
Security Center:Asset exposure analysis

Last Updated:Nov 21, 2024

The asset exposure analysis feature allows you to scan and analyze Alibaba Cloud resources in a comprehensive manner and identify security risks and vulnerabilities that may be exposed on the Internet. The resources include Elastic Compute Service (ECS) instances, gateway assets, system components, and ports. This helps you identify and resolve issues at the earliest opportunity to improve the security of cloud resources. This topic describes how to use the asset exposure analysis feature of Security Center.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Supported asset types

The asset exposure analysis feature supports Alibaba Cloud ECS instances, Tair (Redis OSS-compatible), ApsaraDB RDS, and ApsaraDB for MongoDB. The feature does not support assets that are not deployed on Alibaba Cloud.

Statistics

The analysis results of asset exposures are automatically refreshed on a daily basis. The Asset Exposure Analysis page displays the statistics about assets that are exposed on the Internet and the details of the exposures. The following table describes the exposure statistics.

Item

Description

Exposed Assets/Public IP Addresses

The total numbers of ECS instances, Tair (Redis OSS-compatible) instances, ApsaraDB RDS instances, ApsaraDB for MongoDB instances, and public IP addresses that are exposed on the Internet.

Gateways

The total number of gateway assets that are exposed on the Internet. The gateway assets include NAT gateways and Server Load Balancer (SLB) instances. You can click the number below Gateways to go to the Gateways panel. In the panel, you can view the gateway assets that are exposed on the Internet. You can also click the name of an exposed gateway asset to go to the details page of the asset.

Exposed Port

The total number of ports that are exposed on the Internet. You can click the number below Exposed Port to go to the Exposed Port panel. In the panel, you can view the ports that are exposed on the Internet. You can also click the number of an exposed port to view the assets that use the port.

Exposed Component

The total number of system components that run on your ECS instances and are exposed on the Internet, such as OpenSSL and OpenSSH. You can click the number below Exposed Component to go to the Exposed Component panel. In the panel, you can view the components that are exposed on the Internet. You can also click the name of an exposed component to view the assets that use the component.

Exploitable Vulnerabilities

The total number of vulnerabilities that can be exploited by attackers and the numbers of high-risk, medium-risk, and low-risk vulnerabilities. You can click the total number to go to the Vulnerabilities page. Vulnerabilities of different severities are marked in different colors:

  • High-risk vulnerabilities: red. These vulnerabilities pose major threats to your assets. We recommend that you take note of these vulnerabilities and fix them at the earliest opportunity.

  • Medium-risk vulnerabilities: orange. These vulnerabilities cause damage to your assets. We recommend that you fix the vulnerabilities at the earliest opportunity.

  • Low-risk vulnerabilities: gray. These vulnerabilities are less harmful to your assets than high-risk and medium-risk vulnerabilities. You can fix low-risk vulnerabilities at your convenience.

Weak Password

The total number of detected weak passwords on your ECS instances and databases that are exposed on the Internet. You can click the number below Weak Password to view the list of the exposed assets on which weak passwords are detected.

Prerequisites

The Security Center agent that is installed on your ECS instance is online. The Agent column of the ECS instance on the Host page shows whether the agent is online.

Quick asset exposure scan

Security Center automatically performs a scanning task once a day.

Manually perform an asset exposure scan

On the Asset Exposure Analysis page, click Quick Scan on the Asset Exposure Scan tab.

Task management

Security Center provides the Task Management feature, which by default records both automatic and manual scan tasks from the past seven days.

  1. On the Asset Exposure Analysis page, click Task Management in the upper-right corner.

  2. On the Task Management page, click the Asset Exposure tab.

  3. View the ID, type, time, status, and progress of each task. You can filter the tasks by Task Type, Task Status (Not Started, In Progress, Waiting for Data Collection, Collecting Data, Complete, Time Out, Stop, or Failed), and Task Started At.

  4. Click Details for the task that you want to view. The details include the number of exposed instances, the numbers of instances that were scanned successfully and that failed to be scanned, and the list of asset instances.

    You can filter the scan results by status and instance ID.

View asset exposure details

  1. Log on to the Security Center console. In the top navigation bar, select China as the region of the asset that you want to protect.

  2. In the left-side navigation pane, choose Risk Governance > Asset Exposure Analysis.

  3. On the Asset Exposure Analysis page, view the asset exposure details.

    • View the overall data of asset exposures

      In the upper part of the Asset Exposure Analysis page, view the overall data of asset exposures. The data includes Weak Password and Exploitable Vulnerabilities. You can click the number in the lower part of each item to view the related details.

    • View the list of exposed assets

      Specify search conditions on the Asset Exposure Analysis page to search for asset exposures in different dimensions. For example, you can specify whether vulnerabilities exist, select an asset group, or enter a port.

    • View the exposure details of an asset

      Find the asset whose exposure details you want to view and click Exposure Details in the Actions column. In the panel that appears, view the communication link topology of the asset, the details of the links, and the information about the detected weak passwords and vulnerabilities.

      • Select an asset from the drop-down list at the top of the Exposure Details panel to view the exposure details of that asset.

      • View risk details:

        • Click the Weak Password tab to view the details of detected weak passwords. You can click the name of a weak password item to go to the details page of the asset. On the Baseline Risks tab, you can view all baseline risks that are detected on the asset. Attackers may exploit the weak passwords of your assets to log on to your assets and steal data or compromise your assets. We recommend that you change the weak passwords at the earliest opportunity.

        • On the Exploitable Vulnerabilities or All Vulnerabilities tab, you can click the URL of a vulnerability to go to the details page of the vulnerability. On the details page, you can view the information about the vulnerability and manually fix the vulnerability based on the fixing suggestions that are provided. We recommend that you fix high-risk vulnerabilities at the earliest opportunity.

        • On the Risk-related Configurations tab, click a risk item that was detected in the configuration assessment to go to the Cloud Service page, where you can view the details of the risk and fix it.

      • View exposure links:

        If your ECS instance or database accesses the Internet by using multiple methods, the communication link topology shows multiple paths to access the Internet. For example, if your ECS instance accesses the Internet by using a NAT gateway and an SLB instance, the communication link topology shows two paths to access the Internet. You can click the asset on each access path to switch to the path and view the details of the path.

        Note

        Different colors in a communication link topology indicate different severities of vulnerabilities that are detected on each asset.

        • Red: High-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.

        • Orange: Medium-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.

        • Gray: Low-risk vulnerabilities are detected on your asset. These vulnerabilities can be exploited over the Internet by attackers.

        • Green: No weak passwords or vulnerabilities that can be exploited over the Internet by attackers are detected on your asset.

        The mappings between the colors and the severities of vulnerabilities apply only to your assets. The mappings do not apply to other components in the communication link topology, such as the Internet. By default, the icon that indicates the Internet is gray.

    • Export the data of asset exposures

      In the upper-right corner above the exposed asset list, click the Export icon to export and save the details of the asset exposures to your computer. The exported file is in the Excel format.
