Laboratorios VM Qualys 2

7/17/2019 Laboratorios VM Qualys 2 (page 1/83)

Vulnerability Management Training Labs


All Material contained herein is the Intellectual Property of Qualys and cannot be reproduced in any way, or stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the express written consent of Qualys, Inc.

Please be advised that all labs and tests are to be conducted within the parameters outlined within the text. The use of other domains or IP addresses is prohibited.


Contents

Introduction ... 4
Prerequisites/System Requirements ... 4
LAB 1: Account Setup (15 min.) ... 5
    Add Initial Assets to Your Account ... 8
    Personalize Your Account ... 11
    Context Sensitive Help/Online Manual ... 13
LAB 2: KnowledgeBase Search List (30 min.) ... 15
LAB 3: Mapping (30 min.) ... 19
    Mapping Targets ... 19
    Add Mapping Target ... 20
    View and Use Map Results ... 22
    Additional Exercises ... 26
LAB 4: Asset Management (30 min.) ... 29
    Asset Group ... 30
    Asset Tag ... 37
    Asset Management Application ... 39
LAB 5: Vulnerability Scan (30 min.) ... 46
    Trusted Scanning ... 47
    Additional Exercises ... 53
LAB 6: Reporting (30 min.) ... 55
    Additional Exercises ... 65
LAB 7: User Management (10 min.) ... 69
    Create User Account ... 69
LAB 8: Remediation (15 min.) ... 71
A Final Note Account Setup ... 73
Contacting Support ... 79


Introduction

The Vulnerability Management application will provide you and your organization with the tools and features needed to successfully manage and mitigate vulnerabilities. When you complete all of the exercises in this lab document you will be able to:

1. Map the Network
2. Manage Host Assets
3. Scan the Network
4. Report on Scans
5. Manage User Accounts
6. Remediate Risk

Please do not skip any of the required lab exercise steps, as they will be needed to complete other lab exercises later. Some labs contain a section called Additional Exercises that can be performed any time, at your own convenience.

Prerequisites/System Requirements

To perform the exercises in this lab, you will need:

1. Qualys Account
2. Web Browser
   - Internet Explorer 9, 10, 11, or greater
   - Mozilla Firefox (latest version from stable release channel)
   - Google Chrome (latest version from stable release channel)
   - Safari (latest version)
3. Java Browser Plug-in
4. Adobe Acrobat Reader or comparable

Tip: Your browser's Pop-up Blocking configuration can interfere with the proper functioning of the Qualys User Interface. Please modify the settings of your Web browser to:

1. Allow all pop-ups (less secure), or
2. Allow pop-ups from qualys.com (more secure)


LAB 1: Account Setup (15 min.)

This lab will address a few steps needed to set up your Qualys user account and the Vulnerability Management application. These steps will make it possible to complete the remaining lab exercises in this document.

Login to Qualys

Your Qualys instructor will provide you with a URL to download your demo account credentials.

1. Download and then open the demo account file provided to you by your Qualys instructor.
2. Record the USERNAME from this document (ex. Quays2qq32) and save it in a safe place (e.g., text document or password manager). Notice that the period at the end of the sentence is NOT actually a part of the USERNAME.
3. Click the ONE TIME link to collect your password and complete the login process.


4. Record the PASSWORD from this document (ex. GL81uSwYGe) and save it in a safe place (e.g., text document or password manager).
5. Use the link provided in the password document to login and activate your Qualys demo account.

The First Login window displays your default user information.

6. Leave the Country field set to Antarctica (this will facilitate access to the targets used in this lab).
7. Select the check box to accept the Service User Agreement and click the I Agree button.


A pop-up window will list the features and benefits provided by the New Data Security Model:

The New Data Security Model (NDSM) combines high performance disk encryption with Virtual Private Database (VPD) technology to ensure that your data is only visible and accessible to authorized users (i.e., users within your account subscription) that have valid authentication credentials.

The NDSM also provides advanced productivity and detection features:

8. Click the Enable Now button.

Quick Start Guide

A successful login will display the Qualys Welcome screen and Quick Start Guide.

Although the Quick Start steps will not be used in this lab, you can always display these steps again by clicking on your Qualys User ID (to the right of the Help button) and selecting the Quick Start Guide option.


Add Initial Assets to Your Account

The next few steps will add some initial host assets to your account.

Host Tracking

Three basic methods are available for tracking the vulnerability history of each host within your subscription:

- Host IP Address
- Host DNS Name
- Host NetBIOS Name

The objective is to choose the tracking method for each host that provides the greatest consistency over time (i.e., the tracking method that does not change).

DNS Tracked Hosts

1. Use your mouse to navigate to 1) the Assets section, and then click on 2) the Host Assets tab.
2. Click the New button, and select the option to track each host by its DNS name. Tracking by DNS name will maintain host history data even if the IP address changes.


3. Click the Host IPs section (left navigation pane) and type the following IP address range into the IPs: field: 64.39.106.244-64.39.106.247 (DO NOT USE COPY AND PASTE).
4. Click the Add button, to add all four IP addresses to your account.

Important Notice about your student account

Using your student account, you have permission to scan only the demo IP addresses (up to ten) identified in this lab document. You do not have permission to scan any other IP addresses and/or web applications using your student account.

5. Click the OK button to acknowledge your scanning permission.

Best Practice - Before you start scanning with Qualys, always be sure to get approval to scan IP addresses and/or web applications. It is your responsibility to obtain this approval.


NetBIOS Tracked Hosts

6. Use your mouse to navigate to 1) the Assets section, 2) the Host Assets tab, click the New button and select 3) NetBIOS Tracked Hosts. Tracking by NetBIOS name will maintain host history data even if the IP address changes.
7. Click the Host IPs section and type the following IP address ranges into the IPs: field: 64.39.106.242, 64.39.106.243, 64.39.106.248, 64.39.106.249 (DO NOT USE COPY AND PASTE).
8. Click the Add button, to add all four IP addresses to your account.
9. Click the OK button to acknowledge your scanning permission.


Personalize Your Account

The steps that follow will help to personalize your student user account, and make other adjustments that will provide a more effective training environment.

1. Click on your Qualys User ID (located just to the right of the Help button) and select User Profile.

General Information

2. Change the First Name field and Last Name field to reflect your own name.
3. Update the E-mail Address field with your current e-mail address (all notifications and password reset information will be sent to the address you provide).
4. Leave the Country field set to Antarctica (this is a requirement for student accounts).


Notification Options

All notification options will be sent to the e-mail address specified in the General Information section.

5. Use the navigation pane (left) to select Options, and leave all Scan and Map options turned on.
6. Click the My reports radio button to activate notification for reports that you create.

Session Timeout

Although this next adjustment is not typically recommended in a production environment, it will allow you to maintain an ACTIVE session throughout this training class.

1. Navigate to 1) Users, 2) Setup, and 3) open the Security dialog.


The Search option will help you to find specific topics, and provide links to helpful Qualys videos.

The Contents option will provide you with a start-to-finish explanation of Vulnerability Application tasks and features.


LAB 2: KnowledgeBase Search List (30 min.)

A Search List is an extension of the Qualys KnowledgeBase, and is one of the most powerful customization tools within the Vulnerability Management application. The name Search List is derived from the KnowledgeBase Search tool that is used to create a list of vulnerabilities.

- Add a Search List to an Option Profile, to perform a very accurate and precise vulnerability scan.
- Add a Search List to a Report Template to create a Patch Report for High Risk vulnerabilities.
- Create a Remediation Policy that automatically ignores Low Risk vulnerabilities, or assign Windows OS vulnerabilities to the Windows team lead, and set a deadline for timely patching.

Search List Library

Qualys has created a library of some very useful vulnerability Search Lists.

1. Use your mouse to navigate to 1) the Search Lists tab, click 2) the New button, and 3) select the Import from Library option.


2. Click the top level check box to select all lists in the library.
3. Click the Import button.
4. Click the Don't Make Global button.

Custom Search List

Create your own custom vulnerability list to perform a special or unique scanning, reporting, or remediation task. A Dynamic Search List is automatically updated by the Qualys service. Vulnerabilities that match the list's criteria are added at the same time they are added to the Qualys KnowledgeBase. A static search list does not receive automatic updates. Typically, static lists are used to collect vulnerabilities that do not have common criteria.

Create Dynamic Search List

Objective: create a list of all potential severity 1 and 2 vulnerabilities, those that DO NOT have a patch solution. Later, during the Remediation lab exercises, you will use this list to create a Policy that ignores Low Risk vulnerabilities that come with a high mitigation cost.

1. Navigate to any of the three Search Lists tabs (you will find one within the Scans, Reports, and KnowledgeBase sections; all three tabs perform the same function).
2. Click the New button and select the Dynamic List option.


3. In the Title section, choose the name Low Severity Vulns (Sev. 1 and 2) no patch.
4. Select List Criteria in the navigation pane. Scroll down and select the No Patch Solution check box. Vulnerabilities that do not have a patch solution typically take more time to mitigate, and therefore cost more to resolve than vulnerabilities that already have a patch.
5. Scroll down and choose Levels 1 and 2 for Potential Severities. Remember: while these vulnerabilities have a low impact individually, collectively they can lead to a potential compromise.


6. Save the List.

This list of Low Impact vulnerabilities will provide a good resource later, when you build a Remediation Policy that demonstrates the steps for ignoring a list of vulnerabilities.

Personalize the KnowledgeBase

The Qualys KnowledgeBase provides the most current and comprehensive vulnerability and threat intelligence information. The next few steps will help you to personalize the KnowledgeBase settings.

1. Go to the KnowledgeBase tab. Click on the icon, and change the amount of rows you are viewing in the KnowledgeBase to 500.
2. Now, add the Severity column to your default view.
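The difference between a Dynamic and a Static Search List is easiest to see in code. The following is an added example, not Qualys code and not a Qualys API: a Dynamic list stores the criteria from the lab (potential severity 1 or 2 AND no patch solution) and is re-evaluated against the KnowledgeBase on every use, while a Static list stores the fixed set of QIDs chosen when it was created. The KnowledgeBase records, QIDs and titles below are constructed for the illustration.

```python
# Added example (not Qualys code): Dynamic vs Static Search List behaviour.
from dataclasses import dataclass


@dataclass(frozen=True)
class KbEntry:
    """One constructed KnowledgeBase record (field names chosen for this example)."""
    qid: int
    title: str
    severity: int      # potential severity 1 (low) .. 5 (urgent)
    has_patch: bool    # False means "No Patch Solution"


# Constructed sample KnowledgeBase; QIDs and titles are made up.
KNOWLEDGEBASE = [
    KbEntry(900001, "Banner discloses server version", 1, False),
    KbEntry(900002, "Weak TLS cipher suite enabled", 2, False),
    KbEntry(900003, "Outdated OpenSSL library", 3, True),
    KbEntry(900004, "Default SNMP community string", 2, True),
    KbEntry(900005, "Remote code execution in service X", 5, True),
]


def low_sev_no_patch(entry):
    """The lab's list criteria: potential severity 1 or 2 AND no patch solution."""
    return entry.severity in (1, 2) and not entry.has_patch


class DynamicSearchList:
    """Stores criteria, not QIDs, so the membership follows the KnowledgeBase."""

    def __init__(self, title, criteria):
        self.title = title
        self.criteria = criteria

    def qids(self, kb):
        return sorted(e.qid for e in kb if self.criteria(e))


class StaticSearchList:
    """Stores a fixed set of QIDs chosen when the list was saved."""

    def __init__(self, title, qids):
        self.title = title
        self._qids = frozenset(qids)

    def qids(self, kb):
        known = {e.qid for e in kb}
        return sorted(q for q in self._qids if q in known)


def build_lab_lists(kb):
    """A dynamic list with the lab criteria, plus a static snapshot of the same QIDs."""
    dynamic = DynamicSearchList("Low Severity Vulns (Sev. 1 and 2) no patch", low_sev_no_patch)
    static = StaticSearchList("Static snapshot of the same QIDs", dynamic.qids(kb))
    return dynamic, static


def demo():
    """Return (before, after) memberships around a simulated KnowledgeBase update."""
    kb = list(KNOWLEDGEBASE)
    dynamic, static = build_lab_lists(kb)
    before = (dynamic.qids(kb), static.qids(kb))
    # A new, matching entry arrives with the next KnowledgeBase update:
    # only the dynamic list picks it up.
    kb.append(KbEntry(900006, "Verbose error page leaks stack trace", 1, False))
    after = (dynamic.qids(kb), static.qids(kb))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running it shows both lists starting with the same two QIDs; after the simulated KnowledgeBase update the dynamic list contains three QIDs while the static list is unchanged, which is why a dynamic list is the right choice for a remediation policy that must keep tracking "no patch" vulnerabilities as new ones are published.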


LAB 3: Mapping (30 min.)

Map reports are very useful tools when managing all host assets within your company or enterprise architecture. Only mapping provides discovery data that will allow you to distinguish between authorized and unauthorized hosts. When used properly, mapping will give you the ability to add new hosts to your Vulnerability Management subscription, approve other hosts that will not be added to your subscription, and even find rogue devices within your network.

Mapping Targets

Unless you manage a limited number of hosts, it is considered a best practice to map your network or enterprise architecture in small segments. You can accomplish this task using any of the basic mapping targets:

- Asset Group
- Domain
- Netblock

Understanding the proper use of mapping targets will lead to the creation of successful map reports.

Asset Group

Although Asset Groups will be defined in detail later, within the Asset Management lab, a couple of key points are required here in the discussion of mapping:

- Asset Groups only contain hosts that have already been added to your Vulnerability Management subscription.
- The Domains and IPs checkboxes are used only when an Asset Group has been selected as a target.

Domain

Another target option for mapping involves using a domain name. A domain name must be added to the Domains tab, before it can be used as a target for mapping. Basic DNS reconnaissance is used to collect information from a domain target. Additionally, TCP, UDP, and ICMP probes are used to validate the DNS reconnaissance findings.


Netblock

A netblock must also be added to the Domains tab, before it can be used as a mapping target. The none Domain is a special domain, used to add netblocks to the Domains tab. Various probes such as TCP, UDP, and ICMP are used to locate LIVE hosts within the targeted netblock.

Add Mapping Target

In order to use any of the target types listed above, it must first be added to your account. The Domains tab is used for the purpose of adding mapping targets to the Vulnerability Management application (Asset Groups are the exception).

1. Use your mouse to navigate to the 1) Assets section, 2) Domains tab, click on the 3) New button and select the Domain option.
2. Add the following netblock to the Domains field:

   none:[64.39.106.240-64.39.106.249]

   DO NOT USE COPY AND PASTE (there is no blank space in the none domain).

The none domain can be used to target any netblock within your organization. Notice that the netblock listed above contains two more IP addresses than the number of IPs already within your subscription. It is a Best Practice recommendation to add all reserved IP address netblocks (RFC 1918) to the none domain.
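The two notations used so far (a comma-separated list of IPs and ranges in the IPs: field, and the none:[lo-hi] netblock in the Domains field) are simple enough to parse, which makes it possible to check, before a scan is launched, that every requested address is inside the scope you have permission to scan. The following is an added example, not Qualys code: it expands both notations with the standard ipaddress module, confirms that the lab netblock holds exactly two addresses not yet in the subscription (64.39.106.240 and 64.39.106.241), and rejects out-of-scope targets. Function names are the example's own; the address data comes from this lab.

```python
# Added example (not Qualys code): parse the lab's IP range / none-domain
# notation and enforce a scanning scope before any scan is launched.
import ipaddress

# Addresses from this lab (not constructed).
DNS_TRACKED = "64.39.106.244-64.39.106.247"
NETBIOS_TRACKED = "64.39.106.242, 64.39.106.243, 64.39.106.248, 64.39.106.249"
LAB_NETBLOCK = "none:[64.39.106.240-64.39.106.249]"


def expand_targets(spec):
    """Expand 'a.b.c.d, a.b.c.e-a.b.c.f' (as typed in the IPs: field) into a set."""
    addrs = set()
    for token in spec.replace(" ", "").split(","):
        if not token:
            continue
        if "-" in token:
            lo, hi = (ipaddress.ip_address(p) for p in token.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {token!r}")
            for n in range(int(lo), int(hi) + 1):
                addrs.add(ipaddress.ip_address(n))
        else:
            addrs.add(ipaddress.ip_address(token))
    return addrs


def parse_none_domain(spec):
    """Parse the none:[lo-hi] netblock notation; no whitespace is allowed."""
    prefix, _, rest = spec.partition(":")
    if prefix != "none" or not (rest.startswith("[") and rest.endswith("]")):
        raise ValueError(f"not a none-domain netblock: {spec!r}")
    return expand_targets(rest[1:-1])


def subscription_ips():
    """All addresses added to the subscription in LAB 1 (DNS + NetBIOS tracked)."""
    return expand_targets(DNS_TRACKED) | expand_targets(NETBIOS_TRACKED)


def unsubscribed_in_netblock():
    """Addresses the map may discover that are not yet in the subscription."""
    missing = parse_none_domain(LAB_NETBLOCK) - subscription_ips()
    return [str(a) for a in sorted(missing)]


def check_scan_scope(requested, permitted):
    """Return requested addresses that fall outside the permitted set (empty = OK)."""
    out_of_scope = expand_targets(requested) - expand_targets(permitted)
    return [str(a) for a in sorted(out_of_scope)]


if __name__ == "__main__":
    print("not yet in subscription:", unsubscribed_in_netblock())
    print("out of scope:", check_scan_scope("64.39.106.240-64.39.106.250",
                                            "64.39.106.240-64.39.106.249"))
```

The same check_scan_scope call is the kind of guard worth wiring in front of any scheduled scan or API launch: a non-empty result means the target list has drifted outside the approved addresses and the scan should not run until the approval is updated.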


Launch Map

In the next few exercise steps, you will use the none domain target to create a Map Report of the hosts within the Qualys Training Network.

1. Use your mouse to navigate to the 1) Scans section, 2) Maps tab, click on the 3) New button and select the Map option.
2. In the Title field type: Qualys Training Network.
3. Leave the Option Profile set to: Initial Options (default).
4. Under Target Domains click the Select link just to the right of the Domains/Netblocks field.
5. Check the none Domain and click the Add button.


6. Click the Launch button to begin mapping. It is normal for your map task to display the Queued status, before changing to the Running status.

View and Use Map Results

When a map reaches the Finished status, you may view its results. Do not attempt to view map results while the Status column displays the Queued or Running status.

1. To view your finished map results, open the Quick Action menu and select the View Report option.
2. Scroll down to the Results to view the hosts that were discovered.

Each host is identified by its IP address and name (DNS or NetBIOS). If Basic Information Gathering is enabled the map will also provide Router and OS information.


The columns that appear on the right side of the report are used to identify authorized hosts (A), scannable hosts (S), live hosts (L), and netblock hosts (N). A host is considered scannable if it has already been added to your Vulnerability Management subscription. The netblock symbol is only relevant when a netblock is selected as the mapping target.

3. Click the arrow icon to the left of a host to view its discovery method.

Notice host 63.229.56.186 is not a member of the target netblock, but was discovered via traceroute. Host demo10 (64.39.106.240) is Unix-based, and was discovered using multiple techniques (probes).

Actions Menu

The Actions drop-down menu is provided to perform various actions on any host that appears in the Map Results.

The key to using a map report is: 1) use a checkbox to select a host, 2) choose an action from the Actions menu, and 3) click the Apply button.

The next set of exercises will walk you through the steps of adding new hosts to your Vulnerability Management subscription, adding several hosts to a new Asset Group, and launching an initial vulnerability scan.


Add Hosts to Subscription

Hosts demo10 and demo11 cannot be scanned for vulnerabilities, until they are added to your Vulnerability Management subscription.

4. Place a check next to host demo10 (64.39.106.240) and host demo11 (64.39.106.241).
5. Use the Actions menu to select the Add to Subscription action, and click the Apply button.
6. Click the Add button to confirm your IP address selection.
7. Click the OK button to confirm your permission to scan.

Create New Asset Group

Although Asset Groups can be created and managed from the Assets section (Asset Groups tab), it is relatively easy to create and manage Asset Groups from a Map Report.

Looking at the DNS column, it is easy to see that many hosts are located in Seattle (SEA).

8. Place a check next to all hosts located in the sea.qualys.com domain.
9. Use the Actions menu to select the Add to new Asset Group action, and click the Apply button.
10. In the Asset Group Title field type: Seattle, and click the Save button.


Launch Initial Scan

To collect some initial scan data that will be used in the Asset Management lab, the Map Report will be used to complete one final task: launch a vulnerability scan.

11. Place a check next to all ten hosts that are now in your Vulnerability Management subscription (64.39.106.240-64.39.106.249).
12. Use the Actions menu to select the Launch Vulnerability Scan action, and click the Apply button.
13. In the scan Title field type: Initial Vulnerability Scan.
14. Leave the Option Profile field and IPs/Ranges field set to their default values, and click the Launch button.
15. When the Scan Status window appears, click the Close button.
16. Close the Map Results (File > Close).


Additional Exercises

You may perform all Additional Exercises at your own convenience. Other lab exercises in this document are not dependent on the outcome of these exercises.

Scheduled Maps

You can use differential reporting to compare two maps to identify new hosts introduced into the network, as well as retired hosts that have been removed.

Reporting like this relies on having regular snapshots of the network from which to make a comparison. The next lab steps are designed to schedule a Map Report to run every day.

1. Use your mouse to navigate to the 1) Scans section, 2) Maps tab, click the 3) New button and select the Schedule Map option.
2. Configure the schedule with the following details:

   Title: Daily Map
   Option Profile: Initial Options (default)
   Target Domains: qualys-test.com


   Scheduling: Start the scheduled task at a future date and time (time zone is required)
   Occurs: Daily

3. Click Save.

Export and View Map Results

Any Map Report can be downloaded using multiple file format options. Additionally, all maps can be viewed in a Graphic mode.

1. Navigate to the Maps tab within the Scans section.
2. Use the Quick Actions menu to open up and view a Map that you have already created.
3. While viewing the map results, click the File menu and select the Download option.

Experiment with different file formats. A CSV file can be easily imported into a spreadsheet.


4. While viewing the same map results, click the View menu and then select the Graphic Mode option.
5. Use the filters on the left to locate the Windows assets in the map results (right). Experiment with different OS options.
6. Click the icon over any host to view its information in the preview pane.

You can also toggle the Summary and Results tabs at the top of the window to view a list of assets discovered in the map.
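Two ideas from this lab combine naturally once map results are exported as CSV: the A/S/L/N columns (authorized, scannable, live, netblock) and differential reporting between two scheduled maps. The following is an added example, not Qualys code and not Qualys' real export layout: it loads two constructed daily snapshots with the standard csv module, reports hosts that appeared or disappeared between them, and flags live hosts inside the target netblock that are neither authorized nor scannable, which is exactly the population you would review for rogue devices. The column names and the second-day rows are constructed; the hosts demo10, demo11 and the traceroute-discovered 63.229.56.186 are taken from this lab.

```python
# Added example (not Qualys code): differential map reporting and A/S/L/N
# triage over constructed CSV exports of two daily Map Reports.
import csv
import ipaddress
from io import StringIO

FLAGS = ("Approved", "Scannable", "Live", "Netblock")   # the A / S / L / N columns

# Constructed snapshots. Column layout is this example's own, not Qualys' export.
MAP_DAY1 = """\
IP,DNS,OS,Approved,Scannable,Live,Netblock
64.39.106.240,demo10.sea.qualys.com,Unix,1,1,1,1
64.39.106.241,demo11.sea.qualys.com,Unix,1,1,1,1
64.39.106.244,,Unknown,1,1,1,1
63.229.56.186,,Unknown,0,0,1,0
"""

MAP_DAY2 = """\
IP,DNS,OS,Approved,Scannable,Live,Netblock
64.39.106.240,demo10.sea.qualys.com,Unix,1,1,1,1
64.39.106.244,,Unknown,1,1,1,1
64.39.106.245,,Unknown,0,0,1,1
63.229.56.186,,Unknown,0,0,1,0
"""


def load_map(csv_text):
    """Parse one exported map into {ip: {"dns", "os", "Approved", ...}} with bool flags."""
    snapshot = {}
    for row in csv.DictReader(StringIO(csv_text)):
        snapshot[row["IP"]] = {
            "dns": row["DNS"],
            "os": row["OS"],
            **{flag: row[flag] == "1" for flag in FLAGS},
        }
    return snapshot


def _by_ip(ips):
    return sorted(ips, key=ipaddress.ip_address)


def diff_maps(old, new):
    """Differential report: hosts new since the older map, and hosts that retired."""
    return {
        "new_hosts": _by_ip(set(new) - set(old)),
        "retired_hosts": _by_ip(set(old) - set(new)),
    }


def unapproved_live_hosts(snapshot):
    """Live hosts inside the netblock that nobody has approved: rogue-device candidates.
    Hosts outside the netblock (e.g. found via traceroute) are excluded, since the
    N column is only meaningful when a netblock is the mapping target."""
    return _by_ip(ip for ip, h in snapshot.items()
                  if h["Live"] and h["Netblock"] and not h["Approved"])


def not_yet_scannable(snapshot):
    """Live netblock hosts not yet in the subscription (candidates for Add to Subscription)."""
    return _by_ip(ip for ip, h in snapshot.items()
                  if h["Live"] and h["Netblock"] and not h["Scannable"])


def daily_review(old_csv, new_csv):
    """One-shot report a scheduled job could e-mail after each Daily Map."""
    old, new = load_map(old_csv), load_map(new_csv)
    report = diff_maps(old, new)
    report["unapproved_live"] = unapproved_live_hosts(new)
    report["not_scannable"] = not_yet_scannable(new)
    return report


if __name__ == "__main__":
    for key, value in daily_review(MAP_DAY1, MAP_DAY2).items():
        print(f"{key}: {value}")
```

On the constructed data the review shows demo11 retired, 64.39.106.245 newly discovered, and that same new host as the only live netblock address that is neither approved nor scannable; after it is approved or added to the subscription it drops out of both lists on the next day's run.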


LAB 4: Asset Management (30 min.)

There are an infinite number of ways to organize the host assets within the Vulnerability Management application. Here are just a few examples:

- Geographical location
- Service provided
- Device type or operating system
- Responsible operational team
- Asset owner
- IP address
- Business impact

Although the methods listed above are commonly used, it is important to recognize that every company is unique, and your company may choose to organize and manage its host assets using methods or techniques that others do not even consider.

The proper use of Asset Groups and Asset Tags will allow you to effectively organize and manage host assets within the Vulnerability Management application.

Both Asset Groups and Asset Tags can be combined to accomplish numerous objectives, such as:

- Creating targets for mapping, scanning, reporting, and remediation.
- Assigning access privileges to individual user accounts.
- Host identification and inventory management.

This Asset Management lab will begin with a discussion of Asset Groups, and then finish with a discussion of the Asset Tag features and characteristics that extend the capabilities of traditional Asset Groups.


Asset Group

Asset Groups are the original mechanism for managing assets within the Vulnerability Management application. Asset Groups provide containers for collecting host assets. Simply create an Asset Group, give it a name that reflects its host members, and add the appropriate host IP addresses. Here are some important characteristics of an Asset Group:

- Used to assign access privileges (IPs, scanners, and domains) to individual user accounts.
- Contain a Business Impact attribute that is used to calculate Business Risk.
- Can be used as a target for mapping, scanning, reporting, and remediation.
- A single host IP address can be a member of multiple Asset Groups.
- Nesting one Asset Group inside another is not supported.*
- Created and updated manually.*

* The last two items in this list will be addressed through the use of Asset Tags. Asset Tags are updated automatically and dynamically with every vulnerability scan. Asset Tag nesting is the recommended approach for designing functional Asset Tag hierarchies (parent/child relationships).

Edit Asset Group

The Mapping lab demonstrated that Asset Groups can be created and updated from within an Asset Map Report. In this lab, Asset Groups will be managed from within the Asset Groups tab (found within the Assets section).

1. Use your mouse to navigate to the 1) Assets section, and click on the 2) Asset Groups tab.
2. Use the Quick Actions menu to Edit the Seattle Asset Group.


To assign a domain to an individual user, the domain must first be associated with an Asset Group, and then the Asset Group must be assigned to the target user.

3. From the navigation pane click the Domains option and use the Available domains drop-down menu to associate the none domain with the Seattle Asset Group.

With the domain association complete, any user that receives access to the Seattle Asset Group will also receive access to the none domain (for mapping purposes).

Business Impact

Some hosts are more important than others. While both printers and database servers represent legitimate attack vectors within your network, your time is typically best spent fixing a critical vulnerability on your DBMS (one that could be used to steal critical data) rather than a vulnerability that can take a networked printer off-line.

With this in mind, Asset Groups contain a Business Impact setting. Set it up now, and it'll pay dividends later under Reporting where we'll use it to identify real Business Risk.

4. From the navigation pane, select the Business Info option.


5. Use the Business Impact drop-down menu to change the Seattle Asset Group to Medium.
6. Click the View link (just right of Business Impact).

Business Risk is the product of the Average Security Risk (represented by the various severity levels associated with each vulnerability) and the Asset Group's Business Impact setting.

Notice that the vulnerabilities discovered on host assets that belong to an Asset Group with a Critical or High Business Impact setting will carry a higher Business Risk Score than hosts in the Seattle Asset Group (Business Impact = MEDIUM), while vulnerabilities discovered on host assets that belong to Asset Groups with a Minor or Low Business Impact setting will carry a lower Business Risk Score.

7. Click the Close button.
8. Click the Save button to save your changes to the Seattle Asset Group.
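The relationship Business Risk = Average Security Risk x Business Impact is easier to reason about with numbers. The following is an added example, not Qualys code and not the Qualys scoring formula: the page states the product but not the numeric scale, so the Business Impact multipliers below are assumptions, and the per-host severity lists are constructed. The three Asset Groups (Seattle, Server, Desktop) and their impact settings are the ones this lab creates. The point it shows is that identical findings on a Critical group and a Low group produce very different Business Risk, which is what drives prioritization in the Reporting lab.

```python
# Added example (not Qualys code): Business Risk as the product of Average
# Security Risk and the Asset Group's Business Impact setting.
from statistics import mean

# Assumed multipliers: the lab gives the ordering Critical > High > Medium > Low
# > Minor but no numeric scale, so these values are this example's own.
IMPACT_WEIGHT = {"Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Minor": 1}

# Constructed detections: host IP -> severities (1..5) of vulnerabilities found on it.
DETECTIONS = {
    "64.39.106.240": [5, 3, 2],
    "64.39.106.241": [4, 4],
    "64.39.106.242": [5, 3, 2],
    "64.39.106.245": [4, 4],
}

# Asset Groups and Business Impact settings from this lab; membership is a
# constructed subset of each group's real host list.
ASSET_GROUPS = {
    "Seattle": {"impact": "Medium", "hosts": ["64.39.106.240", "64.39.106.242"]},
    "Server": {"impact": "Critical", "hosts": ["64.39.106.240", "64.39.106.241"]},
    "Desktop": {"impact": "Low", "hosts": ["64.39.106.242", "64.39.106.245"]},
}


def average_security_risk(hosts, detections):
    """Mean severity over every detection on the group's hosts (0.0 if none)."""
    severities = [s for host in hosts for s in detections.get(host, [])]
    return mean(severities) if severities else 0.0


def business_risk(group, detections):
    """Average Security Risk multiplied by the group's Business Impact weight."""
    return average_security_risk(group["hosts"], detections) * IMPACT_WEIGHT[group["impact"]]


def rank_groups(groups, detections):
    """Asset Groups ordered by Business Risk, highest first, rounded to 2 places."""
    scored = [(name, round(business_risk(g, detections), 2)) for name, g in groups.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, risk in rank_groups(ASSET_GROUPS, DETECTIONS):
        print(f"{name:8s} impact={ASSET_GROUPS[name]['impact']:8s} business risk={risk}")
```

With the constructed data the Server and Desktop groups carry exactly the same Average Security Risk (3.6), yet Server scores 18.0 against Desktop's 7.2 purely because of the Business Impact setting; Seattle, at Medium, lands between them. Note that a host can sit in several groups at once (64.39.106.240 is in both Seattle and Server here), just as the lab describes.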


New Asset Group

To expand the illustration of Business Impact and Business Risk, the next set of exercises will create two new Asset Groups with different Business Impact Settings.

The first Asset Group will contain production servers that have a critical impact.

1. From the Asset Groups tab click the New button and select the Asset Group option.
2. In the Asset Group Title field type: Server.


    3. From the navigation pane select the IPs option, and click the Select IPs/Ranges link.

    4. Click the Expand Range icon to view all IPs in your subscription.

    5. Check the following IP addresses (6):

    64.39.106.240

    64.39.106.241

    64.39.106.243

    64.39.106.244

    64.39.106.246

    64.39.106.247

    6. Click the Add button.

    7. From the navigation pane select the Business Info option, and change the Business Impact

    field of the Server Asset Group to Critical.

    8. Click the Save button to save the Server Asset Group.


    The next new Asset Group will contain desktop computers that have a low impact.

    1. From the Assets Group tab click the New button and select the Asset Group option.

    2. In the Asset Group Title field type: Desktop.

    3. From the navigation pane select the IPs option, and click the Select IPs/Ranges link.

    4. Click the Expand Range icon to view all IPs in your subscription.

    5. Check the following IP addresses (4):

    64.39.106.242

    64.39.106.245


    64.39.106.248

    64.39.106.249

    6. Click the Add button.

    7. From the navigation pane select the Business Info option, and change the Business Impact

    field of the Desktop Asset Group to Low.

    8. Click the Save button to save the Desktop Asset Group.

    Three Asset Groups have been created: Seattle, Desktop, and Server. All three asset groups will

    automatically be converted into Asset Tags by the Qualys service (see Asset Tag section).


    Asset Tag

    With IT and systems environments that are constantly fluctuating (e.g., mobile devices, virtualization,

    cloud-based services, remote employees, etc.) it's imperative to have a sound method to track host

    assets. Knowing what assets exist improves the chances of securing them.

    Asset Tags were designed to provide a flexible, scalable, and dynamic solution to manage assets, based

    on scan results obtained using the Vulnerability Management application. As the Vulnerability

    Management application processes data from each scan, it will also automatically and dynamically add

    tags to various assets, and update or remove tags that already exist.

    Asset Tags are organized into hierarchical structures, also known as parent/child relationships. A single

    host asset can simultaneously have multiple tags. For example, a host can have a tag because it's

    located in Chicago, it belongs to the 10.1.2.0/24 net block, and it has SSH running on it.

    Asset Search

    During a scan, the Qualys scanning engine gathers information from targeted hosts, including each

    host's operating system, open ports, and active services. The Asset Search feature provides you with the

    ability to search through scan results and find hosts based on this type of information. This same

    feature can also be used to create tags.

    1. Use your mouse to navigate to the 1) Assets section, and then click on the 2) Asset Search tab.

    2. In the Search for section, type All in the Asset Groups field. The All Asset Group is built-in

    to the Qualys platform, and contains all host assets that have been added to your Vulnerability

    Management subscription.


    3. In the Attributes section, select the Running Services checkbox and then select the smtp

    option to find all hosts running the Simple Mail Transfer Protocol (i.e., mail servers).

    4. Click the Create Tag button.

    5. Type Mail Server, when prompted to Enter a name for your Asset Tag and click the OK

    button.

    Watch for the following pop-up message:


    Asset Management Application

    Although the Asset Search feature provides a simple way to create Asset Tags from within the

    Vulnerability Management application, the real power and benefit of creating custom Asset Tags is

    found within the Asset Management application.

    As you complete the exercises that follow, please note that some lag time may occur between the point

    where an Asset Tag is initially created and the point where it is eventually applied to its respective

    asset(s). The same lag time may exist between the point where a host is added to the Vulnerability

    Management application and the point where it appears in the Asset Management application.

    1. From the Vulnerability Management application, use the application drop-down menu to switch

    to the Asset Management application.

    The opening page (i.e., Assets tab) of the Asset Management application provides many useful

    pieces of information:

    The Qualys service creates a matching Asset Tag for every Asset Group.

    Hosts running SMTP are tagged with the Mail Server tag (created using Asset Search).

    Operating system information is identified for each host.


    You can use the Quick Action menu for any host to View host details (e.g., demo11).

    2. Click the Show Filters link in the upper right corner of the Assets tab.

    3. Use the tags already created to quickly locate all Mail Servers.

    4. Remove your filtering options, then click the Hide Filters link to close the filter window.

    5. Near the upper left corner of the Assets tab, click the expand icon to view the Tag Tree

    alongside the list of assets.

    6. Click the arrow to the left of the Asset Groups tag to expand this hierarchy. The name of the

    parent tag is Asset Groups. Presently it has three children (Seattle, Desktop, and Server).

    7. Click the arrow to the left of Asset Search Tags to expand this hierarchy.

    8. Right-click the Mail Server tag to view its editing options. Experiment by changing its color.


    The same Tag Tree information can be accessed from the Tags tab.

    Create Custom Tag

    The previous set of exercise steps illustrated some examples of Asset Tags created by the Vulnerability

    Management application:

    Asset Tags matching Asset Groups

    Asset Tags created with Asset Search

    To take full advantage of the power and benefit of the Asset Tagging feature, custom Asset Tags will

    now be created within the Asset Management application.

    Static Tag: Operating System

    Many tag hierarchies begin with some type of static parent that serves as a placeholder for its

    dynamic child tags. This principle will be demonstrated with a static parent tag called Operating

    System.

    1. From the Assets tab, expand the Tag Tree, and click on the link.


    2. Name this tag: Operating System.

    3. Select the color of your choice.

    4. In the Description field type: Parent tag (operating system hierarchy).

    5. Click the Continue button.

    6. Leave the Rule Engine field set to No Dynamic Rule. This is typical for top level tags that form

    the parent tag of a new hierarchy.

    7. Click the Continue button, followed by the Finish button.

    The Operating System tag should now be viewable in the Tag Tree.

    The steps that follow will add two children to the Operating System hierarchy. Both children will be

    nested under the Operating System parent, and both will use dynamic rules.


    Dynamic Tag: Windows

    1. From the top of the Tag Tree, click on the link.

    2. Name this tag: Windows.

    3. Use the Select parent tag drop-down menu to select the Operating System tag, and click the

    Close button to close the menu.

    4. Click the Continue button.

    5. Select the Operating System Regular Expression Rule Engine.

    6. In the Regular Expression field, type windows and then select the Ignore Case check box.

    7. Try testing this rule against host assets in your account. Hosts running the Windows OS should

    receive a positive result (green ball w/ check). All others should receive a negative result (red X).

    8. Select the Re-evaluate rule on save check box.

    9. Click the Continue button, followed by the Finish button.


    Dynamic Tag: Linux

    1. From the top of the Tag Tree, click on the link.

    2. Give this tag a name of Linux.

    3. In the Tag Properties section, select a color.

    4. Use the Parent Tag drop-down menu to select the Operating System parent tag.

    5. Click the Continue button.

    6. Select the Operating System Regular Expression Rule Engine.

    7. In the Regular Expression field, type linux and then select the Ignore Case check box.

    8. Try testing this rule against host assets in your account. Hosts running a Linux-based OS should

    receive a positive result (green ball w/ check). All others should receive a negative result (red X).

    9. Select the Re-evaluate rule on save check box.

    10. Click the Continue button, followed by the Finish button.


    Any of the dynamic tagging rule engines can be used to automatically assign tags to host assets. While

    our demo lab has a limited number of hosts, imagine the benefit of using Asset Tags to manage

    hundreds, thousands, and even millions of dynamically changing host assets!

    How would you take advantage of the Asset Name Contains rule? Does your company use

    standard naming conventions that identify host location, host owner, or other host attributes?

    How would you take advantage of the Software Installed rule? Would it be useful to know

    when new applications or services are added to an existing host?

    How would you take advantage of the Vuln (QID) Exists rule? Could you use this tag rule to

    quickly identify hosts that have the Heartbleed or Shellshock vulnerabilities?

    Once Asset Tags have been applied to host assets, the filtering tool within the Asset Management

    application can be used to navigate through an ocean of host data to locate a specific type of host.

    The steps covered in this lab provide many different examples for managing and tracking host assets

    within your Qualys subscription. You now have many different ways to choose targets for

    vulnerability scanning, reporting, and remediation tasks.


    LAB 5: Vulnerability Scan (30 min.)

    Once you have successfully added hosts to your subscription, they can be scanned for vulnerabilities. As

    Qualys learns about each host that it scans, it can categorically eliminate different vulnerability tests,

    dramatically reducing scan time in the process.

    To identify the host IPs that can be scanned:

    1. Click back to the Vulnerability Management application.

    2. Navigate to the Host Assets tab (within the Assets Section).

    3. Click the Expand Range icon to view individual IP addresses in your subscription.

    Alternatively, you can create a Map Report and look for the hosts with the S symbol.


    Trusted Scanning

    It is a Best Practice to perform vulnerability scans with administrator or root level privileges. Qualys

    refers to these as Trusted Scans. Qualys can authenticate to numerous technology platforms.

    In this exercise, we'll create a Windows authentication record, a UNIX authentication record, and an

    Option Profile that uses them.

    Windows Authentication Record

    1. Under the Scans section, click the Authentication tab.

    2. Click the New button and select Windows Record

    3. Enter Local Windows Authentication as the Title for the Authentication Record.

    4. Click the Login Credentials tab on the left hand side, and then select the radio button for Local

    authentication.

    5. In the Login section, leave the radio button for Basic authentication selected.

    6. Enter Administrator (omit quotes) in the User Name field and abc123 (omit quotes) in the

    Password and Confirm Password fields.

    7. Click the IPs tab, and assign the IPs for your Windows-based host devices (64.39.106.242,

    64.39.106.243, 64.39.106.248, 64.39.106.249).

    8. Click the Save button to complete the creation of your new Authentication Record.

    Unix Authentication Record

    1. Under the Scans section, click the Authentication tab.

    2. Click the New button and select Unix Record

    3. Enter Root Authentication as the Title for the Authentication Record.


    4. Click the Login Credentials tab on the left hand side, and ensure the Basic authentication radio

    button is selected.

    5. In the Login section, leave the radio button for Basic authentication selected.

    6. Enter root (omit quotes) in the User Name field and abc123 (omit quotes) in the Password and

    Confirm Password fields.

    7. Click the IPs tab, and assign the IPs for your Unix-based host devices (64.39.106.240,

    64.39.106.241, and 64.39.106.244 - 64.39.106.247).

    8. Click the Save button to complete the creation of your new Authentication Record.

    Authentication isn't enabled by default, and must be selected within an Option Profile.

    9. Navigate to 1) the Option Profiles tab, click 2) the New button and select 3) Option Profile.

    10. Enter Custom Authentication in the Title field.

    11. Click Scan in the left navigation panel.


    12. Locate the Authentication section and enable the Windows and Unix/Cisco authentication

    methods.

    13. Click the Save button.

    Launch Scan

    1. Use your mouse to navigate to the 1) Scans section, 2) Scans tab, click the 3) New button

    and select the Scan option.

    2. Enter the Title: Custom Auth Scan.

    3. Select the Option Profile you just created (Custom Authentication).


    4. Under Targets select the Assets radio button.

    5. Use the Select link to add both Desktop and Server Asset Groups as scanning targets.

    6. Click the Launch button to launch the scan.

    7. Click the Close button to close the Scan Progress window, when it is displayed.

    The Scans tab lists running scans and stored scans. You can use the Quick Actions menu to cancel or

    pause running scans. To delete a scan, simply place a check in the box next to the Title, and choose the

    Delete option from the Actions button.


    Processed vs. Unprocessed Scans

    When a Scanner Appliance has finished performing a vulnerability scan, the scan results are sent to the

    Qualys Secure Operations Center (SOC). The raw scan data is then processed and integrated with the

    Host Based Findings within your subscription.

    Although the Status column may display the Finished status, your scan results will not be available

    for use until the green circle icon turns into a green ball ( ) icon.

    Storage

    By default, the Qualys service deletes individual scan results from the Scans tab and Maps tab every

    six months. You may extend this up to a year, or reduce it to one month (Scans > Setup > Storage).

    To disable the auto delete feature, clear (remove) the appropriate checkbox.


    Vulnerability Ratings

    Scanning analyzes the security of your network devices using an Inference-Based Scanning Engine, an

    adaptive process that intelligently runs only tests applicable to the host being scanned.

    Vulnerabilities (red): Security weaknesses verified by an active test

    Potential vulnerabilities (yellow): Security weaknesses that need manual verification

    Information (blue): Configuration data

    Potential Vulnerabilities

    Two common classes of potential vulnerabilities include Denial of Service (DoS) and buffer overflow

    attacks. Qualys won't try an active test if that active test might deny service or introduce instability, so

    we can't actively test these. That said:

    Many potential vulnerabilities can be promoted to straight-up vulnerabilities using authentication.

    These are labeled (red/yellow) in the Vulnerability KnowledgeBase.

    When a normal (untrusted) scan includes a (red/yellow) vulnerability, Qualys can find

    conditions that flag the risk (e.g., SMB is enabled). When a trusted scan is performed (Qualys

    authenticates to the device), the registry is analyzed and other tests are performed. In the scan

    results, Qualys then identifies the issue as either a confirmed vulnerability or a potential vulnerability.

    Severity levels

    Level 5 Remote root/administrator Remote control over system with Admin privileges

    Level 4 Remote user Remote control over system with user privileges

    Level 3 Leaks critical sensitive data Remote access to services or applications

    Level 2 Leaks sensitive data Determine precise system/service versions

    Level 1 Basic information Open ports and other easily deduced data


    Additional Exercises

    You may perform all Additional Exercises at your own convenience. Other lab exercises in this

    document are not dependent on the outcome of these exercises.

    Custom Vulnerability Detection

    Goal: Choose the vulnerabilities that will be tested in a vulnerability scan.

    Normally, scans are configured to detect all vulnerabilities. That said, there are times when you may

    want to scan for a single type of vulnerability.

    The steps that follow will use the Heartbleed Detection Search List to perform a custom

    vulnerability detection scan:

    1. Under the Scans section, click the Option Profiles tab.

    2. Click the New button and select Option Profile.

    3. Enter the title Heartbleed Detection.

    4. Click the Make this a globally available option profile checkbox (so other Qualys users can use

    this profile).

    5. In the left navigation pane, click the Scan tab.

    6. Scroll down to the Vulnerability Detection section and select the Custom radio button. The

    Search List dialog box will appear.

    7. Click the Add Lists button. The search lists in your account will appear.

    8. Select Search List Library in the navigation pane.

    9. Select the check box next to the Heartbleed Detection list, and then click the Import button.

    10. Click the Make Global button to make this Option Profile visible to other Qualys user accounts.

    11. Scroll to the end of the Option Profile and click Save.

    You may now use this Option Profile to perform a vulnerability scan. The resulting scan report will only

    reflect the vulnerabilities identified in the Custom Search List attached to this profile.


    Low Bandwidth Scan

    Use Case: Scan a remote office over a low bandwidth link.

    Qualys has three performance pre-sets and a custom option. The Low option is ideal for

    ISDN and DSL connected offices. Normal is a good general setting for Ethernet environments. High is

    best for minimally utilized 100Mbit links and 1Gbit networks.

    The number of hosts to scan/map concurrently affects scanning speed and network bandwidth. Qualys

    adjusts its packet rate based on detected network load; your configuration choices dictate how

    aggressive it should be in throttling back when it detects that the network is under load. In this exercise,

    you will select different presets to see how each is configured; later, you can use what you learn here

    when creating Custom performance options.

    1. Create a new Option Profile titled Low Bandwidth Scan - Option Profile.

    2. In the navigation pane on the left, choose the Scan tab. Under Performance click the

    Configure button.

    The Configure Scan Performance window will open.

    3. Choose Low from the Overall Performance drop menu.

    4. Close the performance window by clicking OK.

    5. Save the Option Profile.


    LAB 6: Reporting (30 min.)

    Qualys stores your generated reports for a week. This is handy when you generate a large report that

    you want to share with your colleagues. Qualys only needs to process the data when you create the

    report; your colleagues can simply click to view the generated report.

    High Severity Report

    As we've seen, using raw scan data can be overwhelming. It's better to generate a report to

    consolidate, organize, filter and generally make scan and map data usable for reviewing. Let's begin by

    creating a High Severity Report.

    The High Severity report is useful for showing only the most severe vulnerabilities, levels 4 and 5 (red). It

    also introduces actions when created using the HTML format. Complete the following steps to create a

    High Severity Report:

    1. From the Reports section, click the Reports tab. Choose New > Scan Report > Template Based.

    2. Input the following details:

    Title: Only The Worst Vulnerabilities

    Report Template: High Severity Report

    Report Format: HTML

    3. Delete the word All from the Asset Groups field. Then, click on the Add Tags link and,

    using the search box, type in Desktop. Select the tag when it appears in the window.

    4. Click the Run button to view the report, and scroll down to the Detailed Results section.

    Integrated Workflow Actions

    Workflow actions are integrated into the High Severity and Technical Reports using the icon (to

    the right of a vulnerability). Using workflow actions you can ignore vulnerabilities, create remediation

    tickets, or view remediation tickets that already exist.

    Notice the vulnerability status next to the action icon. The first time a vulnerability is found with the

    latest scan, the word New will appear in the report. Once a vulnerability has been discovered, its

    status will change to Active with each successive vulnerability scan. If the vulnerability has been fixed,

    the word Fixed appears.

    Also notice our tags appear within the report.

    In the next steps, we will perform the actions to ignore a specific vulnerability for a single host device.

    5. Click the icon for host 64.39.106.242 (NetBIOS Name: XP-SP2) to display its

    vulnerability details.

    6. Locate the severity 5 vulnerability called Microsoft SMB Remote Code Execution

    Vulnerability (MS09-001) and expand it.

    7. Mouse-over the menu for this vulnerability, and choose the option to Ignore

    vulnerability.

    8. Enter an appropriate reason, such as This host will be decommissioned next week and thus

    will not be patched and click the OK button.

    It is important to note that steps 4 through 6 above will ignore the Microsoft SMB Remote Code

    Execution Vulnerability specifically for host IP address 64.39.106.242. Other host devices that have

    this same vulnerability (64.39.106.243 and 64.39.106.249) will not be affected by these actions.


    Selective Vulnerability Reporting

    Goal: Use the vulnerability data that you have successfully collected to create a vulnerability report that

    selectively includes and excludes vulnerabilities that you specify.

    Earlier in this lab you saw how an Option Profile could be customized to target a specific list of

    vulnerabilities, and how other vulnerabilities could be simultaneously excluded from a scan. This next

    exercise will demonstrate these very same principles, only using the Selective Vulnerability Reporting

    section within a Report Template.

    Best Practice: Scan for everything, and then be selective (customize) in your reporting.

    1. Navigate to the Templates tab within the Reports section, and click the New button. Choose the

    Scan Template option.

    2. Title the report Critical Vulnerabilities With Patches.

    3. From the left navigation pane, click on the Findings tab, and use the Desktop Asset Tag as the target

    for this report.

    4. From the left navigation pane, click the Display tab. In the Detailed Results section, choose the

    option to sort by vulnerability, and select the check box to include the Vulnerability Details.

    5. From the left navigation pane, click the Filter tab. In the Selective Vulnerability Reporting

    section, click the Custom radio button, and then click the Add List button.

    6. Select the Critical Vulnerabilities with Vendor Patches v.1 Search List.

    7. Click the Exclude QIDs check box, and then click the Add Lists button.


    8. Select the Adobe Vulnerabilities v.1 Search List.

    We will make the assumption here that a different administrator will handle the Adobe-related

    vulnerabilities.

    9. Use the Test button again to test your new exclusion option.

    10. Close the report and Save the report template.


    Patch Report

    The Qualys Patch Report identifies patches that fix detected vulnerabilities. The detailed results in the

    report include a table of QIDs that will be fixed by applying a missing patch, and links for patches are

    displayed if available.

    The most relevant patches are recommended for installation. The recommended patch may be broader

    in scope and it may fix more vulnerabilities than the QID associated with the vulnerability detection.

    How Patch Analysis Works

    The patch report identifies the patches available for vulnerabilities detected by the most recent scan of

    each selected host.

    The service identifies patches using this staged approach:

    a) Collects information for detected vulnerabilities. The service first collects information about

    vulnerability QIDs detected on the target hosts, and applies QID filtering based on user-selected

    settings in the "Selective Vulnerability Reporting" and "Timeframe Selection" sections on the

    Filter tab in the patch report template.

    b) Identifies which vulnerabilities have patches. The service uses the KnowledgeBase to

    determine which detected vulnerabilities have patches available. Only QIDs with known patches

    are considered, and the rest are discarded.

    c) Determines recommended patches for each vulnerability. The service uses the KnowledgeBase

    to determine the relationship between the patchable QIDs (vulnerabilities with available

    patches). The relationship is very simple: either the QID is associated with the latest patch

    available for that issue, or a newer patch associated with a separate QID is available for that

    issue.

    d) Applies patch QID filtering, if any. The service applies patch QID filtering based on user-selected

    settings in the "Selective Patch Reporting" section on the Filter tab in the patch report template.

    Only the newest patch that is not filtered out is listed as a patch in the report.

    e) Assigns a severity to each patch. The service assigns a severity to each patch in the report. The

    severity may be based on the recommended patch to fix the vulnerability (the default) or the

    highest severity across all detected vulnerabilities that may be fixed by the patch. Users

    determine which patch severity to display on the Display tab in the patch report template.
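
    The five stages a) through e) above, carried out as an added Python example (not Qualys code) over a constructed KnowledgeBase fragment and detection list. The QID names, patch labels, severities and supersedence links are invented placeholders; patch_filter plays the role of the Selective Patch Reporting exclusion and vuln_filter the Selective Vulnerability Reporting inclusion list.

```python
"""Added example, not Qualys code: a toy implementation of the five-stage
patch analysis described above, run over constructed data.  The QID names,
patch labels, severities and supersedence links are invented placeholders,
not real KnowledgeBase entries."""
from typing import Dict, List, Optional, Set

# Constructed KnowledgeBase fragment.  "superseded_by" models stage c):
# QID_A's patch has been replaced by a newer patch that belongs to QID_B.
KB: Dict[str, dict] = {
    "QID_A": {"severity": 5, "patch": "PATCH-PLACEHOLDER-1", "superseded_by": "QID_B"},
    "QID_B": {"severity": 4, "patch": "PATCH-PLACEHOLDER-2", "superseded_by": None},
    "QID_C": {"severity": 3, "patch": "PATCH-PLACEHOLDER-3", "superseded_by": None},
    "QID_D": {"severity": 2, "patch": None, "superseded_by": None},  # no known patch
}

# Constructed detections from the most recent scan of each host: host -> QIDs.
DETECTIONS: Dict[str, List[str]] = {
    "host-1": ["QID_A", "QID_D"],
    "host-2": ["QID_A", "QID_C"],
    "host-3": ["QID_B"],
}


def patch_chain(qid: str, kb: Dict[str, dict]) -> List[str]:
    """Stage c): follow supersedence links from a detected QID to the newest
    patch QID for the same issue; returns the chain newest first."""
    chain, cur = [qid], kb[qid]["superseded_by"]
    while cur is not None and cur not in chain:      # guard against loops
        chain.append(cur)
        cur = kb[cur]["superseded_by"]
    return chain[::-1]


def patch_report(detections: Dict[str, List[str]], kb: Dict[str, dict],
                 vuln_filter: Optional[Set[str]] = None,
                 patch_filter: Optional[Set[str]] = None,
                 severity_mode: str = "recommended") -> Dict[str, dict]:
    """Return recommended patch QID -> {patch, hosts, fixes, severity}."""
    report: Dict[str, dict] = {}
    for host, qids in detections.items():
        # Stage a): collect detected QIDs; apply Selective Vulnerability Reporting.
        if vuln_filter is not None:
            qids = [q for q in qids if q in vuln_filter]
        # Stage b): keep only QIDs that have a known patch; discard the rest.
        qids = [q for q in qids if kb[q]["patch"] is not None]
        for q in qids:
            # Stage c)+d): the newest patch in the chain that is not filtered
            # out by Selective Patch Reporting (patch_filter = excluded QIDs).
            candidates = [c for c in patch_chain(q, kb)
                          if patch_filter is None or c not in patch_filter]
            if not candidates:
                continue
            rec = candidates[0]
            entry = report.setdefault(
                rec, {"patch": kb[rec]["patch"], "hosts": set(), "fixes": set()})
            entry["hosts"].add(host)
            entry["fixes"].add(q)
    # Stage e): severity from the recommended patch's own QID (default), or the
    # highest severity across every detected vulnerability the patch fixes.
    for rec, entry in report.items():
        if severity_mode == "recommended":
            entry["severity"] = kb[rec]["severity"]
        else:
            entry["severity"] = max(kb[q]["severity"] for q in entry["fixes"])
    return report


if __name__ == "__main__":
    for rec, e in patch_report(DETECTIONS, KB).items():
        print(rec, e["patch"], "sev", e["severity"],
              "hosts", sorted(e["hosts"]), "fixes", sorted(e["fixes"]))
```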


    Create a Patch Report:

    1. From the Reports section, navigate to the Reports tab

    2. Choose New > Patch Report.

    3. Under report title type Online Patch Report.

    4. Click the Select link next to the Report Template selection box.

    5. Click on the Template Library tab and then select Critical Patches Required v.1 for the report

    template. Click the Import button.

    6. Click the Make Global button to share this template with others.

    This enables other users in Qualys to use this template to report against the assets that have been

    assigned to them.

    7. Select Online Report for the Report Format.

    8. In the Asset Groups section type All and click Run.


    9. When the report opens, click on the Sev column in the left pane (and sort most severe to least

    severe).

    10. In the left pane, use the Title column to click on the top patch in the list. Notice that the same

    patch might affect multiple hosts.

    11. Click on the Title of other patches to see what hosts are impacted.

    12. From the right pane, try clicking on the number of vulnerabilities (Vulns column) to display the

    vulnerabilities impacted by a patch.

    13. To distribute this report to your system administrators, click File > Download (select PDF or CSV

    format).


    Scorecard Report

    Scorecard reports are part of the robust reporting mechanism within the Qualys environment. These

    reports provide the state of security within the enterprise. They are designed to assist IT line

    managers, Auditors, or the Board of Directors.

    Using the Vulnerability Scorecard, users can evaluate Business Risk by asset group or tag and establish

    acceptable Business Risk levels for the organization. Also, the same scorecard can be used to identify

    vulnerabilities by type, status and age.

    1. Navigate to 1) the Reports section and 2) Reports tab. Click the New button and select 3)

    Scorecard Report option.

    2. From the New Scorecard Report window, highlight Vulnerability Scorecard Report, and click

    the Edit link just below the Scorecard report list.


    3. Click Report Source in the left navigation pane.

    4. Select the Asset Tags radio button and add both Windows and Linux hosts.

    5. Select the Any operator to target hosts that have any of the Asset Tags listed.

    All: target only hosts that have all of the tags listed (AND equivalent).

    Any: target hosts that have any of the tags listed (OR equivalent).

    6. Click Filter in the left navigation pane.

    7. Remove the default check mark from the Confirmed (Severity 5,4,3) option.

    8. Click the Add List button (Included Search Lists:) and add Critical Vulnerabilities with Vendor

    Patches v.1 (these are the vulnerabilities that will be targeted in this report).


    9. Click Display in the navigation pane, and change the Business Risk Goal to 20.

    The Business Risk Goal reflects your aversion or appetite for risk, based on the percentage of hosts

    that are vulnerable to the targeted QIDs (those in the Critical Vulnerabilities with Vendor

    Patches v.1 search list).

    10. Click Save As and title the report Adjusted Business Risk.

    11. Select the Scorecard you just created (Adjusted Business Risk) and run the report with HTML as the

    format.

    The report will show the percentage of Critical Vulnerabilities with Vendor Patches for each

    targeted Asset Tag. Passing values will display in green, failing values will display in red. You can

    continue to adjust the risk goal as you create different types of scorecard reports that target varioushosts and different types of vulnerabilities.
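    The scorecard logic from steps 4 to 11 (the All/Any tag operator, the percentage of hosts vulnerable to the search list's QIDs, and the pass/fail colouring against the Business Risk Goal), worked through as an added Python example that is not part of the lab or of Qualys itself. The hosts, tags and QIDs are constructed sample data, and treating a percentage at or below the goal as passing is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only: these QIDs, IPs and tags are
# placeholders, not real Qualys identifiers. The set stands in for the
# "Critical Vulnerabilities with Vendor Patches v.1" search list used in the lab.
CRITICAL_WITH_VENDOR_PATCHES = {90001, 90002, 90003}


@dataclass
class Host:
    ip: str
    tags: set
    detections: dict  # qid -> status: "New", "Active", "Re-Opened" or "Fixed"


HOSTS = [
    Host("10.0.0.1", {"Windows", "Seattle"}, {90001: "Active"}),
    Host("10.0.0.2", {"Windows"}, {90002: "Fixed"}),          # patched: not counted
    Host("10.0.0.3", {"Windows"}, {12345: "Active"}),         # QID not in the list
    Host("10.0.0.4", {"Linux"}, {90003: "Re-Opened"}),        # re-opened still counts
    Host("10.0.0.5", {"Linux", "Seattle"}, {}),
    Host("10.0.0.6", {"Linux"}, {}),
    Host("10.0.0.7", {"Linux"}, {90001: "Fixed"}),
    Host("10.0.0.8", {"Linux"}, {}),
    Host("10.0.0.9", {"Network Device"}, {90001: "Active"}),  # outside the report source
]


def in_report_source(host, selected_tags, operator):
    """Step 5: 'All' is an AND over the selected tags, 'Any' is an OR."""
    if operator == "All":
        return selected_tags <= host.tags
    if operator == "Any":
        return bool(selected_tags & host.tags)
    raise ValueError(f"unknown tag operator: {operator}")


def is_vulnerable(host, search_list):
    """A host counts as vulnerable while any listed QID is in a non-Fixed state."""
    return any(status != "Fixed"
               for qid, status in host.detections.items() if qid in search_list)


def scorecard(hosts, selected_tags, operator, search_list, business_risk_goal):
    """Per targeted tag: host count, vulnerable count, percentage and PASS/FAIL.

    Assumption: a percentage at or below the Business Risk Goal is shown in
    green (PASS); anything above it is shown in red (FAIL)."""
    source = [h for h in hosts if in_report_source(h, selected_tags, operator)]
    rows = {}
    for tag in sorted(selected_tags):
        tagged = [h for h in source if tag in h.tags]
        vulnerable = [h for h in tagged if is_vulnerable(h, search_list)]
        percent = round(100.0 * len(vulnerable) / len(tagged), 1) if tagged else 0.0
        rows[tag] = {
            "hosts": len(tagged),
            "vulnerable": len(vulnerable),
            "percent": percent,
            "status": "PASS" if percent <= business_risk_goal else "FAIL",
        }
    return rows


if __name__ == "__main__":
    for tag, row in scorecard(HOSTS, {"Windows", "Linux"}, "Any",
                              CRITICAL_WITH_VENDOR_PATCHES, 20).items():
        print(f"{tag:8} {row['vulnerable']}/{row['hosts']} hosts "
              f"{row['percent']:5.1f}%  {row['status']}")
```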


    Additional Exercises

    You may perform all Additional Exercises at your own convenience. Other lab exercises in this document are not dependent on the outcome of these exercises.

    Executive Report

    The Executive Report is a high-level trend report. It identifies changes to the vulnerability exposure of your network over time.

    Presently, you do not have an adequate amount of scan history in your demo account to produce an effective trend report. For this reason, an illustrated description of the Executive Report will be provided.

    When you have generated more scan data (after several days), feel free to return to this section to create an Executive Report. You can create an Executive Report by selecting the Executive Report Template.

    Vulnerability Status

    The Filter tab of the Executive Report Template contains Vulnerability Status. With all Vulnerability Status filters selected, we can produce the graphic seen above. Most of these are obvious, but there's one hidden gem: Re-Opened. A re-opened vulnerability is a vulnerability that you previously fixed but has returned.

    Re-opened vulnerabilities are typically the result of re-imaging a host from an un-patched image, or using compensating controls (e.g., a firewall rule that blocks access to a vulnerable service) in the absence of patches. Also, it could represent a service that was recently enabled on a host device (like a web server).

    Vulnerabilities Over Time

    Showing vulnerabilities over time is, of course, the whole point of the Executive Report. The following chart visually illustrates both the number and the severity of vulnerabilities over time:


    Top Vulnerability Categories

    The Top Vulnerability Categories table is handy come hiring time: it illustrates the areas that need the most work, and how much the exposure has changed, so you can hire people to cover your most critical needs.


    Scheduled Reporting

    As with mapping and scanning, users have the ability to schedule reports to run automatically at a scheduled time, on a recurring basis. Users can also set options to notify select distribution groups when a report is complete and ready for viewing.

    There are several report types that can be scheduled. You can schedule template-based scan reports (set to Host Based Findings source selection), scorecard reports, patch reports, template-based compliance reports and remediation reports.

    To create a new report schedule, go to Reports > Schedules and select the type of report you're interested in from the New menu. In the steps that follow, a new template-based scan report will be scheduled.

    1. Within the Reports section, navigate to the Schedules tab.

    2. If prompted, click the I Accept button to enable scheduled reporting.

    3. Click the New button and select Scan Report > Template Based.

    4. From the Report Details section, give your report a title, such as Demo Scheduled Report.

    5. For Report Template, click the Select link and select the Executive Report template.

    6. For Report Format keep the selection for Portable Document Format (PDF).

    7. In the Report Source section, leave the Asset Groups set to All.


    8. Click the checkbox for Scheduling and Report Notification.

    9. Leave today as your start date, and midnight (00:00) as your starting time.

    10. Select (GMT-0800) United States (California): Los Angeles, San Francisco, San Diego, Sacramento as your time zone.

    11. Set this scheduled report to occur every week (Weekly) on Friday.

    12. In the Schedule Status section, please choose the check box to Deactivate this report.

    13. Click the Schedule button to finish.


    LAB 7: User Management (10 min.)

    User accounts form the basis for privileges and access control within Qualys. This section will explore creating users and the various levels of user privileges.

    Create User Account

    We'll start by creating a user and assigning some Asset Groups. Over several steps, in this section and the next, we'll expand our new user's capabilities.

    User Roles

    User privileges are assigned and identified using various User Roles. Your Qualys student account has the role of Manager.

    The Scanner role carries the primary responsibility of mapping and scanning network resources.

    The Reader role carries the least privileges. Readers can create custom reports from existing scan and map data, but cannot launch scans or maps.

    Privileges Summary

    Privilege                     Manager    Scanner     Reader
    Create Reports                Yes        Yes         Yes
    Scan/Map: All Assets          Yes        No          No
    Scan/Map: Assigned Assets     Yes        Yes         No
    Create Option Profiles        Yes        Optionally  No
    Create User Accounts          Yes        No          No

    Under the Users section, click the Users tab.

    1. Choose New > User....

    2. Fill in the blank fields in the General Information section with your info. Use a valid email address that you can get to from the computer you are seated at.

    3. Under the User Roles tab, choose Reader as your User Role.


    4. Click Asset Groups in the navigation pane, and add the Seattle Asset Group to this account.

    Presently, access permissions are provided to user accounts using Asset Groups. This includes scanning, reporting and remediation access privileges.

    5. Click the Options tab and view the Notification Options.

    6. Save the user; close the window.

    Activate this account by looking at the email sent by Qualys, clicking on the link, and viewing the credentials. The link can only be clicked once, so make sure you save the credentials.


    LAB 8: Remediation (15 min.)

    Qualys includes Remediation Policies that can be used to assign vulnerabilities to specific users or ignore vulnerabilities that you do not plan to address.

    Assign Vulnerability to User

    This first policy will be used to assign High Risk Windows Vulnerabilities.

    1. Under the Remediation section, click the Policies tab.

    2. Click the New button and select the Rule option.

    3. Enter High Risk Vulnerabilities for the title.

    4. Under the Conditions tab, notice the Asset Groups field. All is a keyword that includes all hosts in your account.

    5. Under the Vulnerability Section, to the right, click on .

    6. Select the checkbox next to title, Confirmed Severity 4 + 5 and press the Ok button.

    7. Assign these vulnerabilities to the user account you created in LAB 7, and enforce a 7-day deadline for patching and mitigation.


    8. Save the rule by clicking the Save button.

    Ignore Low Risk Vulnerabilities

    The task of ignoring a specific vulnerability for a specific host was performed earlier in the Reporting Lab, using a manual process. Remediation Policies can automate the process of ignoring vulnerabilities.

    1. From the Remediation section, click on the Policies tab and create a new Remediation Rule titled Ignore Low Risk Vulnerabilities.

    2. Add the Low Severity Vulns search list under the Conditions tab.

    3. Under the Actions tab, select the Create Tickets set to Closed/Ignored radio button.

    4. Save the rule, close the window, and return to the Remediation Policies list.

    5. Now that you have created Remediation Policies, you will need to launch another vulnerability scan to allow Qualys to automatically create remediation tickets.

    6. Go ahead and launch a scan.
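    The two Remediation Policy rules built in this lab, expressed as an added Python example that is not part of the lab or of Qualys: each detection from the new scan is checked against the rules in order, the High Risk rule opens a ticket assigned to the LAB 7 user with a 7-day deadline, and the Ignore rule creates tickets already in the Closed/Ignored state. The detections, the asset group membership, the user name and the severity cut-off for the Low Severity Vulns list are constructed assumptions, as is first-match rule ordering.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable


@dataclass(frozen=True)
class Detection:  # one scan finding; confirmed=False means a "potential" vulnerability
    ip: str
    qid: int
    severity: int
    confirmed: bool


@dataclass
class Rule:
    title: str
    asset_group: str                          # "All" is the keyword for every host
    search_list: Callable[[Detection], bool]  # dynamic search list as a predicate
    action: str                               # "assign" or "ignore"
    assignee: str = ""
    deadline_days: int = 0


def confirmed_sev_4_5(d):   # the "Confirmed Severity 4 + 5" list selected in step 6
    return d.confirmed and d.severity >= 4


def low_severity_vulns(d):  # assumption: "Low Severity Vulns" means severity 1 and 2
    return d.severity <= 2


# The two rules built in this lab, in the order they appear in the policy list.
POLICIES = [
    Rule("High Risk Vulnerabilities", "All", confirmed_sev_4_5, "assign",
         assignee="lab7_reader", deadline_days=7),   # user name is a placeholder
    Rule("Ignore Low Risk Vulnerabilities", "All", low_severity_vulns, "ignore"),
]
ASSET_GROUPS = {"Seattle": {"10.0.0.1", "10.0.0.3"}}  # constructed membership
SCAN_DATE = date(2019, 7, 17)
# Constructed detections from the scan launched in step 6; QIDs are placeholders.
SCAN = [
    Detection("10.0.0.1", 90001, 5, True),   # confirmed sev 5 -> assigned, 7-day deadline
    Detection("10.0.0.2", 90002, 4, False),  # potential only -> matches no rule
    Detection("10.0.0.3", 12345, 1, True),   # low severity -> Closed/Ignored ticket
    Detection("10.0.0.4", 45004, 3, True),   # severity 3 -> no rule, no ticket
]


def apply_policies(detections, rules, asset_groups, scan_date):
    """Create one ticket (a dict) per detection from the first rule that matches.

    Assumption: rules are evaluated top to bottom and the first match wins;
    a detection that matches no rule gets no ticket."""
    tickets = []
    for d in detections:
        for rule in rules:
            in_group = (rule.asset_group == "All"
                        or d.ip in asset_groups.get(rule.asset_group, set()))
            if not (in_group and rule.search_list(d)):
                continue
            ticket = {"ip": d.ip, "qid": d.qid, "rule": rule.title}
            if rule.action == "assign":
                ticket.update(state="Open", assignee=rule.assignee,
                              due=scan_date + timedelta(days=rule.deadline_days))
            else:
                ticket.update(state="Closed/Ignored", assignee=None, due=None)
            tickets.append(ticket)
            break   # first matching rule wins
    return tickets


def lab_tickets():  # the tickets the two lab rules would create for SCAN
    return apply_policies(SCAN, POLICIES, ASSET_GROUPS, SCAN_DATE)
```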


    A Final Note

    Account Setup

    Before ending the training, it's important that we cover some less conspicuous setup configurations of Qualys. These are items that aren't essential, but may be needed here and there.

    Dashboard

    Because we've mapped and scanned, some information will be populated in our Dashboard.

    1. Navigate to the Dashboard section.

    2. Customize some items on the Dashboard by clicking on the Configure link.

    Qualys Home Page

    What do you want to see when you login?

    1. Click on your Qualys User ID (located just to the right of the Help button) and select Home Page.


    2. Select the home page that best suits your needs, and click the Save button.

    Excluding Hosts from Scans

    In some cases, you may have IP addresses within a segment that do not need to be scanned, and will never need to be scanned. In this case, the Excluded Hosts section of the Setup menu comes in handy.

    1. Navigate to the Setup tab in the Scans section, and click on the Excluded Hosts section.

    2. A new screen will appear.

    3. Click the Edit button.

    4. Add the IP 64.39.106.246 to the list. Click Add.

    5. Add a comment (the Comment field is required).

    6. Click Close.

    Tip: it's a good practice to add comments about why this host is excluded, in the event of an audit.

    7. Rerun a light scan over the IP segment containing the IP address you just excluded. You should not see the .246 address.

    Keep in mind that once you exclude a host, it's a global setting for your subscription: the IPs will be excluded from ALL activity, even though they are still listed in your subscription.

    Remember in Remediation how we talked about automatically closing tickets once the scan shows the vulnerability is no longer detected? Well, under the Setup tab in the Remediation section, you will find:


    You may also need to determine whether the lower privileged groups will be able to Close and Ignore tickets, or allow them to Delete tickets; both can be allowed here.

    The Security function under the Setup tab in the Users section allows for the more critical security settings for users and the service:


    You may want to restrict which IPs have the ability to connect to your QG UI. For this reason, you can restrict access. You can also set password security, even allowing users to set their own passwords.

    Finally, let's take a look at the Report Share section.

    8. Navigate to the Setup tab in the Reports section, and click on Report Share.


    9. Choose to Enable Secure PDF Distribution.

    10. Click Save.

    11. Now navigate to Reports and choose a new Technical Report.

    12. Click Add Secure Distribution and choose an email to send your report to.

    13. Run the Report.


    Now when you generate a PDF report you'll have the chance to enter a list of email addresses that you'd like the report distributed to securely. As long as you have Adobe on your computer and you know the report password, you'll be able to pull up the report... OUTSIDE of Qualys.

    Configuring Business Risk

    The Executive Report (and templates you might create) have a metric called Business Risk.

    Business Risk is the product of the Average Security Risk and the rating set by the Asset Group's Business Impact. Let's take a look at how the weights are calculated.

    Choose Business Risk from the Setup tab under the Reports section.

    These are the default values for Business Risk. As you can see, a level 5 vulnerability on a host whose Asset Group is of Critical importance is weighted 100 times greater than that of a level 1 vulnerability on a host whose asset group is of Low importance.


    Contacting Support

    Overview

    Try as we may, inevitably you will need to contact support. In order for us to properly and efficiently troubleshoot issues, we will need information from you.

    There are 3 ways to contact support:

    o The Qualys Interface

    o Email to [email protected]

    o For Critical issues call us:

      U.S. and Canada: +1.866.801.6161 24x7

      Europe, the Middle East and Africa: +33.1.41.97.35.81 24x7

      UK: +44 1753 872102 24x7

    With the Qualys interface, you will have all the necessary information at your fingertips. From the Qualys User Interface, click on Help and then Contact Support.

    A popup screen will appear for the email.


    So then, the question becomes: what information do you need to send to Qualys? Well, that can depend on the type of problems you are seeing.

    False Positive

    If you believe that you have identified a false positive, please provide us with additional information so that we can resolve the issue as quickly as possible.

    Please provide the following in this message:

    • Reasons you believe you have a false positive. Include steps you've taken to patch the system.

    • Was the issue reported during an authenticated scan? If yes, was the authentication successful? There are several appendices in your scan results that provide information related to authentication.

    • When was the vulnerability first detected? Have there been changes to the host since then?

    • For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?

    After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:

    • A scan report with the vulnerability reported.

    • A packet capture of traffic to/from the affected service/port for its typical communications (only if requested by DEV).

    • System configuration information. For Windows, this is provided by systeminfo.exe and MSinfo32.exe.


    • Additional information, such as a registry dump or a screenshot of the system showing that it is patched and not vulnerable.

    False Negative

    On very rare occasions we may produce a False Negative. If you believe this to be the case, please provide the following in your message:

    • IP address, DNS hostname or NetBIOS hostname for the host.

    • QID, if available, for the potential false negative.

    • Reasons you believe you have a false negative. Include steps taken to troubleshoot the issue.

    • When was the vulnerability last detected? Have there been changes to the host since then?

    • For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?

    After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:

    • A scan report of the scan that did not identify the vulnerability.

    • Additional information, such as a registry dump or screenshot of your system.

    Service Stopped Responding

    This type of issue can have several causes, and is rarely caused by a test we have sent. Nevertheless, we need to determine what has happened and help expedite resolution. Quite often, resolution does require the vendor of the service to be involved in our troubleshooting effort.

    Please provide the following in this message:

    • A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.

    • Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in a DMZ or behind a load balancer).

    • Detailed information for each affected service, including: software name, exact version and build or patch level, the port number that the affected service is running on and whether the port is static or dynamic.

    • For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?

    After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:

    • A scan report of the scan that caused the service to stop responding.

    • A packet capture of traffic to/from the affected service/port for its typical communications.


    • A list of open ports and services running on those ports.

      o On a Windows system, you can run the free tcpview.exe and save the output. This program is available at: http://www.sysinternals.com/ntw2k/source/tcpview.shtml

      o On a Linux system, you can run netstat -ntulp and save the output.

    • An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.

    • Additional information, such as screenshots and log files.

    Scanner Appliance Issues

    Before submitting a request to Support, please see the Qualys Scanner Appliance User Guide for troubleshooting information. The user guide describes troubleshooting techniques you can use to respond to errors and performance conditions when using the Scanner Appliance.

    If you have followed the troubleshooting techniques and are still experiencing difficulty, please provide us with additional information so that we can resolve the issue as quickly as possible.

    Please provide the following in this message:

    • The error message on the LCD display of the Scanner Appliance.

    • The IP configuration for the LAN interface (static or DHCP). For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.

    • If WAN is enabled, provide the IP configuration for the WAN interface. For static configurations, include the IP address, netmask, gw, dns1, dns2, wins and domain.

    • If proxy is enabled, identify the proxy software and list the proxy configuration. Indicate whether a username and password is used, but do not send us the password.

    • How long is the timeout from when you hit Enter on "Really enable.." to when the "Network Error" message appears?

    • When you use a laptop with the same network configuration on the same network port, are you able to connect to the Qualys service at https://qualysguard.qualys.com?

    Host Crash

    Qualys scans are generally non-intrusive. If a scan has caused a host to crash then we will make resolving this issue a top priority. We are eager to work with you and any third-party vendors to quickly isolate and resolve the problem.

    Please provide the following in this message:

    • A description of the symptoms. When did the issue first appear? If the issue is reproducible, please provide steps to reproduce the issue.

    • Detailed information for each affected system, including: operating system version and patch level, IP address, the system's primary function and the location of the system on the network (i.e. behind a firewall, in a DMZ or behind a load balancer).


    • For publicly-facing IPs, we can greatly expedite the investigation if we can perform a light scan on the host. Do you grant permission for us to scan the host?

    After receiving a ticket number from Support, send a follow-up email referencing the ticket number and attach the following items:

    • A scan report of the scan that resulted in the host crash.

    • A packet capture of traffic to/from the affected service/port for its typical communications.

    • A list of open ports and services running on those ports.

      o On a Windows system, you can run the free tcpview.exe and save the output.

      o On a Linux system, you can run netstat -ntulp and save the output.

    • An image of the box is useful to help us reproduce the issue. For Windows machines, images may be created using MS Virtual PC (free). For *nix, VMWare may be used. If the host has custom software on it, then please also provide us with a copy of the software.

    • Additional information, such as screenshots and log files.