The asset exposure analysis feature automatically analyzes the exposures of your Elastic Compute Service (ECS) instances on the Internet and visualizes the communication links between your ECS instances and the Internet. The feature also displays details about the vulnerabilities in the exposed ECS instances in a centralized manner. This way, you can identify the exposures of your assets on the Internet and fix the vulnerabilities based on the suggestions provided by the feature. This topic describes how to use the asset exposure analysis feature of Security Center.

Background information

Asset exposure analysis depends on the middleware information that is collected in asset fingerprints. To collect the middleware information, perform the following operations: In the upper-right corner of the Asset Fingerprints page, click Settings. In the Settings dialog box, set Middleware to Collected once an hour, Collected once 3 hours, Collected once 12 hours, or Collected once a day. If you set Middleware to Disable or a value that indicates a long collection cycle such as Collected once every 7 days, asset exposure analysis does not refresh the analysis results on a daily basis. For more information, see Automate periodic collection tasks.

The analysis results of asset exposures are automatically refreshed on a daily basis. You do not need to refresh the results.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

The analysis results of asset exposures cover only the exposures of your ECS instances on the Internet. The results do not cover the Internet exposures of servers that are not deployed on Alibaba Cloud.

Statistics

The Asset Exposure Analysis page displays the exposure statistics of the assets on the Internet and the details of the exposures. The following table describes the details of the exposures.

| Item | Description |
| --- | --- |
| Exposed Assets/Public IP | The total numbers of servers and IP addresses that are exposed on the Internet. |
| Gateways | The total number of gateway assets that are exposed on the Internet. The gateway assets include Network Address Translation (NAT) gateways and Server Load Balancer (SLB) instances. You can click the number below Gateways to go to the Gateways panel. In the panel, you can view the gateway assets that are exposed on the Internet. You can also click the name of an exposed gateway asset to go to the details page of the asset. |
| Exposed Ports | The total number of ports that are exposed on the Internet. You can click the number below Exposed Ports to go to the Exposed Ports panel. In the panel, you can view the ports that are exposed on the Internet. You can also click the name of an exposed port to view the assets that use this port. |
| Exposed Components | The total number of server components that are exposed on the Internet. The components include OpenSSL and OpenSSH. You can click the number below Exposed Components to go to the Exposed Components panel. In the panel, you can view the components that are exposed on the Internet. You can also click the name of an exposed component to view the assets that use this component. |
| Exploitable Vul | The total number of vulnerabilities that can be exploited by attackers and the numbers of high-risk, medium-risk, and low-risk vulnerabilities. You can click the number of high-risk, medium-risk, or low-risk vulnerabilities to go to the Vulnerabilities page. The priorities of vulnerabilities are marked in different colors: • High-risk vulnerabilities: red. These vulnerabilities pose major threats to your assets. We recommend that you take note of these vulnerabilities and fix them at the earliest opportunity. • Medium-risk vulnerabilities: orange. These vulnerabilities cause damage to your assets. We recommend that you fix the vulnerabilities at the earliest opportunity. • Low-risk vulnerabilities: gray. These vulnerabilities are less harmful to your assets than high-risk and medium-risk vulnerabilities. You can fix low-risk vulnerabilities at your convenience. |
| Weak Passwords | The total number of detected weak passwords on your servers that are exposed on the Internet. You can click the number below Weak Passwords to view the exposed servers on which weak passwords are detected. |

View the exposure details about an asset

The panel of asset exposure details shows the communication link between assets and the Internet. To view the exposure details about an asset, perform the following steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Exposure Analysis.
  3. Specify filter conditions above the list of exposed assets to query the assets that you want to view.
    You can query the assets on which vulnerabilities are detected or no vulnerabilities are detected. You can also filter assets by asset group. Alternatively, you can enter a public IP address, port number, component name, name of your ECS instance, or ID of your ECS instance.
    In the upper-right corner above the exposed asset list, you can click the Export icon to export and save the exposure details of the assets to your computer. The exposure details of the assets are exported to an Excel file.
    Note: The time required to export the exposure details varies based on the size of the exposure details data.
  4. Find the asset that you want to view and click Exposure Details in the Operation column.
  5. In the panel that appears, view the communication link topology between the asset and the Internet, the details of the link, the detected weak passwords, and the details of vulnerabilities.

    If your server accesses the Internet by using multiple methods, the communication link topology shows multiple paths to access the Internet. For example, if your server accesses the Internet by using a NAT gateway and an SLB instance, the communication link topology shows two paths to access the Internet. You can click the asset on each access path to switch to the path and view the path details.

    Different colors in a communication link topology indicate different severities of the vulnerabilities detected in each asset.
    • Red: High-risk vulnerabilities are detected in your asset. These vulnerabilities can be exploited over the Internet by attackers.
    • Orange: Medium-risk vulnerabilities are detected in your asset. These vulnerabilities can be exploited over the Internet by attackers.
    • Gray: Low-risk vulnerabilities are detected in your asset. These vulnerabilities can be exploited over the Internet by attackers.
    • Green: No weak passwords and no vulnerabilities that can be exploited over the Internet by attackers are detected in your asset.
    Note: The mappings between the colors and severities of vulnerabilities apply only to your assets. The mappings do not apply to other components in the communication link topology, such as the Internet. By default, the icon that indicates the Internet is gray.
  6. Click the name of a vulnerability. On the Application tab of the Vulnerabilities page, you can view the details of the application vulnerability.
    In the vulnerability list that shows the application vulnerabilities detected in the asset, you can view the details of the vulnerabilities and manually fix the vulnerabilities based on the fix suggestions. We recommend that you fix high-risk vulnerabilities at the earliest opportunity. For more information, see View and handle application vulnerabilities.
  7. Click the Weak Passwords tab to view the details of detected weak passwords.
    You can click the name of a weak password item to go to the details page of the asset. On the Baseline Risks tab, you can view all the baseline risks that are detected on the asset. Attackers may exploit the weak passwords of your servers to log on to your servers and steal data on your servers or compromise your servers. We recommend that you fix weak password vulnerabilities at the earliest opportunity.
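
The color mapping above can also be applied to an exported exposure list outside the console. The following is an added example, not part of the original documentation or any Alibaba Cloud code: it merges the per-port rows of an export by instance and orders the assets worst first. The CSV layout, column names, instance IDs and the "unmapped" label are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample standing in for the exported Excel file saved as CSV.
# Column names and instance IDs are assumptions, not the export's real headers.
SAMPLE_EXPORT = """instance_id,public_ip,port,component,high,medium,low,weak_passwords
i-example0001,203.0.113.10,22,OpenSSH,1,0,2,0
i-example0001,203.0.113.10,443,OpenSSL,0,1,0,0
i-example0002,203.0.113.20,443,OpenSSL,0,2,0,1
i-example0003,203.0.113.30,80,,0,0,3,0
i-example0004,203.0.113.40,443,OpenSSL,0,0,0,0
i-example0005,203.0.113.50,22,OpenSSH,0,0,0,2
"""

COUNTS = ("high", "medium", "low", "weak_passwords")
# "unmapped" is this example's own label: the page defines no color for an
# asset that has weak passwords but no exploitable vulnerabilities.
RANK = {"red": 0, "orange": 1, "gray": 2, "unmapped": 3, "green": 4}


def topology_color(high, medium, low, weak_passwords):
    """Highest severity present decides the color; green needs all zeros."""
    if high:
        return "red"
    if medium:
        return "orange"
    if low:
        return "gray"
    return "unmapped" if weak_passwords else "green"


def triage(csv_text):
    """Merge per-port rows by instance and sort them worst first."""
    assets = defaultdict(lambda: {"exposed": set(), **dict.fromkeys(COUNTS, 0)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        asset = assets[row["instance_id"]]
        asset["exposed"].add(f'{row["public_ip"]}:{row["port"]}')
        for col in COUNTS:
            asset[col] += int(row[col] or 0)  # blank cell counts as zero
    queue = [
        {"instance_id": iid, "color": topology_color(*(a[c] for c in COUNTS)),
         **a, "exposed": sorted(a["exposed"])}
        for iid, a in assets.items()
    ]
    queue.sort(key=lambda e: (RANK[e["color"]], -e["weak_passwords"], e["instance_id"]))
    return queue


def fix_queue(csv_text):
    """Everything that is not green still needs work."""
    return [e for e in triage(csv_text) if e["color"] != "green"]
```

Assets labelled "unmapped" have no exploitable vulnerabilities but still carry weak passwords, so they stay in the fix queue rather than being treated as green.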