Security Vulnerability Scan

Security Features

  • Reports can take up to 2 hours to generate.
  • Non-invasive, non-intrusive. Nessus "Safe Checks" setting is used. This tries to detect dangerous conditions without actually exploiting them.
  • Adding a security device by hostname resolves the hostname to its IP address immediately, and the hostname is resolved again at the time of each scan. If the IP address changes, the device will reflect it.
  • Hostnames with multiple IP addresses are currently not supported.

Security Reporting

There are four types of security reports which can appear in the Document Manager section of the AlertSite console.

  1. Demand Security Report: A complete detail report which is created after a demand (user-initiated) scan has completed.
  2. Security Scan Summary: A short report listing only the changes of the security status of the device. Appears only when a change in a device's vulnerability status is detected.
  3. Automated Detail Report: A complete detail report, identical to a Demand report, created at the same time as the Summary Report above.
  4. Consolidated Security Report: Automatically generated every morning (~6 AM EST) depending on the security device scan frequency:
    • One week after last automatically generated report for weekly devices.
    • One day after last automatically generated report for daily devices.

For security reasons, these reports cannot be sent via E-mail.

Security Seal

AlertSite provides a Security Seal that can be added to your website, giving your customers added assurance that their sensitive information is protected. The security seal is an image URL wrapped with a link. It can be placed on any page or website. The code looks something like:

<a href="https://www.alertsite.com/security_seal/verify/DOMAIN_NAME_HERE/">
<img src="http://www.alertsite.com/security_seal/get/DOMAIN_NAME_HERE/1.png">
</a>

To add a security seal to your website, select Create a Site Seal from the Account drop-down list on the Control Menu and follow the 3 steps described on the page. The seal will be displayed on your web page. The security seal image will not appear when:

  • The status of the device is not green (status INFO - no vulnerabilities, or all set as false-positive)
  • The hostname of the security device does not exactly match the hostname within the HTML used on the customer site.

Technical Information

Scanner                     IP              Backbone Provider
nessie.sec.alertsite.com    208.115.62.202  Verio (Ft. Lauderdale)
nessie2.sec.alertsite.com   208.115.62.196  Qwest (Ft. Lauderdale)
atlnessie.alertsite.com     209.196.10.76   Sprint (Atlanta)

Make sure your firewall allows incoming packets from these IP addresses.

Scan Procedure

The AlertSite Security Vulnerability Scan is a network scanner based on the Nessus model, not an application scanner. The Nessus security scan runs against the host's ports. If a port responds, the scanner runs a range of possible vulnerability checks against it to see what could get in and reports on possible culprits, even if the specific program is not actually running on that port.

The report contains the following sections:

  • Synopsis - Short summary of the vulnerability.
  • Description - Complete and thorough description of vulnerability and why it was flagged.
  • See also - Websites that may provide further information to assist with investigation.
  • Solution - Standard recommendations from the Internet security community.
  • Risk factor - Risk calculations based on the type of vulnerability.
  • Plugin output - Actual output from the Nessus scan.

If you are sure that there is nothing making the port vulnerable, mark it as a false positive (see False Positives below).

If the scan returns no results, your firewall may need to allow incoming packets from our security scanners' IP addresses. Please see the AlertSite Monitoring Locations table. Scroll down to the section titled SECURITY SCANNERS LOCATIONS to get the latest IP addresses for the Security Scan servers.

Safe-checks

  • Nessus setting - always enabled.
  • Disables many dangerous operations which may affect the availability or stability of the target.
  • Disables POSTing to remote CGIs in attempts to identify SQL injections.

Initial Probe (dead host check)

The scan begins with a TCP connect attempt to the following ports, in this order:

22, 80, 139, 443, 445, 21, 23, 25, 53, 79, 110, 113, 135, 143, 264, 389, 993, 1454, 1723, 3389, 8080, 1521, 111, 5432, 1433, 44444

If none of these ports is responsive (full TCP handshake), the host is considered dead and no further tests are performed.
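The following is an added example (not AlertSite's own code) that reproduces the dead-host logic above so you can confirm, from the scanner's point of view, that at least one probe port on a host you administer completes the handshake through your firewall before a scheduled scan. The probe order is the list from this page; the connect function is injectable so the logic can be exercised without a network.

```python
import socket

# Probe order used by the initial dead-host check, as listed on this page.
PROBE_PORTS = [22, 80, 139, 443, 445, 21, 23, 25, 53, 79, 110, 113, 135, 143,
               264, 389, 993, 1454, 1723, 3389, 8080, 1521, 111, 5432, 1433, 44444]


def tcp_connect(host, port, timeout=2.0):
    """Attempt a full TCP handshake; True only if connect() succeeds.
    A RST, a silent drop (timeout) or a DNS failure all count as unresponsive."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def first_responsive_port(host, ports=PROBE_PORTS, connect=tcp_connect):
    """Walk the probe list in order and return the first port that completes
    the handshake, or None if every port is unresponsive (the host would be
    marked dead and no further tests would run). `connect` is injectable
    so the ordering logic can be tested without touching a real host."""
    for port in ports:
        if connect(host, port):
            return port
    return None


def passes_dead_host_check(host, ports=PROBE_PORTS, connect=tcp_connect):
    """True if the scanner's initial probe would consider `host` alive."""
    return first_responsive_port(host, ports, connect) is not None


if __name__ == "__main__":
    # Run against a host you administer; None means the scanner would stop
    # at the initial probe and the report would come back empty.
    print(first_responsive_port("localhost"))
```

Because the probe stops at the first responsive port, a host that only answers on 443 is still alive; a host that only answers on a port outside the list (8443, for instance) is reported dead.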

Port Coverage (ports scanned by standard scans)

The AlertSite Standard scan runs checks against the ports defined by IANA. All publicly available services will appear in this list. The list is updated frequently and can be found in the IANA Port Numbers List.

False Positives

False positives occur when the remote server does not return HTTP code 404 for invalid (file-not-found) requests, but instead returns a custom error page with a 200 OK reply. This leads Nessus to believe the page is present, triggering the vulnerability. You can set the current results as false positive by clicking the checkbox in the leftmost column, but to prevent future false positives, configure the web server to return an HTTP 404 result code along with your custom error page.
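As an added example (not from AlertSite), the script below stands up two throwaway loopback servers that both serve the same custom error page: one with the misconfigured "200 OK" status described above and one with the proper 404. `soft_404_present()` performs the same kind of request a scanner plugin makes for a file that should not exist and reports whether the server would mislead it. The probe path and error page are constructed values.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Constructed path that no real site should serve, and a constructed error page.
PROBE_PATH = "/this-file-should-not-exist-4f3a9c.html"
ERROR_BODY = b"<html><body><h1>Sorry, that page was not found.</h1></body></html>"


class ErrorPageHandler(BaseHTTPRequestHandler):
    """Serves the same custom error page for every path; STATUS decides whether
    it is a soft 404 (200 OK) or a real one (404 Not Found)."""
    STATUS = 200

    def do_GET(self):
        self.send_response(self.STATUS)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(ERROR_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass


class SoftErrorHandler(ErrorPageHandler):
    STATUS = 200   # misconfigured: custom page, but "200 OK"


class CorrectErrorHandler(ErrorPageHandler):
    STATUS = 404   # fixed: same custom page with the proper status code


def serve(handler):
    """Start a background server on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def soft_404_present(host, port, path=PROBE_PATH):
    """True when a request for a path that cannot exist comes back 200 instead
    of 404, the condition that makes Nessus report files that are not there."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status == 200
    finally:
        conn.close()


def check_handler(handler):
    """Serve `handler` on loopback, probe it, and shut the server down."""
    srv, port = serve(handler)
    try:
        return soft_404_present("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
```

Point `soft_404_present()` at your own web server's hostname and port to verify the fix before the next scan; the body of the error page can stay exactly as it is, only the status code matters.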

Website Content Spidering

The scan will spider up to 200 pages found through the web server's default document. This spidering is used to locate and identify popular CGIs to test.

© 2016 SmartBear Software