The feature of asset exposure analysis automatically analyzes the exposures of your Elastic Compute Service (ECS) instances on the Internet and visualizes the communication links between your ECS instances and the Internet. The feature also displays the details of the vulnerabilities that are detected on the exposed ECS instances in a centralized manner. This way, you can quickly identify the exposures of your assets on the Internet and fix the vulnerabilities based on the suggestions that are provided by the feature. This topic describes how to use asset exposure analysis of Security Center.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

The feature of asset exposure analysis supports only ECS instances. The feature does not support servers that are not deployed on Alibaba Cloud.

Statistics

The analysis results of asset exposures are automatically refreshed on a daily basis. The Exposure Analysis page displays the statistics of assets exposed on the Internet and the details of the exposures. The following list describes each exposure statistic.

Exposed Assets/Public IP: The total numbers of ECS instances and IP addresses that are exposed on the Internet.

Gateways: The total number of gateway assets that are exposed on the Internet. The gateway assets include NAT gateways and Server Load Balancer (SLB) instances. You can click the number below Gateways to go to the Gateways panel. In the panel, you can view the gateway assets that are exposed on the Internet. You can also click the name of an exposed gateway asset to go to the details page of the asset.

Exposed Ports: The total number of ports that are exposed on the Internet. You can click the number below Exposed Ports to go to the Exposed Ports panel. In the panel, you can view the ports that are exposed on the Internet. You can also click the number of an exposed port to view the assets that use the port.

Exposed Components: The total number of system components that run on your ECS instances and are exposed on the Internet. The components include OpenSSL and OpenSSH. You can click the number below Exposed Components to go to the Exposed Components panel. In the panel, you can view the components that are exposed on the Internet. You can also click the name of an exposed component to view the assets that use the component.

Exploitable Vul: The total number of vulnerabilities that can be exploited by attackers and the numbers of high-risk, medium-risk, and low-risk vulnerabilities. You can click the number of high-risk, medium-risk, or low-risk vulnerabilities to go to the Vulnerabilities page. Vulnerabilities of different severities are marked in different colors:
  • High-risk vulnerabilities: red. These vulnerabilities pose major threats to your assets. We recommend that you take note of these vulnerabilities and fix them at the earliest opportunity.
  • Medium-risk vulnerabilities: orange. These vulnerabilities cause damage to your assets. We recommend that you fix the vulnerabilities at the earliest opportunity.
  • Low-risk vulnerabilities: gray. These vulnerabilities are less harmful to your assets than high-risk and medium-risk vulnerabilities. You can fix low-risk vulnerabilities at your convenience.

Weak Passwords: The total number of detected weak passwords on your ECS instances that are exposed on the Internet. You can click the number below Weak Passwords to view the exposed ECS instances on which weak passwords are detected.

Prerequisites

Asset exposure analysis depends on the middleware information that is collected in the fingerprints of assets. To collect the middleware information, you must set the interval at which middleware information is collected to Collected once an hour, Collected once every 3 hours, Collected once every 12 hours, or Collected once a day. If you set the interval to Disable or a value that indicates a long collection cycle such as Collected once every 7 days, asset exposure analysis does not refresh the analysis results on a daily basis. For more information, see Collect the fingerprints of servers.

View asset exposure details

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Exposure Analysis.
  2. On the Exposure Analysis page, view asset exposure details.
    • View the overall data of asset exposures

      In the upper part of the Exposure Analysis page, view the overall data of asset exposures. The data includes Weak Passwords and Exploitable Vul. You can click the number in the lower part of each item to view the details.

    • View the data of specified asset exposures

      Specify search conditions on the Exposure Analysis page to search for asset exposures in different dimensions. For example, you can specify whether vulnerabilities exist, select an asset group, and enter a port.

    • View the exposure details of an asset
      Find the asset whose exposure details you want to view and click Exposure Details in the Operation column. In the panel that appears, view the communication link topology of the asset, the details of the links, and the information about the detected weak passwords and vulnerabilities.
      • Click the Weak Passwords tab to view the details of detected weak passwords. You can click the name of a weak password item to go to the details page of the asset. On the Baseline Risks tab, you can view all the baseline risks that are detected on the asset. Attackers may exploit the weak passwords of your ECS instances to log on to your ECS instances and steal data on your ECS instances or compromise your ECS instances. We recommend that you fix the weak password vulnerabilities at the earliest opportunity.
      • On the Exploitable Vul or All Vul tab, you can click the URL of a vulnerability to go to the details page of the vulnerability. On the details page, you can view the information about the vulnerability and manually fix the vulnerability based on the fixing suggestions that are provided. We recommend that you fix high-risk vulnerabilities at the earliest opportunity.
      • If your ECS instance accesses the Internet by using multiple methods, the communication link topology shows multiple paths to access the Internet. For example, if your ECS instance accesses the Internet by using a NAT gateway and an SLB instance, the communication link topology shows two paths to access the Internet. You can click the asset on each access path to switch to the path and view the details of the path.
        Note: Different colors in a communication link topology indicate different severities of the vulnerabilities that are detected on each asset.
        • Red: High-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.
        • Orange: Medium-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.
        • Gray: Low-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.
        • Green: No weak passwords or vulnerabilities that can be exploited over the Internet by attackers are detected on your asset.

        The mappings between the colors and severities of vulnerabilities apply only to your assets. The mappings do not apply to other components in the communication link topology, such as the Internet. By default, the icon that indicates the Internet is gray.

    • Export the data of asset exposures

      In the upper-right corner above the exposed asset list, click the Export icon to export and save the details of the asset exposures to your computer. The exported file is in the Excel format.
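The following added example (not Security Center code; the record layout and field names are assumptions made for this example) reproduces the summary statistics described above over a small constructed set of exported exposure records, assigns each asset the color the communication link topology would use, and orders the assets for remediation. It also handles the case the page leaves unspecified, an asset with weak passwords but no exploitable vulnerabilities, which is only stated to be "not green".

```python
"""Triage helper over exported asset exposure records (added example; the
records below are constructed, not real Security Center output)."""
from collections import Counter

# Constructed sample records, one per exposed ECS instance. The field names are
# an assumption for this example and not the product's export schema.
EXPOSURES = [
    {"instance": "i-web01", "public_ips": ["203.0.113.10"], "gateways": ["slb-a"],
     "ports": [80, 443], "components": ["OpenSSL", "nginx"],
     "exploitable_vul": {"high": 1, "medium": 2, "low": 0}, "weak_passwords": 0},
    {"instance": "i-bastion", "public_ips": ["203.0.113.11"], "gateways": ["nat-a", "slb-a"],
     "ports": [22], "components": ["OpenSSH"],
     "exploitable_vul": {"high": 0, "medium": 0, "low": 1}, "weak_passwords": 2},
    {"instance": "i-api02", "public_ips": ["203.0.113.12", "203.0.113.13"], "gateways": [],
     "ports": [8080], "components": ["OpenSSL"],
     "exploitable_vul": {"high": 0, "medium": 0, "low": 0}, "weak_passwords": 0},
]

SEVERITY_ORDER = ("high", "medium", "low")   # page's severity ranking, highest first

def exposure_stats(records):
    """Compute the summary items shown on the Exposure Analysis page."""
    vul = Counter()
    for r in records:
        vul.update(r["exploitable_vul"])   # adds per-severity counts across assets
    return {
        "exposed_assets": len(records),
        "public_ips": len({ip for r in records for ip in r["public_ips"]}),
        "gateways": len({g for r in records for g in r["gateways"]}),
        "exposed_ports": len({p for r in records for p in r["ports"]}),
        "exposed_components": len({c for r in records for c in r["components"]}),
        "exploitable_vul": dict(vul),
        "weak_passwords": sum(r["weak_passwords"] for r in records),
    }

def topology_color(record):
    """Color an asset as the communication link topology does: red/orange/gray by
    the highest severity of exploitable vulnerabilities; green only when neither
    exploitable vulnerabilities nor weak passwords are present."""
    for sev, color in zip(SEVERITY_ORDER, ("red", "orange", "gray")):
        if record["exploitable_vul"].get(sev, 0) > 0:
            return color
    # Weak passwords alone: the page says only that the asset is not green, so the
    # color is reported as unspecified (None) rather than guessed.
    return None if record["weak_passwords"] else "green"

def fix_order(records):
    """Order assets for remediation: highest exploitable severity first, then weak
    passwords, then number of exposed ports (tie-breakers assumed for this example)."""
    def rank(r):
        sev = next((i for i, s in enumerate(SEVERITY_ORDER)
                    if r["exploitable_vul"].get(s, 0)), len(SEVERITY_ORDER))
        return (sev, -r["weak_passwords"], -len(r["ports"]))
    return [r["instance"] for r in sorted(records, key=rank)]
```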