Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D




Contents

Overview
Components of the Inspector
Inspector Appliance
Inspector Diagnostic Tool
Network Detective Application
Inspector Features
IT and Compliance Assessment Data Collection and Scans
Automated Assessment Reporting
Tech Alerts
Security Bulletins
Remote Updating of the Appliance
Automated Scanning and Scheduling Best Practices
Getting Started
Connecting the Inspector
Associating the Appliance to a Site
Step 1 - Creating a New Site
Step 2 - Adding an Inspector to a Site
Creating New Scans
Selecting and Configuring Data Collection Scans Using Inspector
Network Scan
Network Scan with Layer 2/3 Discovery
Internal Vulnerability Scan
SQL Server Data Collection
Local Data Scans
HIPAA Compliance Scans
PCI Compliance Scans
External Vulnerability Scan
Managing the Scan Queue
Scheduling a Scan
Scan Library versus Scan Queue
Cancelling a Scan
Downloading Scans
Preferences Menu Options
Setting the Master Inspector Alerting Preferences
Steps to Set Master Inspector Alerting Preferences
Using the Manage Inspector Feature to Configure Automatic Report Generation
Setting Up Automatic Reports for Network Assessments
Setting Up Automatic Reports for Security Assessments
Setting Up Automatic Reports for HIPAA Compliance Assessments
Setting Up Automatic Reports for PCI Compliance Assessments
Setting Up Tech Alerts and Security Bulletins
Setting Up Tech Alerts
Suppressing No Issues Tech Alerts
Setting-up Security Bulletins
Suppressing No Issues Security Bulletins
Configuring the Local Data Scan Merges
Updating the Inspector Appliance
Appendices
Appendix I
Diagnostic Tool

Overview

The Network Detective Inspector is an appliance-based system used for performing scheduled IT and Compliance assessment scans, automatic assessment reporting, IT infrastructure change alerts, security bulletins, and deeper dive diagnostics.

This guide provides an overview and the specific steps required to install and configure the Inspector appliance, schedule the remote collection of data, schedule automated assessment reports, and issue network change related Tech Alerts and brandable Security Bulletins.

Components of the Inspector

Inspector Appliance

This is the hardware component of the Inspector. It is a small, portable appliance which plugs into the target network through an Ethernet connection.

Inspector Diagnostic Tool

This tool is used for configuring and troubleshooting the Inspector. The Diagnostic Tool should be run on the same network as the Inspector appliance to perform diagnostic checks, such as checks for Inspector connectivity or for available updates.

Network Detective Application

This is the same Network Detective desktop application and report generator that is used with any other Network Detective modules. This application contains additional features to manage the Inspector remotely.

Inspector Features

IT and Compliance Assessment Data Collection and Scans

One key purpose of the Network Detective Inspector is to perform scans from the point of view of the client's internal network. Below is an overview of the scans that can be performed by the Inspector Appliance.

Network Assessment Network Scan

Note that this feature requires the Network Assessment Module.

This is the full Network Assessment Scan from the point of view of the Inspector Appliance. The resulting scan can be used to generate reports from the Network Assessment module.

Layer 2/3 Discovery of Network Devices (Exclusive to the Inspector)

Run when the Network Assessment Network Scan is executed. Scans network devices for Layer 2 and Layer 3 connectivity information. Used to generate Layer 2/3 diagram and detail reports.

Internal Vulnerability Scan (Exclusive to the Inspector)

This scan takes advantage of the point of view provided by being connected to the client's internal network. Data is collected about Open Ports and Protocol Vulnerabilities that would be exploited once a hacker is in the network. The Internal Vulnerability Scan focuses on INSIDE attacking INSIDE, whereas the External Vulnerability Scan checks for OUTSIDE attacking EDGE (INSIDE).

Internal vulnerability scans are similar to external scans, but they are performed from inside the target network. They look for vulnerabilities that are normally blocked externally by firewalls. Within a network, unpatched or vulnerable systems may exist that an external scan may not capture. This scan option performs a vulnerability scan with additional options which may be more intensive than the external equivalent.

Please be aware that the scans may be resource intensive and should be run during non-business hours if possible.

HIPAA Compliance and Risk Assessment Scans

Note that this feature requires the HIPAA Assessment Module.

These network and local scans can be scheduled and executed by Inspector in order to identify ePHI, network vulnerabilities, security vulnerabilities, and local computer vulnerabilities necessary to perform a HIPAA IT Risk Assessment.

PCI Compliance and Risk Assessment Scans

Note that this feature requires the PCI Assessment Module.

These network and local scans can be scheduled and executed by Inspector in order to identify credit/debit card Primary Account Number (PAN) data, network vulnerabilities, security vulnerabilities, and local computer vulnerabilities necessary to perform a PCI Data Security Standard (DSS) Compliance and IT Risk Assessment.

External Vulnerability

External Vulnerability scans are performed at the external Network Edge to check for security holes and weaknesses, which can help you make better network security decisions. The External Vulnerability Scan performed by Inspector includes a full NMap Scan which checks all 65,535 ports and reports which are open. This is an essential scan and is a standard security check to ensure a viable security policy has been defined, implemented and maintained to protect the network from outside attacks.

Automated Assessment Reporting

Automatic Report Generation enables you to use the Inspector to schedule and generate a number of assessment reports associated with the following:

- Network Assessments
- Security Assessments
- HIPAA Compliance Assessments
- PCI Compliance Assessments

Tech Alerts

Inspector Tech Alerts is an Inspector feature whereby you and other designated recipients within your company can be sent Alerts via email based on automated Inspector scans being performed. These Alerts notify you of changes identified within your customer's IT infrastructure after pre-scheduled scans/assessments have been performed.

Security Bulletins

Security Bulletins are high value alerts designed for end-users. Security Bulletins are sent as HTML emails and are personalized based on the Security Bulletins configuration information.

Remote Updating of the Appliance

The Inspector Appliance is easy to update remotely. Updates include bug fixes, new features, and additional scan types.

Automated Scanning and Scheduling Best Practices

It is recommended that Network, Local Computer, and External Vulnerability scans are scheduled to be performed on a weekly basis.

It is recommended that Internal Vulnerability scans are scheduled to be performed on a monthly basis or after any significant IT infrastructure change has taken place.

Getting Started

Connecting the Inspector

To set up the Network Detective Inspector, first go to the physical location of the target network. After finding a secure location for the device, connecting it to the network can be accomplished in two easy steps:

Associating the Appliance to a Site

Before using the Inspector, the Appliance must be associated with a Site in the Network Detective Application.

Step 1 - Creating a New Site

If you have not yet added any Sites, open the Network Detective Application and navigate to New Site from the Home screen.

Define a name for the Site. This should be unique and easily identifiable, such as the customer name or physical location.

Step 2 - Adding an Inspector to a Site

From the Site's dashboard, select Add from the Inspectors bar.

Select the Inspector ID of the Inspector from the drop down menu. Note that the Inspector ID can be found on a printed label on the Inspector Appliance.

After successfully adding an Inspector, it will appear under the Inspectors bar in the Site's dashboard.

To view a list of all Inspectors and their associated Sites, navigate to the Inspectors tab from the top bar of the Home screen. This will show a summary of all Inspectors, their activity status, and other useful information.

Creating New Scans

After the Inspector Appliance has been associated with the customer-specific Site used for performing assessments, Internal Vulnerability Scans, Network Scans, Push Local Scans, and External Vulnerability Scans can be configured remotely on the Inspector appliance from within the Network Detective desktop application.

With the Inspector, it is only necessary to go through the configuration and setup of a Network Scan one time. After completing the setup, the Scan configurations will be stored and associated with the Inspector Appliance to be run either on-demand or on a set schedule.

To set up a scan, first go to the target Site's dashboard and verify that an Inspector has been successfully associated with the Site. The Inspector(s) will appear under the Inspectors bar.

If the Site does not already have an active Assessment, start a new Assessment by clicking Start and following the prompts to choose the desired type of Assessment.

If an active Assessment is available, click Go to Active Assessment from the Active Assessment bar in the Site's dashboard. Upon selecting the Active Assessment, you will be directed to the assessment's Assessment Window.

From the Site's active Assessment, select Initiate Inspector Collection from the Import Scans bar.

The Create Task window will be displayed, enabling you to select the IT or Compliance Assessment Scan you want to perform, configure the scan task, and store the scan task in the Inspector Task Library for either manual or scheduled execution.

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector prompts to configure the Scan.

Selecting and Configuring Data Collection Scans Using Inspector

Below is an overview of the scans that can be set up and performed using the Inspector, and the steps to set up the scans to be performed automatically or manually.

Network Scan

Note that the Network Assessment Reports are only available as part of the Network Assessment module.

Data Collector Task Configuration Wizard

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector prompts to configure the Scan.

Step 1: Select Scan Type

Choose Network Scan from the wizard and click the Next button.

Step 2: Input Credentials

Input administrative credentials to access the Domain Controller or indicate that the target network does not contain a Domain Controller.

Step 3: Select Local Domains

Choose either to scan all Domains detected on the target network or to restrict the Scan to selected Organizational Units (OUs) and Domains.

Step 4: Input External Domains

External Domain names allow others to visit the target site and facilitate services, such as email. Input External Domains here to include them as part of the data collection. Examples of External Domains include:

- example.com
- mycompany.biz

Step 5: Specify IP Ranges

The IP ranges from the target network will be auto-detected and included in the scan. To include additional subnets, input them here.

Step 6: Add SNMP Information

By default, the software will retrieve data from devices with the community string "public". If desired, define an additional community string (such as "private") and enter it here.

Step 7: Use MBSA

If the Microsoft Baseline Security Analyzer (MBSA) is installed on the target computer or domain controller, the Data Collector can use it as part of the detection process to perform vulnerability assessment checks.

Check Run MBSA to perform a weak password check. Check Include Patch Analysis to gather information on missing patches (this second option will increase the time required to perform the scan).

Step 8: Verify and Schedule

Check Send an email notification when schedule completes to notify a desired address upon completion of the scan. This option is recommended as the time a scan takes to complete varies depending on the target network.

Network Scan with Layer 2/3 Discovery

To create this scan task, perform the following steps:

1. Select the Scan Type Network Scan with Layer 2/3 Discovery.
2. Follow the prompts to set up the Credentials, Local Domains, External Domains, IP Ranges, SNMP Information, and Microsoft Baseline Security Analyzer (MBSA) parameters.
3. Verify the settings and Schedule the Scan.

Internal Vulnerability Scan

The Internal Vulnerability Scan is an exclusive feature available through the Network Detective Inspector.

Data Collector Task Configuration Wizard

If this is the first time a Scan has been initiated from the Inspector appliance, follow the Network Detective Data Collector prompts to configure the Scan.

Step 1: Select Scan Type

Choose Internal Vulnerability Scan from the wizard and click Next. The Ports to Scan window will be displayed.

Step 2: Specify Ports to Scan

When the Ports to Scan window is displayed, the Ports to Scan setup option allows you to select one of two available scanning options. One option, referenced as the Standard Scan, is used to scan Standard TCP ports and Top 1000 UDP ports. The second option, referenced as the Comprehensive Scan, is used to execute a comprehensive scan of all TCP ports and Top 1000 UDP ports.

To proceed, select the appropriate number of ports to scan for your assessment's purposes. Then select the Next button. The IP Ranges screen will be displayed.

Step 3: Specify IP Ranges

At this point the Inspector appliance will perform Auto-Detect to identify an IP address range that can be scanned. Alternatively, you can manually set the IP address range that you would like to scan during the scheduled internal vulnerability scan.

IMPORTANT: THE AUTO-DETECT FEATURE WILL IDENTIFY THE IP RANGE OF THE INTERNAL SUBNET THAT IS FROM THE INSPECTOR. THIS COULD RESULT IN A SUBSTANTIALLY LARGER NUMBER OF IP ADDRESSES THAT WILL BE SCANNED VERSUS THE ACTUAL NUMBER OF WORKSTATIONS, SERVERS, AND OTHER IP-BASED NETWORK COMPONENTS WHICH COULD BE A FAR SMALLER NUMBER.

IF THIS INTERNAL VULNERABILITY SCAN IS CONFIGURED TO INTERROGATE A LARGE NUMBER OF IP ADDRESSES THAT ARE NOT USED BY ANY DEVICE, THE VULNERABILITY SCAN MAY RESULT IN TAKING AN EXPONENTIALLY LONGER TIME THAN NECESSARY.

Define the IP Range that you would like to scan and select the Next button. The Create Task - Verify and Schedule window will be displayed.
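The scoping advice in Step 3, worked through as an added example (not part of the original guide or of Network Detective): given the auto-detected subnet and a list of addresses known to be in use, it builds the smaller IP ranges to enter manually and compares how many addresses each choice would interrogate. The subnet, the address list and the /24 grouping are constructed assumptions.

```python
import ipaddress

# Constructed sample input: the subnet Auto-Detect might report, and addresses
# known to be assigned (for instance from an earlier Network Scan or DHCP records).
DETECTED = "10.20.0.0/16"
IN_USE = ["10.20.1.10", "10.20.1.25", "10.20.4.7",
          "10.20.5.200", "10.20.40.3", "192.168.9.5"]


def scoped_ranges(detected_cidr, in_use, block_prefix=24):
    """Reduce an auto-detected subnet to the blocks that contain known devices.

    block_prefix is the grouping granularity; /24 is an assumption, not a
    value taken from the guide.
    """
    detected = ipaddress.ip_network(detected_cidr, strict=False)
    # Never group into blocks larger than the detected subnet itself.
    prefix = max(block_prefix, detected.prefixlen)

    blocks, outside = set(), []
    for raw in in_use:
        addr = ipaddress.ip_address(raw.strip())
        if addr not in detected:
            # Not on the Inspector's subnet: report it rather than silently
            # widening the scan.
            outside.append(str(addr))
            continue
        blocks.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    # Merge adjacent blocks (two neighbouring /24s become one /23).
    merged = list(ipaddress.collapse_addresses(blocks))
    return {
        "detected_addresses": detected.num_addresses,
        "scoped_addresses": sum(net.num_addresses for net in merged),
        "ranges": [(str(n.network_address), str(n.broadcast_address))
                   for n in merged],
        "outside_detected": outside,
    }


if __name__ == "__main__":
    result = scoped_ranges(DETECTED, IN_USE)
    print(f"Auto-detected range covers {result['detected_addresses']} addresses")
    print(f"Scoped ranges cover        {result['scoped_addresses']} addresses")
    for first, last in result["ranges"]:
        print(f"  {first} - {last}")
    for addr in result["outside_detected"]:
        print(f"  not on the detected subnet: {addr}")
```
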

Step 4: Verify and Schedule Scan Task

After the Create Task - Verify and Schedule window is displayed, you can finalize the creation of the scan task.

To have an Email Notification sent to you when the scan task completes, select the Send email notification when schedule completes option, and type in the email address where the notification should be sent.

Click on the Finish button to complete the scheduling of the internal vulnerability scan task, which will display the Appliance Tasks and Queue window.

The scheduled internal vulnerability scan can be confirmed in the Appliance Tasks and Queue window, where it is displayed in the Task Library list referenced below.

Upon viewing the scan task, you can select the run now option link under the Queue column to initiate the scan, which will place the scan into the Queued Tasks list. Or, you can click on the schedule link to execute the scan sometime in the future by selecting the interval (daily, weekly, monthly, annually, or just once) option and the time that the scan should be scheduled to run.

When you click the schedule link, the CRON Builder scheduler window is displayed and is used to set the schedule action's execution time. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

Note the Pending task present in the Queued Task list after the Run Now option has been selected for the Vulnerability Scan in the window below.


SQL Server Data Collection

To create this scan task, perform the following steps:

1. Select the Scan Type SQL Server Collection.
2. Follow the prompts to set up the Credentials for the SQL Servers being assessed.
3. Verify the settings and Schedule the Scan.

Note that the SQL Server Module's Assessment Reports are only available as part of the SQL Server Module subscription.

Local Data Scans

Configuring Network Local Collection Push Scan

1. Select the Local Push Network Local Collector to scan remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the equipment being scanned.
3. Verify the settings and Schedule the Scan.

Configuring Security Local Collection Push Scan

1. Select the Local Push Security Local Collector to scan remote computers.
2. Follow the prompts to set up the Credentials and Remote Computer IP Addresses for the equipment being scanned.
3. Verify the settings and Schedule the Scan.

HIPAA Compliance Scans

To learn more about how to configure the scans related to a HIPAA Compliance Assessment, please refer to the HIPAA Module with Inspector User Guide.

Note that the HIPAA Module's Assessment Reports are only available as part of the HIPAA Module subscription.

PCI Compliance Scans

To learn more about how to configure the scans related to a PCI Compliance Assessment, please refer to the PCI Module with Inspector User Guide.

Note that the PCI Module's Assessment Reports are only available as part of the PCI Module subscription.

External Vulnerability Scan

To create this scan task, perform the following steps:

1. Select the Scan Type External Vulnerability Scan.
2. Follow the prompts to set up the IP Addresses of the equipment/network being scanned.
3. Verify the settings and Schedule the Scan.

Managing the Scan Queue

After associating the Inspector Appliance with a Site, configuring Network Scans, and storing them in the Task Library, it is a simple process to run either an immediate or scheduled Data Collection on the target network.

Note that the Scan configuration process only needs to be completed one time, and the resulting configuration will be stored for future use. This simplifies both automation and remote execution of Data Collections.

To view the Scan Queue, first associate the Inspector Appliance with a Site. Then navigate to the target Site's dashboard. Under the Inspectors bar in the Active Assessment window, select the manage link. This will bring up the Scan Queue and the Scan Library in another window.

Running a Scan On-Demand

Scans can be executed immediately through the use of the Run Now feature.

To run a Scan configuration, locate the task in the Task Library and select run now. After the task has been queued, it will run as soon as resources are available. A Scan that is run on-demand (i.e. instead of on a schedule) will have no value in the table under the Next Run column.

Scheduling a Scan

To schedule a scan, select the Schedule option available within a Scan Task listed within the Task Library.

To run a Scan configuration on a regular basis or at a future date, locate the Scan in the Task Library and select schedule. This will bring up the CRON Builder. Choose a date, time, or other periodic range from the drop-downs in the CRON Builder. Please note that the time zone used for the CRON Builder time is Eastern Standard Time (EST).

After selecting a time frame, the scans will be executed according to the given schedule. Please be aware that only one scan of a particular type can execute on the Inspector appliance at a time.

After the schedule is set, the table entry for the Scan in Queued Tasks will display the next run time and whether or not the scan will repeat the schedule.

Please be aware that the scans may be intensive and should be run during non-business hours if possible.

Scan Library versus Scan Queue

The Scan Library contains saved Scan configurations which can be run on demand or on a schedule to conduct Network Scans. The advantage of the Scan Library is that the Network Scan configurations can be reused and run on-demand or on a schedule. There is no need to repeatedly enter the same information (such as the domain controller password or the IP Range) each time a data collection is performed using this model.

Cancelling a Scan

To cancel a queued Scan, click the manage link under the Inspectors bar of the Site's dashboard. From Queued Tasks, click the Delete button for the Scan. This will only delete the Scan from the Queue, so it will not be run until it has been re-scheduled. The Scan configuration will still be stored in the Task Library.

Downloading Scans

Successfully completed Network Scans are immediately available to download through the Network Detective Application. After downloading these Scan files, they can be used to explore data or generate reports as needed.

First, go to the Active Assessment of the Site associated with the Inspector Appliance. From the Assessment's dashboard, select Download Scans from the Imported Scans bar.

All available Scans which have not yet been downloaded will be shown in a list. Check the desired Scans and choose Download Selected, or select Download All to receive all Scans.

After being successfully downloaded, Scans will immediately be displayed under the Imported Scans bar and available for data exploration or report generation.

Preferences Menu Options

The Network Detective Preferences menu presents two sets of options that can be configured as defaults for Network Detective use:

- Report Defaults
- Inspector Alerting Settings Impacting Tech Alerts

Setting the Master Inspector Alerting Preferences

A series of master Inspector Alerting preferences must be configured to ensure that the Inspector you are using can send Tech Alerts.

Tech Alerts are automatic alerts sent to notify you of changes to your customer's network. These alerts are sent via email to the individuals you have configured to receive the alerts in the Tech Alert settings on the actual Inspector that is being used to perform automated scans and automatically generate assessment reports.

Each Tech Alert preference assigned at the assessment level relies on one or more of these Master Inspector Alerting preferences, which make the assessment-level Tech Alert preferences available for use.

Below is a summary of the Inspector Alerting settings that can be set at the Master Level:

There are four primary Inspector Alert settings. Some of these settings can be overridden by similar settings available in the Inspector specific Tech Alerts configuration window. These settings are:

Inspector Alerting ON/OFF - This is the Master switch that can be used to turn OFF all Inspector Alerting ON ALL OF THE INSPECTORS that are licensed to operate with your Network Detective subscriptions. The OFF setting cannot be overridden by the Tech Alert settings available on each individual Inspector. The Inspector Alerting ON global setting can be overridden by turning OFF Tech Alerts within the Tech Alert settings for each individual Inspector.

Alert Time - This is a Global time setting where all of the Inspectors will be configured to send their respective Tech Alerts based on the local Tech Alert settings within each Inspector appliance. NOTE: The Alert Time clock is based on Greenwich Mean Time (GMT); therefore, set the time for the Alerts to be sent to a GMT time that best suits the sending of alerts in a time window that is after the completion of the scans configured on all of the Inspectors you manage.

Alerts (type) - There are two categories of alerts that can be turned ON and OFF at the global level. These are the Network and Security alert types. These settings can be overridden at the Inspector level on an Inspector by Inspector basis through the use of the Inspector's Tech Alert settings. The Network Alerts consist of alerts regarding changes to the Domain Users, Computers, Printers, non-AD Devices, DNS, and Layer 2/3 network configurations. The Security Alert specifically controls the sending of alerts when changes to Internal Vulnerabilities are detected.

IMPORTANT: One setting that cannot be set at the assessment level is the Alert Time.

When using multiple Inspectors, take into consideration the Scan Schedule and the time necessary to complete the scans for each Inspector appliance versus the time when reports relying on these scheduled scans are to be performed. Being aware of the length of time necessary to perform a scan versus a particular reporting task's start time lets you select a time that ensures the most recent scan data will be used. Using the latest scan data will ensure that the most up to date network change information will be sent to you in the form of a Tech Alert.

Please note the reference to Greenwich Mean Time (GMT). Take this time zone into consideration when selecting the default time to issue Inspector Alerts.

Steps to Set Master Inspector Alerting Preferences

Step 1 - Select Preferences

At the top of the Network Detective window, select the Preferences option. The Preferences window will be displayed.

Step 2 - Select Inspector Alerting

Select the Inspector Alerting tab to access the global settings for Inspector Alerting. This action will present the setting selections for Inspector Alerting.

Step 3 - Setting Inspector Alerting Preferences (Important)

Set the global Inspector Alerting settings as summarized below.

Inspector Alerting Setting - This setting allows you to turn ON or OFF the Inspector Alerting at the global level. Turning OFF this setting will result in NO Tech Alert bulletins being sent to you after automatic scans have been performed by an Inspector that is installed at a client site. This OFF setting CANNOT be overridden by a Tech Alert ON setting set on any or all of the Inspectors licensed to operate with your Network Detective subscriptions.

Alerts Setting - This setting allows you to turn On or Off the types of alerts that will be sent based on changes (additions or removals) in Domain Users, Computers, Printers, Non-Active Directory Devices, DNS, and Layer 2/3 network level device analysis of your client's network.

Security New Internal Vulnerability - This setting allows you to activate or deactivate Alerts associated with any new Internal Vulnerabilities that have been identified as a result of a scheduled Internal Vulnerability Scan's comparison to a previous scan performed by Inspector.

Set the Inspector Alerting On/Off, the Alert Time, and select the Default Alerts that should be sent by all Inspectors, then select the OK button. Your Inspector Alerting Preferences will be saved and the Preferences window will close.

Using the Manage Inspector Feature to Configure Automatic Report Generation

Below is an overview of the steps required to set up Automatic Report Generation for the following Assessment reporting:
- Network Assessments
- Security Assessments
- HIPAA Compliance Assessments
- PCI Compliance Assessments

Setting Up Automatic Reports for Network Assessments

Automatic report generation for the Network Assessment Module requires that the scans be run on an Inspector before a report can be generated. Following are the steps necessary to set up automatically generated reports for the Network Assessment Module:
1. Create a new assessment that is of the type Network Assessment. (In Network Detective?)
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the Network Assessment data.

4. After the scan task is created, schedule the scan task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task that specifies desired reports from the Network Assessment Module.

6. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan's data either.
7. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
9. Select and right click on a report to download the report.

Setting Up Automatic Reports for Security Assessments

Automatic report generation for the Security Assessment Module requires that the scans be run on an Inspector before a report can be generated. Following are the steps necessary to set up automatically generated reports for the Security Assessment Module:
1. Create a new assessment that is of the type Security Assessment.
2. Associate your Inspector with the Site in which this new Assessment is created.
3. Manage the Inspector and create a new Scan Task that collects the Security Assessment data.
4. Schedule the Scan Task for the times that are appropriate for this Assessment.
5. Using the Manage Inspector feature and the Task Library Window, create a Report Task that specifies desired reports from the Security Assessment Module.

6. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan's data either.
7. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
8. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule time, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.

9. Select and right click on a report to download the report.

Setting Up Automatic Reports for HIPAA Compliance Assessments

Automatic report generation for the HIPAA Compliance Module requires that a full assessment that includes scans, worksheets and surveys be completed and synced with the Inspector before reports can be generated. This is the only way for user-completed forms to be transferred to the Inspector. Once the assessment is complete and synced, new scans can be run on an Inspector and new reports can be generated with the previously specified Inform-based Survey and Worksheet data.

Following are the steps necessary to set up automatically generated reports for the HIPAA Compliance Module:
1. Using Network Detective, create a new assessment that is of the type HIPAA Risk Assessment.
2. Associate your Inspector with the Site that this new HIPAA Assessment is created within.
3. Complete all the requirements for a successful HIPAA Risk Assessment within this new assessment. This includes external scans, network scans, local scans, and all appropriate Inform-based Surveys and Worksheets. When this step is complete the user should be able to generate all HIPAA reports. The user is free to use the Inspector during this initial HIPAA Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete HIPAA assessment, press the Finish button. Confirm that you wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type HIPAA Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment to the Inspector.

7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Schedule the created Report Task for a time which is certain to be after the scan is complete. Reports will use whatever data is on the Inspector based on the most recent scan that has been completed, so if the scan is not complete then the reports will not have the most recent scan's data either.
9. If the user has specified that reports be delivered by email, the specified email should receive an email with a .zip file of the reports attached as long as the zip file is less than 5 MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side of the Network Detective application. The Download Inspector Reports option will appear at the top of the Network Detective window. Then press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an Exception Report is present in the available reports, or was contained in the .zip file sent in the notification email, OR if you feel that the generated report is using data from an Inform-based worksheet or survey that is outdated:
   a. Note any missing elements present in the Exception report (if present).

   b. Update Inform forms in currently active Assessment to reflect that data desired.
   c. If current Informs do not contain the topics that are noted as missing:
      i. Press the Finish button for the currently active Assessment.
      ii. DO NOT agree to the question which asks if you would like to sync the data to the Inspector.
      iii. Start a new active Assessment. Check the checkbox which says Sync with latest inspector scan.
      iv. New assessment with latest data from the Inspector will be created. Update Inform as appropriate.
   d. Press Finish button for currently active Assessment.
   e. DO agree to sync the data to the Inspector.
   f. Then return to step 5 above.

Setting Up Automatic Reports for PCI Compliance Assessments

Automatic report generation for the PCI Compliance Module requires that a full assessment that includes scans, worksheets and surveys be completed and synced with the Inspector before reports can be generated. This is the only way for user-completed forms to be transferred to the Inspector. Once the assessment is complete and synced, new scans can be run on an Inspector and new reports can be generated with the previously specified Inform-based Survey and Worksheet data.

Following are the steps necessary to set up automatically generated reports for the PCI Compliance Module:
1. Using Network Detective, create a new assessment that is of the type PCI Risk Assessment.
2. Associate your Inspector with the Site in which this new PCI Assessment is created.
3. Complete all the requirements for a successful PCI Risk Assessment within this new assessment. This includes external scans, network scans, local scans, and all appropriate Inform-based surveys and worksheets. When this step is complete the user should be able to generate all PCI reports. The user is free to use the Inspector during this initial PCI Assessment to gather the scan information as appropriate.
4. Once satisfied with a complete assessment, press the Finish button. Confirm that you wish to upload the data to the Inspector to be used with automatic report generation.
5. Start a new Assessment that is of the type PCI Risk Assessment.
6. On the Create New Assessment Wizard Screen, select the checkbox to sync the assessment to the Inspector.

7. Manage the Inspector and set up a task schedule or schedules for collecting data as desired.
8. Manage the Inspector and set up reporting tasks for times when the data collection tasks are certain not to be running.
9. If the user has specified that reports be delivered by mail, the specified email should receive an email with a zip of the reports attached as long as the zip file is less than 5 MB in size.
10. Report generation can take several minutes. After sufficient time has passed after the report generation task schedule, view the generated reports by navigating to the Download Reports item on the left hand side, and press the Download Inspector Reports button at the top. A dialog will appear with reports generated by the Inspector.
11. Select and right click on a report to download the report.
12. If an Exception Report is present in the available reports, or was contained in the zip sent in the notification email, OR if you feel that the generated report is using data from an Inform-based worksheet or survey that is outdated:
   a. Note any missing elements present in the Exception report (if present).
   b. Update Inform forms in currently active Assessment to reflect that data desired.
   c. If current Informs do not contain the topics that are noted as missing:
      i. Press the Finish button for the currently active Assessment.

      ii. DO NOT agree to the question which asks if you would like to sync the data to the Inspector.
      iii. Start a new active Assessment. Check the checkbox which says Sync with latest inspector scan.
      iv. New assessment with latest data from the Inspector will be created. Update Inform as appropriate.
   d. Press Finish button for currently active Assessment.
   e. DO agree to sync the data to the Inspector.
   f. Then return to step 5 above.
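A pre-flight check for the timing rule that recurs in the procedures above (schedule the Report Task after the scan is complete) and for the multi-Inspector note about the GMT Alert Time. This is an added example, not RapidFire Tools code: the record layout, the sample times, the 30-minute margin and the assumption that scan and report times are entered in site-local time are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GMT = timezone.utc  # the guide gives the global Alert Time in GMT


@dataclass
class InspectorSchedule:
    """Hypothetical record of the times entered for one Inspector."""
    site: str
    utc_offset_hours: float     # assumption: task times are site-local
    scan_start: str             # "HH:MM"
    scan_estimate_minutes: int  # taken from earlier runs of the same scan
    report_start: str           # "HH:MM"


def next_occurrence(after, hhmm, tz):
    """First moment at or after `after` whose wall clock in `tz` reads hhmm."""
    hour, minute = map(int, hhmm.split(":"))
    candidate = after.astimezone(tz).replace(
        hour=hour, minute=minute, second=0, microsecond=0)
    if candidate < after:
        candidate += timedelta(days=1)
    return candidate


def check_schedule(sched, alert_time_gmt, day, margin_minutes=30):
    """Return (task, fires_at_gmt, data_ready_at_gmt) for every task that
    would fire before the scan has finished, plus a safety margin."""
    site_tz = timezone(timedelta(hours=sched.utc_offset_hours))
    hour, minute = map(int, sched.scan_start.split(":"))
    scan_start = datetime(day.year, day.month, day.day, hour, minute,
                          tzinfo=site_tz)
    ready = scan_start + timedelta(
        minutes=sched.scan_estimate_minutes + margin_minutes)

    findings = []
    for task, hhmm, tz in (("report", sched.report_start, site_tz),
                           ("alert", alert_time_gmt, GMT)):
        fires = next_occurrence(scan_start, hhmm, tz)
        if fires < ready:
            # This task would run on the previous scan's data.
            findings.append((task, fires.astimezone(GMT),
                             ready.astimezone(GMT)))
    return findings


# Constructed sample data: two Inspectors sharing one global Alert Time.
ALERT_TIME_GMT = "06:00"
DAY = datetime(2015, 10, 13)
SCHEDULES = [
    InspectorSchedule("Site A", -5, "22:00", 180, "23:30"),
    InspectorSchedule("Site B", +1, "01:00", 60, "04:00"),
]

if __name__ == "__main__":
    for s in SCHEDULES:
        for task, fires, ready in check_schedule(s, ALERT_TIME_GMT, DAY):
            print(f"{s.site}: {task} fires {fires:%H:%M} GMT, "
                  f"scan data ready {ready:%H:%M} GMT")
```

For Site A both the report and the alert are flagged, because the scan that starts at 22:00 local time is not expected to finish until after 06:00 GMT.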

Setting Up Tech Alerts and Security Bulletins

Setting Up Tech Alerts

The use of the Inspector Tech Alerts feature presumes that you have set up one (1) or more automated scans for one (1) or more of the Assessment types available on the Inspector Appliance.

Inspector Tech Alerts is an Inspector feature whereby you and other designated recipients within your company can be sent Alerts via email. These Alerts serve the purpose of notifying you of changes identified within your customer's IT infrastructure after pre-scheduled scans/assessments have been performed. The changes contained within a Tech Alert email will be a result of a comparison of the most current and previous scans being performed by Inspector.

To set up Inspector Tech Alerts, perform the following steps.

Step 1 - Select the Site
Double click your mouse pointer on the Site for which you are configuring automated scans and reports in order to view and access the Site.

Step 2 - Select Manage Inspector
After the Site has been opened, select the Manage option present under the Inspectors bar. The Manage Inspector window will be displayed.

Step 3 - Configure Tech Alerts
Select the Tech Alerts tab to access the Tech Alerts settings window, where you view and configure the settings for the alerts.

Step 4 - Turn on Tech Alerts

Select ON to turn on Tech Alerts.

Note: Tech Alerts can only be turned ON if the Inspector Alerts setting in the Preferences option is turned ON. When Inspector Alerts are turned ON, you can turn the Tech Alerts feature ON and OFF as required.

Please note that the default setting for alert distribution frequency of Tech Alerts is for alerts to be sent daily at the Alert Time specified within Preferences.

Alerts will be sent to alert recipients to notify them of network and/or security issues related to internal vulnerabilities that are detected as changes to the network or its security status. Also, alerts may be sent with a No Alerts status as presented in the example below.

Suppressing No Issues Tech Alerts
To prevent Tech Alerts from being sent to recipients with no alert information, you can select the Suppress no issues alerts option in the Manage Inspector Tech Alerts settings window as displayed below.

Step 5 - Configure Alert Selection Settings
To specify which network and security change events should trigger Tech Alerts to be sent to one or more alert recipients, the Alert Selection settings must be defined. You can either select the Use Default Alert Settings option or use Specify Alerts to select which Network and/or Security change events will trigger an alert.

Note that the Use Default Alert Settings option relies on the global Inspector Alert settings that are available under Preferences.

To specify which Network and Security change events should trigger an alert, select the events listed in the Specify Alerts section of the Tech Alerts settings window. After specifying the Network and Security change events that trigger Tech Alerts, continue to the next step.

Step 6 - Configure the Send To settings for Tech Alerts
Configuring the Send To settings allows you to select which of your company's Network Detective users should receive Tech Alerts. Also, the Subject for the Tech Alert email message that is sent to recipients of a Tech Alert can be defined.

When configuring the Send To options, it is recommended that you create a Subject that:
- identifies your customer's company name and the name of the Site to which the Tech Alerts pertain. Creating an informative Subject like this will help avoid confusion about which alert is coming from which customer site when your company uses multiple Inspectors at multiple customer sites.
- the name of the Network Detective Site that is being used with the Inspector sending the alerts. This information might be of value in case there is a need for one of the Tech Alert recipients to quickly access or manage the Inspector sending the alerts.

To configure the Send To settings, perform the following steps:
1. Widen the column of the Subject field.
2. Type in text for the Subject to be contained within the Tech Alert as illustrated below.
3. Define the recipient(s) of the Tech Alerts by selecting the recipient from the available Network Detective users. The available Network Detective Users list is displayed as illustrated in the next step.

4. Select Recipients of Tech Alerts
Select the Network Detective user from the list presented in the Select Users window that is to be a recipient of the Tech Alerts and select the OK button. If you do not see an email address for an individual that you want to be assigned as a Tech Alert recipient, then add the desired individual as a user of Network Detective using the Manage Users option. Then repeat this process.

After the completion of Step 5, the Subject text to be present within each Tech Alert message along with the email recipients that will receive Tech Alerts will have been defined.

Step 7 - Save Tech Alert Settings to Complete the Tech Alert Configuration Process
After completing the definition of the settings for Tech Alerts, select the Save and Close button to save the settings and close the Manage Inspector window.
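The Tech Alert settings described above interact: the global Inspector Alerting switch overrides the per-Inspector switch, the alert selection comes either from the global defaults or from Specify Alerts, and an empty result is either sent as a No Alerts message or suppressed. The following added example models that decision over two constructed scan inventories; it is not the product's code, and the class names, field names and inventory format are hypothetical.

```python
from dataclasses import dataclass, field

# Change categories named in the Alerts Setting description.
NETWORK = ("Domain Users", "Computers", "Printers",
           "Non-Active Directory Devices", "DNS", "Layer 2/3")
NEW_VULN = "New Internal Vulnerability"  # only newly seen findings alert


@dataclass
class GlobalPrefs:
    """Preferences > Inspector Alerting (field names are hypothetical)."""
    alerting_on: bool
    default_alerts: set


@dataclass
class SiteTechAlerts:
    """Manage Inspector > Tech Alerts (field names are hypothetical)."""
    tech_alerts_on: bool
    use_default_alerts: bool = True
    specified_alerts: set = field(default_factory=set)
    suppress_no_issues: bool = False


def diff_scans(previous, current):
    """Additions and removals per category between two scan inventories."""
    changes = {}
    for cat in NETWORK + (NEW_VULN,):
        before = set(previous.get(cat, ()))
        after = set(current.get(cat, ()))
        added = sorted(after - before)
        removed = [] if cat == NEW_VULN else sorted(before - after)
        if added or removed:
            changes[cat] = {"added": added, "removed": removed}
    return changes


def decide_alert(prefs, site, previous, current):
    """Return (send, reason, changes) for one Inspector after a scan."""
    if not prefs.alerting_on:
        # The global OFF setting cannot be overridden per Inspector.
        return (False, "global Inspector Alerting is OFF", {})
    if not site.tech_alerts_on:
        return (False, "Tech Alerts are OFF for this Inspector", {})
    enabled = (prefs.default_alerts if site.use_default_alerts
               else site.specified_alerts)
    changes = {cat: delta
               for cat, delta in diff_scans(previous, current).items()
               if cat in enabled}
    if changes:
        return (True, "changes detected", changes)
    if site.suppress_no_issues:
        return (False, "no issues, suppressed", {})
    return (True, "No Alerts status", {})


# Constructed sample inventories (previous scan vs. most current scan).
PREVIOUS = {"Domain Users": ["alice", "bob"], "Computers": ["PC-01"],
            "DNS": ["mail.example.test"],
            NEW_VULN: ["constructed-finding-1"]}
CURRENT = {"Domain Users": ["alice", "bob", "svc-backup"],
           "Computers": ["PC-01"], "DNS": [],
           NEW_VULN: ["constructed-finding-2"]}

if __name__ == "__main__":
    prefs = GlobalPrefs(True, {"Domain Users", "Computers", NEW_VULN})
    print(decide_alert(prefs, SiteTechAlerts(True), PREVIOUS, CURRENT))
```

Running the same inventories through different settings shows which changes a given configuration would never report, for example a removed DNS entry when DNS is not among the selected alerts.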

Example of a Tech Alert
Below is an example of a Tech Alert message sent by Inspector.

Setting-up Security Bulletins

The use of the Security Bulletins feature presumes that you have set up one (1) or more automated scans for one (1) or more of the Assessment types available on the Inspector Appliance.

Security Bulletins will be sent to your customers when a number of changes to their IT infrastructure have been identified as a result of automated scans being performed by Inspector. The changes detected and reported upon include changes to network users, computers, and the network itself.

Please note: Security Bulletins (i.e. alerts) will be sent at the global Alert Time set in the Inspector Alerting Preferences. The time zone for the Alert Time setting is based on GMT.

To send branded Security Bulletins containing important information to contacts at your client's company, set up Inspector Security Bulletins to be sent to designated recipients by performing the following steps.

Step 1 - Select the Site
Double click your mouse pointer on the Site for which you are configuring automated scans and reports in order to view and access the Site.

Step 2 - Select Manage Inspector
After the Site has been opened, select the Manage option present under the Inspectors bar. The Manage Inspector window will be displayed.

Step 3 - Configure the Security Bulletins
Select the Security Bulletins tab in the Manage Inspector window to configure the settings for the bulletins. The Security Bulletins window will be displayed.

Step 4 - Configure Settings for Security Bulletins
There are four primary settings options that can be configured to set up Security Bulletins. These options are:

Security Bulletins On-Off
This settings option enables you to turn Security Bulletins ON or OFF. Security Bulletins can only be turned ON when the Global Inspector Alerts setting is set to ON.

Security Bulletin Configuration
This settings option enables you to configure the Customized and Branded Security Bulletin message format to be used when bulletins are emailed to your customers. This feature includes the ability to personalize the Security Bulletin message.

Send To
This settings option enables you to define the Subject text that is to be presented in the Security Bulletin email message itself and to assign the email addresses for recipients that are to receive the Security Bulletin email messages.

Alert Level
This setting enables you to control what priority/type of Security Bulletins are to be automatically sent to your customers. There are 3 levels:
- 3 - All Bulletins
- 2 - Medium and High Priority Bulletins
- 1 - High Priority Bulletins

Email Domain Used by Inspector for Sending Security Bulletins
The email domain used by all Inspectors to send Security Bulletins is: security-bulletins.com. Be sure to notify your customers of this fact so that they can configure their email Spam filters to allow email messages from this domain to be delivered to their Inbox.

Please perform the following steps to configure the settings for Security Bulletins:
1. Turn Security Bulletins On.
2. Enter the Greeting that you want to use in the Security Bulletin email text.
3. Complete the email From field. For example, enter firstname.lastname, firstinitiallastname, yourcompanynamewithnospaces, or any other text string that meets SMTP email address standards. Whatever text you place into this field, this setting will create a From email address of yourtext@security-bulletins.com.
4. Complete the Prepared By field.
5. Complete the Service Provider field.
6. Add your Personalized Message that will be placed into the bulletin.
7. Add email Signature information to tell your client how to reach you.
8. Type in the Security Bulletin's Subject text in the Send To section.
9. Add email address to the To field of the Send To section.
10. Set the High, Medium, or All Alert Level to determine the priority level of events that will cause the recipients to receive a Security Bulletin.

Upon completion of these steps, the Security Bulletin settings should look similar to the Security Bulletin settings below.

Click on Save and Close to save Security Bulletin settings.

Suppressing No Issues Security Bulletins
To prevent Security Bulletins from being sent to recipients with no alert bulletin information, you can select the Suppress no issues bulletins option in the Manage Inspector Security Bulletins settings window as displayed below.

Example of a Security Bulletin
Below is an example of an MSP-branded Security Bulletin message sent by Inspector.

Configuring the Local Data Scan Merges

When local scans are performed by Inspector, they can be merged into a particular domain data set. The Configuration of Local Scan Merges feature allows you to select which method you prefer to use when merging local scans. This setting will impact Alerts, Bulletins, and Automated Report Generation.

To select the process to be used by Inspector to merge any Local Scan Data into a domain, perform the following steps.

Step 1 - Select the Site
Double click your mouse pointer on the Site for which you are configuring automated scans and reports in order to view and access the Site.

Step 2 - Select Manage Inspector
After the Site has been opened, select the Manage option present under the Inspectors bar. The Manage Inspector window will be displayed.

Step 3 - Set Scan Data Merge Configuration
Select the Configuration tab in the Manage Inspector Window to view the Local Scan Merge settings.

Step 4 - Set the Local Scan Merge Settings
Select the preferred Local Scan Merge method, or select Do Not Merge Local Scans. Then select the Save and Close button to store the data merge settings.

Updating the Inspector Appliance

After installing the Inspector Appliance at the Site's physical location and associating the Inspector with a Site in the Network Detective Application, it's important to regularly update the Appliance to get the most out of Data Collections, Automated Reports, Tech Alerts, and Security Bulletins.

In the Network Detective Application, navigate to the Site's dashboard and select update now from under the Inspectors bar. Note that the link will only be visible if software updates are available.

IMPORTANT: The Inspector Update Now feature, when activated to update the Inspector, will shut down any tasks that are currently running on the Inspector appliance. Before updating the Inspector, either stop a currently running task listed in the Task Library window Queued Tasks list, or perform the update after running tasks are completed.

A dialog will appear confirming the request for a software update.

Appendices

Appendix I - Diagnostic Tool

The Diagnostic Tool is used to gather relevant diagnostic information, test connectivity, manage updates, and allow remote support to the Inspector appliance.

Available Commands
There are a number of commands available within the Appliance Manager.

Location and Information
- Locate Network Detective Appliance: Re-initializes the Inspector discovery process and attempts to retrieve the Device ID number and other diagnostic information.
- Get Appliance Device ID: Displays the Inspector Appliance's Device ID, used when associating the Inspector Appliance with a Site in the Network Detective Application.

Diagnostics and Troubleshooting
- Appliance Diagnostics: Queries the Inspector for diagnostic information used to verify running status, software, connectivity, and NIC information.
- Ping Test from Appliance: Performs a ping test directed at a specified host or IP address from the point of view of the Inspector itself. Note: network connectivity is required for the Inspector to operate properly.
- Get Log Files: Retrieves diagnostics logs from the Inspector. Returns a link to download a .zip file containing run log information which may be used for further troubleshooting.

Service Control
- Appliance Service Status: Queries the Inspector to return its current status. The possible statuses are as follows:
  Idle: The device is online, but performing no action.
  Queued: The device is online and performing no action. A schedule is active and queued to run.
  Running: The device is online and currently running a schedule.
- Appliance Service Restart: Requests a Service Restart from the Inspector. Exercise caution when using this command because it may interrupt any running Scan.

Updating via USB
- Update Appliance via USB: Requests the Inspector to update via USB. Attempts to detect a USB device. If a USB device containing the necessary files is found connected to the Inspector, an update will be performed.

  Please ensure that a USB stick containing the update is plugged into the USB port of the Inspector appliance.
- Check USB Update Status: Returns the current status of a running update. Also attempts to detect any USB device with available updates.

Remote Assistance
- Toggle Remote Assistance Status: Instructs the Inspector to make itself available for Remote Assistance and to allow a technician to access the device for support.
- Check Remote Assistance Status: Returns the current status of Remote Assistance.

Shutdown and Restart
Restarts the Inspector Appliance.
- Shutdown Appliance: Shuts down the Inspector Appliance.