Frequently Asked Questions

What are the benefits of running your audits?
What are the auditing service options?
What are some of the common vulnerabilities found?
Your service is too expensive!
Can other people see my audit results?
Will this guarantee the security of my network?
I have a firewall. Do I need this service?
I have my own vulnerability scanner. Why would I need yours?
Can I scan anyone's machine?
Can you email me the audit results?
Which platforms do you audit?
Will my network crash as a result of an audit?
How long does it take to run an audit?
What is CVE?
What are channels?
What are the well known services and ports?
Why don't you always scan all TCP and UDP ports?
Why are you using cookies?
Why did you falsely detect application X to be vulnerable?
Can you provide some testimonials or references?
Questions and Confidentiality

What are the benefits of running your audits?
Attracting thousands of users all over the world, Security Audits are the most comprehensive, up-to-date and cost-effective security auditing services on the internet. The easy-to-use tool:
  • provides an external view of your network from the internet,
  • scans all 65,535 ports of an IP for potential security holes,
  • examines your system with 54701 vulnerability tests for security weaknesses, including Windows based attacks, denial of service attacks, root exploits, CGI abuses, mail server vulnerabilities, and firewall vulnerabilities,
  • provides a detailed and comprehensive report on findings, and suggests potential solutions,
  • includes the latest vulnerability tests on a regular basis.

What are the auditing service options?
We provide a number of different service levels and types of subscriptions. A price & feature comparison provides a quick overview of what you get with the different packages. The 5 different types of audits available:
  1. Basic Audit: a TCP port scan of over 1500 ports;
  2. Single Vulnerability Test: a selection of one of 54701 different vulnerability tests;
  3. Desktop Audit: a TCP port scan of over 1500 ports, plus 3831 vulnerability tests in the DoS, Windows, Backdoors, Misc. & Firewalls categories;
  4. Standard Audit: a Basic Audit (port scan) and execution of all 54701 available vulnerability tests;
  5. Advanced Audit: a 65,535 TCP port scan and execution of all 54701 available vulnerability tests.

Our No Risk audit is equivalent to the Standard Audit in its execution, except that we don't show you the details of the problems we found. This is useful as a way of determining whether or not you have any problems before you decide to buy any of our services.

Your service is too expensive!
You're entitled to your opinion. However, we ask you to consider the following:

  • None of our competitors offer services as inexpensive as ours.
  • The cost of setting up and maintaining your own scanner can easily exceed the cost of a subscription to our services.
  • The cost of a security breach on your network will almost always exceed the cost of our services.
Consider the following services:
  • $199 for one month of unlimited advanced audits on an unlimited # of IPs
  • $249 for a year of recurring monthly advanced audits + network monitoring services. (12 Advanced audits, round the clock monitoring of your servers at 5 minute intervals for 5 devices.)
  • $999 for a dedicated server for a full month, capable of running approximately 20,000 standard audits, or about 7,500 advanced audits during a month.
We feel these prices are second to none in the industry.

Can other people see my audit reports?
No. Only you can see the results of your audit. Audit reports are generated based on scan results in our local databases. The only way you get to see the audit report is by logging in to your account on our secure SSL server.

What are some of the common vulnerabilities found?
The problems we routinely find usually fall into one of the following areas:

  • Unpatched/out of date software with known vulnerabilities
  • Dangerous or unneeded services available for exploit
  • Improperly configured software allowing unwanted access to resources

Will this guarantee the security of my network?
No. The reports give you information as to potential areas to examine for security concerns, but you must still take the necessary steps to secure your network.

I have a firewall. Do I need this service?
Firewalls are great for restricting access to your network, but firewalls cannot prevent all problems. Two of the most common problems with firewalls are
  • misconfiguration allowing unwanted access
  • vulnerable services behind the firewall (e.g. web server on port 80) allowing an attacker to tunnel through the firewall, through the vulnerable service, onto the machine running the vulnerable service, from where they can attack the rest of your network from behind the firewall itself.
For a list of the firewall specific tests available, click here.

I have my own vulnerability scanner. Why would I need yours?
There are many scanners available, both commercial and open source. The benefit of using this service, however, is not in the specific technology being used, but that it provides:
  • An external view of your network. Getting an external view of your network usually involves getting access to a machine outside your network for the purpose of running your scan. The cost of setting up and maintaining this type of access can often be more than the cost of this service alone.
  • Reproducibility. As an audit mechanism, Security Audits are a low cost, reproducible audit that can be run whenever you need.
  • Low effort. Setting up and configuring a vulnerability scanner for proper operation can be time-consuming.
  • Always up to date. By using a service, you automatically receive the latest vulnerability tests without having to install them into your own scanner. We ensure that our test suite is always up to date. We provide new vulnerability tests on a regular basis as security issues/holes are found. For example, check out the tests added in the last 30 days. In addition, we tell you via our vulnerability announcement list the moment any new tests corresponding to remotely exploitable vulnerabilities are on-line, assisting you in keeping up to date on problems that may impact your network.

Can I scan anyone's machine?
No. You may only scan the machine which you own. Normally, that means the machine from which you are browsing.

If you wish us to scan a machine that you cannot surf from (e.g. a corporate web server), use the IP Permissions form to submit the range of IPs that you wish to be able to audit. After we confirm that you are authorized to audit the requested IPs, we'll grant your account privileges to audit those IPs regardless of where you are surfing from. Note: we offer this service only to customers that purchase auditing services.

Can you email me the audit results?
We will provide you with an email alert indicating that a scan has been completed. However, for security reasons, we will not email you the results, since email is an insecure way of sending information.

Even if we launch an audit on your behalf, the audit is run out of your account on our system, and the report is available for pick up from the same account.

Which platforms do you audit?
Our service has tests for virtually every platform out there, and is not limited to one particular operating system or application suite. You will find tests for Windows, Linux, Unix, Macintosh, Web servers, Database products, and more. If it can be remotely tested, we try to have the test for it available.

Will my network/system crash as a result of an audit?
We certainly hope not, but ultimately there are no guarantees. Bear in mind that an audit is considered to be an intrusive operation.

The different audits have different risk levels associated with them. Our Basic Audit is a port scan that should not impact anyone's system. It is relatively low bandwidth (<50K at peak), and if it does crash your system, you should definitely be looking at doing something about this, since it is quite likely you will be port scanned by someone in the future.

A number of the vulnerability tests are denial of service attacks that are designed to test the integrity of your hardware and software. These tests focus on known problems on various computer systems, and may impact the equipment they are aimed at, such as routers, firewalls, etc. For a description of the various DoS attacks included in the test suite, check here. None of the DoS tests involve deliberate attempts to flood your bandwidth (a trivial, non-preventable attack). DoS tests are disabled by default to reduce the likelihood of your system crashing, but you may enable them at your own discretion.

How long does it take to run an audit?
This depends on the type of audit you launched, the network between us and you, and how your system is configured. For unprotected systems (no firewalls or packet filtering), the times are roughly:

  • Basic Audit: 30 seconds
  • Single Vulnerability Test: 5-60 seconds
  • Desktop Audit: 10 minutes
  • Standard Audit: 20 minutes
  • Advanced Audit: 90 minutes
For systems that are shielded by packet filtering of one form or another, the times are closer to:
  • Basic Audit: 10 minutes
  • Single Vulnerability Test: 60 seconds
  • Desktop Audit: 30 minutes
  • Standard Audit: 1.5 hours
  • Advanced Audit: 2.5 hours (on rare occasions, up to 8 hours).
Regardless of how long it takes, when an audit is complete, we email you a notification that you requested an audit, and that the results are complete and available on-line.

Advanced audit subscribers have a default of 2 channels available, meaning that they can run 2 audits simultaneously. Both Advanced and standard audit subscribers may purchase additional channels allowing for conducting audits of larger networks faster.

What is CVE?
CVE stands for Common Vulnerabilities and Exposures. It represents a standard way of numbering and describing known vulnerabilities. The scanning engine we use includes CVE identifiers where available. Our test reports include these identifiers linked to the official CVE site located at cve.mitre.org.

All our tests now include, when available, related on-line cross-references, providing additional information on those vulnerabilities. Such cross-references include:

  • Cert/CC Advisories,
  • BugTraq IDs,
  • Vendors' product related vulnerabilities/solutions,
  • mailing lists, discussions and more.

There are over 10,000 on-line resources available associated with the various CVE identifiers in our tests. You can search our database for tests by CVE or CVE candidate number.

What are channels?
Channels are how we manage audits. Each channel has the ability to process one audit request at a time, and each audit request will usually take no more than 50Kbit of bandwidth. Advanced monthly/yearly subscribers by default have 2 channels available to them, meaning that they can run two audits at a time. Dedicated server leases include 50 channels per server, while all other customers have one channel by default available to them. All customers may purchase additional channels to allow for auditing larger networks more quickly.

What are well known services and ports?
Well known services are services known to customarily exist on specific ports. This is different from the definition of a well known port, which is the port range 0 through 1023. From IANA's web pages, the port definitions are as follows:

The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and the Dynamic and/or Private Ports.
  • The Well Known Ports are those from 0 through 1023.
  • The Registered ports are those from 1024 through 49151.
  • The Dynamic and/or Private Ports are those from 49152 through 65535.

The ports we audit are all well known ports (1-1023), along with about 500 ports in the 1024-65535 range. These additional ports consist of both legitimate services and commonly known trojans.

To see the IANA well known ports that have been assigned, check out their site at www.iana.org.

Why don't you always scan all TCP and UDP ports?
To scan all possible ports would involve scanning over 130,000 ports. While that would be thorough, there are a number of problems associated with doing this:

  • Scanning can take a long time. To scan all 64K TCP ports would take our scanner several hours. We do offer a full 64K TCP port scan as part of our advanced audit.
  • UDP ports cannot be scanned reliably. The problem with UDP ports is that they don't respond when the port is open. That would be fine, except that many firewalls will also not respond when you probe a UDP port, even if that port isn't open. The result ends up being a large number of false positives. The vulnerability tests do check for a number of UDP services, but even here, if your system is firewalled, false positives can occur.
  • Solaris systems cannot be UDP scanned any faster than 2 ports per second, due to a throttling mechanism applied by Solaris itself. Thus, a 1500 port UDP scan would take over 10 minutes, and a full 64K port scan would take over 9 hours.

Our methodology is to ensure we provide accurate results, and because the last two items make it either difficult or impossible to perform effective full UDP port scans, we have elected to limit UDP scans to checking for services (e.g. trojans) residing on known UDP ports.

Why are you using cookies?
Cookies are a way that a web server can store, either temporarily or for longer periods of time, information about you, the user, on your own browser's computer system. We use cookies to manage and secure our login and session management process ONLY. The cookies we generate are never written to your disk cache. They will only ever be transmitted over secure SSL connections, and we never use them for any reason other than to do login session management. You will have to enable cookies, and accept the cookie "asaut" (if your browser is prompting you for acceptance) in order to be able to successfully use this service.

Why did you falsely detect application X to be vulnerable?
We often get questions such as "You indicate my SMTP server type <somename> is vulnerable, but I'm not even running that server. What gives?"

We detect vulnerable applications in one of two ways. The first is banner checking, where the application in question tells us that it is version X. When we know version X is vulnerable, we report that. This is, however, susceptible to banner fiddling: if you change the banner string reported, we might produce an erroneous report. There is also the issue that many Linux distributions maintain their own version of an application, introducing security fixes with patch levels that leave the base version number the same. In these cases, we may erroneously report your server as vulnerable.

The second method of checking involves actually TESTING an application's vulnerability by injecting a benign payload of data that is known to cause the application to crash, produce an error, or show some similar, measurable activity. In these cases, we are checking to see if the application behaviour is consistent with that of a vulnerable application (e.g. it closes the socket connection because the instance crashed). This method can detect vulnerabilities in application versions OTHER than the one in which the vulnerability was originally found. It does, however, suffer from a key weakness: some applications (notoriously SMTP and FTP servers), rather than returning an error message on an invalid data payload, simply detect the bogus data and close the connection deliberately. From our perspective this is indistinguishable from an application crash, and can result in false positives being reported.
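To show how a banner-only finding should be read, here is an added example (not the scanner's own code) that parses an SMTP banner, compares the advertised version against a constructed advisory, and separates a plain "likely vulnerable" result from the distribution-backport case the FAQ describes, where the base version is below the fix but a distro patch level is present. The product name "ExampleMTA", the banner grammar, the advisory versions and the sample banners are all hypothetical.

```python
import re

# Constructed advisory data (hypothetical product and versions, not from the FAQ):
# any version strictly below "fixed_in" is treated as affected.
ADVISORIES = {
    "ExampleMTA": {"fixed_in": (2, 4, 2), "id": "ADVISORY-PLACEHOLDER"},
}

# Assumed banner grammar: "<code> <host> ESMTP <product> <version>[-<distro patch level>]"
BANNER_RE = re.compile(
    r"^\d{3} \S+ ESMTP (?P<product>\S+) (?P<version>\d+(?:\.\d+)*)(?P<patch>-\S+)?"
)


def parse_banner(banner):
    """Return (product, version_tuple, distro_patch_or_None), or None if unrecognised."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group("version").split("."))
    return m.group("product"), version, m.group("patch")


def banner_check(banner):
    """Classify a banner-only finding the way a scan report should be read.

    'status' is one of:
      not_affected - advertised version is at or above the fix
      likely       - version below the fix, no sign of distro patching
      verify       - version below the fix but a distro patch level is present,
                     so a backported fix may make this a false positive
      unknown      - banner unrecognised or altered, or no advisory for the product
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return {"status": "unknown", "reason": "banner not recognised (missing or altered)"}
    product, version, patch = parsed
    adv = ADVISORIES.get(product)
    if adv is None:
        return {"status": "unknown", "reason": "no advisory on file for %s" % product}
    fixed = ".".join(str(n) for n in adv["fixed_in"])
    if version >= adv["fixed_in"]:
        return {"status": "not_affected", "reason": "version at or above fix %s" % fixed}
    if patch:
        return {"status": "verify",
                "reason": "base version below fix %s but distro patch level %s present; "
                          "confirm via package changelog or a behavioural test" % (fixed, patch)}
    return {"status": "likely", "reason": "banner version below fix %s (%s)" % (fixed, adv["id"])}
```

A "verify" result is the case the FAQ warns about: the banner alone cannot tell a backported fix from an unpatched install, so the finding needs a second source of evidence before it is treated as a real vulnerability.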

Can you provide some testimonials or references?
We recommend you visit our testimonials page. This documents our position on this subject.

Questions and Confidentiality
We fully understand the importance of confidentiality and the privacy of your audit information. If you have any further questions, please drop us a line at contact <at> securityspace <dot;> com.



© 1998-2017 E-Soft Inc. All rights reserved.