
 

IMPLEMENTATION FAQS

 

Who installs the sensor?
The installation takes just a few minutes and can be completed by a RootSecure security analyst/technician or your dedicated IT staff, depending on whether you choose the VM option or physical sensor. Before the installation takes place, RootSecure personnel will review and complete the on-boarding checklist, and will go over any questions/comments/concerns pertaining to the RootSecure installation.

How long does hardware sensor installation take?
Physical installation requires rack mounting the sensor (if applicable) and connecting an Ethernet cable and power cord; the physical process should take only a couple of minutes. Once powered on, the sensor will connect to RootSecure servers within minutes. If you choose the virtual machine (VM) option, installation is just a matter of booting the supplied VM.

Who maintains the sensor?
RootSecure owns the sensor hardware (or VM software instance) provided to enable network discovery of threats and vulnerabilities.  Service (including regular software updates) and warranty of the sensor are maintained by RootSecure. 

Do we need to configure the sensor?
The sensor scans for hosts on its network and begins to scan without configuration. The sensor can easily be configured to scan or ignore any other routable host(s)/network(s), if desired.

What are the physical space and power requirements of the hardware sensor?
The RootSecure hardware is a 1RU rack-mountable server with the following dimensions: 1.7" H x 16.8" W x 14.0" D. It is powered with a 200W low-noise AC power supply with power factor correction (PFC).

Do we need to open a port in the firewall?
No, the RootSecure sensor does not require an open port in the firewall.  All RootSecure sensor connections are outbound to the RootSecure servers.
 
What is a black list?
A blacklist is a list of IP addresses that you explicitly don't want the sensor to scan. Some devices with poorly designed or implemented embedded network stacks (such as printers, consumer-grade WiFi access points, etc.) can be inadvertently triggered to behave in unexpected ways (printing unexpected output, rebooting, etc.) when the scanner runs against that host. Because of the inconvenience this may cause, the scanner can optionally skip these devices. Your RootSecure analyst will work with you to reduce the number of devices on the blacklist, since a malicious attacker could use the same vulnerabilities to further compromise your network.

Can I enable or disable a scan and can I manage the blacklist myself?
Scanning can be disabled and re-enabled on the dashboard under "Sensor Configuration" on the "Config->Sensor Config" page. There are two checkboxes that can be changed: "Host Identification Scans" and "Vulnerability Scanning". Both of these scans need to be enabled for normal operation. If you would like to temporarily disable vulnerability scanning, you can do so; no new scans will be run until it is re-enabled. If you additionally would like to disable host identification scans, you may also do so; however, doing so will result in the dashboard reporting errors after 24 hours.
Additionally, on the "Config->Sensor Config" dashboard page, you can configure which networks to scan and which IPs/networks to blacklist. The format of these fields is a comma-separated list.

Can I export the underlying raw data as a CSV file?
Yes. All data tables/charts can be downloaded to a CSV file. Click on the button labeled "CSV" beside the chart/table you require.

Can I generate a PDF report of my data?
Yes, there are two reports available:

  1. Executive Summary - Includes all the summary data plus details on any risks 9.0 or higher.
  2. Detailed Vulnerability Risk Assessment - Includes all the summary data plus details on all risks 5.0 or higher.

You can download these reports by clicking on the "Executive Summary" or "Risk Assessment" buttons at the top of each dashboard page.

What format do I use to put into the "Sensor Scanning Schedule" and "Blacklist" entry forms?
Both of these fields are a space- or comma-separated list. You can add as many items as you wish; the configuration line wraps in the input box if needed. You can specify multiple IPs by using a "-" range separator in one of the IP octets. For example, 10.0.0.1-3 will expand to 10.0.0.1, 10.0.0.2, 10.0.0.3.

If the "Sensor Scanning Schedule" table is empty, the sensor will scan all hosts on the network it currently has an IP on. If this table is not blank, the scanner attempts to scan only the networks in this field. Note: all entries in this field must be in the CIDR form X.X.X.X/Y. To add a single host, enter it as X.X.X.X/32.

The blacklist can accept individual hosts (no /32 required) or networks in the same CIDR format as above.
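As an added illustration (not part of the original FAQ or the RootSecure product), here is a small Python validator for the entry format described above. It generalizes the FAQ's example slightly by allowing the "-" range in any one octet, applies the /32 rule when asked to check a schedule field, and reports every bad entry rather than stopping at the first; the function names and sample inputs are constructed here.

```python
import ipaddress
import re

# One entry: a dotted quad where any single octet may be a range such as
# "1-3" (the FAQ's 10.0.0.1-3 form), optionally followed by a /Y prefix.
# Constructed from the FAQ's description; the dashboard's own validation
# code is not public.
_OCTET = r"(\d{1,3}(?:-\d{1,3})?)"
_ENTRY_RE = re.compile(r"^" + r"\.".join([_OCTET] * 4) + r"(?:/(\d{1,2}))?$")


def expand_entry(entry):
    """Expand one entry into a list of ip_network objects (hosts become /32)."""
    m = _ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"{entry}: not an IPv4 host, range or CIDR entry")
    octets, prefix = list(m.groups()[:4]), m.group(5)
    ranged = [i for i, o in enumerate(octets) if "-" in o]
    if not ranged:
        # strict=True rejects 10.0.0.1/24 (host bits set) instead of silently
        # accepting a different network than the one that was typed.
        return [ipaddress.ip_network(entry, strict=True)]
    if len(ranged) > 1 or prefix is not None:
        raise ValueError(f"{entry}: a range may appear in one octet only, without /Y")
    lo, hi = (int(x) for x in octets[ranged[0]].split("-"))
    if lo > hi:
        raise ValueError(f"{entry}: range start is greater than range end")
    hosts = []
    for value in range(lo, hi + 1):
        octets[ranged[0]] = str(value)
        hosts.append(ipaddress.ip_network(".".join(octets)))  # raises on octets > 255
    return hosts


def parse_field(text, require_cidr=False):
    """Parse a whole field into (networks, errors) instead of stopping at the
    first bad entry.  require_cidr=True applies the "Sensor Scanning Schedule"
    rule that a plain host must be written X.X.X.X/32; ranges expand to hosts."""
    networks, errors = [], []
    for entry in filter(None, re.split(r"[\s,]+", text.strip())):
        if require_cidr and "/" not in entry and "-" not in entry:
            errors.append(f"{entry}: schedule entries need X.X.X.X/Y (use /32 for one host)")
            continue
        try:
            networks.extend(expand_entry(entry))
        except ValueError as exc:
            errors.append(str(exc))
    return networks, errors


if __name__ == "__main__":
    nets, errs = parse_field("10.0.0.1-3, 192.168.5.0/24 172.16.0.9")
    print([str(n) for n in nets], errs)
```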


Can I add another user for my company?
Yes. To add another user, click on "Config"->"User Config". On the dashboard, enter the appropriate data and click on "Create User". You can additionally disable/delete users via this interface. Company Admin or Security Analyst permissions are required to access User Config.

Can I restrict other users to only see certain parts of my data?
There are two user roles that determine the level of access: User and Sub-Tenant. A "User" role can see all the same data as the Company Administrator account, whereas a "Sub-Tenant" role can be restricted to only see the data for the networks/hosts listed in the "Network Restrictions" field. This field uses the same comma-separated format as the "Blacklist" input field.

Can I slice the data up and report on just a sub-set of hosts?
Yes, you can restrict the dashboard's reporting to only a network or a set of hosts by entering a comma or space separated list of hosts and networks (same format as the blacklist field) into the "Netfilter" field in the "Tools" menu and clicking on the "Update" button. This filter will apply to the whole dashboard as well as any PDF generated reports. To clear the filter, remove all entries from the "Netfilter" field and click on the "Update" button.

 

 

SCANNING FAQS

 

When RootSecure is performing scans, what data is being retrieved from the network?
By design, customer-identifying information is not sent out of the customer's network. Each sensor is provisioned with a globally unique identifier (GUID). The customer-to-GUID mapping is stored within RootSecure's secure network.

What devices are scanned on the network?
By default, the sensor scans all devices on the same network subnet as the IP/mask with which it is provisioned. Additional devices, if reachable via a gateway, can be scanned by the sensor by contacting RootSecure and having your sensor configured remotely to do so.

How frequently are scans completed on the network?
The frequency of scanning for a given host depends on a number of factors, including the uptime of the host, the number of hosts (and their uptime) on the network, and the hardware of the sensor. Each host on the network should be scanned at a minimum once per day, and we recommend each host be scanned daily. Additional sensors may be required depending on the network size and complexity.

Can I have multiple sensors for different parts of my network?
Yes, you can deploy multiple sensors to scan separate parts of your network (for example, a co-lo or remote office) which do not have direct connectivity, or which you otherwise don't want to scan from the main sensor's location. All of your company's sensors' data is presented as a single unified view when you log in to the RootSecure Dashboard. If you would like to create users or ad-hoc views of specific sections of your network, see the implementation FAQs "Can I restrict other users to only see certain parts of my data?" and "Can I slice the data up and report on just a sub-set of hosts?"

What does the "impact" of a risk mean?
The impact field describes the most likely impact an attacker can achieve by exploiting the identified vulnerability. The following are the currently defined impacts:


What is the "Risks by Severity" chart?
This chart is intended to convey two key pieces of information: how your risks are most easily mitigated and how severe those risks are. Critical risks (e.g. Active Breach Indicators) are red, High risks (e.g. Risk Score > 7.0) are orange, and Medium risks (e.g. Risk Score between 4 and 7) are grey. Since they are first presented in order by risk type, your chart may have two items of the same color side-by-side.

 

 

OPERATIONAL FAQS

 

What role does the Security Analyst perform and how can they help my organization?
The security analyst's role is to triage new vulnerabilities, review unexpected logs from firewalls, and review incoming cyber security alerts from US-CERT and the Canadian Government's Cyber Security Bulletins. Significant detected threats will be brought to your attention by RootSecure.

How do we know if we have an intruder or an exploit?
RootSecure is not an intrusion detection system (IDS). RootSecure is a proactive solution to reduce your risk from intruders and threats. The Action list is kept up to date with the latest detected risks, and the solution will notify you of severe threats.
Unexpected firewall logs showing connections to Tor networks (and, in an upcoming release, to malware/botnet command-and-control hosts) indicate a likely exploit in progress.

What kind of alerts are available?
E-mail alerts of new risks are configurable via the dashboard, in addition to security analyst notifications.

Is your solution encrypted?
All data transferred between the sensor and the RootSecure servers is encrypted, as is all data transferred between the RootSecure servers and your browser when viewing the dashboard.

Do customers require training to use RootSecure?
The solution has been designed to require little to no training. During the on-boarding process, RootSecure personnel will provide an overview for staff members.

How is the company risk score calculated?
Each vulnerability identified is categorized into specific types: Data Leak, Password, or Patch Exploit. Each type of vulnerability can be exploited in various ways by various tools. As each vulnerability is identified, a CVSSv2/v3 score is calculated and added to the risk model.

The individual risk score of each category is calculated using a weighted average of the identified vulnerabilities for the hosts within the network. A weighted average is used to ensure many low-risk vulnerabilities don't obscure a high-risk vulnerability. Similarly to how the overall risk is calculated, as each node is aggregated in the risk tree, the highest risk score of the nodes beneath it is used to determine that node's overall risk.

What is a CVSSv2 Score?
The Common Vulnerability Scoring System version 2 (CVSSv2) provides an open framework for communicating the impacts of network vulnerabilities. Specifically, the CVSSv2 score provides an objective metric which can be used to prioritize vulnerabilities such that the highest risk vulnerabilities can be remediated first.

The National Institute of Standards and Technology (NIST) provides a National Vulnerability Database (NVD) sponsored by the United States Department of Homeland Security (DHS). The NVD contains and is updated in real-time with Common Vulnerabilities and Exposures (CVEs). Each CVE provides details about a known network vulnerability, including a CVSSv2 score.

Why a Risk Target of 4?
Risk is something that can never be totally eliminated, only reduced. In order to ensure resources are spent effectively, the highest risk vulnerabilities should be mitigated first and the lower risk vulnerabilities mitigated last (or by the law of diminishing returns potentially not at all).

The CVSSv2 specification includes a high-level categorization into three severities: Low (less than 3.9), Medium (between 4 and 6.9), and High (between 7 and 10). Industry studies show a high correlation between time to exploit and incidents of exploitation for High severity CVEs. Thus, for an effective mitigation and prioritization strategy, all High severity CVEs should be addressed with the highest possible urgency.
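To make the risk model concrete, this added Python example (not RootSecure's code) aggregates a small constructed risk tree the way "How is the company risk score calculated?" describes, then maps the result onto the CVSSv2 bands and the Risk Target of 4 from the answers just above: each category node takes a weighted average of its findings, and every node above it takes the highest risk beneath it. The FAQ does not state the weights, so weighting each finding by its own score is an assumption made here, as are the node and function names.

```python
from dataclasses import dataclass, field

RISK_TARGET = 4.0  # the dashboard's target, per "Why a Risk Target of 4?"
# CVSSv2 bands as the FAQ states them: High 7-10, Medium 4-6.9, else Low.
CVSS_BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))

def severity(score):
    """Map a 0-10 score onto its CVSSv2 severity band."""
    return next(label for floor, label in CVSS_BANDS if score >= floor)

def weighted_score(findings):
    """Weighted average of one category's CVSS findings.  Assumed weighting
    (the FAQ says 'weighted' without giving weights): each finding is weighted
    by its own score, sum(s*s)/sum(s), so a single 9.3 is not buried by 2.1s."""
    if not findings:
        return 0.0
    return round(sum(s * s for s in findings) / sum(findings), 1)

@dataclass
class Node:
    """Risk-tree node: company -> host -> category -> CVSS findings."""
    name: str
    findings: list = field(default_factory=list)   # only category nodes
    children: list = field(default_factory=list)

    def risk(self):
        # A category averages its findings; every node above it takes the
        # highest risk of the nodes beneath it, as the FAQ describes.
        if self.findings:
            return weighted_score(self.findings)
        return max((child.risk() for child in self.children), default=0.0)

def demo_tree():
    """Constructed sample findings, not real scan output."""
    host_a = Node("host-a", children=[
        Node("Patch Exploit", findings=[2.1, 2.1, 2.1, 2.1, 9.3]),
        Node("Password", findings=[3.0]),
    ])
    host_b = Node("host-b", children=[Node("Data Leak", findings=[4.4, 5.0])])
    return Node("company", children=[host_a, host_b])

def report(tree):
    """Overall score, its band, and whether it still exceeds the target."""
    score = tree.risk()
    return {"score": score, "severity": severity(score), "above_target": score > RISK_TARGET}

if __name__ == "__main__":
    patch = [2.1, 2.1, 2.1, 2.1, 9.3]  # plain mean 3.5 (under target) vs weighted 5.9
    print(round(sum(patch) / len(patch), 1), weighted_score(patch), report(demo_tree()))
```

The plain mean of the Patch Exploit findings would sit under the target of 4 and hide the 9.3; the weighted score and the max-up-the-tree rule keep the company score at 5.9.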

What types of threat feeds do you use and how do they increase security?
When the RootSecure sensor is receiving firewall logs, these logs are analyzed against IP and URL reputation databases to determine whether any traffic on your network is communicating with a known malicious host on the internet. Identifying this communication helps to identify any compromised/infected hosts and/or high-risk users within your network.
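As an added example of the kind of analysis described above (not RootSecure's implementation), this Python snippet matches constructed firewall log lines against a constructed IP reputation list and groups the hits by internal source host; the log format, the reputation entries and the function names are all assumptions made here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed reputation data for the example, not a real feed: two single
# hosts and one range, all from documentation address space.
BAD_IPS = {"203.0.113.7", "198.51.100.23"}
BAD_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed firewall records in a simple key=value style.  Real exports
# (pfSense, iptables, vendor syslog) differ; adapt LINE_RE to your source.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 action=allow src=10.0.0.12 dst=203.0.113.7 dport=443
2024-05-01T10:00:05 action=allow src=10.0.0.12 dst=203.0.113.200 dport=443
2024-05-01T10:01:09 action=allow src=10.0.0.40 dst=192.0.2.99 dport=9001
2024-05-01T10:02:30 action=block src=10.0.0.40 dst=198.51.100.23 dport=80
this line is not a firewall record and is skipped
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def is_bad(ip_text):
    """True if the address is listed directly or falls inside a listed range."""
    ip = ipaddress.ip_address(ip_text)
    return ip_text in BAD_IPS or any(ip in net for net in BAD_NETS)


def find_suspect_hosts(log_text):
    """Return {internal src: [(dst, dport, action), ...]} for every record whose
    destination is on the reputation list.  Blocked attempts are kept too: a
    host that tried to reach a known-bad address still needs a look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the batch
        if is_bad(m["dst"]):
            hits[m["src"]].append((m["dst"], int(m["dport"]), m["action"]))
    return dict(hits)


if __name__ == "__main__":
    for src, conns in find_suspect_hosts(SAMPLE_LOGS).items():
        print(src, conns)
```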

How can I schedule scans?
On the dashboard's Config->Sensor Config page, scroll to the "Sensor Scanning Schedule" section, where you can add/delete scheduled targets. To add a new target, enter a comma-separated list of IP addresses or networks in CIDR format. Select a daily, weekly, or monthly schedule and enter the appropriate day of the week or day of the month and the specific time to schedule the scan, then click on "Create Scheduled Scan".

Note: hosts which match a scheduled target are only scanned at the scheduled time; the sensor will not scan them as part of its regular scanning queue.


How can I force the sensor to scan a host "Right Now"?
On the Risks page, you can force a scan of a specific host by clicking on the "Rescan" button. This will schedule an immediate scan for all vulnerabilities on that host, not just for the issue identified.

How can I stop all scanning?
On the dashboard's Config->Sensor Config page, in the "Sensor Configuration" section, click the "Stop All Scanning Now" button. This sends a message to the sensor which both disables all future scanning, and terminates all the existing scanning processes.

How can I see what scans are currently occurring and what scans are upcoming?
On the dashboard's Config->Sensor Config page, scroll to the "Sensor Scanning Queue" section where you can view the latest update from the sensor as to what hosts it is currently scanning and what hosts are upcoming.

Why did my vulnerability state change to "Validation Unsuccessful"?
When a user marks an issue as "Fixed, Waiting Validation" and a subsequent scan of that host still detects the same issue, the system will move the state of that issue to "Validation Unsuccessful". This has been implemented to help users know whether their changes were successful in mitigating a specific vulnerability.

How can I dismiss Security Analyst Notifications?
On the Risks page, if you have received any Security Analyst notifications, they will now show up in the "Support Notifications" section. You can click on the notification for more details and choose to dismiss the notification by clicking on the "Dismiss" button.

 

 

VULNERABILITY FAQS

 

What is a vulnerability?
A vulnerability is an 'issue' within the software, operating system, or service that is exploitable.

What is a zero-day vulnerability?
A zero-day vulnerability is one that is exploited by hackers or third parties before the vendor has determined a solution to the problem.

What is a vulnerability assessment?
A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

What is a penetration test?
A penetration test (also referred to as a pentest) is a proactive simulated network attack on a networked computer system that specifically looks for security vulnerabilities. RootSecure uses the tools used by professional penetration testers to automate penetration tests so that vulnerability assessment scans are performed on a continual basis.

If we repair a vulnerability will it reflect in our score? How long will it take to reflect in our score?
Yes. As soon as the sensor next scans that host and the vulnerability is no longer detected, the reports should clear the device of that vulnerability.