Reporting Toolbox - Focused Search Lists

Document created by DMFezzaReed (Employee) on May 11, 2018. Last modified by DMFezzaReed (Employee) on May 11, 2018.

Information Sec


Trust, but Verify: Authentication Without Validation Is Naïve


Administrator Account Reporting - Dynamic - Title: Administrator Account

  • Administrator Account's Password Does Not Expire (Q90080)
  • Default Windows Administrator Account Name Present (Q90081)
  • Unix Users With root UserID (Q105139)
  • Unix Users With root GroupID (Q105140)
  • UNIX Daemon/Services Listed Under Root User (Q45241)

Guest Account Reporting - Dynamic - Title: Guest

  • Enabled Guest Access to Security Log (Q90017)
  • Enabled Guest Access to System Log (Q90018)
  • Enabled Guest Access to Application Log (Q90016)
  • Apple Filing Protocol Guest Access Enabled (Q38037)
  • Built-in Guest Account Not Renamed at Windows Target System (Q105228)
  • Guest Account Accessible to FTP Server (Q27161)
  • Real Name of Built-in Guest Account Enumerated (Q90266)
  • Guest Account Not Disabled (Q105232)


Default Credential Reporting - Dynamic - Title: Default Credentials

  • Open Source Point of Sale (OSPOS) Using Default Credentials (Q11633)
  • Juniper EX Series Switch J-Web Accessible Using Default Credentials (Q11847)
  • pfSense Admin Console Accessible Using Default Credentials (Q11821)
  • IBM Integrated Management Module (IMM) Interface Accessible via Default Credentials (Q12706)
  • VMware ESXi Server Accessible Using Default Credentials (Q11507)
  • Seagate Central Accessible Via Default Credentials (Q43029)
  • Citrix Netscaler Web Management Interface Accessible Using Default Credentials (Q12929)
  • Apache Tomcat Web Application Manager Accessible Using Default Credentials (Q86857)
  • American Power Conversion (APC) Web/SNMP Management SmartSlot Card Accessible via Default Credentials (Q43431)
  • Web Server / Web Application Accessible Via Default Credentials (Q10693)
  • Silver Peak VX Accessible Using Default Credentials (Q13053)
  • Solus Virtual Manager Accessible Using Default Credentials (Q12702)
  • McAfee Asset Manager Accessible Using Default Credentials (Q12907)
  • F5 BIG-IP Management Interface Accessible Via Default Credentials (Q42417)
  • Nokia Firewall Web interface Accessible Using Default Credentials (Q43246)
  • Apache Sling Admin Page Accessible via Default Credentials (Q12587)
  • Schweitzer Engineering Laboratories (SEL) Controller Accessible Using Default Credentials (Q43225)
  • Rockwell Automation / Allen-Bradley MicroLogix PLC Web Server Accessible Using Default Credentials (Q43223)
  • Schneider Modicon Quantum Telnet Server Accessible Using Default Credentials (Q43221)
  • Schneider Modicon Quantum Web Server Accessible Using Default Credentials (Q43220)
  • Schneider Modicon Quantum FTP Server Accessible Using Default Credentials (Q43222)
  • Yak! Chat Client FTP Server Default Credentials Vulnerability (Q27202)
  • Apache ActiveMQ Admin Console Accessible Using Default Credentials (Q11804)
  • Unitrends Enterprise Backup Accessible Using Default Credentials (Q12928)
  • Oracle Enterprise Manager Accessible Using Default Credentials (Q12705)
  • Scrutinizer Accessible Using Default Credentials (Q12590)
  • XAMPP FTP Server Accessible Using Default Credentials (Q27358)
  • Pandora FMS Accessible Using Default Credentials (Q12565)
  • Oracle GlassFish Server Accessible Using Default Credentials (Q87106)
  • Apache OFBiz Accessible Using Default Credentials (Q12563)
  • Oracle WebLogic Accessible Using Default Credentials (Q12562)
  • Google Urchin Accessible Using Default Credentials (Q12560)
  • Adobe Document Server Accessible Using Default Credentials (Q12558)
  • AmpJuke Accessible Using Default Credentials (Q12559)
  • JBoss Administration Console Accessible Using Default Credentials (Q87098)
  • Geronimo Console Default Credentials Access (Q12541)
  • Trend Micro InterScan Web Security Suite Accessible Using Default Credentials (Q12599)
  • Recipe Accessible Using Default Credentials (Q11867)


Authentication Information - Dynamic - Multiple Fields (See Image)

If your vulnerability management program includes authentication tracking, I recommend creating custom authentication reports that are scheduled to run before and after your routine scan windows. Comparing the before and after runs is helpful when your team is working to improve authentication success rates.


  • This search list can be customized and/or broken into smaller groups such as:
    • By Authentication Type
    • Successful vs. Failed vs. Not Attempted
    • By Vendor
  • Oracle Authentication Method (Q19129)
  • Oracle Listener Authentication Method (Q19233)
  • DB2 Authentication Method (Q19648)
  • Unix Authentication Method (Q38307)
  • Detected NTLMv2 Authentication method (Q45279)
  • Windows Authentication Method (Q70028)
  • Windows Authentication Method for User-Provided Credentials (Q70053)
  • SMB Shares Readable Without Authentication (Q70062)
  • SNMP Authentication Method (Q78049)
  • Microsoft Windows Network Level Authentication Disabled (Q90788)
  • Windows Authentication Failed (Q105015)
  • Unix Authentication Failed (Q105053)
  • SNMP Authentication Failed (Q105192)
  • Oracle Authentication Failed (Q105193)
  • Windows Authentication Not Attempted (Q105296)
  • Unix Authentication Not Attempted (Q105297)
  • SNMP Authentication Not Attempted (Q105298)
  • Oracle Authentication Not Attempted (Q105299)
  • Oracle Listener Authentication Failed (Q105329)
  • Oracle Listener Authentication Not Attempted (Q105330)
  • DB2 Authentication Not Attempted (Q105420)
  • DB2 Authentication Failed (Q105421)
  • VMware Authentication Failed (Q105441)
  • VMware Authentication Not Attempted (Q105443)
  • Unix Authentication Timeout Occurred (Q115263)
  • VMware Authentication Successful (Q216008)

Audit Preparedness

Network Time Protocol (NTP) Reporting - Dynamic - Title:  Network Time Protocol

This report has proven useful for PCI DSS Requirement 10.4: Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.

  • Network Time Protocol Daemon ntpd Multiple Vulnerabilities (Q38665)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p7) (Q38681)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p6) (Q38682)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p5) (Q38683)
  • Network Time Protocol Multiple Security Vulnerabilities (ntp-4.2.8p4) (Q38684)
  • Network Time Protocol Denial of Service Vulnerability (ntp-4.2.8p3) (Q38686)
  • Cisco NX-OS Network Time Protocol Distributed Reflective Denial of Service Vulnerability (Q43033)
  • Cisco IOS Software Network Time Protocol Packet Vulnerability (cisco-sa-20090923-ntp) (Q43166)
  • Cisco IOS Software Multicast Network Time Protocol Denial of Service Vulnerability (cisco-sa-20130925-ntp) (Q43320)
  • Cisco NX-OS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160127-ntpd) (Q43479)
  • Cisco IOS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160127-ntpd) (Q43480)
  • HPE ArubaOS Network Time Protocol Daemon (NTPD) Multiple Vulnerabilities (ARUBA-PSA-2015-010) (Q43515)
  • Solaris Network Time Protocol (NTP) Service Denial of Service Vulnerability (1021781.1) (Q118182)
  • IBM AIX Network Time Protocol (NTP) Vulnerability (Q122133)
  • IBM AIX Network Time Protocol (NTP) Vulnerability (Q123287)
  • IBM AIX Network Time Protocol (NTPv4) Vulnerability (Q124749)
  • Cisco IOS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160603-ntpd) (Q316002)
  • Cisco IOS Software Crafted Network Time Protocol Packets Denial of Service Vulnerability (cisco-sa-20160804-wedge) (Q316021)
  • Cisco Nexus Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20161123-ntpd) (Q316066)
  • Cisco NX-OS Network Time Protocol Daemon Multiple Vulnerabilities (cisco-sa-20160603-ntpd) (Q316122)


Knowledge Base Edit Tracking - Dynamic - Search List Option Box (See Image)

If your vulnerability management program includes editing or disabling vulnerabilities within the knowledge base (KB), it's a good idea to run routine reports on the KB to track this activity. This type of report can be extremely useful for audit tracking. I recommend running two (2) separate reports, one for disabled QIDs and one for edited QIDs, and scheduling each report to run weekly.

Trust, but Verify: We Reboot Our Assets on a Routine Interval

Uptime Reporting - Static

  • Microsoft Windows Last Reboot Date and Time (Q90924)
  • Host Uptime Based on TCP TimeStamp Report (Q82063)
  • Unix Last Reboot Date and Time (Q124145)


Microsoft Pending Reboot - Static

  • Pending Reboot Detected (Q90126)


Trust, but Verify: Our Release Management Program is Maintained at N-1

EOL/Obsolete Software - Dynamic - Title: EOL/Obsolete Software

I have often found that routinely generating this information and sharing it with your client endpoint and systems teams, so they can use the results during routine release management, maintenance and deployment planning, builds the relationship between security and IT teams. It also helps identify anomalies in an imaged environment.

  • +/- 276 entries in the Qualys Vulnerability Knowledge Base


EOL/Obsolete Hardware - Dynamic - Title: EOL/Obsolete Hardware

  • +/- 5 entries in the Qualys Vulnerability Knowledge Base


EOL/Obsolete Operating System - Dynamic - Title: EOL/Obsolete Operating System

I have often found that routinely generating this information and sharing it with your infrastructure teams, so they can use the results during routine release management and maintenance planning, builds the relationship between security and infrastructure teams. It also helps identify anomalies in an imaged environment.

  • +/- 137 entries in the Qualys Vulnerability Knowledge Base
