SSBP Lab Tutorial Supplement 2Q 2023 V2
(SSBP)
Qualys, Inc.
919 E Hillsdale Blvd
4th Floor
Foster City, CA 94404
1 (650) 801 6100
When adding the IP addresses, you will choose the tracking method. This is how the Qualys
Platform tracks vulnerability findings for the host. For example, if the host has multiple IP
addresses, you can use DNS Tracking to consolidate the findings for the host into a single
record in your reports. Another example: if the IP address changes over time, DNS or
NetBIOS tracking is the better option.
The tracking method for a host should remain consistent over time. If it changes, the best
practice would be to purge the asset data and run new scans for the host.
Agentless Tracking uses the Qualys Host ID to track findings. This is the recommended
practice after you have added the hosts initially. See the later section for a more detailed
discussion on Agentless Tracking.
Navigate to the following URL to view the Adding Scannable Hosts tutorial:
https://ior.ad/93qw
Perimeter Scan
This scan identifies the vulnerabilities an attacker would see from the public Internet.
By default, most account subscriptions will only use one external scanner from the pool.
Large account subscriptions will already include parallelism with multiple external scanners.
You can contact your account representative to enable this feature. If your account has this
enabled, include the additional performance settings.
To run this scan, you will organize your external-facing IP addresses into separate Asset
Groups and use them as targets. It is recommended to treat Qualys as any other potential
Navigate to the following URL to view the Perimeter Scan Option Profile tutorial:
https://ior.ad/93qc
On-prem Scan
This scan identifies vulnerabilities as a rogue actor would see them from within your
company’s internal infrastructure.
This is an authenticated scan that not only identifies vulnerabilities but also identifies and
verifies patching. The Standard port list is the best list available; add any additional ports
that are specific to your environment.
Navigate to the following URL to view the On-prem Scan Option Profile tutorial:
https://ior.ad/93qd
You can create an EC2 connector within the Qualys Connectors app module. The connector
uses APIs to query metadata from the cloud provider account.
You will have a selection of AWS or Azure for Cloud Perimeter Scanning.
Target Hosts is where the connector is selected. The scan job will only use the connector if
you do not add the platform, region, or tags. All EC2 VPCs in the US West are targeted in the
example above.
You can select specific instance IDs (with or without tags). Qualys will check if the instance
ID is valid when the scan is launched. Any invalid instance IDs will get skipped.
Here you can see that the assets discovered by this connector will be
automatically activated for VM Scanning. The Cloud Perimeter Scan has
also been selected, and these discovered EC2 instances are tagged.
You can launch the Cloud Perimeter scan right from the Quick Actions menu of specific
connectors. It will then use the global scan profile.
Navigate to the following URL to view the Cloud Perimeter Scan tutorial:
https://ior.ad/93q9
Scans can be scheduled daily, weekly, and monthly. The best practice is to schedule
Perimeter scans as close to daily as possible, and On-prem scans as close to weekly as
possible. This has been identified by Qualys SMEs and teams in the field working with
customers.
The Manager primary contact can enable the Relaunch on Finish option. There is a use case
for this option. At first, this might sound highly inefficient as it will create a permanent
The Calendar view shows completed scans and how long each scan took to finish. This is an
important data point to use when you schedule reports. Reports should be scheduled to
run after the latest scans finish. That way, you are reporting the latest information Qualys
has.
The Add to my Calendar button will display a link to use in a calendar app like Outlook. Your
calendar app will need to support the iCal format (Internet Calendaring and Scheduling Core
Object Spec).
https://ior.ad/93qC
Authentication Record
Vulnerability scanning is a privileged operation. Administrative privileges on the target let the
scanner confirm findings with certainty instead of inferring them remotely. Authentication
also ensures the enumeration of software applications on the host system.
Within the Option Profile, you will enable Authentication. The scanner will then pull
credentials for the host from the Authentication Records.
Local Windows and Unix Authentication Records will need assets assigned by IP address.
The IP address can be added manually or by selecting an Asset Group or Asset Tag. If you
use Asset Tags, the IP addresses carrying the assigned tag will be associated with the
Authentication Record, and the Tag-to-IP resolution happens at scan launch time, which
lengthens the scan time. You do not need to select assets for Authentication Records that
use Windows Active Directory or NetBIOS Service-Selected IPs.
More information on Tag Support for Authentication Records can be found here:
https://qualysguard.qualys.com/qwebhelp/fo_portal/authentication/tag_support.htm
The scanner must be able to pull information from the Windows registry. If Remote Registry
Service is disabled, you must enable Dissolvable Agent in the Option Profile. QID 90194 in
the scan results will reflect if a target host has Remote Registry Service disabled.
The Dissolvable Agent preceded the Qualys Cloud Agent. They are not the same. The
Dissolvable Agent is very slim and looks explicitly for registry keys that the scanner needs
but are blocked by disabling Remote Registry Service. All agent traces are removed when
the scan on the host is complete.
Be careful with the SMB signing checkbox on the Windows Authentication Record. As you
can see in the picture, it is for legacy Windows versions and is host dependent. The setting
will lower performance and cause bad-login messages if the record is used with hosts that
don’t support it. It is recommended to keep this off.
Navigate to the following URL to view the Authentication Records with the IP Range Tag
tutorial:
https://ior.ad/93qG
A best practice is to run authenticated scanning for internal assets and monitor if scans are
completed using authentication.
With this checkbox enabled, an Option Profile performs authentication testing only. It is
narrowed in scope to the QIDs related to authentication, and no vulnerability detection is
attempted. Some Qualys subscriptions are Pay Per Scan, and it can be costly to run a scan
only to learn that many target hosts failed authentication. This test does not count against
Pay Per Scan.
For many scan targets, checking the status of every Authentication Record would require
some effort. A second way would be to run an Authentication Report after your scan
finishes.
The Authentication Report is a best practice because not everyone can view the Qualys UI to
see the dashboard or query data. This type of report can be scheduled to run just after your
regular scan jobs are complete. From this report, you can confirm the Status of each host.
The last way to monitor would be to develop queries for the specific Information Gathered
QIDs related to authentication. These queries can then be turned into widgets for
monitoring on your dashboard.
Here you can see how to turn a query into a widget. This combo query produces a dataset of
all Linux or Unix hosts that failed authentication on the latest scan.
There are many prebuilt dashboards on the Qualys Community that you can import. This
can save you time since editing widget queries would be faster than creating a dashboard
from scratch.
Navigate to the following URL to view the Subscription Health Dashboard tutorial:
https://ior.ad/95va
Deployment of the physical or virtual scanner appliance is similar. The appliance will have a
WAN port that needs IP settings to reach back to the Qualys Cloud Platform.
Communication occurs on TCP 443. There is also a LAN port on the appliance that will need
IP settings to reach scan targets.
The physical scanner hardware will have an LCD panel that displays a personalization code.
When adding a new Scanner Appliance, you will need this code for the physical scanner to
latch to your subscription.
The Platform will generate a personalization code that you will add to the virtual machine’s
console.
Scanners that remain connected to the Qualys Platform will synchronize their code and
signatures automatically. There is a heartbeat check performed on every scanner appliance
every 4 hours. This ensures they are online, ready to process scans, and can obtain software
updates. You can set up email notifications if the scanner misses a specific number of
heartbeat checks. The default polling interval is 180 seconds, which governs how often the
scanner appliance polls the Qualys Platform for new information. It can be set to a value
between 60 to 3600 seconds.
Navigate to the following URL to view the Virtual Scanner Appliance Deployment tutorial:
https://ior.ad/95Dm
Qualys users will have predefined user roles. The Manager user is the most privileged.
Scanner users can launch vulnerability and map scans on assets that they have been
assigned. This will allow you to delegate scan activities to other Qualys users and not rely on
the Manager to do everything. The Qualys external scanners are usable by all user roles that
can run scanning activities; no scoping is required.
IP-based scoping
You can assign the Scanner user to an Asset Group. This is one way to allow them access to
hosts to scan.
Tag-based scoping
Tag-based user scoping allows for assigning visibility to objects via tags. This gives you more
flexibility, like if devices roam or have unpredictable IP addresses. Contact support or your
account representative to request Asset Tag Scoping for a subscription.
This function is evolving. Currently, scannable IP addresses must be available to the Scanner
user via Asset Group or Business Unit assignment. In a future release, only tags will be
needed to assign assets. Any tag can be used and tag inheritance is fully supported. It is
recommended to use a combination of Asset Group, Business Unit, and Agent Activation
Key Tags to grant visibility. An improperly scoped Dynamic Tag could enable users to see
assets beyond their intended scope. If you add the Asset Group Tag, remember to also add
the appropriate scanner appliances to the Asset Group.
Extended Permissions
As a general strategy to keep scan data consistent over time, you can restrict Scanner roles
from creating Option Profiles. Changes to the Option Profiles can impact the consistency of
data you run reports on.
Click the following URL to view the Delegating Scan Activities tutorial:
https://ior.ad/93qo
A baseline using the recommended Perimeter and On-prem Option Profiles should be
established first. With that data, you can then further tune the performance settings here.
With optimal scanner placement and scheduling, tweaking these settings can further speed
up scan jobs.
Scan performance refers to the time it takes to complete a scan job. Having a reasonable
expectation of scan time will require benchmarking within your environment. To improve
scan performance, you can reduce the number of targets, reduce the port coverage, reduce
the number of vulnerabilities to scan for, or deploy more scanners.
The lab tutorial will show how to set up a Search List of QIDs to monitor scan performance.
QIDs 45006, 45038, and 45426 will be added to a static Search List in the lab tutorial. The
slide deck includes even more QIDs that could be useful. Treat this QID list as a starting
point that you add to over time to benchmark scans within your environment.
QID 45038 will show the total time spent scanning that target host.
You can use this information to identify slow hosts or ports. You can also get insight into
whether the scanner needs to be moved closer to the targets or if more scanners are
needed for the scan job. Adding multiple scanners to a job can reduce the time. The Qualys
Platform breaks up the scan job into slices and distributes the slices to scanners based on
available capacity.
Monitoring scan time is a practice you will want to do over time. This is not only to tune
performance settings but also to alert you to issues. This can be done with the API, QQL, or
running a custom report, as seen in the lab tutorial.
The API can capture the “Previous Duration” information of your scheduled scans. This
information can be stored in a spreadsheet to sort/group scan performance over time.
Some examples of using the API to obtain scheduled scan information can be found in the
API User Guide:
https://www.qualys.com/docs/qualys-api-vmpc-user-guide.pdf
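The paragraph above suggests storing scan durations over time and sorting them to spot trends. The script below is an added example, not code from Qualys or from this supplement: it parses a constructed Scan List response, keeps only finished scans, builds a duration history per scan title, and flags any scan whose latest run is much slower than its earlier runs. The XML element names (`SCAN`, `TITLE`, `LAUNCH_DATETIME`, `DURATION` in `HH:MM:SS`, `STATUS/STATE`) are my recollection of the VM Scan List API output and must be verified against the API User Guide linked above before running this on real responses; the threshold factor and function names are my own.

```python
"""Track Qualys scan durations over time and flag scans that are getting slower.

Added example, not Qualys code. The XML shape is an assumption based on the
VM Scan List API (/api/2.0/fo/scan/?action=list): each <SCAN> is assumed to
carry <TITLE>, <LAUNCH_DATETIME>, <DURATION> (HH:MM:SS) and <STATUS><STATE>.
"""
import csv
import io
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample response (not real Qualys output): three runs each of two
# scheduled scans plus one scan still running. The last Perimeter run is far
# slower than the two before it.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8" ?>
<SCAN_LIST_OUTPUT><RESPONSE><SCAN_LIST>
 <SCAN><REF>scan/1001</REF><TITLE>Perimeter Scan</TITLE>
  <LAUNCH_DATETIME>2023-04-01T02:00:00Z</LAUNCH_DATETIME>
  <DURATION>00:40:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/1002</REF><TITLE>Perimeter Scan</TITLE>
  <LAUNCH_DATETIME>2023-04-02T02:00:00Z</LAUNCH_DATETIME>
  <DURATION>00:42:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/1003</REF><TITLE>Perimeter Scan</TITLE>
  <LAUNCH_DATETIME>2023-04-03T02:00:00Z</LAUNCH_DATETIME>
  <DURATION>01:30:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/2001</REF><TITLE>On-prem Scan</TITLE>
  <LAUNCH_DATETIME>2023-03-18T22:00:00Z</LAUNCH_DATETIME>
  <DURATION>05:00:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/2002</REF><TITLE>On-prem Scan</TITLE>
  <LAUNCH_DATETIME>2023-03-25T22:00:00Z</LAUNCH_DATETIME>
  <DURATION>05:10:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/2003</REF><TITLE>On-prem Scan</TITLE>
  <LAUNCH_DATETIME>2023-04-01T22:00:00Z</LAUNCH_DATETIME>
  <DURATION>05:05:00</DURATION><STATUS><STATE>Finished</STATE></STATUS></SCAN>
 <SCAN><REF>scan/2004</REF><TITLE>On-prem Scan</TITLE>
  <LAUNCH_DATETIME>2023-04-08T22:00:00Z</LAUNCH_DATETIME>
  <DURATION>Running</DURATION><STATUS><STATE>Running</STATE></STATUS></SCAN>
</SCAN_LIST></RESPONSE></SCAN_LIST_OUTPUT>
"""


def parse_duration(text):
    """Convert 'HH:MM:SS' to seconds; return None for values like 'Running'."""
    parts = text.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    hours, minutes, seconds = (int(p) for p in parts)
    return hours * 3600 + minutes * 60 + seconds


def load_durations(xml_text):
    """Return {title: [(launch_datetime, seconds), ...]} for finished scans,
    sorted by launch time (ISO-8601 strings sort chronologically)."""
    root = ET.fromstring(xml_text)
    runs = defaultdict(list)
    for scan in root.iter("SCAN"):
        if scan.findtext("STATUS/STATE", default="") != "Finished":
            continue  # skip running/queued scans; they have no final duration
        seconds = parse_duration(scan.findtext("DURATION", default=""))
        if seconds is None:
            continue
        runs[scan.findtext("TITLE")].append((scan.findtext("LAUNCH_DATETIME"), seconds))
    for title in runs:
        runs[title].sort()
    return dict(runs)


def flag_slow_scans(runs, factor=1.5):
    """Flag titles whose latest run exceeds `factor` x the median of earlier runs.
    Returns {title: (baseline_seconds, latest_seconds)}."""
    flagged = {}
    for title, history in runs.items():
        if len(history) < 2:
            continue  # nothing to compare against yet
        baseline = statistics.median(s for _, s in history[:-1])
        latest = history[-1][1]
        if latest > factor * baseline:
            flagged[title] = (baseline, latest)
    return flagged


def to_csv(runs):
    """Flatten the history into CSV text (title,launch,seconds) for a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["title", "launch_datetime", "duration_seconds"])
    for title, history in sorted(runs.items()):
        for launch, seconds in history:
            writer.writerow([title, launch, seconds])
    return buf.getvalue()


if __name__ == "__main__":
    history = load_durations(SAMPLE_XML)
    print(to_csv(history))
    for title, (baseline, latest) in flag_slow_scans(history).items():
        print(f"{title}: latest {latest}s vs baseline {baseline:.0f}s")
```

On the sample data the Perimeter Scan is flagged (5400 s against a 2460 s baseline) and the On-prem Scan is not; a real deployment would replace `SAMPLE_XML` with the body of an authenticated API call and append the CSV rows to the spreadsheet the text describes.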
Click the following URL to begin the Reporting Scan Time tutorial:
https://ior.ad/93qt
The Qualys Cloud Agent is not meant to be a replacement for scanning. It complements
scanning and provides features like Patch Management and File Integrity Monitoring. It
installs as a thin service on the host’s operating system. It can find almost everything in the
Qualys KnowledgeBase for devices like desktops and endpoint systems.
QIDs with Remote Only Discovery Method in the Qualys KnowledgeBase require a network
connection to detect/confirm the vulnerability. The Cloud Agent cannot create networking
connections back onto the asset to assess every hosted service.
This presents a use case for running a supplemental scan against a Cloud Agent host. It
would be a recommended practice for assets that host networking services. Also, running a
supplemental scan will maximize the KnowledgeBase coverage.
Begin by building a Search List of all QIDs that the Cloud Agent can assess. These can be
defined by creating a dynamic list that selects all the “CA” supported modules.
Cloud Agent host IP addresses need not be added to the subscription. When choosing the
scan target Asset Tag or IP range, use the checkbox to Temporarily add agent addresses. IP
addresses of the agent hosts will be added to the scan job if they are not in the subscription.
You must select internal scanner appliances that can reach the agent IP addresses.
It is recommended to do this type of scan from a Manager account since Cloud Agents
cannot be IP-based scoped to a Scanner user role.
Click the following URL to begin the Scanning Cloud Agents tutorial:
https://ior.ad/93qh
Findings for your scan targets are tracked by a UUID that persists on the host. This UUID is
called the Qualys Host ID.
Accepting the Agent Correlation Identifier will allow the Qualys Platform to
correlate the scan results of Cloud Agent scans (authenticated or
unauthenticated). Your data merging selection determines what happens
with these correlated scan results.
Unified View
Enabling Merge data for a single unified view will result in a single asset
record that includes agent and scan data. By default, the Platform does not
merge scan and agent data; it keeps these separate.
Click the following URL to begin the Agentless Tracking ID and Unified View tutorial:
https://ior.ad/93pH
Most scanning activity will be for vulnerabilities. The use case for a map scan is discovery:
finding what is alive on the network. Since this is only discovery, the scan itself will finish
quickly. It can be used to identify hosts that have stopped responding so that you can purge
their data, or rogue devices that should not be on the target network.
Option Profile
The Map section of the Option Profile holds the preferences for the map scan.
Map Report
The flags displayed in the Map Report are listed below:
• S – this will be displayed for a host if the IP has already been added to your
subscription
• L – this will be displayed for a host if there was a reply to the discovery probes; the
host is ALIVE
• N – this will be displayed for a host if the IP address is in the netblock that you
supplied as the target of the map scan
• A – this is a marker for you to mark devices approved so that on the following map
scan, you will see the A flag for them if they are rediscovered
From the Actions menu, you can add IPs to your subscription, add to Asset Groups, launch
additional scanning, or purge.
The user is accepting the trade-off of less coverage for quicker scanning. By checking the
checkbox, the user permits Qualys to mark previously detected vulnerabilities as closed.
This does not fix the vulnerabilities; the checkbox can only be selected with Light scans.
The previously open findings will be closed if the QID is targeted but not detected or if the
QID cannot be executed because the port is no longer in the list to be scanned. When two
instances of the same vulnerability exist on multiple ports, each is evaluated independently.
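To make the closing rule above concrete, here is a small model of it as an added example; it is my own code, not Qualys logic, and the QID numbers, ports and function names in it are constructed placeholders. Each previously open finding is a (QID, port) pair so that instances on different ports are evaluated independently, exactly as the text states. One assumption is spelled out in the code: a finding whose QID is not targeted by the Light scan is left untouched, since the text describes closing only for QIDs that were targeted or that could not be executed.

```python
"""Model of the Light-scan "close vulnerabilities" status rule.

Added example, not Qualys code. Findings are (qid, port) pairs; port None
models a finding that is not tied to a port. Assumption: a finding whose QID
the Light scan does not target is left as it was.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    qid: int
    port: Optional[int]  # None for findings not associated with a port


def reconcile(previous_open, targeted_qids, scanned_ports, detected):
    """Apply the rule to one host's previously open findings.

    Returns (open_findings, closed_findings). Newly detected findings are
    included in open_findings so the result is the host's full open set.
    """
    open_now, closed = set(), set()
    for f in previous_open:
        if f.qid not in targeted_qids:
            open_now.add(f)  # assumption: not targeted -> status unchanged
        elif f.port is not None and f.port not in scanned_ports:
            closed.add(f)  # QID could not run: port dropped from the port list
        elif f in detected:
            open_now.add(f)  # targeted, port scanned, still detected
        else:
            closed.add(f)  # targeted but not detected
    open_now |= set(detected)  # anything detected this run is open
    return open_now, closed


# Constructed scenario (placeholder QIDs, not real Qualys IDs):
# - 111111 was open on 443 and 8443; the Light scan only covers 443.
# - 222222 is a port-less finding that the scan targets but no longer sees.
# - 333333 on port 22 is not targeted by the Light scan at all.
PREVIOUS_OPEN = {
    Finding(111111, 443),
    Finding(111111, 8443),
    Finding(222222, None),
    Finding(333333, 22),
}
TARGETED_QIDS = {111111, 222222}
SCANNED_PORTS = {80, 443}
DETECTED = {Finding(111111, 443)}


def run_scenario():
    """Return (open, closed) for the constructed scenario."""
    return reconcile(PREVIOUS_OPEN, TARGETED_QIDS, SCANNED_PORTS, DETECTED)


if __name__ == "__main__":
    still_open, closed = run_scenario()
    print("open:  ", sorted((f.qid, f.port) for f in still_open))
    print("closed:", sorted((f.qid, f.port if f.port is not None else -1) for f in closed))
```

In the scenario the 8443 instance is closed because its port left the list while the 443 instance stays open, which is the per-port independence the text describes; the port-less finding is closed because it was targeted and not detected, and the untargeted finding on port 22 is left alone. Whether that last behaviour matches the platform is the assumption to verify before relying on this model.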
If you run Light scans with this option, you should continue to run scans the same way
moving forward. Returning to standard or full port scanning could lead to unexpected
vulnerability statuses or trends. It is not recommended that you run Light scans with this
checkbox selected if you have standardized on full and standard scans in your organization.
This could cause the vulnerability status to change unexpectedly and affect report data.
This feature must be enabled for your subscription. You can contact your account manager
or support to get it.
When enabled, the host will be purged if a change is detected in the host’s operating system
vendor. For example, if the OS changes from Linux to Windows or Debian to Ubuntu. The
host will not be purged for an OS version change from Linux 2.8.13 to Linux 2.9.4.
This feature must be enabled for your subscription. You can contact your account manager
or support to get it.
Common targets of brute force attacks are FTP, SSH, and Windows hosts. The System
checkbox includes levels ranging from Minimal to Exhaustive. Qualys will attempt to guess
the password for each detected login ID on each target host scanned.
Choosing Custom will allow you to configure your own login/password combinations to look
for.
Setting up a specific Option Profile is recommended for checking security hardening. This
will make scans longer. Also, this setting will trigger account lockout policies, which are a
security best practice and are normally in force on assets in a production environment.
Lite OS Scan
Authenticated scans are the best practice. This setting applies to scans running without
authentication where QID 45017 is present.
A scan without authentication cannot accurately determine the exact version of the
operating system. It must rely on fingerprinting methods like banner grabbing or probing
telnet during the information-gathering phase.
This can prevent scan traffic from populating application log files or generating alerts.
Host-Alive Testing
This checkbox allows you to run a quick scan to determine if hosts are alive or dead.
No other scan tests will occur. The use case for this setting is for pay-per-scan customers to
avoid paying to find out that scan targets have connectivity issues.
The checkbox prevents the OS attribute from being overwritten. This is for the specific use
case of switching back and forth between authenticated and unauthenticated scanning.
The use case would be to troubleshoot why a target host takes longer than expected to
finish scanning.
The Manager primary contact will be able to enable Debug Scan for the subscription.
Initiating a Debug Scan when the scanner is fully available is recommended. This will ensure
no overlap with scheduled or on-demand scans. If a scan is scheduled to start while a Debug
Scan is running, it will be queued until the debug finishes. This is so that the appliance’s
operational mode reverts to normal.
A Manager user can enable this feature. Once enabled for the subscription, the duration can
be set in Option Profiles.
You will first want to benchmark your environment and get an expectation of how long
each asset takes to scan. The duration can be set between 30 and 2880 minutes.
Hosts that exceed the duration will be aborted, and no scan results will be available for the
skipped host.
Internal Sites
For your internal assets, the On-prem Scan can populate the CertView app with data. If you
recall, the On-Prem Scan is doing Complete Vulnerability Detection on the Standard port list
with Additional Certificate Detection selected. You will not need a separate CertView Scan
for these internal assets.
You do not add internal sites within the CertView app. Instead, when you add IP addresses
to the subscription, make sure the CertView checkbox is selected. Your On-prem Scans will
populate the CertView app with data about SSL/TLS certificates on these internal IPs.
If you have already added IP addresses, then CertView can be added after the fact using the
Actions button.
External Sites
External asset FQDNs and IP addresses are added in the CertView app.
When adding each IP, you will have the option to add to a weekly scan.
SSL/TLS certificate data will be shown in the Certificates section of CertView. The Quick
Actions menu will have the option to send a renewal request to DigiCert.
The picture reflects a scenario where the scanner is not directly connected to the
10.10.80.0/24 network. This network exists beyond a router that is not the normal gateway;
it is not being advertised, and there is only one way in.
When you edit the scanner appliance in the Qualys Platform, there should be a Static Routes
tab. If you do not see this option, contact support or your account representative to turn on
this function.
You can see the target network is added along with the IP address that can reach the stub
network. This will allow the scanner to reach the 10.10.80.0/24 network.
The newest scanner versions can add up to 4094 static routes. If you use qVSA-2.0.13-1 or
later for the scanner appliance, you can add up to 99 static routes.