Frequently Asked Questions
What are the benefits of running your audits?
What are the auditing service options?
What are some of the common vulnerabilities found?
Your service is too expensive!
Can other people see my audit results?
Will this guarantee the security of my network?
I have a firewall. Do I need this service?
I have my own vulnerability scanner. Why would I need yours?
Can I scan anyone's machine?
Can you email me the audit results?
Which platforms do you audit?
Will my network crash as a result of an audit?
How long does it take to run an audit?
What is CVE?
What are channels?
What are the well known services and ports?
Why don't you always scan all TCP and UDP ports?
Why are you using cookies?
Why did you falsely detect application X to be vulnerable?
Can you provide some testimonials or references?
Questions and Confidentiality
What are the benefits of running your audits?
Attracting thousands of users all over the world, Security Audits are the most comprehensive, up-to-date and cost-effective security auditing services on the internet. The easy-to-use tool
- provides an external view of your network from the internet,
- scans all 65,535 ports of an IP for potential security holes,
- examines your system with 99761 vulnerability tests for security weaknesses, including Windows based attacks, denial of service attacks, root exploits, CGI abuses, mail server vulnerabilities, and firewall vulnerabilities,
- provides a detailed and comprehensive report on findings, and suggests potential solutions,
- includes the latest vulnerability tests on a regular basis.
What are the auditing service options?
We provide a number of different service levels and types of subscriptions. A price & feature comparison provides a quick overview of what you get with the different packages.
The 5 different types of audits available are:
- Basic Audit: a TCP port scan of over 1500 ports;
- Single Vulnerability Test: a selection from 99761 different vulnerability tests;
- Desktop Audit: a TCP port scan of over 1500 ports, plus 6098 vulnerability tests in the DoS, Windows, Backdoors, Misc. & Firewalls categories;
- Standard Audit: a Basic Audit (port scan) and execution of all 99761 available vulnerability tests;
- Advanced Audit: a 65,535 TCP port scan and execution of all 99761 available vulnerability tests.
Our No Risk audit is equivalent to the Standard Audit in its execution, except that we don't show you the details of the problems we found. This is useful as a way of determining whether or not you have any problems before you decide to buy any of our services.
Your service is too expensive!
You're entitled to your opinion. However, we ask you to consider the following:
- None of our competitors offer services as inexpensive as ours.
- The cost of setting up and maintaining your own scanner can easily
exceed the cost of a subscription to our services.
- The cost of a security breach on your network will almost always
exceed the cost of our services.
Consider the following services:
- $199 for one month of unlimited advanced audits on an unlimited # of IPs
- $249 for a year of recurring monthly advanced audits + network monitoring services. (12 Advanced audits, round the clock monitoring of your servers at 5 minute intervals for 5 devices.)
- $999 for a dedicated server for a full month, capable of running approximately 20,000 standard audits, or about 7,500 advanced audits during a month.
We feel these prices are second to none in the industry.
Can other people see my audit reports?
No. Only you can see the results of your audit. Audit reports are generated based on scan results in our local databases. The only way you get to see the audit report is by logging in to your account on our secure SSL server.
What are some of the common vulnerabilities found?
The problems we routinely find usually fall into one of the following
areas:
- Unpatched/out of date software with known vulnerabilities
- Dangerous or unneeded services available for exploit
- Improperly configured software allowing unwanted access to resources
Will this guarantee the security of my network?
No. The reports give you information as to potential
areas to examine for security concerns, but you must still take the
necessary steps to secure your network.
I have a firewall. Do I need this service?
Firewalls are great for restricting access to your network, but firewalls
cannot prevent all problems. Two of the most common problems with
firewalls are
- misconfiguration allowing unwanted access
- vulnerable services behind the firewall (e.g. web server on port 80)
allowing an attacker to tunnel through
the firewall, through the vulnerable service, onto the machine running
the vulnerable service, from where they can attack the rest of your
network from behind the firewall itself.
For a list of the firewall specific tests available,
click here.
I have my own vulnerability scanner. Why would I need yours?
There are many scanners available, both commercial and open source.
The benefit of using this service, however, is not in the specific
technology being used, but that it provides:
- An external view of your network. Getting an external view of your network usually involves getting access to a machine on the outside of your network for the purpose of running your scan. The cost of setting up and maintaining this type of access can often be more than the cost of this service alone.
- Reproducible. As an audit mechanism, Security Audits are a low-cost, reproducible audit that can be run whenever you need.
- Low effort. Setting up and configuring a vulnerability scanner for proper operation can be time-consuming.
- Always up to date. By using a service, you automatically receive the latest vulnerability tests without having to install them into your own scanner. We ensure that our test suite is always up to date.
We provide new vulnerability tests on a regular basis as security issues/holes are found. For example, check out the tests added in the last 30 days. In addition, we tell you via our vulnerability announcement list the moment any new tests are on-line corresponding to remotely exploitable vulnerabilities, assisting you in keeping up to date on problems that may impact your network.
Can I scan anyone's machine?
No. You may only scan the machine which you own.
Normally, that means the machine from which you are browsing.
If you wish us to scan a machine that you cannot surf from (e.g.
a corporate web server), use the IP Permissions form to submit the range
of IPs that you wish to be able to audit. After we confirm that you are
authorized to audit the requested IPs, we'll grant your account
privileges to audit those IPs regardless of where you are surfing from.
Note: we offer this service only to customers that purchase auditing
services.
Can you email me the audit results?
We will provide you with an email alert indicating that a scan has
been completed. However, for security reasons, we will not email you
the results, since email is an insecure way of sending information.
Even if we launch an audit on your behalf, the audit is run out of
your account on our system, and the report is available for pick up
from the same account.
Which platforms do you audit?
Our service has tests for virtually every platform out there, and is not
limited to one particular operating system or application suite. You will
find tests for Windows, Linux, Unix, Macintosh, Web servers, Database
products, and more. If it can be remotely tested, we try to have the
test for it available.
Will my network/system crash as a result of an audit?
We certainly hope not, but ultimately there are no guarantees. Bear in
mind that an audit is considered to be an intrusive operation.
The different audits have different risk levels associated with them.
Our Basic Audit is a port scan that should not impact anyone's system.
It is relatively low bandwidth (<50K at peak), and if it does crash
your system, you should definitely be looking at doing something about
this, since it is quite likely you will be port scanned by someone
in the future.
A number of the vulnerability tests are denial of service attacks
that are designed to test the integrity of your hardware and software.
These tests focus on known problems on various computer systems,
and may impact equipment it is aimed at, such as routers,
firewalls, etc. For a description of the various DoS attacks included
in the test suite, check
here.
None of the DoS tests involve deliberate attempts to flood your bandwidth (a trivial, non-preventable attack).
DoS tests are disabled by default to reduce the likelihood of your system
crashing, but you may enable them at your own discretion.
How long does it take to run an audit?
This depends on the type of audit you launched, the network between us and you, and how your system is configured. For unprotected systems (no firewalls or packet filtering), the times are roughly
- Basic Audit: 30 seconds
- Single Vulnerability Test: 5-60 seconds
- Desktop Audit: 10 minutes
- Standard Audit: 20 minutes
- Advanced Audit: 90 minutes
For systems that are shielded by packet filtering of one form or another,
the times are closer to
- Basic Audit: 10 minutes
- Single Vulnerability Test: 60 seconds
- Desktop Audit: 30 minutes
- Standard Audit: 1.5 hours
- Advanced Audit: 2.5 hours (on rare occasions, up to 8 hours).
Regardless of how long it takes, when an audit is complete, we email
you a notification that you requested an audit, and that the results
are complete and available on-line.
Advanced audit subscribers have a default of 2 channels available, meaning
that they can run 2 audits simultaneously. Both Advanced and standard audit
subscribers may purchase additional channels allowing for conducting audits
of larger networks faster.
What is CVE?
CVE stands for Common Vulnerabilities and Exposures. It represents a standard way of numbering and describing known vulnerabilities. The scanning engine we use includes CVE identifiers where available. Our test reports include these identifiers linked to the official CVE site located at cve.mitre.org.
All our tests now include, when available,
related on-line cross-references, providing additional information
on those vulnerabilities.
Such cross-references include:
- Cert/CC Advisories,
- BugTraq IDs,
- Vendors' product related vulnerabilities/solutions,
- mailing lists, discussions and more.
There are over 10,000 on-line resources available associated with the various
CVE identifiers in our tests. You can search our database for tests by CVE or CVE candidate number.
What are channels?
Channels are how we manage audits. Each channel has the ability to process one audit request at a time, and each audit request will usually take no more than 50Kbit of bandwidth. Advanced monthly/yearly subscribers by default have 2 channels available to them, meaning that they can run two audits at a time. Dedicated server leases include 50 channels per server, while all other customers have one channel by default available to them. All customers may purchase additional channels to allow for auditing larger networks more quickly.
What are well known services and ports?
Well known services are services known to customarily exist on specific ports. This is different from the definition of a well known port, which is the port range 0 through 1023.
From IANA's web pages, the port definitions are as follows:
The port numbers are divided into three ranges: the Well Known Ports, the
Registered Ports, and the Dynamic and/or Private Ports.
- The Well Known Ports are those from 0 through 1023.
- The Registered Ports are those from 1024 through 49151.
- The Dynamic and/or Private Ports are those from 49152 through 65535.
The ports we audit are
all well known ports (1-1023), along with about 500 ports
in the 1024-65535 range. These additional ports consist both
of legitimate services as well as commonly known trojans.
To see the IANA well known ports that have been assigned, check
out their site at www.iana.org.
Why don't you always scan all TCP and UDP ports?
To scan all possible ports would involve scanning over 130,000 ports.
While that would be thorough, there are a number of problems associated
with doing this:
- Scanning can take a long time. To scan all 64K TCP ports would
take our scanner several hours. We do offer a full 64K TCP port
scan as part of our advanced audit.
- UDP ports cannot be scanned reliably. The problem with UDP ports
is that they don't respond when the port is open. That would be fine,
except that many firewalls will also not respond when you probe
a UDP port, even if that port isn't open. The result ends up being
a large number of false positives. The vulnerability tests do check
for a number of UDP services, but even here, if your system is firewalled,
false positives can occur.
- Solaris systems cannot be UDP scanned any faster than 2 ports
per second, due to a throttling mechanism applied by Solaris itself.
Thus, a 1500 port UDP scan would take over 10 minutes, and a full
64K port scan would take over 9 hours.
Our methodology is to ensure we provide accurate results, and
because the last two items make it either difficult or impossible
to perform effective full UDP port scans, we have elected to limit UDP
scans to checking for services (e.g. trojans) residing on known UDP ports.
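To make the UDP ambiguity concrete, here is an added illustration (not the service's scanner, and it sends nothing on the network): a simulated host with open, closed and filtered UDP ports, a probe model, and the strongest conclusion a scanner can honestly draw from each kind of response. The port states, the set of services that answer an arbitrary datagram, and the helper names are assumptions made for this example; the rate-limit estimate uses the 2 ports per second figure quoted above.

```python
"""Why a UDP probe result is ambiguous: added illustration, not the service's scanner.
All hosts and responses here are simulated in memory; nothing is sent on the network."""
from enum import Enum
from typing import Dict, Iterable, List


class TrueState(Enum):
    OPEN = "open"          # a service is listening on the port
    CLOSED = "closed"      # nothing listening; the host answers with ICMP port unreachable
    FILTERED = "filtered"  # a firewall silently drops the probe


class Response(Enum):
    UDP_REPLY = "udp reply"                # the application answered the probe payload
    ICMP_UNREACHABLE = "icmp unreachable"  # the host reported that nothing is listening
    NONE = "no response"                   # silence: open-and-quiet, or filtered


# Constructed sample host (hypothetical port states, not a real machine).
SAMPLE_HOST: Dict[int, TrueState] = {
    53: TrueState.OPEN,
    123: TrueState.OPEN,
    161: TrueState.FILTERED,
    514: TrueState.FILTERED,
    1024: TrueState.CLOSED,
    31337: TrueState.CLOSED,
}

# Assumption for the model: only some services answer an arbitrary datagram. Most open
# UDP services stay silent unless the probe speaks their protocol, so "open" alone
# does not guarantee a reply.
SERVICES_THAT_REPLY = {53}


def simulate_probe(port: int, host: Dict[int, TrueState]) -> Response:
    """Model the network's answer to one UDP datagram sent to `port`."""
    state = host.get(port, TrueState.CLOSED)
    if state is TrueState.CLOSED:
        return Response.ICMP_UNREACHABLE
    if state is TrueState.OPEN and port in SERVICES_THAT_REPLY:
        return Response.UDP_REPLY
    return Response.NONE  # open-but-silent and firewalled look identical from outside


def classify(response: Response) -> str:
    """The strongest conclusion a scanner can honestly draw from one response."""
    if response is Response.ICMP_UNREACHABLE:
        return "closed"
    if response is Response.UDP_REPLY:
        return "open"
    return "open|filtered"  # the ambiguity behind UDP false positives


def scan(host: Dict[int, TrueState], ports: Iterable[int]) -> Dict[int, str]:
    """Classify every port in `ports` from its simulated response."""
    return {p: classify(simulate_probe(p, host)) for p in ports}


def ambiguous_ports(results: Dict[int, str]) -> List[int]:
    """Ports a report can only flag as 'possibly open'; each is a candidate false positive."""
    return [p for p, verdict in results.items() if verdict == "open|filtered"]


def estimate_scan_seconds(port_count: int, ports_per_second: float) -> float:
    """Lower bound on scan time when the target throttles its ICMP answers."""
    return port_count / ports_per_second


if __name__ == "__main__":
    results = scan(SAMPLE_HOST, sorted(SAMPLE_HOST))
    for port, verdict in results.items():
        print(f"udp/{port}: {verdict}  (true state: {SAMPLE_HOST[port].value})")
    print("ambiguous:", ambiguous_ports(results))
    print("1500 ports at 2/s:", estimate_scan_seconds(1500, 2) / 60, "minutes")
```

Reading the output: the two closed ports are identified with certainty, the DNS-style port that answers is identified as open, and the other three (one open, two firewalled) collapse into a single "open|filtered" verdict. When reviewing a report for a firewalled host, treat every "open|filtered" entry as unconfirmed until a protocol-specific test or the host's own service inventory settles it.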
Why are you using cookies?
Cookies are a way that a web server can store, either temporarily
or for longer periods of time, information about you, the user,
on your own browser's computer system. We use cookies to manage
and secure our login and session management process ONLY. The cookies
we generate are never written to your disk cache. They will only ever be
transmitted over secure SSL connections, and we never use them for
any reason other than to do login session management. You will
have to enable cookies, and accept the cookie "asaut" (if your
browser is prompting you for acceptance) in order to be able to
successfully use this service.
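The properties described above (transmitted only over SSL, used only for the login session, never persisted to disk) map directly onto Set-Cookie attributes. The following is an added example, not the service's own code: it builds a session cookie with those attributes and checks an arbitrary Set-Cookie value against them. The cookie name "asaut" is taken from the answer above; the token value is constructed, and the HttpOnly attribute is a hardening step beyond what the answer states.

```python
"""Session cookie with the properties the FAQ describes, plus a checker for
Set-Cookie headers. Added example, not the service's own code."""
from http.cookies import SimpleCookie
from typing import List


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value for a login-session cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["secure"] = True    # only ever sent over an SSL/TLS connection
    jar[name]["httponly"] = True  # not readable by page scripts (hardening beyond the FAQ)
    jar[name]["path"] = "/"
    # Deliberately no Expires / Max-Age: a session cookie lives in browser memory and
    # is discarded when the browser closes, rather than being written to disk.
    return jar[name].OutputString()


def check_session_cookie(header_value: str) -> List[str]:
    """List the ways a Set-Cookie value falls short of a secure session cookie."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems: List[str] = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure, could be sent in clear text")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly, readable by scripts")
        if morsel["expires"] or morsel["max-age"]:
            problems.append(f"{name}: persistent (Expires/Max-Age set), stored on disk")
    return problems


if __name__ == "__main__":
    good = build_session_cookie("asaut", "constructed-session-token")
    print(good)
    print("problems with session cookie:", check_session_cookie(good))
    # Constructed weak header: no Secure, no HttpOnly, and an expiry that persists it.
    weak = "asaut=constructed-session-token; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"
    print("problems with persistent cookie:", check_session_cookie(weak))
```

The checker is handy when reviewing your own login flow: capture the Set-Cookie header from a response and feed it in; an empty list means the cookie matches the session-only, SSL-only profile described above.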
Why did you falsely detect application X to be vulnerable?
We often get questions such as "You indicate my SMTP server type
<somename> is vulnerable, but I'm not even running that server.
What gives?"
We detect vulnerable applications in one of two ways. The first is banner
checking, where the application in question will tell us that it is version
X. When we know version X is vulnerable, we report that. This is
however susceptible to banner fiddling - if you change the banner string
reported, we might produce an erroneous report. There is also the issue
that many Linux distributions will maintain a version of an application,
introducing security fixes with patch levels that leave the base version
number the same. In these cases, we may erroneously report your server
as vulnerable.
The second method of checking involves actually TESTING an application's vulnerability by injecting a benign payload of data that is known to cause the application to crash, produce an error, or some similar, measurable activity. In these cases, we are checking to see if the application behaviour is consistent with that of a vulnerable application (e.g. it closes the socket connection because the instance crashed). This method can detect vulnerabilities in application versions OTHER than the version in which it was originally found. It does, however, suffer from a key weakness in that some applications (notoriously SMTP and FTP servers) will, rather than return an error message on an invalid data payload, simply detect the bogus data and close the connection deliberately. This, from our perspective, is indistinguishable from an application crash, and can result in false positives being reported.
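The banner-check weakness above (a distribution backporting a fix while leaving the base version number unchanged) is the case a report reviewer most often has to triage. Here is an added example, not the service's detection code, of how such a banner finding can be graded: it parses a product and version out of a banner, compares it against a "first fixed version" table, and downgrades the verdict to "verify" when the banner carries a vendor patch level. The product names, versions, banners and the fixed-in table are all constructed placeholders, not real advisories.

```python
"""Triage of banner-based vulnerability findings: added example, not the service's
detection code. Product names, versions and the FIXED_IN table are constructed
placeholders, not real advisories."""
import re
from typing import Dict, Optional, Tuple

# Constructed table: product -> first version that carries the fix.
FIXED_IN: Dict[str, Tuple[int, ...]] = {
    "examplemtad": (2, 4, 0),
    "exampleftpd": (1, 3, 5),
}

# product, dotted version, and an optional distribution patch suffix such as "-3+deb"
BANNER_RE = re.compile(
    r"(?P<product>" + "|".join(map(re.escape, FIXED_IN)) + r")"
    r"[ /_-]v?(?P<version>\d+(?:\.\d+)+)(?P<suffix>[-+][\w.+~]*)?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.9' -> (2, 3, 9); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def triage_banner(banner: str) -> Optional[Dict[str, object]]:
    """Grade a banner finding the way a report reviewer would: solid, or the
    backported-fix case where the banner alone cannot decide."""
    match = BANNER_RE.search(banner)
    if match is None:
        # Nothing to compare. A stripped or altered banner hides the version; it does
        # not show the service is fixed, so this is "no finding", not "safe".
        return None
    product = match.group("product").lower()
    version = parse_version(match.group("version"))
    suffix = match.group("suffix") or ""
    vulnerable_by_version = version < FIXED_IN[product]
    # A vendor patch level after the base version means the fix may have been
    # backported without changing the version number the banner reports.
    backport_possible = vulnerable_by_version and suffix != ""
    if not vulnerable_by_version:
        verdict = "not vulnerable by version"
    elif backport_possible:
        verdict = "verify: vendor patch level present, possible false positive"
    else:
        verdict = "likely vulnerable (banner only, confirm against patch records)"
    return {
        "product": product,
        "version": version,
        "suffix": suffix,
        "vulnerable_by_version": vulnerable_by_version,
        "backport_possible": backport_possible,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed banners covering the four cases discussed in the FAQ answer.
    for banner in (
        "220 mail.example.test ESMTP examplemtad 2.3.9-3+deb ready",  # backport suspect
        "220 mail.example.test ESMTP examplemtad 2.3.9 ready",        # plain old version
        "220 mail.example.test ESMTP examplemtad 2.4.1 ready",        # fixed version
        "220 mail.example.test ESMTP ready",                          # banner stripped
    ):
        print(repr(banner), "->", (triage_banner(banner) or {}).get("verdict", "no finding"))
```

When the verdict is "verify", the authoritative source is the package's own changelog or the vendor's advisory for that patch level, not the banner; and a stripped banner removes the finding from the report without removing the underlying risk, which is why the active test described in the second method still has a place.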
Can you provide some testimonials or references?
We recommend you visit our
testimonials
page. This documents our position on this subject.
Questions and Confidentiality
We fully understand the importance of
confidentiality and the
privacy of your audit information.
If you have any further questions, please drop us a line at
contact <at> securityspace <dot> com.