Glossary Terms - User Guide - 1.0 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse User Guide

Product
Cortex XPANSE
Version
1.0
Creation date
2022-08-25
Last date published
2024-03-26
End_of_Life
EoL
Category
User Guide
Abstract

Glossary of different terms important to understanding Cortex Xpanse Expander.

  • Annotation—Annotation is the addition of text comments to add context to assets. There are three types of asset annotation: tags, points of contact, and notes.

  • API—Cortex Xpanse provides customers with an API (Application Programming Interface) for retrieving Cortex Xpanse Expander information. For more information, see APIs and Integrations.

  • API Endpoint—The Cortex Xpanse Expander API exposes several RESTful endpoints to customers. For more information, see APIs and Integrations.

  • ASN—An autonomous system number (ASN) uniquely identifies each network on the Internet. An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain. An ISP may operate multiple ASes, and each must have an officially registered autonomous system number (ASN). A unique ASN is allocated to each AS for use in BGP routing.

  • Asset—An asset is an IP address, certificate, or domain residing on-premise or in the Cloud.

  • BACnet—BACnet is a building automation and control network protocol generally associated with enterprise heating, air conditioning, and refrigeration systems. Unauthorized access to BACnet systems could allow an attacker to control critical temperature and air flow systems such as data center HVACs and could cause harm to critical infrastructure servers and other network equipment.

  • Business Unit—A Business Unit is a designation to classify assets. Cortex Xpanse Expander tracks business units as a means to identify owning organizations of these assets. Business unit tagging becomes extremely important when an organization has subsidiaries and groups established through M&A activities. To define business units, work with your TAM.

  • Certificate—Certificates (also known as digital or public key certificates) are used when establishing encrypted communication channels to identify and authenticate a trusted party. Certificates are most commonly used for SSL/TLS, HTTPS, FTPS, SSH, and VPN connections; the single most common use is HTTPS-based web sites, where the certificate allows a web browser to validate that an HTTPS web server is an authentic web site. Cortex Xpanse tracks the following information for each certificate: Issuer, Issuer Country, Issuer Organization, Issuer State, Public key, Public Key Algorithm, Subject, Subject Alternative Names, Subject Organization, Subject Country, Subject State, and several “crypto health” checks.

  • Common Name—Common Name is a standard field on SSL/TLS certificates. It is typically composed of Host & Domain Name, often looking like yourco.com or “yourco.com.” Cortex Xpanse uses the common name field as one of the means to attribute assets to an organization.

  • Cloud—From the Cortex Xpanse perspective, the cloud refers to assets that are not running on-prem. This includes Cloud Service Providers, CDNs, consumer dynamic IP space (Comcast, AT&T), and others. According to NIST, cloud computing has five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and metered service. Cloud computing typically encompasses three broad types of services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Cortex Xpanse tracks all IaaS assets and can identify some assets in PaaS and SaaS.

  • Cloud IP—Cortex Xpanse Expander displays specific IP addresses attributed to cloud providers either because your organization’s certificate was advertised on a cloud provider IP address or because your organization’s domain resolves to the cloud provider IP address space.

  • Cloud Domain—Cloud domains are domains attributed to an organization that resolve to cloud provider IP address space.

  • CMDB—A configuration management database (CMDB) is the central repository of asset information for most organizations. Cortex Xpanse provides multiple means to integrate with CMDBs. For more information, see APIs and Integrations.

  • Critical—Cortex Xpanse classifies exposures into three categories: critical, warning, and routine. A critical exposure is a responsive protocol that should never connect to the public Internet. Investigate critical exposures ASAP.

  • Crypto Health—Crypto health is a general term referring to the overall configuration and status of crypto-related factors. Cortex Xpanse automatically tracks several “crypto health” checks for certificates, including whether the certificate is self-signed, a wildcard, domain control validated, or expired when scanned, as well as its public key bits and signature algorithm.

  • Current—When working with exposures, Cortex Expander provides a time period filter. The Time period selector determines the date range over which exposures are observed. Selecting “Current” displays (in Map or Table view) the currently active exposures at your network edge. Adjusting the time period displays all active exposures over the selected timeframe. "Current" is defined as observed in the last 3 days for customers who are on daily targeted scans, and as last 10 days for customers who are not. See the Data section for more information on scanning cadence.

  • Development Environment—Development environments are web services that appear to be a testing or staging environment. Cortex Expander infers development servers based on terms in the dev environment's certificate or domain like “test” or “UAT.” Development, staging, and test environments are often not maintained to the same security standards as production infrastructure, yet may still hold sensitive data. These sites may also hold sensitive software code and configurations that could improve an adversary's ability to target the production environment. Such environments generally should not be available from outside the corporate network unless there is a compelling business reason.

  • Domain—In general, a domain name identifies a network domain following the rules and procedures of the Domain Name System (DNS). Cortex Xpanse gets its domains and DNS data from a combination of active and passive global collection techniques. Operators can find domain information in multiple locations in the Cortex Xpanse Expander user interface. For example, the hostname on the IP modal for many exposures indicates the domain. Also, domains display on the cloud domain assets view.

  • Ethernet/IP—EtherNet/IP is a protocol used in the configuration and automation of industrial control systems. EtherNet/IP can be used to gather information about critical control systems or to reconfigure control systems, and should never be accessible to the general public.

  • Exposure—An exposure is a service or configuration of a service that is publicly accessible on a customer’s network edge with an associated severity level—critical, warning, or routine.

  • Flow—A flow is a directional movement of IP data across the Internet. Cortex Xpanse obtains flow data via multiple relationships with Tier 1 ISPs. Through these relationships, Cortex Xpanse has access to a sample of approximately 80% of global flows.

  • GeoIP—GeoIP data correlates an IP address with a physical (geographic) location. Cortex Xpanse geolocation data for responsive IPs are collected from the best commercially available geolocation data source and displayed at the highest level of granularity that we receive for a given IP. GeoIP data collection lets Cortex Xpanse customers confirm that their representation of their network distribution is consistent with what they believe their global footprint to be. GeoIP data is especially important for security organizations to identify compliance violations (e.g., data residing in restricted locations) and drive efficient remediations: infrastructure location, who owns the asset, and where to route notifications.

  • IP address—An Internet Protocol (IP) address is a numerical label assigned to network-connected devices (physical and virtual). Cortex Xpanse currently tracks IP version 4 (IPv4) addresses.

  • IP Modal—The IP modal displays detailed information about an exposure. The IP Modal displays timeline changes, exposure details, additional information, and remediation information.

  • IP Registration—An IP range is attributed by registration when its registry record mentions your organization. Cortex Xpanse pulls from all regional internet registry databases, including ARIN, RIPE, APNIC, LACNIC, and AFRINIC.

  • Leaked Internal IP—Internal IPs are for internal routing, and when Cortex Xpanse observes an internal IP address, this is a possible indication that the device is internal and not meant to be public facing. Leaked internal IP addresses also give adversaries targeting information. Cortex Xpanse recommends removing any leaked internal IPs so they are not externally visible.

  • Memcached—Memcached is a free and open source distributed memory caching system. Like a database, a Memcached instance potentially contains private information, and therefore should not be externally accessible.

  • Modbus—Modbus TCP is an industry-standard communication protocol for connecting industrial electronic devices over Ethernet. Some industrial devices control critical and valuable assets, yet rarely have much in the way of application-level security. Modbus TCP has no built-in security systems, making it extremely vulnerable. Modbus devices should only be accessible by devices on the same local network.

  • MSSQL—Microsoft SQL (MSSQL) Server is Microsoft’s enterprise relational database management system. MSSQL servers (indeed, SQL servers of any kind) should not be publicly accessible over the internet, as they are vulnerable to a variety of documented exploits.

  • MySQL—MySQL is an Open Source relational database management system that is maintained by Oracle Corporation. MySQL servers should not be publicly accessible over the internet.

  • NetBIOS Name—NetBIOS name servers provide name resolution on local networks. Externally-accessible NetBIOS servers pose a significant security risk, as they leak information about users, hostnames, internal IP addresses, services, and operating systems on a local network.

  • On-premise—On-premise refers to an organization’s assets that reside at organization owned or leased facilities.

  • Open port—An open port is a responsive port but not one that is necessarily running a service. When Cortex Xpanse scans a device, we validate the protocol response to verify the service running on the device. For example, we do not assume that an open port 23 is running Telnet. We conduct a full protocol handshake to verify that Telnet is running. By verifying service, Cortex Xpanse virtually eliminates false positives for protocols.

  • Payload—Payload refers to the handshake and associated data Cortex Xpanse uses when scanning a port. Payloads attempt to establish a full protocol handshake with the destination IP address. This process results in higher confidence findings.

  • Port—TCP and UDP use port numbers to identify sending and receiving application endpoints on a host. Each side of a TCP connection has an associated 16-bit unsigned port number (0-65535) reserved by the sending or receiving application.

  • Port-Protocol Pair—Cortex Xpanse’s Internet Sensing platform detects protocol-validated services on the IPv4 space of the Internet through a series of specialized payloads that target specific port-protocol pairs.

  • Protocol—Protocol refers to the transport layer protocols TCP and UDP. The protocol defines the rules of communication and can be either connection-oriented (TCP) or connectionless (UDP). Cortex Xpanse discovers and tracks 30+ protocols. The most common protocols include FTP, HTTP, HTTPS, POP3, IMAP, SSL, Telnet, RDP, SIP, and DNS.

  • RDP—Remote Desktop Protocol (RDP) servers provide remote access to a computer over a network connection. Externally accessible RDP servers pose a significant security risk as they are frequent targets by attackers and are vulnerable to a variety of documented exploits.

  • Remediation Status—Users assign remediation status to exposures. Expander provides six levels of remediation status to facilitate remediation workflow: None, Investigating, Investigated, Remediation-in-progress, Remediation check, and Resolved.

  • Routine—Cortex Xpanse classifies exposures into three categories: critical, warning, and routine. Routine exposures are informational.

  • Serial Number—Serial numbers are unique identifiers for certificates issued by a Certificate Authority (CA).

  • SIEM—Security Information and Event Management (SIEM) system. Cortex Xpanse provides multiple options to integrate with on-premise and cloud-based SIEMs. For more information, see APIs and Integrations.

  • SIP—Session Initiation Protocol (SIP) is a protocol that is generally used in Voice over IP systems. Early SIP systems only used 40-bit encryption and were subject to call hijacking and MITM attacks. More recent implementations generally use 128-bit encryption by default. The SipVicious suite of tools makes exposed SIP systems easier to attack when found. Best practice is to keep SIP systems behind a firewall or reachable only through a VPN; if SIP must be exposed to the Internet, then high-entropy passwords, a lockout policy, and traffic inspection are recommended.

  • SMB—The Server Message Block (SMB) protocol provides remote computers access to local files, printers, and other exposures. Attackers can use SMB access to pivot to other internal systems, and they may maintain silent access for long periods of time.

  • SNMP—The Simple Network Management Protocol (SNMP) provides software version and configuration information for network devices. The information provided over SNMP can be particularly valuable to attackers, so devices should not respond to SNMP requests from the global Internet.

  • SSO—Single sign-on (SSO) is the ability to access multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to any of several related systems. Expander supports single sign-on (SSO) to integrate with enterprise identity services. With this feature, users can use their organization’s credentials for sign-on to Cortex Xpanse Expander.

  • Tag—A tag is an asset annotation. Tags are used to help add context to assets. For example, users can tag an asset as belonging to a specific data center, or tag it as “PCI” or “HIPAA” to denote privacy protection requirements.

  • Telnet—Telnet provides unencrypted remote shell access. The presence of externally-accessible Telnet servers poses significant risk of data and credential loss if they are in use.

  • Unencrypted FTP—Without adequate encryption, FTP data is at risk of compromise, theft, and more.

  • UPnP—The Universal Plug and Play protocol allows devices to export services. Certain UPnP libraries are known to be vulnerable to public exploits. UPnP devices should only be accessible by devices on the same local area network, not by hosts on the public internet.

  • Valid Not Before, Valid Not After—Certificates have a lifespan. The not-before date is the earliest date and time at which the certificate is valid. Typically, this is set a few hours after issuing to avoid any issues with distribution. The not-after date is the date on which the certificate is no longer valid. Unlike food expiration dates, this one is absolute: never use a certificate past its not-after date.
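The Crypto Health and Valid Not Before/Valid Not After entries above together describe the checks Cortex Xpanse runs on a certificate: self-signed, wildcard, expired when scanned, public key bits and signature algorithm, plus the validity window. The script below is an added example, not Cortex Xpanse code, showing how a defender can evaluate those same checks against the certificate fields the glossary lists. The record layout, the sample certificates and the thresholds (2048-bit RSA, 256-bit EC, MD5/SHA-1 signatures flagged) are assumptions made for this example; the glossary names the checks but does not publish the product's cut-offs, and the "domain control validated" check is left out because it is not inferable from these fields.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Thresholds are assumptions for this example; the glossary names the checks
# but does not publish Cortex Xpanse's actual cut-offs.
MIN_PUBLIC_KEY_BITS = {"RSA": 2048, "EC": 256}
WEAK_SIGNATURE_ALGORITHMS = {"md5withrsaencryption", "sha1withrsaencryption"}


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp (certificate dates are in UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class CertificateRecord:
    """Certificate fields in the shape the glossary lists, as plain values.
    Subject and issuer are 'CN=..., O=..., C=...' distinguished-name strings."""
    subject: str
    issuer: str
    subject_alternative_names: list[str]
    public_key_algorithm: str
    public_key_bits: int
    signature_algorithm: str
    valid_not_before: datetime
    valid_not_after: datetime


def common_name(distinguished_name: str) -> str:
    """Pull the CN attribute out of a distinguished-name string."""
    for part in distinguished_name.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.strip()
    return ""


def crypto_health(cert: CertificateRecord, scanned_at: datetime) -> list[str]:
    """Return the names of the crypto-health checks the certificate fails."""
    findings: list[str] = []

    # Self-signed: the certificate vouches for itself (issuer DN == subject DN).
    if cert.issuer.strip() == cert.subject.strip():
        findings.append("self-signed")

    # Wildcard: a '*.' label in the CN or any SAN covers every host under it.
    names = [common_name(cert.subject)] + cert.subject_alternative_names
    if any(name.startswith("*.") for name in names):
        findings.append("wildcard")

    # Validity window: the scan time must fall inside [not before, not after].
    if scanned_at < cert.valid_not_before:
        findings.append("not yet valid when scanned")
    elif scanned_at > cert.valid_not_after:
        findings.append("expired when scanned")

    # Public key bits: compare against the assumed minimum for the algorithm.
    minimum = MIN_PUBLIC_KEY_BITS.get(cert.public_key_algorithm.upper())
    if minimum is not None and cert.public_key_bits < minimum:
        findings.append("weak public key bits")

    # Signature algorithm: MD5 and SHA-1 signatures are no longer trusted.
    if cert.signature_algorithm.lower() in WEAK_SIGNATURE_ALGORITHMS:
        findings.append("weak signature algorithm")

    return findings


def days_until_expiry(cert: CertificateRecord, now: datetime) -> int:
    """Whole days left before the not-after date (negative once expired)."""
    return (cert.valid_not_after - now).days


# Constructed sample records for this example (not real certificates).
SCAN_TIME = utc(2024, 6, 1)

HEALTHY_CERT = CertificateRecord(
    subject="CN=www.example.com, O=Example Corp, C=US",
    issuer="CN=Example Issuing CA, O=Example Trust Services, C=US",
    subject_alternative_names=["www.example.com", "example.com"],
    public_key_algorithm="RSA",
    public_key_bits=2048,
    signature_algorithm="sha256WithRSAEncryption",
    valid_not_before=utc(2024, 1, 1),
    valid_not_after=utc(2025, 1, 1),
)

UNHEALTHY_CERT = CertificateRecord(
    subject="CN=*.corp.example, O=Example Corp, C=US",
    issuer="CN=*.corp.example, O=Example Corp, C=US",
    subject_alternative_names=["*.corp.example"],
    public_key_algorithm="RSA",
    public_key_bits=1024,
    signature_algorithm="sha1WithRSAEncryption",
    valid_not_before=utc(2021, 1, 1),
    valid_not_after=utc(2022, 1, 1),
)

if __name__ == "__main__":
    for label, cert in (("healthy", HEALTHY_CERT), ("unhealthy", UNHEALTHY_CERT)):
        print(label, crypto_health(cert, SCAN_TIME) or ["no findings"],
              "expires in", days_until_expiry(cert, SCAN_TIME), "days")
```

Run as a script it reports no findings for the first record and all five for the second. The scan time is passed in explicitly rather than taken from the clock so that "expired when scanned" is reproducible and so the same function can be replayed against historical scan dates.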

  • Version—Version most often applies to a software release. Cortex Xpanse tracks versions for multiple items, including BIND, SIP servers, web server software, and cipher suites.

  • VNC servers—Virtual Network Computing (VNC) is a graphical remote-access system. In corporate environments, Remote Desktop, SSH, or other solutions should be used instead, so a VNC exposure may be a misconfiguration or an unauthorized installation.

  • VxWorks—VxWorks is an embedded operating system deployed on a variety of devices. VxWorks devices are rarely intentionally exposed to the public internet.

  • Warning—Cortex Xpanse classifies exposures into three categories: critical, warning, and routine. A warning exposure is an indication of misconfiguration that could pose a risk. For example, self-signed certificates, unencrypted logins, and leaked internal IP addresses. Internal IPs are for internal routing, and when Cortex Xpanse observes an internal IP address, this is a possible indication that the device is internal and not intended to be public facing. Leaked internal IP addresses also give adversaries targeting information. Cortex Xpanse recommends removing any leaked internal IPs, so they are not externally visible.