashboard page
Change Your Password
3 Click Reset Password. The Update Password page opens (Figure 4).
4 Enter your old password, then enter and confirm your new password.
Figure 4 Entering a Password
Password Rules
A password:
- Must be at least eight (8) characters long
- Must contain at least one (1) lower-case letter
- Must contain at least one (1) upper-case letter
- Must contain at least one (1) number or special character
- Must not be the same as any of the previous 4 passwords
Logging Out of Frontline
To log out of Frontline
- Supervisors: Choose Systems | Logout from the menu bar.
- Users: Choose Administer | Logout from the menu bar.
Figure 5 Logging out
Software Version
Use this procedure to view the current version of the Frontline software as well as the user logged in to the current session. To view the software version
Frontline Portal
The Frontline portal is a graphical user interface with several header elements that are common to all pages (Figure 7). Figure 7 Viewing the Frontline Portal
Systems Menu
The Systems menu provides access to Frontline Vulnerability Manager, IS Policy Manager and Partner Portal systems provisioned for the user account. Figure 8 Systems Menu
Navigation Pane
The pane on the left side of a page is used to navigate within that page. On many pages, more detailed information is available through the navigation pane. The navigation pane (Figure 9) indicates the availability of specific information and helps you easily return to an overview.
Items with a white background indicate the path taken to the current page. In the example (Figure 9), the TD10hostSRMS assessment was selected. From that assessment, the 172.10.3.200-172.16.3.209 sub-assessment range was selected. In that sub-assessment, the 172.16.3.204 host was selected, and finally the MS03-026 Microsoft RPC DCOM Overflows vulnerability was selected. Click any link to return directly to that page. Navigation arrows let you page through a list of items; use the left and right arrows to page through detected vulnerabilities. Figure 10 shows a sample navigation pane with filters.
Figure 10 Using Filters
On pages that display long lists of data, it is possible to filter the list using text boxes and selection lists. To view all data, leave these filters blank.
Figure 11 shows a sample wizard navigation pane.
Figure 11 Navigating a Wizard
Several wizards throughout the system help you enter complete information for a new user, vulnerability assessment template, or network alias. The current step is displayed with a white background, completed steps have a light blue background, and the remaining steps have a gray background. This list of steps also provides a navigational tool. Each step of a wizard must be viewed in sequence, but to return to a completed step, click the link in the navigation pane.
Business Card
Each page has a business card, or summary box, located in the top center of the page below the common header. The business card displays any of the following:
- The page's subtitle
- Instructions
- Information boxes
- Input boxes
- Navigation buttons or links
- System messages
Figure 12 Using the Business Card
Lists
When a list of items is displayed, click an item link to view more specific details.
Use the Prev, Next, and page number links to navigate through long lists. The list can also be filtered (Figure 10) to view only relevant entries. Certain long lists provide an additional index to facilitate quick navigation.
To go directly to a particular item in a list
- Enter the item number in the box in the upper-right of the list and then click Reload.
To change the number of list items
- Enter the number (minimum 5, maximum 100) in the box in the lower-right of the list and then click Reload.
Figure 13 Navigating a List
2 DASHBOARD

In this chapter:
    Navigation .... page 15
    Components .... page 17
Navigation
The Dashboard page is the starting point after logging into the Frontline portal. To return to the Dashboard page
Left-Hand Links
The left-hand pane within the Dashboard includes a set of navigation links to various locations within Frontline.
Figure 15 Navigation Links
The topmost navigational link toggles the Dashboard between the Internal and External active views.
Figure 16 External/Internal link
The "My GPA" link navigates to the Active View Host Rating page, where more detailed information on GPA is available.
Figure 17 My GPA link
The "Hosts" link navigates to the Active View Host page, where more detailed information is available on all active view hosts for the given client.
Figure 18 Hosts link
The "Vulnerabilities" link navigates to the Active View Vulnerabilities page, where more detailed information is available on all active view vulnerabilities for the given client.
Figure 19 Vulnerabilities link
The "Alerts" link opens the current user's Alerts page. See Chapter 8 for more information on managing Alerts.
Figure 20 Alerts link
For DDI, Enterprise, and VAR users, the left-hand navigational area shows an additional button labeled Client, which allows them to select a different sub-account. When a sub-account is selected, it appears as enabled in the top left-hand side of the Frontline banner.
NOTE: Once the sub-account is engaged, all Dashboard components, except the Last 5
Components
Security GPA
The Security GPA component (Figure 22) shows a linear representation of the given client's Security GPA: a trend of the client's monthly Security GPA over the last 12 months. This information is updated daily to reflect changes in reconciled assessments. The last data point includes a Security GPA for the current month; for example, if today's date is September 24th, the last data point accounts only for the data between September 1st and September 24th. Where there are no hosts in the Active View, the graph cannot show a point for that month and the line is not continuous. The graph is updated daily by the system at 1 AM Central time. The component also shows the same Security GPA trend for the entire DDI Cloud.
NOTE: The current GPA can be obtained by drilling into any part of the graph. Drilling into the graph redirects to the Active View Host Rating page, where more detailed information on the client's Security GPA is provided.
Figure 22 Security GPA graph
Host Rating by Priority
any part of the High Priority Host row navigates the user to the Active View Host page, where only the high priority hosts are listed. Similarly, drilling into any part of the row for the Other hosts navigates the user to the Active View Host page, where only the non-high priority hosts are listed.
Figure 23 Host Rating by Priority graph

Vulnerability Risk by Host Priority
page. Drilling into any part of the High Priority Host column navigates the user to the Active View Vulnerabilities page, where only the vulnerabilities for the high priority hosts are listed. Similarly, drilling into any part of the column for the Other hosts navigates the user to the Active View Vulnerabilities page, where only the vulnerabilities for the other (non-high priority) hosts are listed.
DDI Cloud Top 5 Critical and High Level Vulnerabilities
updated daily by the system at 1 AM Central time.
Figure 26 DDI Cloud Top 5 Critical and High Vulnerabilities table

Last 5 Received Unread Alerts
To see the most recent alert data on the Dashboard page, the page must be refreshed.
3 ADMINISTRATION

In this chapter:
What                                 Page     Roles
Client Details                       page 22  Supervisor, Administrator, Executive
Contacts                             page 24  Supervisor
ISPs                                 page 25  Supervisor, Administrator, Executive
System Users                         page 25  Supervisor, Administrator, Executive
User Roles and Privileges            page 26  Supervisor
View a List of Active Sessions       page 36  Supervisor
Network Profile                      page 36  Supervisor
Port Management                      page 37  Supervisor
Network Alias                        page 38  Supervisor
Add a Network Alias                  page 39  Supervisor, Administrator, Executive
Change a Network Alias               page 41  Supervisor, Administrator, Executive
Vulnerability Assessment Templates   page 42  Supervisor, Administrator, Executive
Client Detail
The Client Detail page is the starting point for all client and assessment administration. To open the Client Detail page
If you are in a Supervisor role, toggle the restrict access option to restrict DDI access. Note that even when the option to restrict DDI access is selected, alerts are still visible to DDI; because alerts are generic in nature, this does not pose a security concern. If you need DDI to debug an issue that requires access to the data, the Supervisor may either toggle the selection back until the issue is resolved or set up an account under your client for DDI support use. Once the issue has been resolved, either reset the password for this account or delete the account altogether.
Veracode Credentials
The Veracode Credentials button on the business card is visible to users logged in as a client supervisor, enterprise supervisor, or VAR supervisor. Veracode Services must be enabled by a Digital Defense client advocate. If the business card indicates it is disabled, please contact DDI for assistance. The Veracode Credentials button will not be visible until the service has been enabled for your account. Figure 29 Veracode Credentials Button
On the Veracode Credentials page, enter the user name and password for the company's Veracode API account and select the Update button.
If valid user credentials are entered, an "update is successful" message is displayed; otherwise, an error message is presented. To edit Veracode API credentials you must access your account through the Veracode web portal.
Figure 31 Veracode Credential Error
characters in length and include symbols from the Basic ASCII character set (however, greater-than and less-than characters and colons are not permitted in user names).
Contacts
A contact is a person who can make security decisions, but may or may not need access to Frontline. Contacts are administered in the same manner as system users (see System Users on page 25). When a system user is added, the person is automatically added as a company contact; however, deleting a system user does not delete the contact entry. To view a list of contacts
Click Add Contact and then follow the procedure for Add a User on page 27.
ISPs
Your Internet Service Provider (ISP) was set up when you purchased Frontline. To change ISP details, contact your VAR or DDI Client Support. To view a list of ISPs
System Users
A system user is a person who can log in to and access the Frontline system. When a system user is added, the user is automatically added as a company contact. For each system user, it is necessary to specify a user ID and password, as well as access privileges (see User Roles and Privileges on page 17). To view a list of system users
A list of users is displayed. A red X in the status column indicates that the user has been disabled manually by the Client Supervisor. A gray lock icon indicates that the user has been locked out as the result of a password rule violation.
Figure 34 Viewing a List of System Users
NOTE: With the exception of the Valuation Weightings and Node Valuation screens, the privileges of the Finance Executive role are identical to those of the Executive role. In the body of this guide, the term Executive describes the privileges of both groups; where the privileges of the roles differ, the differences are described. Table 1 describes each user type's access privileges.
Add a User
To add a user
1 In the System Users area, click Add User.
The Name and Address page opens. This is the first page of a wizard that guides you through the rest of the setup process. Use the navigation pane on the left to view the current page of the wizard; to go directly to a previous page, click its link in the navigation pane.
Figure 35 Entering User Details
Enter the requested information about the new user and click Next. Required data is displayed in red text.
Table 2 Contact Maximum Characters
Field Type      Max Characters
First Name      50
Middle Name     50
Last Name       50
Title           100
Address1        80
Address2        80
Address3        80
City            80
Province        80
Postal Code     10
To change an existing user, click the name of the user in the navigation pane.
The Type page opens, where the user's contact type can be specified. Ensure at least one Executive contact and one Technical contact are specified. An Executive or Technical contact does not have to be a system user; a company contact can be designated as such. The users specified as Executive and Technical contacts are displayed on the Client Detail page (Figure 36). DDI Client Support uses this information to determine which types of issues to address to the different points of contact. It also helps to define the escalation path in the event that Frontline detects a critical vulnerability or security breach on your network.
Figure 36 Selecting a Contact Type
Enter the following and click Next:
- Executive: Select this check box if high-level issues should be addressed to this user.
- Technical: Select this check box if system-level issues should be addressed to this user.
The same user can be specified as both the Executive and Technical contact and as the primary contact for both. A primary contact is the person responsible for managing DDI services on a routine basis; this person most frequently uses the Frontline system and communicates with DDI's Client Operations team. At least one person should be specified as the primary contact. The name of the primary Executive contact appears on any reports that are generated.
The Contact Information page opens.
Figure 37 Entering Contact Details
Enter the requested information and click Next.
FRONTLINE USER GUIDE 29
You must enter at least one contact method if the user is a primary contact.
Table 3 Contact Maximum Characters
Field            Max Characters
Work Phone       30
Cell Phone       30
Fax              30
Pager            30
e-mail Address   200
Enter the following:
Role   Select the user role from the list. Always specify No Access for a contact who does not need access to the Frontline system. For a system user, select Supervisor, Administrator, Executive, or Finance Executive. For a description of each role, see User Roles and Privileges on page 26.
User ID   Enter a unique ID for this user (maximum 40 characters).
NOTE A user ID:
Must have at least one (1) character.
Can contain only letters, numbers, and underscores (_).
Cannot start with a number.
Unassigned is a reserved user ID.
Password   Enter the user's password.
NOTE A password:
Must be at least eight (8) characters long.
Must contain at least one (1) lower-case letter.
Must contain at least one (1) upper-case letter.
Must contain at least one (1) number or special character.
Must not be the same as any of the previous four (4) passwords.
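The user ID and password rules above are mechanical enough to check before the form is submitted. The following is an added example, not code from the Frontline guide or from DDI's product: a Python validator for the rules exactly as listed here. Salted PBKDF2 hashes for the password history, and treating any non-alphanumeric character as "special", are assumptions, since the guide does not say how Frontline stores previous passwords or defines a special character.

```python
import hashlib
import hmac
import os
import re

# "Unassigned" is the one reserved user ID the guide names.
RESERVED_USER_IDS = {"unassigned"}
PASSWORD_HISTORY_DEPTH = 4  # "must not be the same as any of the previous 4 passwords"


def check_user_id(user_id: str) -> list:
    """Return the rule violations for a proposed user ID (empty list = acceptable)."""
    problems = []
    if len(user_id) < 1:
        problems.append("must have at least one character")
    if len(user_id) > 40:
        problems.append("must not exceed 40 characters")
    if not re.fullmatch(r"[A-Za-z0-9_]*", user_id):
        problems.append("may contain only letters, numbers and underscores")
    if user_id[:1].isdigit():
        problems.append("must not start with a number")
    if user_id.lower() in RESERVED_USER_IDS:
        problems.append("is a reserved user ID")
    return problems


def record_password(password: str, salt: bytes = None) -> tuple:
    """Produce a (salt, digest) pair for the password history.
    Assumption: salted PBKDF2-HMAC-SHA256; the guide does not state the real storage format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_password(password: str, history: list) -> list:
    """Return the rule violations for a proposed password.

    history holds (salt, digest) pairs from record_password(), oldest first;
    only the most recent PASSWORD_HISTORY_DEPTH entries are consulted.
    """
    problems = []
    if len(password) < 8:
        problems.append("must be at least 8 characters long")
    if not any(c.islower() for c in password):
        problems.append("must contain at least one lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("must contain at least one upper-case letter")
    # Assumption: any character that is not a letter or a digit counts as "special".
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("must contain at least one number or special character")
    for salt, digest in history[-PASSWORD_HISTORY_DEPTH:]:
        _, candidate = record_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            problems.append("must not match any of the previous 4 passwords")
            break
    return problems
```

Reject the value whenever the returned list is non-empty and show every entry at once, so the user corrects all problems in a single round trip; the history comparison re-derives the hash with the stored salt and compares in constant time rather than keeping old passwords in clear.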
Confirmation   Re-enter the password.
Time zone   Select the user's time zone from the list. The time zone matters for scheduling and reporting, especially when a scheduled assessment covers multiple time zones. Assessments are scheduled in the network's time zone. Reports are generated on demand and are addressed to the user's time zone regardless of where a vulnerability scan or penetration test originated.
NOTE When more than one RNA is deployed to cover a network that spans more than one time zone, each RNA is set to the time zone of the site where it is physically located. Frontline compensates for time zone differences automatically in areas such as the Calendar View. For example, if an RNA is deployed to a site in the Pacific time zone and the user interface is set to the Central time zone, an assessment scheduled to run on that RNA at 5:00pm (Pacific) appears in the user interface as running at 7:00pm. The system displays all times in your default time zone. A time that has not been converted to your time zone is labeled with its own time zone; an unlabeled time has been converted.
Disabled   Select this check box to prevent the user from logging in to Frontline. This allows a user to be disabled without deleting the user's account.
Scan Completion E-mail   Select this check box if the user is to receive e-mail notification of scan completion.
Click Next.
Review the user information. To open a previous page, click Prev. To go directly to a particular page, click the link in the navigation pane.
Click Confirm.
The user is added and the Name and Address page appears (Figure 35 on page 28). The message Representative Updated is displayed in the message area. If there were problems saving and validating the user profile, a relevant message is displayed instead.
Change a User
Any user detail, including the user ID, password and user role, can be changed, and a locked user account can be unlocked.
To change a user
1 In the System Users area (Figure 34 on page 26), click the Name of the user to change.
2 Click Edit.
The Name and Address page opens and the user information is displayed. Once on this page, it is possible to click the name of another user in the navigation pane.
Figure 41 Editing Contact Details
3 Use the Prev and Next buttons to move through the pages. As with adding a new user, the navigation pane provides access to all pages.
4 When you are finished changing user details, click Next until the Confirmation page opens.
5 Click Confirm.
Delete a User
When a system user is deleted, the person is not deleted as a company contact.
To delete a user
1 In the System Users area (Figure 34 on page 26), click the Name of the user you want to delete.
The detail page for the selected user opens (Figure 40 on page 33).
2 Click Delete.
3 Click Confirm.
The user is deleted and you return to the Client Detail page (page 22).
Enable a User
There are two ways that a Frontline user can become disabled:
A user is allowed three attempts to log in to Frontline. If the third consecutive attempt is unsuccessful, the user's access is automatically disabled and the user's account must be unlocked.
The Client Supervisor disabled the user through the Contact wizard; the user must then be re-enabled via the wizard. See Change a User on page 32.
A red X next to the user's name in the System Users area indicates a disabled user. A gray lock icon indicates that the user has been locked out as the result of a password rule violation. To re-enable access to Frontline, contact your Client Supervisor, your VAR, or DDI Client Support.
Figure 43 Viewing a User's Status
To reset a user's password
1 On the user's detail page (Figure 40 on page 33), click Reset Password.
To unlock a user's account without resetting the password
A lock in the Status column of the System Users section of the Client Detail screen indicates that a user has been locked out after three consecutive failed login attempts.
Figure 45 Viewing a List of Users with Locked and Unlocked Account Statuses
1 Click the user with a locked account.
2 On the user's detail page, click the Unlock button. This button is only visible if the account has been locked.
Figure 46 Viewing the Details of a User with a Locked Account
3 The system unlocks the account. Once the update is completed, the Client Detail screen is displayed with a listing of all contacts. The user is now designated with a green check mark, indicating that he or she is no longer locked out.
The Active Sessions page opens. To sort the list, click any heading.
Figure 47 Viewing a List of Active Users
Network Profile
.................................................................................
A network profile specifies the IP address ranges (or boundaries) for your network, including any addresses that should be excluded from scheduled vulnerability assessments. A profile can encompass the entire network or it can be partitioned into multiple profiles. There are two types of network profiles:
Internal Network Profile   Defines all internal-facing assets such as workstations, Intranet servers, printers, etc. Internal networks require one or more RNA devices attached to and configured for your network.
External Network Profile   Defines all external-facing assets such as routers, firewalls, web servers, and e-mail servers. External networks do not require any RNA devices attached to your network.
Your network profiles were established when you purchased Frontline. To make changes, contact your VAR or DDI Client Support. To facilitate assessment scheduling for a common IP address range, create a network alias. See Add a Network Alias on page 39.
To view a list of network profiles
Port Management
.................................................................................
The DDI RNA executes two stages in order to discover vulnerabilities on devices. The first stage is Host Discovery. The second is Vulnerability Assessment, in which a more comprehensive test is performed against a default set of approximately 12,000 ports. The Client Supervisor can provision TCP port exclusions for the Host Discovery phase, and both port inclusions and exclusions for the Vulnerability Assessment phase.
A port exclusion prevents all automated tests from examining certain ports on your network. Port exclusions are used to protect equipment that is not robust enough to withstand vulnerability testing: if a given port is served by unstable software, that port can be excluded from testing. This technique, while not recommended for wide use, lets you test healthy nodes without causing network issues due to problematic software. Port exclusions apply across your network; you do not need to add the exclusion node by node. Keep in mind that an excluded port is a blind spot: vulnerabilities on it are not reported, so record why each exclusion exists and review the list periodically.
A port inclusion specifies additional ports to be scanned during the Vulnerability Assessment phase. If a device is not discovered during the Host Discovery phase, it is not examined during the more comprehensive Vulnerability Assessment phase. If the Client Supervisor knows of a device that should be assessed during the second phase, they can include the port it answers on so that the vulnerabilities associated with that device are revealed. If you have any active port exclusions on your network, they are displayed under My Account on the Administer menu.
To manage the list of ports within a network profile
1 Follow the previous steps to view a network profile.
2 Click the Edit Network Configuration button.
3 Choose the Scan Speed (the default speed is Moderate) and click Next.
4 Enter the HD (Host Discovery) port you would like to include and click Next.
5 Enter the VA (Vulnerability Assessment) port you would like to include and click Next.
6 If necessary, enter an additional VA port you would like to include and click Next. If there are no additional ports, just click Next.
7 Enter a range of VA (Vulnerability Assessment) ports you would like to exclude and click Next.
8 Verify the information and click the Confirm button.
Network Alias
.................................................................................
A network alias helps facilitate assessment scheduling by defining and naming a specific IP address or range of addresses. If the same unique IP addresses, subnets, or branches are tested frequently, consider creating a network alias. To view a list of network aliases
2 Enter a name for the alias (maximum 30 characters), for example, Printers, All Workstations, or Main Street Branch, and click Next.
The Select Network page opens and displays all available parent networks.
Figure 52 Selecting an Alias Network
3 Select the entire network range, or specify the range of IP addresses for this alias, and click Next.
The range is added and the Enter Included Range page opens again.
4 Enter another range of IP addresses, or click Next to proceed.
5 Enter the range of excluded IP addresses within the inclusion range and click Next, or click Next to skip the exclusion range.
The range is added and the Enter Excluded Range page opens again.
6 Enter another excluded range, or click Next to proceed.
7 Click Confirm.
The alias is displayed in the left side navigation pane. If there were problems saving and validating the alias, a relevant message is displayed instead.
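As an added example, not the Frontline wizard's own code, here is how the include-then-exclude logic of an alias, together with the no-overlap rule that scheduling enforces on ranges and aliases, can be computed with Python's ipaddress module. Accepting both CIDR and start-end notation, and rejecting an exclusion that falls outside every included range, are this example's assumptions (the guide only says the excluded range lies within the inclusion range); the Printers alias is constructed sample data.

```python
import ipaddress
from itertools import combinations


def parse_range(text: str) -> list:
    """Accept '192.168.10.0/24' or '192.168.10.250-192.168.10.254' (both notations
    are assumed here; the guide does not say which form the wizard takes)."""
    text = text.strip()
    if "-" in text:
        first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if last < first:
            raise ValueError(f"range end precedes start: {text}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(text, strict=False)]


def build_alias(name: str, included: list, excluded: list) -> list:
    """Effective address space of an alias: included ranges minus excluded ranges.

    The wizard asks for excluded ranges *within* the inclusion range, so an
    exclusion that lies outside every included range is rejected rather than
    silently ignored (assumed behaviour).
    """
    inc = [n for r in included for n in parse_range(r)]
    exc = [n for r in excluded for n in parse_range(r)]
    for e in exc:
        if not any(e.subnet_of(i) for i in inc):
            raise ValueError(f"alias {name!r}: excluded range {e} is not inside any included range")
    remaining = inc
    for e in exc:
        carved = []
        for n in remaining:
            if e.subnet_of(n):
                carved.extend(n.address_exclude(e))   # yields nothing when e == n
            elif n.subnet_of(e):
                continue                             # n lies wholly inside the exclusion
            else:
                carved.append(n)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def address_count(networks: list) -> int:
    return sum(n.num_addresses for n in networks)


def covers(networks: list, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


def overlapping_selections(selections: dict) -> list:
    """selections maps a range/alias label to its networks; returns the pairs of
    labels whose address space overlaps, i.e. the combinations the scheduler rejects."""
    clashes = []
    for (a, nets_a), (b, nets_b) in combinations(selections.items(), 2):
        if any(x.overlaps(y) for x in nets_a for y in nets_b):
            clashes.append((a, b))
    return clashes


# Constructed sample: a Printers alias that leaves out the five highest addresses.
PRINTERS = build_alias("Printers", ["192.168.10.0/24"], ["192.168.10.250-192.168.10.254"])
```

Running overlapping_selections on the entire network range together with the Printers alias reports the pair, which is exactly the combination the IP Addresses page refuses; two aliases on different /24s report nothing.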
Vulnerability Assessment Templates
.................................................................................
A vulnerability assessment template defines the IP addresses that are scanned on your network during a vulnerability scan or penetration test.
NOTE Creating and scheduling vulnerability assessment templates are discussed in detail in the Assessments chapter of this guide (Chapter 4).
To view vulnerability assessment templates
1 Choose Administer | My Account from the menu bar and then scroll to the Assessment Templates area (Figure 57 on page 42).
A list of assessment templates is displayed. To change the number of templates displayed on a single page, enter the number (minimum 5, maximum 100) in the box at the lower right of the list and click Reload.
Figure 57 Viewing a List of Vulnerability Assessment Templates
Assessment Services
.................................................................................
A list of the assessment and penetration test services available for scheduling can be viewed.
To view a list of assessment services
.................................................................................
The following Assessment Services table describes the eight types of available services.
Table 5 Assessment Services
Internal Vulnerability Assessment (IVA)   Determines the extent to which your network is vulnerable to an internal attack. IVAs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Vulnerability Assessment (EVA)   Determines the extent to which your network is vulnerable to an external attack. EVAs originate from DDI's Secure Network Operations Center (SNOC).
Internal Penetration Test (IPT)   DDI security experts interrogate and exploit your internal network. Before an Analyst performs an IPT, an IVA is run on your network. Contact your VAR or DDI Client Support to schedule an IPT.
External Penetration Test (EPT)   DDI security experts interrogate and exploit your external network. Before an Analyst performs an EPT, an EVA is run on your network. Contact your VAR or DDI Client Support to schedule an EPT.
Internal Host Discovery (IHD)   Determines the number of hosts that are visible from inside the organization. IHDs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Host Discovery (EHD)   Determines the number of hosts that are visible from outside the organization. EHDs originate from DDI's Secure Network Operations Center (SNOC).
Internal Host Discovery with Ports (IHDP)   Determines the number of hosts, along with their visible ports, from inside the organization. IHDPs originate from within your network using one or more of the RNA devices specified in your network profile (page 29).
External Host Discovery with Ports (EHDP)   Determines the number of hosts, along with their visible ports, from outside the organization. EHDPs originate from DDI's Secure Network Operations Center (SNOC).
An assessment can be scheduled according to the type of service contract purchased. A list of current services is displayed in the Services area of the Client Detail page.
Table 6 Contract Types
Evergreen   Expires upon contract cancellation. If your contract includes vulnerability assessment services, you can schedule assessments as long as you have a valid contract with DDI or your VAR.
(type name not legible in source)   Expires as soon as it is used. If your contract includes vulnerability assessment services, you can schedule only one assessment on your network.
(type name not legible in source)   Expires after a pre-determined length of time. If your contract includes vulnerability assessment services, you can schedule assessments during the valid time frame.
Vulnerability Assessments
.................................................................................
Internal vulnerability assessments (IVAs) and internal penetration tests (IPTs) are performed with a Reconnaissance Network Appliance (RNA) installed on your network. The RNA provides a secure communication and management channel between your network and the other nodes of the NSAS-100 that reside at DDI's Secure Network Operations Center (SNOC). The RNA enables NSAS-100 system operators to initiate vulnerability scans, perform penetration testing, and execute security assessments as needed. The RNA, located behind your network firewall, connects to the SNOC-based NSAS-100 nodes through a secure tunnel and provides a means of transmitting security testing results and findings.
In carrying out vulnerability assessments, the SNOC-based NSAS-100 nodes generate an encrypted and authenticated request and pass it to the RNA. The request is a pre-formatted data structure that contains the range of IP addresses to test, contract information, and so on. The data structure is placed in an encrypted secure container and digitally signed for a unique RNA. DDI employs a bidirectional digital signature for authentication and non-repudiation: the RNA verifies that the request was generated by the NSAS-100, and the NSAS-100 in turn ensures that only the specific RNA the request was signed for can execute it. The RNA runs the assessment, then encrypts the results and passes them back over the secure data connection to the SNOC-based NSAS-100 nodes.
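The request flow above, as an added example that is not DDI's code: what the RNA and the SNOC each have to check so that a request is accepted by exactly one appliance and its results are accepted for exactly that request. Because the Python standard library has no signature primitive, a per-RNA HMAC key stands in for the digital signature the guide describes; that gives mutual authentication and the one-RNA binding, but not non-repudiation, which requires an asymmetric signature. The transport encryption (the "secure container") is left out, and the keys, RNA identifiers and findings are constructed.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed per-RNA keys, one per appliance, shared only with the SNOC.
# Assumption: the real system uses asymmetric signatures; an HMAC stands in here.
RNA_KEYS = {"rna-0001": os.urandom(32), "rna-0002": os.urandom(32)}
MAX_AGE_SECONDS = 300


def canonical(body: dict) -> bytes:
    """Deterministic encoding so both sides authenticate exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, direction: str, body: dict) -> dict:
    """Tag the direction label and the body together, so a reply can never be
    replayed as a request (or vice versa) even though one key serves both ways."""
    tag = hmac.new(key, direction.encode() + b"\x00" + canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(key: bytes, direction: str, message: dict) -> dict:
    expected = hmac.new(key, direction.encode() + b"\x00" + canonical(message["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        raise ValueError("authentication tag does not verify")
    return message["body"]


def snoc_build_request(rna_id: str, targets: list, contract: str, now: float = None) -> dict:
    body = {
        "rna_id": rna_id,                    # binds the request to one appliance
        "targets": targets,
        "contract": contract,
        "nonce": os.urandom(16).hex(),       # replay protection
        "issued": int(now if now is not None else time.time()),
    }
    return seal(RNA_KEYS[rna_id], "snoc->rna", body)


def rna_handle_request(rna_id: str, message: dict, seen_nonces: set, now: float = None) -> dict:
    """Appliance side: verify the tag, then addressee, freshness and replay,
    and only then run and return sealed results (constructed findings here)."""
    now = now if now is not None else time.time()
    body = verify(RNA_KEYS[rna_id], "snoc->rna", message)
    if body["rna_id"] != rna_id:
        raise ValueError("request is addressed to a different RNA")
    if abs(now - body["issued"]) > MAX_AGE_SECONDS:
        raise ValueError("request is stale")
    if body["nonce"] in seen_nonces:
        raise ValueError("request nonce already used (replay)")
    seen_nonces.add(body["nonce"])
    findings = [{"target": t, "open_ports": [22, 443]} for t in body["targets"]]
    return seal(RNA_KEYS[rna_id], "rna->snoc", {"rna_id": rna_id, "nonce": body["nonce"], "findings": findings})


def snoc_accept_results(rna_id: str, reply: dict, request_nonce: str) -> list:
    """SNOC side: results must carry this RNA's tag and echo the outstanding request's nonce."""
    body = verify(RNA_KEYS[rna_id], "rna->snoc", reply)
    if body["rna_id"] != rna_id or body["nonce"] != request_nonce:
        raise ValueError("results do not belong to the outstanding request")
    return body["findings"]


def rejection_reason(fn, *args) -> str:
    """Run fn and report why it rejected the message ('' if it was accepted)."""
    try:
        fn(*args)
        return ""
    except ValueError as err:
        return str(err)
```

The order of checks matters: the tag is verified before any field is trusted, so a forged rna_id or a tampered target list fails at the first step, and a request sealed for rna-0001 is simply unverifiable on rna-0002 because it holds a different key.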
N O T E The examples in this procedure describe how to add an IVA template; an EVA
template is created in the same manner. In addition, IHD, IHDP, EHD and EHDP templates are all created in the same manner.
In the business card, click New Assessment. The Name page opens and a default name is displayed. The default name is a combination of assessment type, year, date, and time.
Enter a name for the assessment (maximum 60 characters) and then click Next. This name shows up in all lists, including the Calendar View, the Service Results View, and the Vulnerability Assessment Templates list, so be sure to choose a name that is meaningful, for example, Printers IVA or Daily EVA. The IP Addresses page opens and displays a list of IP address ranges and aliases. The time displayed at the top of the list is in your time zone.
NOTE Password Auditing   This option defaults to Light, the level typically used to find known default and easily guessable passwords. When set to None, no password guessing is performed during the vulnerability assessment. A third option, Full, is also available; it resembles an attacker's approach, with extensive password guessing. All sub-assessments inherit the password auditing option from their parent assessment. Before selecting Full against hosts that enforce an account lockout policy, confirm that the extra guesses will not lock out production accounts.
Figure 61 Selecting IP Addresses to Assess
Select the IP addresses to scan (or specify a range in the last box and click Add). The entire network range is always listed first. You cannot specify overlapping IP address ranges; for example, you cannot choose both the entire network range and an alias within that range. You can specify multiple aliases or ranges as long as they do not overlap. The Select All IPs check box, when selected, checks or unchecks all IPs listed in the associated sub-assessment; it does not check or uncheck aliases.
Do one of the following and click Next:
To schedule the scans individually, specify the date and time for each range.
To specify the same time for all ranges, enter the date and time in the reset all times boxes and click Reset All Times.
To schedule the scans to run sequentially, choose the Start immediately after previous network option. Choose this option if running simultaneous scans would diminish your network's performance.
NOTE Scan Now   This feature updates all dates and times to your current date and time. When you use this feature, the start times for the assessments are updated so that the scans run simultaneously for all IP address ranges and aliases in the vulnerability assessment you are scheduling. However, sub-assessments set to Start Immediately after previous network remain as such; they are not changed to run at the new date and time.
The Recurrence page opens.
Figure 63 Scheduling a Recurrence
SERVICES AND MANAGEMENT TOOLS
One Time   Schedules a scan to run only once. For One Time assessments, the Save Template check box is displayed. Select this check box to save the current assessment as a template that can be rescheduled. If you do not save the assessment as a template, it is deleted when the assessment begins to run.
Every <time> from the day selected   Schedules a recurring scan when the assessment interval is a fixed number of days, weeks, or months. The assessment is scheduled according to the date you selected on the previous page, for example, Every 3 months from the 14th of the month.
Every month from the weekday selected   Schedules a recurring scan when the assessment interval is a fixed day of the month. The assessment is scheduled according to the day of the month selected on the previous page, for example, every 3 months from the second Sunday of the month.
For recurring assessments, only the current or upcoming assessment is shown in the Calendar View or the Service Results View. When all sub-assessments have been completed for the current assessment, the next scheduled instance is shown. The Confirmation page opens. Figure 64 Confirming a Vulnerability Assessment
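An added example, not part of the guide or of the product: the two recurrence styles worked out in Python as a list of run dates. Clamping a 31st that rolls into a shorter month, and skipping a month that lacks the selected ordinal weekday (a fifth Sunday), are this example's assumptions; the guide does not say how Frontline handles either case.

```python
import calendar
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month's length
    (31 January + 1 month is 28 or 29 February). Assumed behaviour."""
    index = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def nth_weekday(year: int, month: int, weekday: int, n: int):
    """The n-th occurrence (1-based) of weekday (Monday=0) in the month, or None
    when the month has fewer than n such days (no fifth Sunday, for instance)."""
    days = [week[weekday] for week in calendar.monthcalendar(year, month) if week[weekday]]
    return date(year, month, days[n - 1]) if n <= len(days) else None


def every_interval(start: date, unit: str, every: int, count: int) -> list:
    """'Every <every> days/weeks/months from the day selected', starting at start."""
    if unit == "days":
        return [start + timedelta(days=every * k) for k in range(count)]
    if unit == "weeks":
        return [start + timedelta(weeks=every * k) for k in range(count)]
    if unit == "months":
        return [add_months(start, every * k) for k in range(count)]
    raise ValueError(f"unknown interval unit: {unit}")


def every_month_from_weekday(start: date, every: int, count: int) -> list:
    """'Every <every> months from the weekday selected': keep the start date's
    ordinal weekday (e.g. the second Sunday) in each following period.
    Assumption: a month that lacks that ordinal is skipped rather than shifted."""
    ordinal = (start.day - 1) // 7 + 1
    runs, k = [], 0
    while len(runs) < count:
        period = add_months(start.replace(day=1), every * k)
        k += 1
        run = nth_weekday(period.year, period.month, start.weekday(), ordinal)
        if run is not None:
            runs.append(run)
    return runs
```

With a start date of 10 March 2024 (the second Sunday) and an interval of three months, every_month_from_weekday yields 10 March, 9 June and 8 September 2024, which is what the second Sunday rule requires even though the day of the month shifts each time.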
Review the information and click Confirm. To change schedule details, click Prev or use the navigation pane to return to a previous page.
3 Click Edit. The first page of the wizard is displayed (Figure 60 on page 48).
4 Step through the wizard and change the details of the assessment as desired.
Or
1 Choose Administer | My Account from the menu bar. The Client Details page opens.
Figure 66 Viewing Client Details
2 Scroll to the Assessment Templates area at the bottom of the page. A list of templates is displayed.
Figure 67 Viewing a List of Assessment Templates
3 Click the Name of the template to change. The Assessment Templates page opens (Figure 65 on page 51).
4 Click Edit. The first page of the wizard is displayed (Figure 60 on page 48).
5 Step through the wizard and change the details of the assessment as desired.
Attempting to delete a vulnerability assessment template for an assessment that is running does not stop the assessment; however, it can be interrupted. See Interrupt a Vulnerability Assessment on page 53.
1 Choose Administer | My Account from the menu bar. The Client Details page opens.
Figure 68 Viewing Client Details
2 Scroll to the Assessment Templates area at the bottom of the page. A list of templates is displayed.
Figure 69 Viewing a List of Assessment Templates
The Assessment Templates page opens.
Figure 70 Deleting a Recurring Assessment Template
Click Confirm.
2 Click the IP Range of the sub-assessment you want to interrupt. An interrupt page opens.
Figure 73 Interrupt the Vulnerability Sub-Assessment
3 Click Interrupt Scan. The sub-assessment stops and a scan details page is displayed.
Figure 74 Scan Details
4 To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane. The list of sub-assessments and their current status is displayed.
Figure 75 Viewing the Interrupted Status
Running one.
To pause a vulnerability assessment
1 In the Calendar View or Service Results View, click the Name of the assessment. A list of sub-assessments is displayed.
2 Click the IP Range of the sub-assessment you want to pause. A new page displays with the Interrupt Scan and Pause Scan buttons.
Figure 77 Pause the Vulnerability Sub-Assessment
3 Click Pause Scan. The sub-assessment stops and a scan details page is displayed.
Figure 78 Scan Details
4 To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane. The list of sub-assessments and their current status is displayed.
Figure 79 Viewing the Paused Status
2 Click the IP Range of the paused sub-assessment you want to resume. A new page displays with the Interrupt Scan and Resume Scan buttons.
Figure 81 Resume the Paused Vulnerability Sub-Assessment
3 Click Resume Scan. The sub-assessment starts and a scan details page is displayed.
Figure 82 Scan Details
4 To view the new status of the sub-assessment, click All Sub-assessments in the navigation pane. The list of sub-assessments and their current status is displayed, and the sub-assessment goes from Paused to Resuming and then back to Running.
N O T E If the RNA was updated while the sub-assessment was in the Paused state, the
assessment scan will start over from the beginning instead of picking up where it left off. This is to ensure result accuracy with the latest vulnerability release.
Ready for Reconcile (Date)   The date and time the assessment finished running. An exclamation point in the Reconciled column indicates that the assessment is ready to be reconciled to the Active View.
Interrupted   The assessment has been interrupted.
Error   The assessment is in an error state and has stopped running. There are four possible causes for an error:
A fault occurred during transmission.
There was a time-out because the RNA was offline.
The file containing the vulnerability assessment data was corrupted.
A component failed or was placed in a maintenance state during the assessment scan, for example, the RNA was power-cycled.
Calendar View
The Calendar View provides a quick overview of the status of any assessment for the selected month. To view the calendar
2 To view the details of a service result, click the Name. A list of sub-assessments and their current status is displayed.
NOTE When selecting an assessment that is in the Submitted status, the Assessment Template page opens and the assessment can be changed. See Change or Reschedule a Vulnerability Assessment on page 50.
Figure 85 Viewing the Service Results
In the Sub-assessment area, click an IP Range. Detected host and vulnerability details are displayed. Figure 87 Viewing a List of Detected Hosts
In the Hosts area, click a Host Name. The Host page opens and displays a list of services, websites, and vulnerabilities detected on a particular host. It is also possible to add comments about the host on this page.
Figure 88 Viewing a List of Services and Vulnerabilities
Optional: To add a comment about the host, scroll to the bottom of the page.
NOTE All comments are saved with the host and are also included in the detailed report from this assessment. To associate a comment with a host over time, use the Active View. Comments will not appear in the Executive Summary Report.
The Client Host Notes area is displayed.
Figure 89 Entering Host Notes
Enter the text of your note and click Add Note. To edit a note, select it, change the text, and click Update Note. To delete a note, select it and click Delete Note.
NOTE To view vulnerability details, click the vulnerability name in the Vulnerabilities area.
The Websites area displays the websites detected on the selected assessment host.
Click a Vulnerability Name. The Service Detection page opens and displays details about the vulnerability. Comments about the vulnerability can be added on this page. Comments about vulnerabilities (Vulnerability Notes) are saved with the vulnerability and are also included in assessment reports.
Figure 91 Viewing Vulnerability Details
8 Optional: To update the binary encoding method, select it from the list and click Update Encoding Method.
N O T E The binary encoding method determines how non-printable characters in
3 Click Reassess. The Reason page opens, where a reason for the reassessment is required. This information is required for reporting purposes.
Figure 95 Entering a Reason for the Reassessment
4 Enter a reason for the reassessment and click Next. The IP Addresses page opens.
Figure 96 Specifying an IP Address
ranges for reassessments. The Start Times page opens (Figure 97 on page 67).
Figure 97 Scheduling a Reassessment
5 Enter the times and click Next. The Confirmation page opens.
6 Click Confirm.
In addition to vulnerability assessments, Internal and External Host Discoveries and Internal and External Host Discoveries with Ports can also be deleted.
To delete a vulnerability assessment
1 In the Calendar View or Service Results View, click the Name of the assessment (Figure 83 on page 60) to delete. The Service Results page opens.
Figure 99
2 In the business card, click Delete Assessment. A confirmation message, Are you sure you want to delete this assessment?, is displayed within the business card.
3 Click the Confirm button. The assessment is deleted and completely removed from the system, and you are returned to the calendar page.
been removed from the network. As another example, if a host is upgraded with new software and a new network card with a new MAC address, matching the host from the current assessment to past results is not automatically possible and the hosts must be matched manually. The data found in the assessments remains the same; only the data placed in the Active View is amended, based on the actions taken during reconciliation. The combination of reconciliation and ongoing assessments provides a clear, accurate picture of the current state of your network. The Active View can also help maintain data about such hardware changes.
Occasionally, a vulnerability assessment scan detects a vulnerability that does not exist on the network, for example when timing parameters between the host machine and the RNA device are not in sync, or when a firewall configuration prevents the host from returning a data packet. When a DDI Analyst validates your assessment results, he or she can detect these false positives and remove them from your assessment results. This check ensures that only valid, verifiable vulnerabilities are presented for resolution.
If you have requested DDI to validate a vulnerability assessment, the assessment goes into a Ready for Validation status. After validation, the assessment moves to a Ready for Reconcile status, indicated by the date and time in the Completed column and an exclamation point in the Reconciled column. If you have not requested validation, the assessment bypasses Ready for Validation and moves directly to Ready for Reconcile. The number of hosts detected is also displayed. In the example in Figure 101 on page 70, the last assessment is ready to be reconciled. A check mark indicates that the assessment has been reconciled.
The Detailed Reports and Executive Reports are generated from data in the assessment view. The data in an assessment cannot be changed. A host or set of hosts can be reassessed, but the data from the first assessment is still contained in the reports. It is also possible to add notes to the data, which are included in the reports.
N O T E Any changes made to data in the Active View are not reflected in the Detailed Reports
or Executive Reports. Changes made in the Active View regarding host visibility are not reflected in the assessment view or the reports. Figure 101 Viewing a List of Current Vulnerability Assessments
A client configured for automatic reconcile may un-reconcile assessments to handle them manually, or leave them unreconciled for a period of time. Auto-reconcile does not automatically reconcile an assessment that has been un-reconciled. It respects reconcile locking: if a manual reconcile is in progress, auto-reconcile does not interfere, and while auto-reconcile is running, manual reconcile is not possible until it completes.
To reconcile a vulnerability assessment
1 In the Calendar View or Service Results View, click the Name of the assessment that is ready for reconcile. The Service Results page opens.
Figure 102 Reconciling a Vulnerability Assessment
2 In the business card, click Reconcile Now. The Auto Reconcile page opens (Figure 103 on page 72) and displays a list of hosts detected during the scan as well as details about each host, such as operating system and host type. This page shows the system-proposed match for each host in the assessment to the Active View. The host list is split into two areas. The left side shows the hosts detected during the current assessment or penetration test. The Active View Host List on the right side shows the host information for the same IP address that has already been reconciled to your Active View. If a new host is detected during a scan, the option Add this host to the Active View is displayed instead of existing host details.
3 After comparing all four columns for each host, do one of the following and click Accept.
- If the system-proposed match is correct, select the check box.
- If the proposed match is not correct and you want to manually reconcile the host, clear the check box.
If any check boxes on the Automatic Reconciliation page are cleared, the Host-by-Host Reconciliation page opens (Figure 104 on page 73). On this page, it is possible to reconcile any mismatched hosts in the assessment to unmatched machines in the Active View. If no check boxes were cleared on the previous page, the Reconciled Hosts confirmation page opens instead (Figure 105 on page 73).
4 Do one of the following and click Accept:
- If the host is new, select the Add this Host to the Active View option. This option does not reconcile the assessment to an existing host. The host is treated as a new host with new assessment results.
- If the host no longer exists on your network because, for example, you decommissioned a server or a visiting laptop was connected to your network during the assessment scan, select the Ignore this Host option. Ignoring hosts because they are temporarily on your network, such as visiting contractors or devices under evaluation, is an option. Ignored results are not included in vulnerability report totals or considered in risk posture calculations, and will not be available in the Active View or to the Rating function.
- To reconcile the assessment to an existing host in your Active View, select that host. Existing hosts are sorted according to a system-assigned best match. The list of unmatched machines becomes shorter as they are reconciled to current assessments.
If check boxes are cleared for more than one host, the next host opens for manual reconciliation. The Completed column in the business card counts the number of reconciled hosts. When all hosts have been reconciled, a confirmation page opens.

Figure 105 Confirming a Reconciliation
This will prompt a return to the Service Results page, and a check mark is displayed in the Reconciled column.
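The matching that the Auto Reconcile and Host-by-Host Reconciliation pages perform can be followed in code. The following Go program is an added example, not Frontline's own code: it assumes constructed host records with the four compared columns (IP address, host name, operating system, host type), proposes a match by IP address as described above, and ranks the not-yet-reconciled Active View hosts by best match for manual reconciliation. The type and function names are this example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed record types: the page names the four compared columns but not
// Frontline's internal schema, so these fields are an assumption.
type DetectedHost struct {
	IP, Hostname, OS, HostType string
}

type ActiveHost struct {
	ID                         int
	IP, Hostname, OS, HostType string
}

// Proposal is one row of the Auto Reconcile page: the detected host on the left, the
// Active View host that already holds the same IP address on the right (nil when the
// host is new, in which case "Add this host to the Active View" is offered instead),
// and how many of the four columns agree so the analyst can judge the proposed match.
type Proposal struct {
	Detected DetectedHost
	Match    *ActiveHost
	Agree    int
}

// agreement counts the columns on which a detected host and an Active View host agree.
func agreement(d DetectedHost, a ActiveHost) int {
	n := 0
	if d.IP == a.IP {
		n++
	}
	if d.Hostname == a.Hostname {
		n++
	}
	if d.OS == a.OS {
		n++
	}
	if d.HostType == a.HostType {
		n++
	}
	return n
}

// ProposeMatches builds the system-proposed match for every detected host. Matching is
// by IP address; a detected host whose IP is absent from the Active View gets no match
// and becomes a candidate for "Add this host" or "Ignore this host".
func ProposeMatches(detected []DetectedHost, active []ActiveHost) []Proposal {
	byIP := make(map[string]*ActiveHost, len(active))
	for i := range active {
		byIP[active[i].IP] = &active[i]
	}
	out := make([]Proposal, 0, len(detected))
	for _, d := range detected {
		p := Proposal{Detected: d}
		if a, ok := byIP[d.IP]; ok {
			p.Match = a
			p.Agree = agreement(d, *a)
		}
		out = append(out, p)
	}
	return out
}

// ManualCandidates serves the Host-by-Host Reconciliation page: Active View hosts not
// yet reconciled in this assessment, best match (most agreeing columns) first, so the
// list shrinks as hosts are reconciled.
func ManualCandidates(d DetectedHost, active []ActiveHost, reconciled map[int]bool) []ActiveHost {
	var c []ActiveHost
	for _, a := range active {
		if !reconciled[a.ID] {
			c = append(c, a)
		}
	}
	sort.SliceStable(c, func(i, j int) bool {
		return agreement(d, c[i]) > agreement(d, c[j])
	})
	return c
}

func main() {
	// Constructed sample: a stable web server, a re-imaged database host and a visiting laptop.
	detected := []DetectedHost{
		{"10.0.0.5", "web01", "Linux", "Server"},
		{"10.0.0.7", "db02", "Linux", "Server"},
		{"10.0.0.9", "visitor-laptop", "Windows", "Workstation"},
	}
	active := []ActiveHost{
		{1, "10.0.0.5", "web01", "Linux", "Server"},
		{2, "10.0.0.7", "db01", "Linux", "Server"},
		{3, "10.0.0.20", "fileserver", "Windows", "Server"},
	}
	for _, p := range ProposeMatches(detected, active) {
		if p.Match == nil {
			fmt.Printf("%-12s new host: offer Add this host or Ignore this host\n", p.Detected.IP)
			continue
		}
		fmt.Printf("%-12s proposed match id=%d (%d/4 columns agree)\n", p.Detected.IP, p.Match.ID, p.Agree)
	}
}
```

A match proposed by IP address alone can be wrong after a re-image or an address reuse, which is why the page asks you to compare all four columns before accepting; the agreement count makes that comparison explicit.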
To undo a reconciliation

1 On the Reconcile page (Figure 103 on page 72), click Undo Reconcile in the navigation pane.

2 Click the check box of each reconciled host to undo and click Undo. The Host-by-Host Reconciliation page opens (Figure 104 on page 73) and the hosts can be manually reconciled (see step 4 on page 73).
.................................................................................
The Artificial Intelligence engine infers the presence of heuristic vulnerabilities in real time for the EVA, EPT, IVA (with or without authenticated scans) and IPT, using rules that depend on the applications detected on the host. The system assigns heuristic vulnerabilities to probability levels from the lowest (level 1) to the highest (level 5).
NOTE: Explicit vulnerability tests for specific vulnerabilities will not show up within the heuristic

To sort by vulnerability name or risk level

1 Click on the column headings.
By default, the heuristic vulnerabilities list contains only level 5 (high probability) vulnerabilities. Use the Heuristic Probability drop down box in the bottom part of the pane to adjust the probability setting. For example, if level 3 is set, all heuristic vulnerabilities for probability levels 3, 4 and 5 are displayed.

To display all heuristic vulnerabilities

1 Set the Heuristic Probability setting to level 1 (low probability).
To query a customized list of heuristic vulnerabilities

1 Select an application from the Application drop down box.
2 Select a Heuristic Probability level.
3 Select a vulnerability risk level.
To filter by application

1 Use the Application drop down box to select the application.
2 Set the Heuristic Probability level.
3 Set the Risk level.
4 Click Search.
To filter by probability

1 Use the Heuristic Probability drop down box in the Heuristic Vulnerabilities pane to filter vulnerabilities based on the probability of their presence. The probabilities are divided into five levels: Level 1 Low, Level 2, Level 3, Level 4, and Level 5 High.
A heuristic vulnerability with a probability of level 1 is unlikely to be present. A heuristic vulnerability at level 5 indicates the vulnerability has a high likelihood of being present on the specified hosts. When the drop down box is set to a level, the search will include vulnerabilities for the specified level and for all higher levels. For example, if the Heuristic Probability is set to level 1, the system will list all vulnerabilities for levels 1, 2, 3, 4, and 5. The following figure illustrates the Heuristic Probability drop down box levels.
Figure 108 Heuristic Vulnerabilities - Probability Menu
To filter by risk

1 The Risk drop down box (Figure 109 on page 79) provides the option to filter the heuristic vulnerabilities based on different levels of risk.
Figure 109 Heuristic Vulnerabilities - Risk Menu
The Application drop down box lists all applications detected for the given host and provides the ability to filter the heuristic vulnerabilities by application by selecting one of the applications from the list.
Figure 110 Heuristic Vulnerabilities - Applications Menu

Figure 112 Heuristic Vulnerability promoted and inherited to assessment

Figure 113 Active View Heuristic Vulnerabilities pane
The list can be filtered using the search panel located at the bottom of the list. Filtering can be done based on Application, Heuristic Probability, and Risk (Figure 114 on page 82).

Figure 114 Active View Heuristics Vulnerabilities List
Clicking on a unique heuristic vulnerability reveals the Heuristic Vulnerability detail page (Figure 115 on page 83).
The Active View Vulnerabilities page (Figure 117 on page 84) lists all vulnerabilities including risk level and number of occurrences, and includes the search pane. Explicit and Heuristic vulnerabilities are displayed in separate panes.
Figure 117 Active View Vulnerabilities Page
Drill into a specific vulnerability to access the Active View vulnerability details (Figure 118 on page 85). Vulnerability Name, Host, Method, and Visibility are displayed for all occurrences across all Active View hosts for the selected Explicit or Heuristic Vulnerability. All occurrences of a given vulnerability can be searched in the left hand search pane. It is also possible to search for all occurrences of the given vulnerability based on the different states of host visibility (Visible, Non-Protected, Protected, Hidden). By default, both searches are set to Visible.
Figure 118 Active View Vulnerability Details

Figure 119 Active View Host Detail Screen

Figure 120 Active View Heuristic Vulnerability Detail page
The system moves the vulnerability from the Active View Heuristic Vulnerabilities to the Active View Vulnerabilities. Promoted heuristic vulnerabilities are listed in the Active View Vulnerabilities section with a green asterisk symbol. This symbol is also included in the legend of the Active View Detailed Host screen.

To demote from explicit to heuristic

Heuristic vulnerabilities promoted to an explicit vulnerability may be demoted to a heuristic vulnerability.

1 Select the promoted vulnerability within the Active View Vulnerabilities section.
2 Click the Reset Heuristic Vulns button.
To attain fixed status

In order for the promoted vulnerability to attain a fixed status, the vulnerability must be set to Attempted. When a promoted heuristic vulnerability has been marked as fix confirmed, the vulnerability will no longer be deemed an active vulnerability.
vulnerability has been promoted to a true risk. When a heuristic vulnerability is promoted, an entry will appear in the Active Vulnerability Actions pane indicating the date the promotion took place, who instigated the promotion, and a promotion note. However, the system cannot determine whether or not the promoted heuristic vulnerability has been fixed. If a promoted heuristic is demoted, tracking notes will not be seen in the heuristic pane. The heuristic vulnerability must be promoted to see tracking notes.

To move the promoted heuristic vulnerability to fix confirmed

1 The vulnerability must first be set to Attempted.
If a heuristic vulnerability is ever demoted after having been promoted, an entry will appear in the pane indicating when the demotion occurred, who instigated the demotion, and the term Heuristic Demoted will appear in the Notes column.
In addition to confirmed vulnerabilities, Frontline uses proprietary technology to infer implicit vulnerabilities, known within the interface as "Heuristic Vulnerabilities". The technology employs an artificial intelligence engine which consults a wide set of rules in order to infer implicit vulnerabilities. These rules include the CPE to CVE mappings that are provided within SCAP feeds. Implicit vulnerabilities are seen within the Frontline interface at the assessment level as well as within the workflow management system known as Active View.
CVE Implementation
The Frontline Solutions Platform (FSP) is the engine that powers the Frontline Vulnerability Manager and consists of a wide range of proprietary vulnerability detections. The Digital Defense Vulnerability Research Team (VRT) researches and implements all vulnerability detections. The implementation maps vulnerabilities to their corresponding title, description, remediation steps, and other related information, including external references. Frontline users view vulnerabilities for specific assessments that have been launched, within the workflow management interface known as Active View, or they may browse all vulnerabilities within the FSP Dictionary. Many of the FSP proprietary vulnerability detections are related to vulnerability entries that are tracked within the Common Vulnerabilities and Exposures (CVE) database. Whenever there is a corresponding CVE, Frontline presents an external link to the related CVE entry. These external CVE references are available for vulnerabilities within any of the three previously mentioned locations within Frontline. When users of the system click on the external reference, they are redirected within a new browser window to the corresponding vulnerability within that CVE.
CPE Implementation
Digital Defense's FSP provides support for the Common Platform Enumeration (CPE). CPE is a structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. The FSP utilizes a proprietary technique to fingerprint third party devices, operating systems, and applications. These are known within the FSP as the "application detections". These detections are shown in Frontline within the Assessment screens as well as the workflow management tool known as Active View. Integral to the FSP is an application programmer's interface (API) that allows users to interface directly with the system without having to use a browser. This API, known as the Frontline SOA-API, is primarily used to integrate Frontline with third party products. The application detections are shown within the XML output for several of the FSP SOA-API calls.

All of the FSP application detections have corresponding CPE URIs. The CPE entries are pulled directly from SCAP data feeds and imported into the FSP system. Many of these URIs are found within the official CPE dictionary. Although the CPE URI is not shown within the FSP interface for the corresponding application detections, it is present within the output XML for the various SOA-API calls that use it. This allows for a simplified integration with third party products that are also compliant with CPE. In addition, the FSP provides an ability to infer vulnerabilities that may be present on assessed systems using artificial intelligence. This capability, known as Frontline Heuristic Vulnerabilities, uses CPE as well as SCAP data and feeds that relate CPE to CVE vulnerabilities as part of its rule-based expert system in determining the vulnerabilities to infer. The inferred vulnerabilities are listed within the Frontline Assessment and Active View screens for every detected host.
CVSS Implementation
The FSP displays the CVSS base scores as well as the temporal scores for vulnerabilities within Frontline that are related to a CVE. These are seen within the vulnerability screens at the Assessment and Active View levels as well as within the FSP Vulnerability Dictionary.
Application Analysis
.................................................................................
The application data displayed on the Application Analysis page is updated daily at 2am CDT from the Veracode API Server. Additionally, the page includes an update button that allows Administrators and Supervisors to manually update the data. To navigate to this page, select Application Analysis on the Assessments menu from the Frontline menu bar.

Figure 121 Application Analysis menu
NOTE: This page is only visible to clients with Veracode Services enabled (page 23). The only users that will see the Update Application Data button are Client, Enterprise, and VAR Supervisors. The button will not display for sub-Enterprise Supervisors, Administrators, or any other types of users.
Compliance Statuses
- Pass: the application has passed all aspects of the policy, including rules, required scans, and grace period.
- Did not Pass: the application has not completed all required scans, has not achieved the target Veracode Level, or has one or more policy relevant flaws that have exceeded the grace period to fix.
- Conditional Pass: the application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.
To manually update Application Data

1 Select the Update Application Data button located on the Application Analysis business card. Applications in the status of request incomplete are not imported from Veracode. Once the data has been updated, an Update Successful message will appear on the business card.

If the Veracode API credentials are invalid, they could potentially be locked out. Please verify your submitted API credentials are correct and that they are not locked out on the Veracode account portal.
.................................................................................
The Frontline Per CVC Assessment feature allows users to use IVA and EVA assessments to test for specific vulnerabilities. The assessment wizard prompts the user to specify a scan option indicating whether to test for all vulnerabilities, which is the default option, or a single vulnerability selected from a drop down list. The scan test option applies to all sub-assessments within the assessment.

Figure 123 Assessment Wizard - Specify scan option
Complete the assessment wizard to configure hosts to include, scan times and recurrence options (Figure 124 on page 93).

Figure 124 Assessment Wizard - Confirm scan selections
Service results are available as reports, and can be explored in the assessment view service results pane.
Figure 125 Assessment View - Service Results
NOTE: Assessments run against a single vulnerability cannot be reconciled into the Active
.................................................................................
The new IVA and IPT Authenticated Scanning feature provides the ability to dig deeper into specific Windows and Unix based operating system hosts to detect internal, application-specific vulnerabilities. An authenticated scan includes all non-authenticated scan CVCs and the new authenticated scan CVCs. Authenticated Scanning is available on a per client basis and only applicable to internal services.

Operating systems supported by Auth Scanning:
- Microsoft Windows domain joined hosts
- Redhat 5 and 6, server and client
- Ubuntu 11 and 12, server and client
- Solaris 10
Credential Aliases
Client account supervisors must create Credential Aliases within Frontline to use this feature. Clients can enable multiple credential aliases. Credential Alias passwords used for Unix Authenticated Scanning cannot be over 128 characters in length.
Authenticated Scanning. The system encrypts the username and password components of the credentials with the public key of a GPG key-pair. The system does not encrypt the domain name portion of the credentials. Clients provisioned for Auth Scanning will have one CSI GPG key-pair, with the public key stored in Frontline and the private component stored on the client RNA(s).

Figure 127 Credential Alias Management
DDI does not have access to encrypted data, and misplaced credentials cannot be recovered. Disabled Credential Aliases must be updated by an account administrator.
NOTE: For VAR clients provisioned with the authenticated scans option, the My Account page business card will show a new Allow VAR_NAME to provision credential aliases checkbox. VAR_NAME is the short name (Client ID) of the VAR client. VAR clients have the option of allowing their VAR permission to manage their credential aliases.
Figure 128 Authenticated Scans in Client Detail Services

Figure 130 Credential Alias drop down box
A sub-assessment launches with the authenticated scan option by selecting the appropriate credential alias for the given sub-assessment from the new drop down selection box. An assessment may consist of both authenticated scan sub-assessments and non-authenticated scan sub-assessments. When a sub-assessment launches, the RNA receives the credentials for the selected credential alias. The RNA decrypts the username and password components of the credentials with the private key of the CSI GPG key-pair.
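To show the division of trust that the credential alias design describes, the following Go program is an added example, not Frontline or RNA code. It substitutes RSA-OAEP from Go's standard library for the GPG key-pair, keeps the domain in the clear and encrypts only the username and password under the public key, and enforces the 128-character password limit; the record layout, the OAEP labels and the constructed key pair are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredAlias is what the portal side keeps: the domain in the clear, and the username
// and password only as ciphertext under the scanner's public key (constructed layout).
type StoredAlias struct {
	Name        string
	Domain      string
	UsernameEnc []byte
	PasswordEnc []byte
}

// MaxPasswordLen is the limit the page gives for Unix credential alias passwords.
// It is checked in bytes here; a 2048-bit key with SHA-256 OAEP fits up to 190 bytes.
const MaxPasswordLen = 128

// Distinct OAEP labels bind each ciphertext to its field, so a stored username
// ciphertext cannot be presented to the scanner as a password or vice versa.
var (
	labelUser = []byte("credential-alias:username")
	labelPass = []byte("credential-alias:password")
)

// NewAlias is the portal-side operation. It needs only the public key and can never read
// the credential back, which is the property behind "misplaced credentials cannot be recovered".
func NewAlias(pub *rsa.PublicKey, name, domain, username, password string) (StoredAlias, error) {
	if len(password) > MaxPasswordLen {
		return StoredAlias{}, errors.New("password exceeds 128 characters")
	}
	u, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(username), labelUser)
	if err != nil {
		return StoredAlias{}, err
	}
	p, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), labelPass)
	if err != nil {
		return StoredAlias{}, err
	}
	return StoredAlias{Name: name, Domain: domain, UsernameEnc: u, PasswordEnc: p}, nil
}

// OpenAlias is the scanner-side (RNA) operation: only the holder of the private key
// recovers the username and password; the domain is read straight from the record.
func OpenAlias(priv *rsa.PrivateKey, a StoredAlias) (domain, username, password string, err error) {
	u, err := rsa.DecryptOAEP(sha256.New(), nil, priv, a.UsernameEnc, labelUser)
	if err != nil {
		return "", "", "", err
	}
	p, err := rsa.DecryptOAEP(sha256.New(), nil, priv, a.PasswordEnc, labelPass)
	if err != nil {
		return "", "", "", err
	}
	return a.Domain, string(u), string(p), nil
}

func main() {
	// Constructed key pair standing in for the client's CSI GPG key-pair; in the product
	// the private half lives only on the RNA.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	alias, err := NewAlias(&priv.PublicKey, "unix-prod", "corp.example", "svc-scan", "constructed-secret")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: name=%s domain=%s username=%x.. password=%x..\n",
		alias.Name, alias.Domain, alias.UsernameEnc[:4], alias.PasswordEnc[:4])
	d, u, p, err := OpenAlias(priv, alias)
	if err != nil {
		panic(err)
	}
	fmt.Printf("scanner side: domain=%s username=%s password=%s\n", d, u, p)
}
```

Because the stored record contains the domain in plaintext, it is the only credential component the portal side can display or search on; everything else is opaque until the RNA decrypts it at launch, which is why a disabled alias has to be re-entered rather than recovered.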
NOTE: Remediation of vulnerabilities detected in an Authenticated Scan will only be validated
5 REPORTS
...................................

In this chapter:

What | Roles | Page
Generate and view results reports | Supervisor, Administrator, Executive | page 99
Export a report for import into a spreadsheet | Supervisor | page 103
Export a remediation file for use with an automated vulnerability remediation service | Supervisor, Administrator, Executive | page 103
Generate and view an Active View Executive Summary Report | Supervisor, Administrator, Executive | page 104
Generate and view a Trending Report | Supervisor, Administrator, Executive | page 108
Generate and view a Rated Hosts Report | Supervisor | page 108
Consulting Reports Page | Supervisor, Administrator, Executive | page 117
Results Reports
.................................................................................
It is possible to view several types of results reports for assessments and penetration tests. The Executive Summary and Detailed Network reports are available to all Frontline users. The TippingPoint Filter report is available to select clients who have the TippingPoint IPS system. Consulting Services reports are available to clients in accordance with various DDI services.

- Executive Summary Report - This report provides a high-level summary as well as general and specific recommendations for improving security. The information is intended for executive-level contacts and users.
- Detailed Network Report - This report builds on the high-level detail in the Executive Summary Report, and includes specific host and vulnerability information, as well as recommendations for improving security. The information is intended for technical contacts and users.
- Detailed Host Report - This report builds on the data in the Active View workflow tool, and includes specific host status, services, and vulnerability information. The information is intended for the statistical measurement of network health by the client.
- TippingPoint Filter Report - This report lists all filters that should be enabled on TippingPoint IPS given the DDI vulnerabilities and operating systems identified in the given assessment. The report is enabled on a per client basis by Digital Defense within the DDI Frontline interface.
- Consulting Reports - This feature provides service reports through the Frontline interface for clients with contracted consulting services.
To view results reports

1 In the Calendar View or Service Results View, click the name of the assessment or penetration test. The Service Results page opens and the reports are listed in the business card.

2 Do any of the following depending on the type of report you want to view.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, it will be subject to individual browser settings.

To view an HTML report

1 Click the HTML icon of the report you wish to view. The Processing Report page opens in a new browser window.

Figure 133 Viewing Report Progress
To print the report, choose File | Print from the menu bar.
To view a PDF report

1 Click the PDF icon of the report you wish to view. The Processing Report page opens in a new browser window (Figure 133). Acrobat Reader is launched and the report is displayed.

Figure 135 Viewing a PDF Report
To print the report, click the Print button on the Acrobat tool bar.
To download a PDF report

1 Click the PDF tool bar save icon of the report you want to save.

2 Click Save and then choose the location where you want to save the file.
Export Results
.................................................................................
It is possible to export report results into a comma separated values (CSV) format that can subsequently be imported to a spreadsheet or database. Exported results are useful for trend analysis over time.

To export a report

1 Click the CSV icon of the report you want to export. The File Download dialog box opens.

Figure 137 Downloading an Export File

2 Click Save and then choose the location where you want to save the file.
.................................................................................
The data gleaned from a vulnerability assessment and collected in Active View is made available in two Remediation Export file types, in OVAL standard and Citadel Hercules formats. These file formats are not made available by default, but can be activated by contacting DDI Client Support.

To export a Citadel Hercules file

1 Click the Citadel icon of the report you want to export. The File Download dialog box opens.

Figure 138 Downloading an Export File

2 Click Save and then choose the location where you want to save the file.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, it will be subject to individual browser settings.

To export an OVAL XML report

1 Choose Active View | Vulnerabilities from the menu bar and then click the network you wish to view. The Active Vulnerabilities page opens.

2 Click the OVAL Report icon (Figure 114). The File Download dialog box opens.

3 Choose Save and then the desired location for the file.

Figure 139 Downloading an OVAL XML file
.................................................................................
The Active View Executive Summary Report shows a graphical view of vulnerabilities over time. The data in this historical report is most valuable after several assessments have been run and corrective action has been taken on vulnerabilities identified by the assessments.
Detailed Host Information - includes host security rating, host services and their ports, as well as vulnerability counts and ratings for each host in the report.

To view an Active View Executive Summary Report

1 Choose Active View | Hosts from the menu bar and click the network you want to view. The Active Hosts page opens.

Figure 140 Viewing the Active View Executive Summary Report

2 Do any of the following depending on the type of report you wish to view.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1 Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 141 Viewing Report Progress

The report is displayed.

Figure 142 Viewing an HTML Active View Executive Summary Report
To print the report, choose File | Print from the menu bar.
To view a PDF report

1 Click the PDF icon. The Processing Report page opens in a new browser window (Figure 141). Acrobat Reader is launched and the report is displayed.

Figure 143 Viewing a PDF Active View Executive Summary Report
To print the report, click the Print button on the Acrobat tool bar.
.................................................................................
The Active View Detailed Host Report provides host specific information for hosts currently in the Active View workflow tool. The Detailed Host Report can be generated as a Global Host report for every host currently in Active View, or as a Filtered Host report for hosts in the current host filter list. The filter list is located at the left side of the screen. Notes can be added to individual hosts by selecting a host and using the Active Host Note window at the bottom of the page. Notes can be effective in remediation efforts.
To view an Active View Detailed Host Report

1 Choose Active View | Hosts from the menu bar and then select the Detailed Report button located on the third row of the business card. The Detailed Host Report page opens.

Figure 144 Viewing the Active View Detailed Host Report

NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.
The Active View Detailed Report can be generated in several formats for a group of hosts identified through search filters. Use the report option buttons on the Summary Card to select the desired report format. The first section of the Summary Card generates full reports for all hosts in the Active View. The second section contains HTML and PDF buttons to generate detailed reports for the hosts identified in the search. The third section provides three different types of CSV reports for the hosts identified in the search. The CSV Host Info report provides host and vulnerability information for the selected hosts.
The CSV Vulnerability Dictionary Info report provides the unique vulnerabilities and their corresponding descriptions and solutions. The CSV Reference Info report provides the unique vulnerabilities along with their associated reference information.
Trending Report
.................................................................................
The Trending Report shows a graphical view of vulnerabilities over time. The data in this historical report is most valuable after several assessments have been run and corrective action has been taken on vulnerabilities identified by the assessments.

To view a Trending Report

1 Choose Active View | Hosts from the menu bar and then click the network you wish to view. The Active Hosts page opens.

Figure 146 Viewing the Trending Report

2 Do any of the following depending on the type of report you wish to view.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1 Click the HTML icon. The Processing Report page opens in a new browser window.
To print the report, choose File | Print from the menu bar.
To view a PDF report

1 Click the PDF icon. The Processing Report page opens in a new browser window (Figure 141). Acrobat Reader is launched and the report is displayed.

Figure 149 Viewing a PDF Trending Report
To print the report, click the Print button on the Acrobat tool bar.
.................................................................................
The Active View Vulnerability Detail Report provides a summary of current active vulnerabilities on your network as displayed in your Active View, in addition to recently remediated vulnerabilities.

To view an Active View Vulnerability Detail Report

1 Choose Active View | Vulnerabilities from the menu bar and then click the network you wish to view. The Active Vulnerabilities page opens.

Figure 150 Viewing the Active View Vulnerability Detail Report

2 To view a report, click the Report Output button. Options include HTML or PDF format, risk level, number of days included, and sort order. Click the Submit button to create the report. The report Table of Contents includes active links to facilitate navigation.

Figure 151 Detailed Vulnerability Report TOC

Figure 152 Active View Detailed Report Last Identified Chart

To view an HTML report

1 Click the HTML icon. The Processing Report page opens in a new browser window.

Figure 153 Viewing Report Progress

Figure 154 Viewing an HTML Active View Vulnerability Detail Report
To print the report, choose File | Print from the menu bar.
To view a PDF report

1 Click the PDF icon. The Processing Report page opens in a new browser window (Figure 153). Acrobat Reader is launched and the report is displayed.

Figure 155 Viewing a PDF Active View Vulnerability Detail Report
To print the report, click the Print button on the Acrobat tool bar.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

.................................................................................
The Rated Hosts report displays the state of your network prioritized by your organization's view of each device on your network. The data in this historical report is most valuable after node classification and node weighting information has been entered into the Weightings and Valuations screens.

To view a Rated Hosts Report

1 Choose Active View | Rating | Rated Hosts from the menu bar and then click the network you wish to view. The Rated Hosts page opens.

Figure 156 Viewing the Rated Hosts Page

2 Do any of the following depending on the type of report you want to view.
NOTE: The reports in PDF format have been optimized for printing. If a report is printed in HTML format, the printed report will be subject to individual browser settings.

To view an HTML report

1 Click the HTML icon. The Processing Report page opens in a new browser window.

The report is displayed.

Figure 158 Viewing an HTML Rated Hosts Report
To print the report, choose File | Print from the menu bar.
To view a PDF report

1 Click the PDF icon. The Processing Report page opens in a new browser window. Acrobat Reader is launched and the report is displayed.
To print the report, click the Print button on the Acrobat tool bar.
Consulting Reports
.................................................................................
The Consulting Reports page is accessed through the summary card of the Client Detail page, and lists all confirmed Consulting Reports by type, name and date posted.

Figure 160 Access Consulting Reports

This feature makes Consulting Reports available to clients through the Frontline interface. The Consulting Reports feature will provide the following report types:
- Password Audit Report
- PCI Report
- NetCraft Report
- Onsite Physical Security Report
- Social Engineering Report
- Network Architecture Review Report
- Policy Documents
- Enterprise Risk Assessment Report
- Custom Report

Figure 161 Consulting Reports Page

The Consulting Reports page shows the Client Name, Report Storage Quota, and Percentage of report storage used (Storage Used). The left hand search pane allows the user to search reports by date posted or report type. A dropdown box allows the user to select valid report types by which to search. Available Consulting Reports can be sorted by Type, Name or Date Posted. Title links are provided to access each report. Users can specify the number of records to be displayed, and can navigate the list using the provided prev, next and page number links. All clients are initially provided Consulting Reports storage of 100 MB. Additional storage is available on a per client basis.
6 ACTIVE VIEW

In this chapter:
Active Views (page 120; Supervisor, Administrator, Executive)
Hosts Management View (page 120; Supervisor)
Host Assessment Mapping (page 129; Supervisor, Administrator, Executive)
Update Host Details (page 131; Supervisor, Administrator, Executive)
Add a Host Note (page 132; Supervisor, Administrator, Executive)
Host Inventory View (page 132; Supervisor)
Vulnerability Management View (page 133; Supervisor, Administrator, Executive)
Assigning Vulnerabilities to Users (page 135; Supervisor, Administrator, Executive)
Change the Status of a Vulnerability (page 136; Supervisor)
Entering Remediation Time (page 136; Supervisor, Administrator, Executive)
Add a Vulnerability Note (page 137; Supervisor, Administrator, Executive)
Attempt a Vulnerability (page 138; Supervisor)
Indicate a Vulnerability is False Positive (page 141; Supervisor, Administrator, Executive)
Rated Hosts (page 142; Supervisor)
Review Websites (page 144; Supervisor, Administrator, Executive)
View Penetration Tests and Manually Added Vulnerabilities (page 145; Supervisor, Administrator, Executive)
Active Views
An Active View displays all results you have chosen to view and monitor when assessment results are reconciled. It also assists in managing and maintaining the assessment findings on an ongoing basis. There are five Active Views:
Active Hosts View: This view displays a host-oriented view of the Active View data (page 120). Use this view to filter the list of hosts, assign a host type and responsible administrator, and hide a particular host from view.
Active Host Inventory View: This view displays the name, IP address, and device type of the hosts found on your network. It also allows you to enter additional information to identify the host for asset management purposes.
Active Vulnerabilities View: This view displays a vulnerability-oriented view of the Active View data (page 133). Use this view to filter the list of vulnerabilities, assign a vulnerability to a user, and manage a vulnerability's status.
Active Websites View: This view displays a website-oriented view of the Active View data (page 144). Use this view to examine a comprehensive list of websites found on all active view hosts.
This view is used to assign a host type, assign a responsible administrator, or hide a particular host from the Active View.
Navigate to the Active View Host page and select the Advanced Search button.
It is possible to save the search as global or private. Once saved, a global search is accessible to other users in the same account. A private search, however, is only available to the user who saved the search.
To conduct an advanced search
Select search terms from drop-down menus or enter the desired search terms in the designated text boxes in the left pane.
Figure 166 Select and save advanced search parameters
Click the add button to add criteria, and click the remove button to remove criteria. Type part of a vulnerability title to select from a suggested list.
Figure 167 Vulnerability auto-suggest list
Execute an existing search by selecting it from the drop-down list. Edit an existing search by loading the existing search, modifying the criteria, then clicking Save & Search. The existing search name should display in the Search Name field.
To delete a search
Select it from the list and click Delete. A confirm delete prompt will appear in the left navigation pane to approve the delete.
To exit Advanced Search
Select the All Internal or All External filter from the left navigation pane, or use the Active View | Hosts menu option.
To enable and adjust these data management parameters, contact your client support representative.
Host Visibility
Host visibility can be designated as Non-protected, Protected or Hidden from the Active Hosts page.
Non-protected hosts are visible in the Active View Hosts list, and can be hidden. Protected hosts are visible in the Active View Hosts list, but cannot be hidden. Hidden hosts do not appear in the list, but can be accessed through the search pane visibility drop-down menu. When the visibility drop-down menu item is selected, the associate and disassociate application buttons are disabled.
When a host is hidden from view, Frontline continues to include its vulnerabilities in the Trending Report. However, after the host has been hidden, its vulnerabilities are set to zero (to indirectly indicate the vulnerabilities have been addressed by removing the given host). Table 9 shows an example of a hidden host's vulnerabilities over time. The host was hidden from view between the months of December and January and vulnerabilities were set to zero for subsequent months.
Table 9 Host Vulnerabilities Trend Example
Month      Status    Vulnerabilities
October    Viewable  55
November   Viewable  40
December   Viewable  20   (host hidden after this month)
January    Hidden    0
February   Hidden    0
The Active View Hosts list shows all hosts that have been reconciled into your Active View. A green check mark designates visible hosts; a red X designates hidden hosts.
Table 10 describes the host posture ratings and recommended action, if any.
Table 10 Host Posture Ratings
Critical (Black): The host has vulnerabilities which indicate the host has been compromised. This system should be immediately disconnected from the network, rebuilt or restored from the ground up, and secured before reconnecting to the network. If a criminal investigation is sought, take appropriate steps to preserve any forensic evidence.
Poor (Red): This host is easily vulnerable to penetration. It requires minimal or no in-depth skills to gain access. Intruders can easily obtain penetration tools from the Internet or use educated guessing to gain access.
Fair (Orange): This host is vulnerable to skilled penetration attempts. An intruder would require an in-depth understanding of the host, strong programming skills, and/or a great deal of time to gain access to this system.
Satisfactory (Yellow): This host is not immediately vulnerable to penetration, but provides an intruder with information and services that could be helpful in future penetration attempts.
Good (Lime Green): No significant vulnerabilities were noted, but it may still be possible to harden this host against advanced information gathering techniques. Most hosts can attain and maintain a Good rating with consistent vigilance.
Excellent (Green): There were no problems found on this host. This rating is the goal for all hosts, even though it may be unattainable for some due to limitations in the operating system or access requirements for proprietary network applications that prohibit secure communications.
Click on the Host name to go to the Hosts Detail Page. Select the Applications Association button on the host business card.
The Active Hosts Applications Association page opens.
Figure 173 Applications Association Button on the host detail business card
To update applications associated with a single host
The Active Hosts Applications Association page enables the user to associate and disassociate several applications with a single host. Applications currently associated with the host shown on the business card are already checked when the page opens. To disassociate those applications, un-check the box next to the application name. To add new associations, select one or more applications; selection is indicated by the check mark next to the application name. Select the Update button to complete the task. An Update Successful message will appear on the business card. To see application details, select Assessment | Applications Analysis (page 91) from the menu bar.
The information presented includes:
IP Address
Assessment name, with a link to the given assessment
Scan time (completion time of the assessment)
Reconcile time
Click Update.
The information in the Computer Asset, IP Address, and MAC Address columns will be populated automatically. The device type will be populated automatically, but it can be changed manually as well.
Check the box beside the host(s) to be updated. Enter the text to be added to these hosts into the white box above the appropriate column. Click Update Selected Hosts to add the entered text to the hosts selected.
This screen shows the list of active vulnerabilities on your network, along with the frequency of occurrences. To view further information about a given vulnerability, or to view a list of the devices on which it occurred, click on the name of the vulnerability.
NOTE: If a user has been assigned as a Host Administrator (Update Host Details on page 115), that user will automatically appear as the default Assignee on all new vulnerabilities associated with that host for future assessments. However, vulnerabilities can still be reassigned to a different user.
Whenever vulnerabilities are assigned to a user, an alert will be created within the system and an e-mail will be sent to the assigned user if that user has an e-mail address provisioned within the system.
To assign a vulnerability to a user
1 Select a user from the drop-down menu located under Assignee.
2 Select the vulnerability to assign to that user by checking the box in the Select column next to the vulnerability. It is possible to assign more than one vulnerability to the same user.
3 Click the Update Selected Vulns button located at the bottom of the list to save your preferences.
To select all of the vulnerabilities on the list, check the top box in the Select column. This box is located in the tan bar immediately underneath the header row. REMINDER: Click the Update Selected Vulns button located at the bottom of the list to save your preferences. The message in the Active Vulnerabilities business card at the top of the page will indicate if the update was successful.
REMINDER: Click the Update Selected Vulns button located at the bottom of the list to save your preferences. The message in the Active Vulnerabilities business card at the top of the page will confirm the update was successful.
Select the vulnerability (or vulnerabilities) for which you would like to enter a remediation time, and enter the time in the white box at the base of the column. Note that time values are entered in calendar days. Click Update Selected Vulns to save the data.
2 Click the check box of the desired vulnerability or vulnerabilities.
3 Enter the text of the comment and then click Add Note.
NOTE: To view, change, or delete a comment, click the link in the Vulnerability
Attempt a Vulnerability
After an assignee resolves a vulnerability for a particular host, the user should change the status to Attempted and explain the steps taken to resolve the issue. Table 11 describes the possible statuses for active vulnerabilities.
Table 11 Active Vulnerabilities Statuses
new: The vulnerability was detected by a vulnerability assessment or penetration test and has not been marked attempted since its discovery.
attempted: An attempt was made to remediate this vulnerability; no new assessments or penetration tests have been reconciled since this designation was entered.
fix failed: This vulnerability was marked as attempted by a Frontline user; however, when a later assessment or penetration test was reconciled, the vulnerability was still present.
fix confirmed: This vulnerability was marked as attempted by a Frontline user; upon reconciliation of a later assessment or penetration test, the vulnerability was not found.
recurred
awaiting confirmation
acceptable risk
To attempt a vulnerability 1 On the individual Active View Hosts page (Figure 163 on page 121), click a host name, and then click a vulnerability name. The Vulnerabilities page opens and displays a business card summary, its current status, vulnerability data, and a description of the problem, as well as a recommended solution, external references, vulnerability notes, and actions.
NOTE: Selecting the binary encoding method, which allows you to display non-printable characters, is an option. This is especially useful for the case where binary data has been detected for a given vulnerability.
the description are displayed in the Reference List area. To view reference details, click the link in the Code column of the Reference List. Frontline will inform you that you are viewing a non-DDI page, and will open the reference in a new window.
2 From the Action list in the Vulnerability Action area below the business card, choose Attempted.
3 In the Vulnerability Action Notes area, describe what resolved the problem and click Update Action. The notes area maintains a history of all notes added by a user, the Frontline system, or your VAR or DDI Client Support. They are available only in the Active View for the vulnerability. They are not included in a report.
2 Choose the vulnerabilities you would like listed as False Positive.
3 In the Assignee column, choose a person assigned to the vulnerability and in the Status column choose False Positive. Enter a False Positive note describing the reason for changing the status to False Positive.
4 Click the Update Selected Vulns button. The vulnerabilities will disappear from the screen and a message will appear indicating the update was successful.
The Client Prioritization value is a summarization of the weighted confidentiality, integrity, and availability scores (page 148) using the following formula (where ATW represents Asset Type Weighting):
WeightedHost = CIA x HostRatingScore
To view specific information about an individual host, click on the name of that host. This leads to the Active View Host Details page for that host.
Figure 186 Navigation within Rated Host View
Use the two navigation arrows on the left side of the screen to move between hosts in the rated order.
NOTE: These rankings are based on the most recent assessment reconciled, so after remediating security issues, it's a good idea to run and reconcile a new assessment.
Penetration tests are performed externally (on Internet-facing devices) as well as internally (on intranet-facing devices), similar to internal and external vulnerability assessments. Where a vulnerability assessment identifies possible security vulnerabilities, a penetration test determines the potential damage of an attack on your network. A DDI Analyst runs a vulnerability assessment and then performs a comprehensive white hat attack on your network, recording the results for each host tested. Results are viewed and reconciled in the same way as for a vulnerability assessment.
To schedule a penetration test
Contact your VAR or DDI Client Support.
Manually added vulnerabilities
During a penetration test, the analyst may add vulnerabilities to certain hosts on your network. Once added, these vulnerabilities will be tracked in the Active View just as the vulnerabilities discovered by the assessment engine are. Given that the assessment engine will not be able to validate repairs of these vulnerabilities, an analyst will need to re-examine these nodes to confirm that the fix was successful. These manually added vulnerabilities are represented with an asterisk: on the list of vulnerabilities for a certain host, the asterisk will indicate which vulnerabilities have been added manually.
Remediating manually added vulnerabilities
1 Follow the remediation instructions in the vulnerability solution field.
2 Mark the vulnerability's status as attempted.
3 Run another assessment on the affected device. Be certain that the assessment is of the same type as the penetration test in which the vulnerability was discovered (i.e., an internal vulnerability assessment for an internal penetration test, an external vulnerability assessment for an external penetration test).
4 Reconcile the new vulnerability assessment. The vulnerability will now be in awaiting confirmation status.
Figure 189 Vulnerabilities in Awaiting Confirmation State
If your contract includes follow-up confirmation of fixes on manually added vulnerabilities, a DDI analyst will examine the node and move the vulnerability to a status of either fix confirmed or fix failed.
7 RATING, CLASSIFICATION AND VALUATION

In this chapter:
Rating (page 148; Supervisor, Administrator, Executive)
Classification Weightings (page 149; Supervisor)
Valuation Weightings (page 150; Supervisor)
Node Classification (page 151; Supervisor)
Node Valuation (page 151; Supervisor, Administrator, Executive)
Rating
The Rating subsystem allows the different hosts on your network to be rated according to their significance in your business structure. By combining these ratings with the objective vulnerability analysis of each host, Frontline delivers a prioritized view of which devices on the network require remediation most urgently. The Rating system also allows for the tracking of financial valuations for different devices and device types on the network, for the purposes of obtaining e-liability insurance.
NOTE: The Rating subsystem only applies to results that have been reconciled into the Active View.
The Rating system has five main components:
Classification Weightings: this area is for entering overall weightings that apply across an entire network to classes of hosts.
Valuation Weightings: this area is for entering financial weightings that apply across an entire network to classes of hosts.
Node Classification: this area is for entering individual weightings for specific hosts.
Node Valuation: this area is for entering an individual financial value for association with a host.
Rating Active View: this area displays a rated security view of your network, integrating objective DDI vulnerability views with client-entered ratings of the importance of each host.
All ratings are based on three main criteria of the data on the host: confidentiality, integrity, and availability.
Classification Weightings
Classification weightings allow a ratio of these three data security criteria to be applied to a type of host. For example, a user might place a high availability rating on all printers, or a high integrity rating on a web server.
To open the Classification Weightings screen
1 Choose Administer | Weightings and Valuations | Classification Weightings from the menu bar. The Classification Weightings page opens. This page allows the user to customize the asset type weightings that will be applied to the confidentiality, integrity, and availability values as shown in the Node Classification section.
Figure 190 Classification Weighting Screen
2 Check the box beside the host(s) to be updated.
3 Enter the values to be associated with these hosts into the text entry boxes at the base of the relevant columns. Values will be normalized to equal 100% after editing, so you can see the relative weights associated with each criterion in the percentages beside the numeric value. As you update, feel free to use values that do not add up to 100; the system will recalculate based on the cardinal number values used.
4 Click Update to add the entered values to the hosts selected. To edit these values at a later point, repeat steps 2 and 3.
Valuation Weightings
When obtaining e-liability insurance, many organizations require a resource that will allow them to track the sensitivity of different hosts on their networks. This is in order to determine the cost to the organization of any given host's outage. The cost of an outage is measured in three ways:
Daily Outage Cost: the cost to the organization of this node being unavailable for one day
Data Exposure Cost: the cost to the organization of the data on this node being exposed to unauthorized users
Replacement Cost: the cost to the organization of replacing the hardware node itself
By balancing these three criteria, the financial value of protecting your network can be described with precision.
NOTE: The values entered into this portion of the interface are intended to support financial activities, and as such are quite separate from the main Frontline functionality. As a result, only users in the Finance Executive role have access to these screens.
To enter data into the Valuation Weightings Table
1 Choose Administer | Weightings and Valuations | Node Valuation from the menu bar.
Figure 191 Node Valuation Screen
2 Check the box beside the host type(s) to be updated.
3 Enter the values to be associated with these hosts into the white boxes at the base of the relevant columns. Values will be normalized to equal 100% after editing, so it is possible to see the relative weights associated with each criterion in the percentages beside the numeric value. While updating, it is acceptable to use values that do not add up to 100, as the system will recalculate based on the cardinal number values used.
4 Click Update Selected Hosts to add the entered values to the hosts selected. To edit these values at a later point, repeat steps 2 and 3.
Node Classification
Node classifications allow association of specific values with individual nodes. These values are multiplied by the asset type weighting entered into the Classification Weighting screen to determine the CIA/Client Prioritization value of each host on your network. This data is then combined with the objective security information from vulnerability assessments to create an integrated, prioritized view of the hosts which need attention most rapidly.
To enter data into the Node Classification Table
1 Choose Administer | Weightings and Valuations | Node Classification from the menu bar. The Node Classification screen opens.
2 Check the box beside the host type(s) to be updated.
3 Select the values to be associated with these hosts from the drop-down menus in the text entry boxes at the base of the relevant columns. These menus offer a range of values (from 1, not important, to 10, extremely important) for each host.
4 Click Update Selected Assets to associate the selected values with the hosts selected. To edit these values at a later point, repeat steps 2 and 3.
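The arithmetic this chapter describes (Classification Weightings normalized to 100%, Node Classification values from 1 to 10 multiplied by the asset type weighting to give the CIA / Client Prioritization value, and WeightedHost = CIA x HostRatingScore from the Rated Hosts section), worked through as an added Python example that is not Frontline's own code. It assumes the multiplication is a weighted sum over the three criteria and that a numeric HostRatingScore is already available for each host; the hosts and weightings are constructed sample data.

```python
from __future__ import annotations

# Added example, not Frontline code. The guide states that the Classification
# Weightings screen normalizes the entered C/I/A values to 100%, that Node
# Classification values (1 = not important .. 10 = extremely important) are
# multiplied by the asset type weighting (ATW) to give the CIA / Client
# Prioritization value, and that WeightedHost = CIA x HostRatingScore.
# Assumptions not stated by the guide: the product is a weighted sum over
# the three criteria, and HostRatingScore is a number already in hand.

CRITERIA = ("confidentiality", "integrity", "availability")


def normalize_weights(raw: dict[str, float]) -> dict[str, float]:
    """Return asset type weightings rescaled so they sum to 100 (percent).

    The screens accept values that do not add up to 100 and recalculate from
    the cardinal values, so {C: 2, I: 2, A: 16} and {C: 1, I: 1, A: 8} both
    yield C=10%, I=10%, A=80%.
    """
    if set(raw) != set(CRITERIA):
        raise ValueError(f"weightings must cover exactly {CRITERIA}")
    if any(v < 0 for v in raw.values()):
        raise ValueError("weightings cannot be negative")
    total = sum(raw.values())
    if total == 0:
        raise ValueError("at least one weighting must be positive")
    return {c: raw[c] * 100.0 / total for c in CRITERIA}


def cia_score(atw_pct: dict[str, float], node: dict[str, int]) -> float:
    """CIA / Client Prioritization value for one host.

    node holds the Node Classification values (1..10) for C, I and A;
    atw_pct holds the normalized weighting for the host's asset type.
    Assumed combination: sum over criteria of (ATW% / 100) * node value.
    """
    for c in CRITERIA:
        if not 1 <= node[c] <= 10:
            raise ValueError(f"{c} must be between 1 and 10, got {node[c]}")
    return sum(atw_pct[c] / 100.0 * node[c] for c in CRITERIA)


def weighted_host(cia: float, host_rating_score: float) -> float:
    """WeightedHost = CIA x HostRatingScore, as given in the Active View
    chapter. A higher value means the host should be remediated sooner."""
    return cia * host_rating_score


def rank_hosts(
    asset_type_weights: dict[str, dict[str, float]],
    hosts: dict[str, dict],
) -> list[tuple[str, float]]:
    """Rank hosts by WeightedHost, highest first (the Rated Hosts order).

    hosts maps a host name to {"type": asset type, "node": C/I/A values,
    "rating_score": HostRatingScore}.
    """
    atw = {t: normalize_weights(w) for t, w in asset_type_weights.items()}
    scored = []
    for name, h in hosts.items():
        cia = cia_score(atw[h["type"]], h["node"])
        scored.append((name, weighted_host(cia, h["rating_score"])))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample data: raw weightings as a user might type them in.
# "printer" deliberately does not add up to 100 to show the normalization.
SAMPLE_ATW = {
    "printer": {"confidentiality": 2, "integrity": 2, "availability": 16},
    "web server": {"confidentiality": 3, "integrity": 5, "availability": 2},
}

SAMPLE_HOSTS = {
    "print-01": {
        "type": "printer",
        "node": {"confidentiality": 2, "integrity": 3, "availability": 9},
        "rating_score": 40.0,  # assumed numeric posture score (constructed)
    },
    "www-01": {
        "type": "web server",
        "node": {"confidentiality": 9, "integrity": 10, "availability": 7},
        "rating_score": 20.0,
    },
}

if __name__ == "__main__":
    # print-01: ATW 10/10/80 -> CIA 7.7 -> WeightedHost 308.0
    # www-01:   ATW 30/50/20 -> CIA 9.1 -> WeightedHost 182.0
    for name, score in rank_hosts(SAMPLE_ATW, SAMPLE_HOSTS):
        print(f"{name:10s} WeightedHost = {score:7.2f}")
```

The printer outranks the web server even though its CIA value is lower, which is the effect the Rated Hosts view exists to expose: a worse posture score on a host the business has weighted for availability.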
Node Valuation
The Node Valuation screen provides an opportunity to enter dollar values for losses of individual hosts. These values will be weighted according to the values from the Valuation Weighting table before being displayed.
NOTE: The values entered into this portion of the interface are intended to support financial activities, and as such are quite separate from the main Frontline functionality. As a result, only users in the Finance Executive role have access to these screens.
To enter data into the Node Valuation Table
1 Choose Administer | Weightings and Valuations | Node Valuation from the menu bar.
2 Check the box beside the host(s) to be updated.
3 Enter the dollar values to be associated with these hosts into the white text entry boxes at the base of the relevant columns.
4 Click Update Selected Assets. The valuations of these nodes will be updated.
8 FEATURES

In this chapter:
Preferred Hostname (page 154; Supervisor, Administrator, Executive)
Vulnerability Dictionary (page 155; Supervisor)
Alerts (page 157; Supervisor, Administrator, Executive)
Receiving e-mail Alerts (page 157; Supervisor)
Viewing Current Alerts (page 158; Supervisor)
Viewing Archived Alerts (page 159; Supervisor)
Scan Completion e-mails (page 159; Supervisor)
Preferred Hostname
The Preferred Hostname feature is included on the Client Detail page (Administer | Accounts). It is possible to prioritize the naming convention utilized by the Frontline system. Changing the hostname priority method affects future assessments and will have no impact on data currently in the system. The hostname priority interface utilizes a drag and drop mechanism to build a visual priority list. The order can be changed by simply dragging the available items into the desired order. The default priority list includes the following items: NetBIOS Name, SNMP sysName, SMTP Banner Hostname, FTP Banner Hostname, POP3 Banner Hostname and Reverse DNS Query.
Figure 194 Preferred Hostname
Vulnerability Dictionary
The dictionary displays a list of all vulnerabilities in the Frontline database, and includes the vulnerability's risk level to both internal and external networks. The descriptions and solutions are compiled from several recognized vulnerability tracking sources, such as Nessus, Bugtraq, and CVE, as well as DDI's additional research. The Vulnerability Dictionary list page also provides search capabilities.
To view the vulnerability dictionary
1 Choose Administer | Vulnerability Dictionary from the menu bar. The Vulnerability Dictionary page opens.
Use the search pane to search by vulnerability title and test method. Click on column headings to sort vulnerabilities by title or risk level. To change the number of vulnerabilities displayed on a single page, enter the number (minimum 5, maximum 100) in the box in the lower right of the list and click Reload.
Figure 195 Viewing the Vulnerability Dictionary
A vulnerability detail page opens. The business card for each explicit and heuristic vulnerability in the Vulnerability Dictionary includes Explicit Remote Test, Explicit Authenticated Test, and additional information for the Common Vulnerability Scoring System (CVSS).
Alerts
An alert icon displayed in the header indicates one of three message types:
Reconnaissance Network Appliance (RNA) online / offline notification. An informational alert is sent to the Client Supervisor when an RNA residing on a client network changes from an online state to an offline state or vice versa.
A new vulnerability has been detected as the result of a scheduled assessment. A critical alert is sent when a critical level vulnerability is detected, regardless of assessment type, or when a high level vulnerability is detected for an external assessment. An informational alert is sent to the Client Supervisor when a vulnerability assessment reaches the Ready for Reconcile status.
A software plug-in has been uploaded to the RNA, which could potentially affect your system. Scheduling a vulnerability assessment to detect any potential new vulnerabilities is advised.
Vulnerability scan has completed. An informational alert is sent to any specified users when a vulnerability scan is complete.
Users may opt out of this service by removing their e-mail addresses from their contact data within Frontline. If a user wants to begin receiving alerts again at a later point, the address may be re-added, and alerts will begin again. This same process may be used to update the e-mail addresses to which alerts are sent.
To change e-mail alert preferences
1 Choose Administer | My Account from the menu bar.
2 Scroll down to the System Users portion of the screen. Click on the name of the user for whom you would like to change the e-mail preferences.
3 Click the Edit button, then click Next twice to reach the Contact Information screen of the wizard.
4 Add, delete, or modify the e-mail address for the contact. When finished, click Next two more times to complete the wizard, then click Confirm to finalize the changes.
Select an alert and then do one of the following:
To save the alert, click Mark Read. The message can be viewed any time in the alert archives.
To delete the alert entirely, click Delete.
To leave the alert in your current view, do nothing. The alert icon is displayed as long as there are alerts in the current view.
Select an alert and then do any of the following:
To move the alert to the current view, click Mark Unread. The alert icon is displayed as long as there are alerts in the current view.
To delete the alert entirely, click Delete.
To leave the alert in the archives, do nothing.
Click Next. Step 5 Confirmation opens. Ensure that the Scan Completion E-mail field is set to yes.
Figure 201 Confirmation
GLOSSARY OF TERMS

A list of all users currently logged into Frontline.

Analyzer: A hardware component that sends Internet messages to other hardware components with the goal of determining the services that run on these as well as their vulnerabilities. There are two types of analyzers:
NSAS-100 Analyzer: Resides in the SNOC and scans EVAs.
RNA device: An NSAS-100 Analyzer residing on the client's premises; scans IVAs.

ASSESSMENT: See EVA and IVA.

EPT: External Penetration Test. While the EVA and the IVA identify your network security vulnerabilities, external penetration testing [from the DDI Secure Network Operations Center (SNOC)] goes one step further and allows you to see what the consequences of having these security holes could be. A criminal hacker does not simply find the security holes and then leave; he burrows through your network, finding valuable resources (client credit card and account numbers, for example) and exploits them. External penetration testing is comprehensive, exposing not only the intruder's view of the system, but also examining the configuration and management of the systems. Penetration testing is custom-designed to cover the system platforms, network connections, software, and databases that comprise your IT facilities.

EVA: External Vulnerability Assessment. This service determines the extent to which your network is vulnerable to an external attack. DDI employs a variety of scanning techniques to survey your existing security posture. These scans proactively test for known vulnerabilities and best practices security architecture. The EVA scans all external-facing assets such as routers, firewalls, web servers, and e-mail servers for potential security weaknesses, checking for any open doors that would allow a hacker to gain unauthorized access to the network and exploit critical assets.

EHD: External Host Discovery. This service determines the number of hosts that are visible external to the organization. EHDs originate from DDI's Secure Network Operations Center (SNOC).

EHDP: External Host Discovery with Ports. This service determines the number of hosts and ports that are visible external to the organization. EHDPs originate from DDI's Secure Network Operations Center (SNOC).

Explicit vulnerability: Explicit vulnerabilities are detected with 100% certainty as present on a scanned host.

The common web-based graphical user interface (GUI) with which all users interact with the system.

GUI: Graphical User Interface. A graphical representation of an operating system that uses web pages, screens, windows, menus, buttons, and icons to assist a user in navigating a software application.

Heuristic vulnerability: A heuristic vulnerability is a vulnerability which has a certain probability of being present on a scanned host.

IHD: Internal Host Assessment. This service determines the number of hosts that are visible to the internal organization. IHDs originate from within your network using one or more of the RNA devices specified in your network profile.

IHDP: Internal Host Assessment with Ports. This service determines the number of hosts along with ports that are visible internal to the organization. IHDPs originate from within your network using one or more of the RNA devices specified in your network profile.

IPT: Internal Penetration Test. Similar to an external penetration test (EPT), internal penetration testing is executed remotely through the Reconnaissance Network Appliance (RNA) residing on your network. It exposes what the results of a network attack would be if carried out from inside the network. There are hundreds, if not thousands, of opportunities to open up new paths between the internal network and the Internet, all from within the network and most without any malicious intent on the part of the employee. With an IPT, you can see where your most dangerous security weaknesses are and can take immediate action to rectify them.

IVA: Internal Vulnerability Assessment. Properly implemented network security controls are essential in order to ward off unintentional mistakes from trusted insiders and prevent exposure of your valuable internal assets. The IVA scans all internal-facing assets such as workstations, intranet servers, printers, etc. for trojans, misconfigured workstations, PTP file sharing such as Morpheus, Kazaa, etc., and more. An IVA is executed within the internal network using the Reconnaissance Network Appliance (RNA).

A logical name, selected by the user, which refers to an IP address range or list of IP address ranges.

Network profile: Maps the network and is a means of segregating it into logical partitions. It specifies the IP address ranges for the portion of the network which it encompasses. DDI defines network profiles based on information provided in the pre-assessment questionnaire. Assessments are run in the context of a network profile. When a vulnerability assessment runs, the results (online hosts, open ports, vulnerabilities) are traced back to the network profile with which it is associated.

NSAS-100: Network Security Awareness System 100. A system developed by DDI to deliver vulnerability assessment and penetration testing services to clients in a secure manner.

A hardware node that resides in the SNOC and executes EVAs on a client's network.

A hardware node that acts as a security gateway for messages that pass between the NSAS-100 scan controller and the RNA devices.

See EPT and IPT.

RNA: Reconnaissance Network Appliance. An RNA is the only client premise-based node of the NSAS-100. The RNA is installed on your network to perform internal vulnerability assessment (IVA) scans or internal penetration tests (IPTs) and provides a secure communication and management channel between the RNA and the other nodes of the NSAS-100 that reside at DDI's Secure Network Operations Center (SNOC).

The act of running a vulnerability assessment in order to detect hosts and their associated vulnerabilities on a computer network.

Scan controller: A hardware node that communicates with the NSAS-100 Analyzer and the RNA device to start and stop scans, as well as retrieve scan status and results.

SNOC: Secure Network Operations Center. DDI's brick-and-mortar facility where the NSAS-100 intelligence resides.

Specifies IP address ranges and/or a list of single IP addresses that is created either by you, your VAR or DDI Client Support. The profile can be run multiple times without having to specify IP address ranges for each scan run.

FRONTLINE USER GUIDE 161
INDEX

A
account: log out 10; password 8
Active Host Note 106
active sessions 36
Active View: about 120; reconcile 69
Active View Detailed Host Report 106
Add a Host Note 132
Add a Vulnerability Note 137, 141
advanced search 121
alert: archive 159; current 157
alias: adding 39; changing 41; list 38
assessment per CVC 93
assessment services 44
Authenticated Scanning 95
authentication 46

B
binary encoding method 65
Bugtraq 155
business card 13

C
Calendar View 59
Client Administrator role 26
client details 15, 22
Client Executive role 26
Client Supervisor role 26
contact: adding 25; Executive 29; primary 29; Technical 29
contract type 45
CVE 155

D
Date Limited contract 45
Detailed Network Report 99
Detailed Report - selected hosts 107
digital signature 46

E
encryption 46
EPT: about 45; scheduling 46, 145
EVA: about 45; scheduling 47
Evergreen contract 45
Executive contact 29
Executive Summary Report 99
External Penetration Test. See EPT
External Vulnerability Assessment. See EVA

F
Finance Executive 26

H
heuristic vulnerability 76
host: active 120; details 61; hiding 120, 131; note 132; notes 63; Trending Report 120; undo reconciliation 74; updating 131
host administrator, assigning 131
host posture rating 128
host type, changing 131
Hosts Management View 120

I
Internal Penetration Test. See IPT
Internal Vulnerability Assessment. See IVA
Internet Service Provider (ISP) 25
IPT: about 45; scheduling 46, 145
IS Policy Manager 11
IVA: about 45; scheduling 47

L
lists 13

N
navigation pane 11
Nessus 155
network alias. See alias
network profile 17, 18, 19, 20, 36
NSAS-100 6, 46

O
One-time contract 45

P
Partner Portal 11
password 8: changing 8; expiration 8; resetting 8, 34; rules 9, 30
penetration test 46, 145
Per CVC Assessments 93

R
reconcile: about 69; undoing 74; vulnerability assessment 68, 71
Reconnaissance 46
Reconnaissance Network Appliance. See RNA
report: contact name 29; Detailed Network 99; Executive Summary 99; exporting 103; HTML 100, 105, 108, 111, 114; optimized for printing 100, 104, 105, 107, 108, 113, 114; PDF 101, 105, 109, 112, 115; PDF, downloading 101; Trending 104, 106, 108, 114, 120
RNA: about 46; status alert 157; status icon 37

S
SCAP 89
Service Results View 60
single sign-on 7
SNOC 46
software version 10
sub-assessment 53, 55, 57
Systems Menu 11

T
Technical contact 29
template. See vulnerability assessment template
time zone 31
Trending Report 104, 106, 108, 114, 120

U
user: active 36; adding 27; changing 32; deleting 33; disabling 31; enabling 34; ID rules 30; roles and privileges 26; status 25, 34; vulnerability assignment 135
user interface 11

V
vulnerability: assigning to a user 135; attempting 138; note 137, 141
vulnerability assessment: changing 50; interrupting 53, 55, 57; reassessing 65; reconciling 69; reoccurrence 49; rescheduling 50; scheduling 47; statuses 59; viewing 59
vulnerability assessment template 46, 47: adding 47; deleting 52; list 42; one-time 50; reoccurring 50; saving 50
vulnerability dictionary 155
Vulnerability Management View 133

W
white hat attack 145
wizard 13