Category Archives: Perimeter Service

Detectify Asset Inventory and Monitoring

Leave a reply

Continuing the topic about perimeter services. As I mentioned earlier, I don’t think that the external perimeter services should be considered as a fully functional replacement for custom Vulnerability Management processes. I would rather see their results as an additional feed showing the problems your current VM process has. Recently I tested the Detectify’s Asset Inventory (Monitoring) solution, which provides such feed by automatically detecting the issues with your second, third (and more) leveled domains and related web services.

Detectify Asset Inventory screenshot from the official blog

Let say your organization has several second level web domains, over9000 third (and more) level domains, and you even don’t know for what services they are used. This is a normal situation for a large organization. So, you simply add yourorganization.com to Detectify, activate Asset Monitoring, and Detectify automatically discovers third (and more) level domains and related technologies: web services, CMS, JavaScript frameworks and libraries. “It provides thousands of fingerprints and hundreds of tests for stateless vulnerabilities such as code repository exposure for SVN or Git.” This is called fingerprinting.

Continue reading

Asset Inventory for Network Perimeter: from Declarations to Active Scanning

7 Replies

In the previous post, I shared some of my thoughts about the good Asset Inventory system. Of course, for me as a Security Specialist, it would be great if IT will provide such magical system. 🙂 But such an ideal situation is rarely possible. So now let’s see how to build an Asset Inventory system using the resources of Information Security team.

There are no special secrets. It’s necessary to get information about the assets from all available IT systems and then get the rest of the data using our own Assessment tools. I would like to start with hosts on Network Perimeter. The Network Perimeter targets are available at any time for hacker attacks, that’s why this part of the network is the most critical.

Asset Inventory for Network Perimeter

Network Perimeter is like the Wall in the Game of Thrones. The same white walkers are hiding behind the wall and our task is to find the breaches in the wall faster than potential intruders. “Night gathers, and now my watch begins”. (c)

Perimeter is changing constantly. And we should understand at any time what hosts are currently exposed in every office and every external hosting platform.

We can get information about external hosts using some Vulnerability Scanner located on external host in the Internet. I have already wrote about it briefly in  Vulnerability Management for Network Perimeter. Here I would like focus on how we can understand which hosts should be scanned and what useful information we can get from the raw scan results.

Continue reading

Free High-Tech Bridge ImmuniWeb Application Discovery service

1 Reply

Today I would like to talk about another service for application security analysis by High-Tech Bridge. It’s called ImmuniWeb Application Discovery.

This service can get information about your web and mobile applications available from the Internet. Believe me, this is not so obvious for a large organization. And, what is especially pleasant, it works automatically and free of charge. 😉

High-Tech Bridge ImmuniWeb Free Application Discovery

ImmuniWeb Application Discovery will also show the basic security problems with SSL connection, web-server headers, potential phishing issues for all founded web services. You can read more about this part in my posts about High-Tech Bridge services and APIs for SSL/TLS server testing and for searching cybersquatting, typosquatting and phishing domains.

From the same interface you can order an advanced audit of your web applications by High-Tech Bridge as well.

Continue reading

Outpost24 OUTSCAN for detecting vulnerabilities on your network perimeter

1 Reply

Today I would like to write  a post about Outpost24. This company was founded in 2001. For comparison, Tenable was founded in 2002 and Qualys in 1999. So, it’s a company with a pretty long history. Outpost24 make Vulnerability Management & Web Application Security products and provide various services in these areas. As far as I can tell, they are known mainly in Central and Northern Europe.

I’ve been testing their cloud-based solution for network perimeter scanning  – OUTSCAN. Here I want to show the main features of the GUI and share my impressions. 

Outpost24 Outscan

Continue reading

My short review of “IDC Worldwide Security and Vulnerability Management Market Shares 2016”

2 Replies

On February 12 IDC published new report about Security and Vulnerability Management market. You can buy it on the official website for $4500. Or you can simply download free extract on Qualys website (Thanks, Qualys!). I’ve read it and now I want to share my impressions.

IDC Worldwide Security and Vulnerability Management Market Shares 2016

I think it’s better start reading this report from the end, from “MARKET DEFINITION” section. First of all, IDC believe that there is a “Security and Vulnerability Management” (SVM) market. It consists of two separate “symbiotic markets”: security management and vulnerability assessment (VA).

Continue reading

Vulnerability Management for Network Perimeter

11 Replies

Network Perimeter is like a door to your organization. It is accessible to everyone and vulnerability exploitation does not require any human interactions, unlike, for example, phishing attacks. Potential attacker can automate most of his actions searching for an easy target. It’s important not to be such of target. 😉

Vulnerability Management for Network Perimeter

What does it mean to control the network perimeter? Well, practically this process consist of two main parts:

  • Assessing network hosts that are facing Internet using some Network Scanner (Nessus, OpenVAS, Qualys, MaxPatrol. F-Secure Radar, etc.)
  • Assessing application servers, e.g. Web Servers, on these hosts using some special tools, e.g. Web Application Scanners (Acunetix, Burp Suite, Qualys WAS, Tenable.io WAS, High-Tech Bridge ImmuniWeb, etc.)

Active scanning is a good method of perimeter assessment. Dynamics of the assets is relatively low, comparing with the Office Network. Perimeter hosts usually stays active all the time, including the time when you are going to scan scanning them. 😉

Most of the dangerous vulnerabilities can be detected without authorization: problems with encryption (OpenSSL Heartbleed, Poodle, etc.). RCE and DoS of web servers and frameworks (Apache Struts and Equifax case)

The best results can be achieved with scanners deployed outside of your network. Thus, you will see your Network Perimeter the same way a potential attacker sees it. But certainly, you will be in a better position:

  • You can ask your IT administrators to add your network and WAS scanners in white list, so they will not be banned.
  • You can check and correlate scan results of remote scanner with (authenticated?) scan results produced by the scanner deployed in your organization’s network and thus filtering false positives.

What about the targets for scanning? How should you get them?

Continue reading

Dealing with cybersquatting, typosquatting and phishing

1 Reply

It won’t be a secret to say that phishing remains one of the most effective attack vectors.

For example, your colleague receives by email a malicious web link that looks like a link to your corporate portal and opens it. If your Vulnerability and Patch Management programs are not good enough (see “WannaCry about Vulnerability Management“) and the software on his desktop has some critical and exploitable vulnerabilities in web browser, PDF reader, Microsoft Office, etc., you will probably get compromised host in your network.

This is also a pain for your customers. If someone will be sending messages on behalf of your organization, this can easily lead to fraud and costs in public image. And it will be even harder to detect. You will know about it only if they tell you. And if the attack was not massive, the probability of this is not very high.

High-Tech Bridge Trademark Abuse Radar summary

What can we do about this?

  • We should definitely raise the awareness among co-workers and clients. They should know that such attacks may occur and carefully check the domain before any click. Especially if the letter seems suspicious.
  • On the other hand, we can also act proactively. Find which domains are similar enough to company brand and can be potentially used for phishing or other types of fraud. Then work with owners or registrars of such domains directly.

However, tracking down potentially malicious domains is not an easy task. Where should we take the lists of  all registered domains? What does “similar enough” really mean? Fortunately, there are services that greatly facilitate this task.

And today I would like to write you about a new free service by High-Tech Bridge – Trademark Abuse Radar. BTW, I already wrote earlier about their cool free service and API for SSL/TLS server testing, you can also check this out 😉

Everything is simple. Just enter the domain name you are interested in and in a few minutes you will receive a full report. No authorization for analysis is required, because the report is built on external and open data.

High-Tech Bridge Trademark Abuse Radar input

I chose the Citibank (citibank.com) as one of the most famous banking brand in the world. Let’s see what Trademark Abuse Radar will find.

Continue reading