1. How do we score the severity of the AM findings?
The results are grouped in three categories: high, medium and low findings.
The scoring is based to a great extent on the CVSS system (e.g. subdomain takeover) with some modifications that allow us to more accurately reflect the real state of security (we do not score findings higher than they really are - if the exploit is no longer available or the attack is getting harder to perform the score is being downgraded).
High level findings:
sensitive information is exposed to the public
the information can be further exploited, e.g. customer’s credentials, passwords
Additionally, the finding allows the hacker to find more exploits in the code.
Medium level findings:
e.g. a complete path to a PHP script is exposed on the server
while this exposure is not highly harmful alone, it can be coupled with other information to be very valuable to a hacker.
Low level findings:
e.g. Potential Subdomain Takeover discovered on Fastly server - if “naked domain” (detectify-demo.com) is claimed, subdomain cannot be taken over (applies specifically to Fastly)
can be more of an informational character - a good step forward is to check to see if you actually own all that domain.
How to read your AM findings
Findings are aggregated on the root asset level.
An aggregated finding represents the occurrence of a vulnerability over time for the asset, as well as allows you to track any regressions (vulnerabilities that have reappeared over time).
Findings are ordered by name, affected asset, start/end date, severity (high/medium/low/information) and status (new, active, patched, false positive).
Patched status: Asset Monitoring runs ca. every 8 hours. If the vulnerability that has been found during some previous scan is patched now (we have not found it in three consequent reports), you will see the “patched” label next to it.
Start date shows the date we found the vulnerability while the end date shows the last time we found it.
If the vulnerability is still being found, you will see the “active” status by it:
Even though a vulnerability has been patched, it can still be reopened again. When can it happen?:
as a result of a systematic issue of how vulnerabilities are patched within your company
fixing one thing opens up another issue (patching one vulnerability can cause a regression on another)
with the new technology and hacking attacks constantly moving forward, what is a great fix one week may no longer hold in another week