External Scan
External Scan - An external vulnerability scan is a scan that is conducted from outside of the network. These scans target WAN IP addresses, scanning perimeter defences like websites, web applications, and network firewalls for weaknesses. CyberCNS provides external scans with configurable profiles so that you have control over the depth of the scan that needs to be performed.
In order for the external scan to work the IP and hostname will be scanned from the following IP Addresses based on the region. Your region is the suffix on your portal URL. E.g. If your URL is portaluseast2.mycybercns.com then your region is useast2. The IPs are as listed below.
Region | Originating IP Address for External Scan |
|---|---|
USWEST2 | 44.231.123.15 |
EUCENTRAL1 | 35.158.55.215 |
EUWEST2 | 13.41.172.255 |
APSOUTHEAST2 | 54.206.202.191 |
USEAST2 | 3.22.165.174 |
Running External Scans using CyberCNS
Choose a company for which you need to run a scan, and navigate to External Scan to create a profile.
Profiles
Users can create different profiles based on the requirement and attach them to assets to be scanned for external scans.
In the profile sections, you can create your own profiles and can add these profiles in the Configurations section.
There are three Default Profiles, that are
Quick Scan: This covers the top 1000 ports defined by IANA, which covers up to 65% risk profile.
Detailed Scan: This covers the top 3500 ports defined by IANA, which covers up to 94% risk profile.
Deep Scan: This will scan all 65535 ports, this can take 10 minutes to hours.
CyberCNS uses Connect Scan protocol for default profiles.
If you want to create your own Custom Profiles click on +Add.
In the profiles section, enter the Profile Name as required and select the Port Scan Type.
There are two types of Ports, those are Top Ports and Custom Ports.
Top Ports
In Top ports, you can choose the number of ports(100, 500, 1000, 3000, 5000, 10000, and 65535 ports) as required.
Choose the Protocols as required.
Sync
Connect
Xmas Scan
Choose the Service Detections as required and click on Save.
Once the profile is created successfully, you can either Edit or Delete the created profile in case required.
Configurations
When the profile is created, navigate to the Configurations section and click on +Add to add the External Scan Endpoints.
Select the Discovery Type as required.
IP Range: Discovery Type selected as IP Range, then please provide the Start IP and End IP of the range selected.
Static IP: Discovery Type selected as Static IP, then need to provide a single IP address to scan.
Domain Name: Discovery Type, selected as Domain Name, then need to provide a Domain Name.
The created profile can be chosen here if required, if not can select the Scan profile.
Enter the Ignore ports for the required IP address. Once you add the "ignore ports" option, CyberCNS will no longer generate alerts, even if the port is open
To add multiple ports, enter a port and press comma or press enter to add.
Once all the details are provided, click on Save.
Select the checkbox of Exclude from scanning in case an IP exclusion is required.
Select the Scan Later option, to save the credentials and scan later.
Ports that have been added as Ignore ports will not be considered for alerts.
If any ignored port has been added and it contains vulnerabilities, those vulnerabilities will contribute to the calculated risk score and will not be ignored.
If the IP has been discovered with four open ports if we add all four discovered ports as ignored ports added as 20, and 8080 contributes to the calculated risk score will be low.
If four ports are discovered if the two ports are ignored the risk score will remain the same, if we add all the discovered ports contribute to the calculated risk score will be low.
The external scan result will be the same as before.
In general, when you designate a specific port as an ignored port, such as port 443, it means that alerts will not be triggered specifically for that port. Instead, alerts will only be generated for the remaining open port, such as port 80. This allows you to focus on monitoring and receiving alerts for the designated open port while disregarding alerts for the ignored port.
In general, if you designate port 443 as the ignored port in the configuration, the alerts for that port will not be received. However, if you edit the configuration to make port 22 secure and initiate a scan for old results only, the status for that port will show as closed. Conversely, if you remove port 22 from the secure list and initiate the scan again, a new entry will be created in the old alerts list with the status set as open until the port is removed from the ignore ports.
To start the scan, select the checkbox to Scan the added IP and then click on Scan Now under Global Actions, or under the Action select the option Scan Now.
Click on Upload Bulk IP CSV File.
Click on Upload to upload bulk in CSV file format. You can make use of a sample CSV file to upload the correct format data.
There is an option to Edit or Delete the Discovery Type using the Action column. Any Discovery Type can be edited or deleted if needed.
Click on Delete to delete the External Scan Endpoints under configuration, and it will prompt if to delete External Scan History associated with the provided configuration. Please select if the associated data to be deleted.
Jobs
When the scan begins, navigate to the Jobs section to check the Job Completion.
At the company level.
External scan tags fall under the scheduler as well, only the selected tagged assets will trigger scan in the external scan.
Excluded tags will not trigger the scan.
Excluded IPs also will not trigger the scan if we add the tag of the excluded IP.
Multiple tags can be considered while the scan.
At the global level
The selected tag/s will trigger for all the companies where the tag matches the external scan.
Results
Once the scan is completed, navigate to the Results section, to view the details of the added IP.
Click on status here are the tow status Active and Deprecated.
The Asset Active days and Timings in the Updated column in External Scan results
The Asset detection days to deprecate the external scan results. The updated column records will give the day and time when they entered the deprecated state. Once the 'updated' column is subsequently timestamped with the latest scan time, the result moves back to the active state.
Multiple Results can be Deleted and get the Details if chosen using the Actions menu as shown below.
Configuration Deleted information can be easily checked under results using the additional column available. Click on the columns button and select the Configuration Deleted.
Information such as Ports Scan, Protocol Scan, Service Detections, OverAll Grade, Open Ports, Vulnerabilities, and Operating System Details will be displayed.
Custom Ports
For custom ports, enter multiple ports of your own by adding commas. Choose the Protocols as required from below:
Sync
Connect
Xmas Scan
Choose the Service Detections as required and click on Save.
For the added IP can get the details based on the Selected profile.
Overall Grade, Open Ports, Vulnerabilities, Operating System Details, Common SSL Vulnerabilities, and Certificate details will be displayed.
One can download the individual External Scan result by clicking on the download icon( ).
Web Vulnerabilities
Click View Details under the Vulnerabilities section to get more information about the vulnerabilities.
Details such as Category, CVSS, Severity, Remediation, Impact, and Description are captured for Vulnerabilities.
SSL Attacks and Certificates
Common SSL Vulnerabilities like DROWN, POODLE & HEARTBLEED are checked for.
SSL Certificates if any are found on the system, the details as shown below will be available in this section.
This completes the documentation for External Scan.