Navigating SecureSite™ Reports

This article describes the reports delivered as part of the Alertra SecureSite™ service. The service provides three main delivered products each day, week, or on-demand:

If you haven't signed up for our SecureSite™ product yet, you can do so now by submitting this order form.

e-mail

SecureSite™ reports are delivered by e-mail as soon as the vulnerability scan has been completed. The e-mail for your very first scan will contain a brief summary of the scan results and the full report as an attachment. In subsequent e-mails, the brief summary will show just the differences between the last scan and this scan:

Vulnerability Summary (since last assessment)

IP              Ports   Holes   Warnings   Notes
192.168.30.30   2       0       1          5

In the above example, this latest vulnerability scan has determined that there is 1 warning and 5 informational messages that should be considered. If the brief summary indicates no new issues, you can ignore the message completely. This is a tremendous timesaver because there is no need to review the entire report every day. Even if there were new issues, you can review just the differences report (securesite-diff-report.html) instead of the full report.

Full Report

The full report (securesite-report.html) is attached to the scan e-mail. The report contains extensive information, not just on the security vulnerabilities found but also of general interest about the scan (traceroutes, version numbers, etc.). The report is divided into 3 sections.

Scan Summary

The Scan Summary section gives a high level view of the scan results for each host scanned. Totals are given for each type of information returned by the scanner:

Name Description
Ports In general this is the count of the open ports found on this host. There are a few special entries such as "tcp", "udp" and "icmp" that get counted as ports but aren't really open ports.

Holes Exploitable vulnerabilities have been found and they pose a great risk. These issues should be dealt with first since they will be the easiest for an attacker to exploit and can cause the most damage. Some holes are remotely exploitable, which means they can be accessed through the Internet. Other holes are locally exploitable, which means an attacker first has to gain some other foothold on your system.

Warnings Exploitable vulnerabilities have been found but they don't pose a great risk. It may be that the exploit is difficult or that the results of the exploit do not provide a significant level of access. Keep in mind though that multiple exploits can be combined by an attacker to lead to a compromise of a host.

Notes Informational messages regarding the host. These may or may not have security implications but typically highlight information about the host that you may not know and might be important.

Host Summary

The Host Summary section breaks down the hosts that were scanned and the ports where holes or warnings were found. Only those ports that generated a hole or warning will be shown here; typically only a subset of the actual ports open on the host.

You can click any port shown here to jump immediately to the description of the hole or warning for that port. Or you can click the IP address of the host to jump to the vulnerability assessment for that host, showing all the open ports, holes, warnings, and notes.

Vulnerability Assessment

There will be a Vulnerability Assessment section for each host scanned. This section lists every open port that was found. For each port, any holes, warnings, and informational notes are listed. Next to each issue found is an icon to indicate what sort of issue it is. The next column contains a description of the problem, like this:

Hole
admin.cgi was detected on this server. 
Shoutcast server installs a version that
is vulnerable to a buffer overflow.

** Note that Nessus did not try to exploit
** the flaw, so this might be a false alert.

Solution : upgrade Shoutcast to the latest 
version.
Risk factor : High
CVE : CAN-2002-0199 
BID : 3934 
Nessus : 11719

The structure is generally the same with all of the reported issues: Description, Solution, Risk factor, links.

The description in the example above says "Note that Nessus did not try to exploit the flaw..." This indicates that the scan was done in safe mode. See the section titled "False Positives" in this article for more information on safe mode scans.

There is not always a solution provided when a vulnerability is found. If the vulnerability is new, there may be no solution or workaround available. Where possible, links are provided to the Common Vulnerabilities and Exposures (CVE) and BugTraq databases. They may provide more information about the problem as well as possible solutions and workarounds. You can use the Nessus link provided to not only look at a description of the vulnerability in the Nessus database, but also see the source code for the vulnerability check. Sometimes the source code can provide additional information about the nature of the vulnerability.

The Risk factor provides further clarification on the seriousness of the detected vulnerability [1]:

Factor Description
Critical The report host has already been compromised.

Serious The vulnerability leaks information that can be extremely useful to the cracker (i.e. read any file as "nobody" on the remote host, get the source of a .asp script, and so on...).

High An attacker can gain a shell on the remote host (or execute arbitrary commands).

Medium There is a security hole that can lead to privilege escalation, but an attacker needs something to exploit it (i.e. the ability to upload files, an account on the remote host, ...).

Low The information found is useful to a cracker, but is not a threat in itself (i.e. a banner with a version number).

None No inherent risk.
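
As an added illustration (not Alertra's or Nessus's own code), the sketch below parses issue entries in the plain-text layout shown above and orders them for review by issue type and then by the risk factor table, marking safe-mode findings as unverified. The delivered report is HTML, so the text layout, the `parse_issue` and `triage` names, and the two entries marked as constructed are assumptions.

```python
import re

# Risk factors in the order the table above lists them, most serious first.
RISK_ORDER = ["Critical", "Serious", "High", "Medium", "Low", "None"]
TYPE_ORDER = ["Hole", "Warning", "Note"]
FIELD_RE = re.compile(r"^(Solution|Risk factor|CVE|BID|Nessus)\s*:\s*(.*)$")

def parse_issue(block):
    """Parse one issue: type line, description, then 'Label : value' fields."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    issue, desc, field = {"type": lines[0]}, [], None
    for ln in lines[1:]:
        if m := FIELD_RE.match(ln):
            field = m.group(1)
            issue[field] = m.group(2).strip()
        elif field:
            issue[field] += " " + ln          # e.g. a Solution that wraps
        else:
            desc.append(ln.lstrip("* "))      # drop the "**" caveat markers
    issue["description"] = " ".join(desc)
    # Safe-mode scans report a flaw without testing it, so confirm by hand.
    issue["unverified"] = "did not try to exploit" in issue["description"]
    return issue

def triage(blocks):
    """Parse issues and sort by type, then risk; unknown values sort first."""
    rank = lambda order, v: order.index(v) if v in order else -1
    return sorted(map(parse_issue, blocks), key=lambda i: (
        rank(TYPE_ORDER, i["type"]), rank(RISK_ORDER, i.get("Risk factor", "None"))))

# The Shoutcast entry is the example from this page; the other two are constructed.
SAMPLE = [
    "Warning\nConstructed entry: a banner shows a version number.\nRisk factor : Low",
    """Hole
admin.cgi was detected on this server.
Shoutcast server installs a version that
is vulnerable to a buffer overflow.

** Note that Nessus did not try to exploit
** the flaw, so this might be a false alert.

Solution : upgrade Shoutcast to the latest
version.
Risk factor : High
CVE : CAN-2002-0199
BID : 3934
Nessus : 11719""",
    'Hole\nConstructed entry: any file can be read as "nobody".\nRisk factor : Serious',
]
ORDERED = [(i["type"], i["Risk factor"], i["unverified"]) for i in triage(SAMPLE)]
```

Note that the table ranks Serious above High, so the constructed file-disclosure hole sorts ahead of the Shoutcast overflow, which is also the only entry marked unverified.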

Differences Report

The differences report (securesite-diff-report.html) is attached to the scan e-mail on your second and subsequent scans. This report is the same in format as the full report, but contains only the new items found since the last scan. The differences report is provided as a convenience so you can quickly review the new issues and then get on with your day. However, the full report is also sent with the e-mail so you can review your complete vulnerability risk exposure at any time.





[1] From Nessus Plugin Statistics




Copyright © 2000-2008 Alertra, Inc. All rights reserved. Please read our privacy statement and our terms of service.