{"passed":{"encryption":[{"id":"ssl_enabled","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"SSL","value":"true"}],"actual":[{"property":"SSL","value":"true"}],"severity":5,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL available","description":"SSL is supported for this site.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","riskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","recommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. 
HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. Processes should be established to ensure certificates are renewed before they expire.","knownExploitedVulnCount":0,"checkID":"ssl_enabled","category":"ssl","controlCheckID":"IM.EN.DT.PA","passTitle":"SSL available","passDescription":"SSL is supported for this site.","passGroupDescription":"SSL is supported on all sites.","failTitle":"SSL not available","failDescription":"SSL is the standard encryption method for browsing websites. Enabling SSL requires installing an SSL certificate on the site.","remediation":"Install SSL certificates.","issue":"We've detected websites that lack a valid SSL certificate. Without SSL, website visitors and customers are at higher risk of having their data stolen through man-in-the-middle and other cyber attacks.","recommendation":"Install valid SSL certificates on affected domains. Websites without valid SSL certificates are shown as 'non-secure' in modern browsers and will rank worse in Google and other search engines.","defaultSeverity":5,"categoryTotalCost":29,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active. 
SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary.","RiskDetails":"Without SSL, all communications between systems are sent in plain text. This plain text can then be intercepted by a third party in what is called a man-in-the-middle (MITM) attack. These attacks target and harvest credentials and other sensitive information, which can in turn be used for further malicious activity. Improperly configured SSL/TLS and certificates that are out of date or encrypted with weak algorithms do not provide the necessary protection to prevent MITM attacks, and will make the site unreachable in most browsers.","RecommendedRemediation":"Valid SSL/TLS certificates with strong encryption algorithms should be obtained from a trusted authority and properly installed and configured on all internet facing systems. Every system must have its name on the certificate to prevent mismatch errors in the browser. HTTPS should be made mandatory, with the necessary redirects and enforcement in place to ensure no plain text connections are possible. Processes should be established to ensure certificates are renewed before they expire."},{"id":"ssl_strength","pass":true,"meta":"SHA256-RSA","vendorOnly":false,"expected":[{"property":"SSL > Algorithm","value":"[at least 'sha256']"}],"actual":[{"property":"SSL > Algorithm","value":"SHA256-RSA"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Strong SSL algorithm","description":"Industry standard SHA-256 encryption in use.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. 
They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate utilizes an encryption algorithm to scramble the encrypted data and make it unreadable. These algorithms are designed to be extremely difficult to reverse engineer, giving the best protection. Better algorithms are incorporated as they come about and certificates are constantly adapting to more secure standards.","riskDetails":"Although encryption algorithms are designed to be difficult to break, they are occasionally broken. When an algorithm has been successfully reverse engineered, it is no longer considered secure, as third parties may be able to access the encrypted data with an imposter key. Even when an algorithm hasn’t been breached, new algorithms may provide increased protection and are thus preferable over maintaining older algorithms. Most browsers have a changing list of approved encryption algorithms. If an algorithm is not approved, the browser will not be able to access that site.","recommendedRemediation":"Certificates with weak SSL algorithms should be replaced with new valid certificates from a trusted authority. When requesting the certificate, you will be able to specify stronger encryption algorithms from the issuer. Because algorithms are always changing, it is important to consistently renew certificates about every year and always use the most secure algorithm available at the time of renewal.","knownExploitedVulnCount":0,"checkID":"ssl_strength","category":"ssl","controlCheckID":"IM.EN.SE.PA","passTitle":"Strong SSL algorithm","passDescription":"Industry standard SHA-256 encryption in use.","passGroupDescription":"Industry standard encryption in use.","failTitle":"Weak SSL algorithm","failDescription":"Industry standard SHA-256 encryption is not in use. 
The SSL certificate should be migrated to a SHA-256 certificate.","remediation":"Upgrade to at least SHA-256 encryption for SSL certificates.","issue":"The impacted domains are using a weak SSL cipher. It’s important to only use strong ciphers on websites to ensure secure communications with visitors. Otherwise, attackers may be able to decrypt SSL traffic between the server and visitors.","recommendation":"Migrate to an SSL certificate that uses the industry standard, SHA-256 encryption. SHA-256 provides stronger encryption and has replaced SHA-1 as the de facto standard for encryption on the web.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate utilizes an encryption algorithm to scramble the encrypted data and make it unreadable. These algorithms are designed to be extremely difficult to reverse engineer, giving the best protection. Better algorithms are incorporated as they come about and certificates are constantly adapting to more secure standards.","RiskDetails":"Although encryption algorithms are designed to be difficult to break, they are occasionally broken. When an algorithm has been successfully reverse engineered, it is no longer considered secure, as third parties may be able to access the encrypted data with an imposter key. 
Even when an algorithm hasn’t been breached, new algorithms may provide increased protection and are thus preferable over maintaining older algorithms. Most browsers have a changing list of approved encryption algorithms. If an algorithm is not approved, the browser will not be able to access that site.","RecommendedRemediation":"Certificates with weak SSL algorithms should be replaced with new valid certificates from a trusted authority. When requesting the certificate, you will be able to specify stronger encryption algorithms from the issuer. Because algorithms are always changing, it is important to consistently renew certificates about every year and always use the most secure algorithm available at the time of renewal."}],"email_sec_v2":[{"id":"spf_enabled","pass":true,"meta":"v=spf1 a mx a:smtp.datadog.co.nz include:email-od.com include:spf.protection.outlook.com -all","vendorOnly":false,"expected":[{"property":"DNS > SPF","value":"v=spf1..."}],"actual":[{"property":"DNS > SPF","value":"v=spf1 a mx a:smtp.datadog.co.nz include:email-od.com include:spf.protection.outlook.com -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF enabled","description":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","riskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. 
These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","recommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain.","knownExploitedVulnCount":0,"checkID":"spf_enabled","category":"email","controlCheckID":"IM.ES.EA.PA","passTitle":"SPF enabled","passDescription":"Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) enabled. This prevents spammers from sending messages with forged addresses.","failTitle":"SPF not enabled","failDescription":"Sender Policy Framework (SPF) record is not present. This may allow spammers to send messages with forged addresses using this domain. The DNS record for the domain should be modified to include an SPF record.","remediation":"Add SPF record.","issue":"Impacted domains do not have a Sender Policy Framework (SPF) record. This allows spammers to send messages with forged addresses using the domain, which greatly improves phishing and other social engineering-based attacks.","recommendation":"To implement SPF, the domain owner will need to add a DNS TXT record that lists the IP addresses authorized to send emails on behalf of their domain. 
Each domain can have a maximum of one SPF record, defined as a TXT or SPF record type.","defaultSeverity":4,"categoryTotalCost":9,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"When enabled, SPF (Sender Policy Framework) prevents fraudulent emails from being sent by unauthorized domains or IP addresses, which helps to stop spoofing and phishing attacks.","RiskDetails":"Emails from unauthorized domains or IP addresses can be sent to employees or customers. These emails could contain malicious links, attachments, or fake domains that can trick employees into providing sensitive information or downloading malware.","RecommendedRemediation":"To remediate this risk, add SPF authentication on all email-enabled domains. This can be done by creating a DNS TXT record that specifies which IP addresses are authorized to send emails from that domain."},{"id":"spf_filter_check","pass":true,"meta":"contains -all","vendorOnly":false,"expected":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"actual":[{"property":"DNS > SPF > Filter","value":"contains -all"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"Strict SPF filtering - not using +all","description":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. 
The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","riskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","recommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. 
If the domain is used to send mail and no IP addresses or domains are specified yet, those should be added before the \"-all\" mechanism.","knownExploitedVulnCount":0,"checkID":"spf_filter_check","category":"email","controlCheckID":"IM.ES.EA.ZW","passTitle":"Strict SPF filtering - not using +all","passDescription":"Sender Policy Framework (SPF) record strictly enforces specific domains allowed to send email on its behalf.","passGroupDescription":"All applicable sites have a strict Sender Policy Framework (SPF) record.","failTitle":"SPF policy uses +all","failDescription":"Sender Policy Framework (SPF) record is too permissive as to which domains are allowed to send email on the domain's behalf. This record should not contain a +all mechanism, as this allows all hosts to send email posing as this domain.","remediation":"Use '-all' in SPF record.","issue":"We've identified domains with Sender Policy Framework (SPF) records that are too permissive (+all). This could result in fraudulent email being sent on the domain's behalf.","recommendation":"Change the SPF records associated with these domains and remove the +all mechanism. We recommend using '-all' in your SPF records.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Sender Policy Framework, or SPF, is a standard for specifying which domains and IP addresses can send email from a given domain. When SPF records are securely configured, email clients can validate that the sender is authorized to send mail from that domain and can filter out unwanted or malicious mail impersonating an organization. 
The +all mechanism is an instruction in an SPF record that tells mail recipients that any server can send mail on behalf of the sending domain, which opens this domain up to impersonation via email.","RiskDetails":"Email security is vital to preventing phishing attacks, malware delivery, and protecting against brand abuse. SPF records are one of the foundational tools for preventing those attacks. While the +all mechanism is a valid directive, it is overly permissive and does not prevent attackers from impersonating a domain. The + mechanism indicates that mail sent from this source should \"pass\" the SPF check done by the recipient. The \"all\" mechanism applies the \"pass\" rule to all domains and IPs, meaning that anyone, including attackers, can send email on behalf of this domain.","RecommendedRemediation":"The SPF record for the domain should be configured to only allow specified systems under your organization's control to send mail on behalf of the domain. Any other sender should receive a \"fail\" response from the SPF check and thus block content from unauthorized domains. Through your DNS provider you should be able to find and update the SPF record for the domain. The \"+all\" mechanism should be changed to \"-all\" to hard fail all mail sent from unauthorized systems. 
If the domain is used to send mail and no IP addresses or domains are specified yet, those should be added before the \"-all\" mechanism."},{"id":"spf_syntax_check","pass":true,"meta":"passes simple syntax check","vendorOnly":false,"expected":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"actual":[{"property":"DNS > SPF > Syntax","value":"passes simple syntax check"}],"severity":3,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF syntax correct","description":"Sender Policy Framework (SPF) record passes basic syntax checks.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","riskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","recommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. 
Update the record if changes are made to your email infrastructure.","knownExploitedVulnCount":0,"checkID":"spf_syntax_check","category":"email","controlCheckID":"IM.ES.EA.UQ","passTitle":"SPF syntax correct","passDescription":"Sender Policy Framework (SPF) record passes basic syntax checks.","passGroupDescription":"All applicable sites have Sender Policy Framework (SPF) records that pass a basic syntax check.","failTitle":"SPF syntax error","failDescription":"Sender Policy Framework (SPF) record fails a basic syntax check. Records with syntax errors result in the protection mechanisms associated with SPF not being enforced. To be properly protected the SPF record syntax errors should be corrected.","remediation":"Fix SPF record syntax.","issue":"Impacted domains have a Sender Policy Framework (SPF) record that has failed a basic syntax check. Records with syntax errors result in the protection mechanisms associated with SPF not being enforced.","recommendation":"To be properly protected the SPF record syntax errors should be corrected. SPF records always start with the v= element. This indicates the SPF version that is used. One or more terms will follow the version indicator. These define the rules for which hosts are allowed to send mail from the domain, or provide additional information for processing the SPF record.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"SPF (Sender Policy Framework) is a protocol used to protect against email spoofing, spam and phishing. 
An SPF syntax error occurs when the SPF record in a domain's DNS configuration is malformed, preventing the SPF mechanism from functioning properly.","RiskDetails":"This type of error can cause email delivery failures, since email receivers may reject emails that appear to be from an unauthorized source due to incorrect SPF information. Additionally, an SPF syntax error can also make an email system more vulnerable to phishing and spam, since spammers can potentially send messages that appear to be from the affected domain.","RecommendedRemediation":"To remediate an SPF syntax error, review the SPF record for your domain and correct any issues. The record can be validated using online tools or test emails. Finally, update the domain's DNS with the corrected SPF record. DNS propagation may take some time. Regular review of the SPF record is important to ensure that it remains effective in preventing email spoofing and protecting against phishing and spam. Update the record if changes are made to your email infrastructure."},{"id":"spf_ptr_mechanism","pass":true,"meta":"SPF record does not contain a ptr mechanism","vendorOnly":false,"expected":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"actual":[{"property":"DNS > SPF > ptr","value":"SPF record does not contain a ptr mechanism"}],"severity":2,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"SPF ptr mechanism not used","description":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. 
The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","riskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","recommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain.","knownExploitedVulnCount":0,"checkID":"spf_ptr_mechanism","category":"email","controlCheckID":"IM.ES.EA.VG","passTitle":"SPF ptr mechanism not used","passDescription":"Sender Policy Framework (SPF) record does not include the ptr mechanism.","passGroupDescription":"All applicable sites that have an SPF record do not include the ptr mechanism.","failTitle":"SPF ptr mechanism used","failDescription":"Sender Policy Framework (SPF) record contains the ptr mechanism. This mechanism is intended to be used temporarily to check that a domain resolves to itself via a known IP address. 
This should not be used permanently as it puts unnecessary burden on DNS servers and some mail checkers may drop the SPF record if this mechanism is found.","remediation":"Remove ptr mechanism from SPF record.","issue":"The impacted domains have Sender Policy Framework (SPF) records that contain the 'ptr' mechanism. This mechanism is intended to be used temporarily to check that a domain resolves to itself via a known IP address. This should not be used permanently as it puts unnecessary burden on DNS servers and some mail servers may drop the SPF record.","recommendation":"The domain owner should remove the ‘ptr’ from all SPF records to ensure that mail servers do not drop the SPF records associated with the domain.","defaultSeverity":2,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"An SPF (Sender Policy Framework) PTR (Pointer) mechanism is used in email authentication to detect and prevent email spoofing. The SPF PTR mechanism compares the domain name of the sending email address to the IP address of the server that sent the email, to ensure that the email was indeed sent from the domain it claims to be sent from.","RiskDetails":"The SPF PTR mechanism relies on looking up a domain to check if it resolves to an SPF allowed IP address. This can be easily faked by someone who creates a fraudulent DNS record in their domain. This can allow unauthorized individuals to send emails that appear to come from a trusted domain, leading to the recipient being misled or giving sensitive information to an unauthorized source.","RecommendedRemediation":"SPF should only rely on authorized IP addresses and domains. The PTR mechanism should be disabled. It is also recommended to implement a DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy in conjunction with SPF. 
This allows domain owners to monitor the authentication of emails sent from their domain and to take action against any unauthorized activity. In addition, it is important to regularly review and update the SPF record to ensure that it accurately reflects the authorized mail servers for the domain."}],"ip_domain_reputation":[{"id":"suspected_malware_provider","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Malware","value":"false"}],"actual":[{"property":"Google Safe Browsing > Malware","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected malware provider","description":"This website does not appear to contain malicious code.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or an insider is making use of the domain to distribute malware to other users. ","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_malware_provider","category":"malware","controlCheckID":"IM.IP.MA.UQ","passTitle":"Not a suspected malware provider","passDescription":"This website does not appear to contain malicious code.","passGroupDescription":"No websites appear to contain malicious code.","failTitle":"Suspected malware provider","failDescription":"This website may contain malicious code. 
The website should be checked and any malicious code removed.","remediation":"Check sites and remove malicious code.","issue":"Websites may contain malicious code (malware). Malware is any program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses, spyware, adware and ransomware.","recommendation":"The owner of the identified domains needs to check the website for malicious code. If any malicious code is found, it needs to be removed as soon as possible.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing malware. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected malware distribution when other users report suspicious activity making use of the domain. In the case of malware pages, this indicates that either an attacker or an insider is making use of the domain to distribute malware to other users. 
","RecommendedRemediation":""},{"id":"suspected_unwanted_software","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"actual":[{"property":"Google Safe Browsing > Unwanted Software","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not suspected of unwanted software","description":"This website does not appear to be attempting to install unwanted software.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or an insider is making use of the domain to distribute such software to other users. ","recommendedRemediation":"","knownExploitedVulnCount":0,"checkID":"suspected_unwanted_software","category":"malware","controlCheckID":"IM.IP.MA.ZW","passTitle":"Not suspected of unwanted software","passDescription":"This website does not appear to be attempting to install unwanted software.","passGroupDescription":"No websites appear to attempt to install unwanted software.","failTitle":"Suspected of unwanted software","failDescription":"This website may be attempting to install unwanted software. 
The website should be checked and any offending code removed.","remediation":"Check sites and remove unwanted software.","issue":"Websites may be attempting to install unwanted software on the end-users computer. This is often referred to as grayware, unwanted applications or files that are not classified as malware.","recommendation":"The owner of the identified domains needs to check for any unwanted software and remove any offending code as required.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.12.2.1"],"ISO2022Controls":["8.7"],"NISTControls":["PR.DS-6","DE.CM-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of distributing unwanted software. Unwanted software is less malicious than malware but takes advantage of the end user's compute resources to launch unwanted advertisements and other nuisances. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for being suspected of unwanted software when other users report suspicious activity making use of the domain. In the case of unwanted software pages, this indicates that either an attacker or insider are making use of the domain to distribute such software to other users. 
","RecommendedRemediation":""},{"id":"suspected_phishing_page","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"actual":[{"property":"Google Safe Browsing > Phishing","value":"false"}],"severity":4,"cloudscanCategory":"ip_domain_reputation","prevCloudscanCategory":"phishing","title":"Not a suspected phishing page","description":"This site does not appear to be a forgery or imitation of another website.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","riskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","recommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. 
If the site has been identified for phishing in error, the classification should be appealed with Google.","knownExploitedVulnCount":0,"checkID":"suspected_phishing_page","category":"malware","controlCheckID":"IM.IP.MA.PA","passTitle":"Not a suspected phishing page","passDescription":"This site does not appear to be a forgery or imitation of another website.","passGroupDescription":"No sites are suspected of forgery or imitating other websites.","failTitle":"Suspected phishing page","failDescription":"This site may be a forgery or imitation of another website. The site should be checked, and remediated if it is a phishing site.","remediation":"Check sites and remove phishing code.","issue":"Websites have been identified as potential phishing pages, which may be attempting to steal users' personal information or credit card details.","recommendation":"The owner of the identified domains needs to check the website for forgery or signs of imitation. If any issues are found, they will need to be remediated as soon as possible to mitigate this risk.","defaultSeverity":4,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"This page has appeared in Google Safe Browsing's list of sites suspected of being used for phishing. Safe Browsing is a service that Google's security team built to identify unsafe websites and notify users and website owners of potential harm.","RiskDetails":"Domains are flagged for suspected phishing when other users report suspicious activity making use of the domain. In the case of phishing pages, this indicates that either an attacker or insider are making use of the domain to send emails that other users have marked as phishing attempts.","RecommendedRemediation":"Access to the domain and its mail records should be reviewed to understand whether it has been compromised and used in phishing campaigns. 
If the site is not maintained, decommissioning it or its mail records may be the easiest way to prevent future abuse. If the site has been identified for phishing in error, the classification should be appealed with Google."}],"network_sec_v2":[{"id":"open_port","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"actual":[{"property":"Ports > Ports Open","value":"[all ports closed]"}],"severity":3,"cloudscanCategory":"network_sec_v2","prevCloudscanCategory":"network_sec","title":"No ports are open","description":"No open ports were detected.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0}],"patch_management":[{"id":"verified_vuln:CVE-2014-0160","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2014-0160","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2014-0160","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2014-0160 (Heartbleed)","description":"A bug in OpenSSL's implementation of the TLS heartbeat extension allows access to portions of memory on the targeted host e.g. 
cryptographic keys and passwords.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":1,"isVerifiedVuln":true},{"id":"verified_vuln:CVE-2015-0204","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2015-0204","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2015-0204","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2015-0204 (FREAK)","description":"The server does not offer RSA_EXPORT cipher suites, so clients are not vulnerable to the FREAK attack.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true},{"id":"verified_vuln:CVE-2015-4000","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2015-4000","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2015-4000","value":"[not vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Not vulnerable to CVE-2015-4000 (Logjam)","description":"The server is using strong Diffie-Hellman parameters and is not vulnerable to the Logjam attack.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":null,"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true}],"website_sec_v2":[{"id":"x_powered_by_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-powered-by","value":"[not set]"}],"actual":[{"property":"Headers > x-powered-by","value":"[not 
set]"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"X-Powered-By header not exposed","description":"Information about specific technology used on the server is obscured.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","riskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"x_powered_by_header","category":"discovery","controlCheckID":"IM.WS.MI.PA","passTitle":"X-Powered-By header not exposed","passDescription":"Information about specific technology used on the server is obscured.","passGroupDescription":"No sites are exposing the X-Powered-By header.","failTitle":"X-Powered-By header exposed","failDescription":"The X-Powered-By header reveals information about specific technology used on the server. This information can be used to exploit vulnerabilities. The server configuration should be changed to remove this header.","remediation":"Remove X-Powered-By header.","issue":"We've found websites that have their X-Powered-By header exposed. This header reveals information about the specific technology used to run the website which could be used to find known vulnerabilities that can be exploited.","recommendation":"The website needs to stop exposing the X-Powered-By header. This reduces the risk that an attacker will be able to find an exploitable vulnerability in the software running the website.","defaultSeverity":3,"categoryTotalCost":4,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. 
The X-Powered-By header is specifically used to describe technologies in use on the server, such as the type and version of web server software or PHP.","RiskDetails":"Some technologies populate the X-Powered-By header by default. If the X-Powered-By header is exposed, the risk of an attack on the server is increased. The exposed information often specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The X-Powered-By header should be removed. The specific process for this varies by technology. PHP versions can often be found in the X-Powered-By field. This can be disabled by switching “expose_php” to OFF in php.ini. In Microsoft IIS, the header can be removed under HTTP Response Headers in the GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"asp_net_version_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"actual":[{"property":"Headers > x-aspnet-version","value":"[not set]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposing specific ASP.net version","description":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. 
Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_version_header","category":"discovery","controlCheckID":"IM.WS.MI.AA","passTitle":"ASP.NET version header not exposing specific ASP.net version","passDescription":"Ensuring the ASP.NET version header is not exposing a specific version makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose specific ASP.NET versions in headers.","failTitle":"Specific ASP.NET version exposed via header","failDescription":"Exposing a specific ASP.NET version in the ASP.NET version header makes it easier for attackers to exploit certain vulnerabilities. 
The website configuration should be changed to remove this header completely.","remediation":"Remove x-aspnet-version header.","issue":"The impacted websites are exposing the specific ASP.NET version they use in the ASP.NET version header. This makes it far easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":3,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"An exposed ASP.NET version drastically narrows the attack vector for the server and allows malicious actors to immediately begin probing specific ASP.NET and IIS vulnerabilities for that version. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The entire X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Just clearing the value of the header is not enough. Even the presence of the X-AspNet-Version header reveals that some version of ASP.NET and likely IIS is running on the server. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."},{"id":"asp_net_header","pass":true,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"actual":[{"property":"Headers > x-aspnet-version present","value":"[not present]"}],"severity":2,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"ASP.NET version header not exposed","description":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","riskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","recommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"asp_net_header","category":"discovery","controlCheckID":"IM.WS.MI.XG","passTitle":"ASP.NET version header not exposed","passDescription":"Ensuring the ASP.NET version header is not exposed makes it harder for attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites detected to expose ASP.NET headers.","failTitle":"Use of ASP.NET exposed via header","failDescription":"Exposing the ASP.NET version header indicates that the site is built with ASP.NET, which makes it easier for attackers to exploit certain vulnerabilities. The website configuration should be changed to remove this header.","remediation":"Remove x-aspnet-version header.","issue":"We've found websites that expose the ASP.NET version header which indicates that the site is built with ASP.NET. This makes it easier for attackers to exploit certain vulnerabilities.","recommendation":"Configure the identified websites so they don’t expose the X-AspNet-Version header. This minimizes the risk of an attacker finding an exploit in the website.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. Default installations of Microsoft IIS web servers often include an HTTP response header called X-AspNet-Version. This can contain the version of ASP.NET that is currently running.","RiskDetails":"Even if it is not populated, the presence of the X-AspNet-Version header reveals that IIS is running on the system. 
This drastically narrows the attack vector for the server and allows malicious actors to begin probing known IIS vulnerabilities immediately. Because this header is created by default on most IIS installations, the information is often exposed unbeknownst to the system’s administrators.","RecommendedRemediation":"The X-AspNet-Version header should be removed. It can be found and removed under HTTP Response Headers in the IIS GUI. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."}]},"failed":{"email_sec_v2":[{"id":"dmarc_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNS > DMARC","value":"v=DMARC1; p=reject; ..."}],"actual":[{"property":"DNS > DMARC","value":"[not set]"}],"severity":4,"cloudscanCategory":"email_sec_v2","prevCloudscanCategory":"email_sec","title":"DMARC policy not found","description":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","riskDetails":"One of the most common phishing techniques is called email spoofing. 
Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","recommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy.","knownExploitedVulnCount":0,"checkID":"dmarc_enabled","category":"email","controlCheckID":"IM.ES.EA.DQ","passTitle":"DMARC policy exists","passDescription":"DMARC protects against fraudulent emails being sent from a domain.","passGroupDescription":"All applicable sites have a DMARC policy deployed.","failTitle":"DMARC policy not found","failDescription":"DMARC policy was not found. This makes it easier for attackers to send email from this domain. A DMARC policy should be deployed for this domain.","remediation":"Add DMARC record.","issue":"We didn't find a DMARC policy associated with some domains. 
The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise (BEC) attacks, phishing emails, email scams and other email threats.","recommendation":"The domain owner needs to add a DMARC policy to these domains. This will provide a mechanism to authenticate the domain in the From header based on their SPF and DKIM records.","defaultSeverity":4,"categoryTotalCost":7,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.2.3"],"ISO2022Controls":["5.14"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security feature that works in conjunction with Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM) to ensure that messages actually originate from the organizations claimed in the From: address. It does this by “aligning” the From: address with either the SPF or DKIM policy in the sender domain. If a message’s From: address does not align with either of these policies, DMARC offers options on how to handle the message, including delivering it, quarantining it and blocking it altogether.","RiskDetails":"One of the most common phishing techniques is called email spoofing. Spoofing is when a malicious actor rewrites their email headers to make it seem as if the message is coming from a different, legitimate email domain. Users are much more likely to fall for phishing scams when the From: address appears legitimate. Phishing scams usually involve the harvesting of credentials and other information from victims who are directed to malicious websites. DMARC helps prevent spoofing by authenticating the From: address to the sender’s domain.","RecommendedRemediation":"DMARC should be established on the email domain. To establish DMARC, you must already have SPF and/or DKIM in place on the email domain. 
Once one or both of those are ready, a TXT record named _DMARC should be created in DNS. There are several parameters for the _DMARC record, but the most important are to specify v=DMARC1; rua=yourpreferredaddress@yourdomain.com; and p= none, quarantine or reject. The v= value is constant. The rua= value allows you to specify the address to receive reports from DMARC. The p= value provides instructions on what to do with an email that fails DMARC alignment. The p= value should ultimately be set to reject for best security; however, the other options may be introduced first to ensure no false positives are being picked up by the DMARC policy."}],"encryption":[{"id":"http_available","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"HTTP Accessible","value":"false"}],"actual":[{"property":"HTTP Accessible","value":"true"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HTTP does not redirect to HTTPS","description":"The domain is still accessible over HTTP. All HTTP requests should be redirected to HTTPS.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","riskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. 
If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","recommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). HSTS will ensure no HTTP connections are allowed.","knownExploitedVulnCount":0,"checkID":"http_available","category":"ssl","controlCheckID":"IM.EN.DT.ZW","passTitle":"HTTP requests are redirected to HTTPS","passDescription":"All HTTP requests are redirected to HTTPS.","passGroupDescription":"All HTTP requests are redirected to HTTPS.","failTitle":"HTTP does not redirect to HTTPS","failDescription":"The domain is still accessible over HTTP. All HTTP requests should be redirected to HTTPS.","remediation":"Redirect HTTP requests to HTTPS.","issue":"Websites are still accessible over HTTP. All HTTP requests should be redirected to HTTPS to ensure encrypted communications between the website and its visitors.","recommendation":"Redirect users and search engines to the HTTPS page or resource with server-side 301 HTTP redirects. 
This ensures all communications are encrypted, preventing certain man-in-the-middle attacks.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.2"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"The HTTP Still Available check is used to measure whether a server is allowing users to connect to it via HTTP rather than HTTPS. Connecting to a website via HTTPS is more secure as it involves a SSL/TLS-based connection, which encrypts data in transit. Many web browsers will try the HTTP version of a website first before trying the HTTPS version. If you have a proper redirect response on your HTTP port then you will pass this check. You should combine this with proper HSTS settings to ensure browsers always attempt a HTTPS-based connection from the beginning.","RiskDetails":"Encrypting data using SSL/TLS prevents any attackers who intercept the data from reading it. If any part of the connection transmits data using HTTP, even if it later uses HTTPS, the data transmitted over HTTP is susceptible to man-in-the-middle attacks. For example, a user might attempt to visit your website and embed their username and password in the URL parameters or the request headers as part of the request. Even if that data is then redirected to an HTTPS connection, it was still transmitted via HTTP.","RecommendedRemediation":"All HTTP connections should be redirected to HTTPS connections instead. The method for doing this differs by technology. For some websites, the .htaccess file can be modified to reroute requests to HTTPS. For Microsoft IIS, the URL Rewrite module for IIS will allow you to redirect HTTP requests to HTTPS. HTTPS redirects should always be paired with HTTP Strict Transport Security (HSTS). 
HSTS will ensure no HTTP connections are allowed."},{"id":"ssl_host_match","pass":false,"meta":"www.datadog.co.nz does not match any of these Subject Alternative Names in the SSL certificate: www.astro.net.nz, astro.net.nz","vendorOnly":false,"expected":[{"property":"SSL > Host Match","value":"[hostname matches SSL certificate]"}],"actual":[{"property":"SSL > Host Match","value":"www.datadog.co.nz does not match any of these Subject Alternative Names in the SSL certificate: www.astro.net.nz, astro.net.nz"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Hostname does not match SSL certificate","description":"The site's hostname does not match the SSL certificate. The domain name should be added to the certificate, either as a Subject Alternative Name or as the Common Name.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate should include the preferred hostname(s) for the system that is being protected, so that the certificate can be verified to the address being accessed by the client.","riskDetails":"When a certificate does not match the hostname the client is trying to access, it produces an error in the browser. This is because each certificate must specify the addresses for which it is valid. 
In addition to sites being rendered inaccessible to most browsers, mismatched certificates open the door for man-in-the-middle (MITM) attacks, as name confusion reduces the trustworthiness of all systems involved.","recommendedRemediation":"A new certificate should be requested from a trusted authority with the correct hostname(s) listed on it. This will prevent browser errors and reduce certificate complexity across the organization. All existing certificates should be audited to ensure that each one has the proper hostnames. Changes to hostnames or aliases should include steps to update certificates with the new names.","knownExploitedVulnCount":0,"checkID":"ssl_host_match","category":"ssl","controlCheckID":"IM.EN.TC.PA","passTitle":"Hostname matches SSL certificate","passDescription":"The site's hostname matches the SSL certificate.","passGroupDescription":"All hostnames match their corresponding SSL certificates.","failTitle":"Hostname does not match SSL certificate","failDescription":"The site's hostname does not match the SSL certificate. The domain name should be added to the certificate, either as a Subject Alternative Name or as the Common Name.","remediation":"Set certificate Subject Alternative Name or Common Name correctly.","issue":"The hostname does not match the SSL certificate on the identified websites. This will result in modern browsers throwing an error and in some cases, refusing to connect to the website. 
This can also be a signal of an in-progress cyber attack.","recommendation":"Add the hostname to the SSL certificate, as a Subject Alternative Name or as Common Name, to ensure the website remains secure and does not expose errors to visitors through their browser.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. Every certificate should include the preferred hostname(s) for the system that is being protected, so that the certificate can be verified to the address being accessed by the client.","RiskDetails":"When a certificate does not match the hostname the client is trying to access, it produces an error in the browser. This is because each certificate must specify the addresses for which it is valid. In addition to sites being rendered inaccessible to most browsers, mismatched certificates open the door for man-in-the-middle (MITM) attacks, as name confusion reduces the trustworthiness of all systems involved.","RecommendedRemediation":"A new certificate should be requested from a trusted authority with the correct hostname(s) listed on it. This will prevent browser errors and reduce certificate complexity across the organization. All existing certificates should be audited to ensure that each one has the proper hostnames. 
Changes to hostnames or aliases should include steps to update certificates with the new names."},{"id":"ssl_expired","pass":false,"meta":"2020-04-15 23:59:59 UTC","vendorOnly":false,"expected":[{"property":"SSL > Expired","value":"[has not expired]"}],"actual":[{"property":"SSL > Expired","value":"2020-04-15 23:59:59 UTC"}],"severity":4,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"SSL expired","description":"SSL certificate has expired. The certificate will need to be renewed for connections to your domain to be trusted.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","riskDetails":"Expired SSL/TLS certificates can no longer provide encrypted channels for data, increasing the risk of a man-in-the-middle attack. Furthermore, most browsers will not allow access to sites with expired certificates, rendering them unavailable to most users.","recommendedRemediation":"Expired certificates must be replaced with valid certificates from a trusted authority. Once a valid certificate has been installed on the system, SSL/TLS functionality will be restored. Validity periods are limited to 398 days. 
In order to maintain continuity, processes should be established to renew certificates within that time frame before they expire.","knownExploitedVulnCount":0,"checkID":"ssl_expired","category":"ssl","controlCheckID":"IM.EN.DT.DQ","passTitle":"SSL has not expired","passDescription":"SSL certificate has not expired.","passGroupDescription":"No SSL certificates have expired.","failTitle":"SSL expired","failDescription":"SSL certificate has expired. The certificate will need to be renewed for connections to your domain to be trusted.","remediation":"Renew expired SSL certificates.","issue":"Websites have expired SSL certificates. SSL certificates facilitate the encryption of data in transit. When an SSL certificate expires, modern web browsers will issue a security warning that often results in visitors leaving the website.","recommendation":"Renew expired SSL certificates to ensure that the connections to the domain are secure and trusted by modern browsers. This keeps your customers secure and ensures visitors don't bounce from your site.","defaultSeverity":4,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. 
Certificates expire after a set period of time and must be renewed to keep SSL/TLS active.","RiskDetails":"Expired SSL/TLS certificates can no longer provide encrypted channels for data, increasing the risk of a man-in-the-middle attack. Furthermore, most browsers will not allow access to sites with expired certificates, rendering them unavailable to most users.","RecommendedRemediation":"Expired certificates must be replaced with valid certificates from a trusted authority. Once a valid certificate has been installed on the system, SSL/TLS functionality will be restored. Validity periods are limited to 398 days. In order to maintain continuity, processes should be established to renew certificates within that time frame before they expire."},{"id":"http_strict_transport_security","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Headers > strict-transport-security","value":"[header set]"}],"actual":[{"property":"Headers > strict-transport-security","value":"[not set]"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"HTTP Strict Transport Security (HSTS) not enforced","description":"Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. 
HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times.","riskDetails":"Without HSTS, servers are still allowed to establish unencrypted connections on the HTTP protocol. This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text. HTTP to HTTPS redirects can still pass sensitive information, such as credentials in the URL, in plain text. This opens a window for a man-in-the-middle (MITM) attack. Old links that were overlooked might still specify HTTP. Users might create their own browser bookmarks using HTTP. As long as HTTP connections are possible, the risk of data interception is present.","recommendedRemediation":"Enable HSTS on the server. This is done by including the Strict-Transport-Security header on the system. The “includeSubDomains” directive should be specified to ensure all subdomains on the system use HTTPS. Submit your domain to Google’s HSTS preload service. This preload list is included in most browsers and will automatically make all connections to the domain use an encrypted channel.","knownExploitedVulnCount":0,"checkID":"http_strict_transport_security","category":"ssl","controlCheckID":"IM.EN.ET.PA","passTitle":"HTTP Strict Transport Security (HSTS) enforced","passDescription":"With HSTS enforced, people browsing this site are less susceptible to man-in-the-middle attacks.","passGroupDescription":"No sites detected as having missing HSTS settings.","failTitle":"HTTP Strict Transport Security (HSTS) not enforced","failDescription":"Without HSTS enforced, people browsing this site are more susceptible to man-in-the-middle attacks. The server should be configured to support HSTS.","remediation":"Set the Strict-Transport-Security header.","issue":"Websites are not enforcing HTTP Strict Transport Security (HSTS). 
Without enforcing HSTS, visitors are susceptible to certain man-in-the-middle attacks.","recommendation":"Configure the website to enforce HSTS by setting up the Strict-Transport-Security header, which ensures browsers will only communicate over HTTPS.","defaultSeverity":3,"categoryTotalCost":8,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. These certificates provide a keypair, private and public, that is used to guarantee the encryption. SSL/TLS uses the HTTPS protocol, so all client connections must be rerouted from HTTP to HTTPS when necessary. HTTP Strict Transport Security (HSTS) ensures that no HTTP connections will be allowed from the server. This forces the use of HTTPS, which maintains encryption at all times.","RiskDetails":"Without HSTS, servers are still allowed to establish unencrypted connections on the HTTP protocol. This can open the door for unexpected and unseen circumstances where a client passes sensitive information in plain text. HTTP to HTTPS redirects can still pass sensitive information, such as credentials in the URL, in plain text. This opens a window for a man-in-the-middle (MITM) attack. Old links that were overlooked might still specify HTTP. Users might create their own browser bookmarks using HTTP. As long as HTTP connections are possible, the risk of data interception is present.","RecommendedRemediation":"Enable HSTS on the server. This is done by including the Strict-Transport-Security header on the system. The “includeSubDomains” directive should be specified to ensure all subdomains on the system use HTTPS. 
Submit your domain to Google’s HSTS preload service. This preload list is included in most browsers and will automatically make all connections to the domain use an encrypted channel."},{"id":"ssl_version","pass":false,"meta":"SSLv3, TLSv1, TLSv1.1","vendorOnly":false,"expected":[{"property":"SSL > Insecure Protocol Versions","value":"[none found]"}],"actual":[{"property":"SSL > Insecure Protocol Versions","value":"SSLv3, TLSv1, TLSv1.1"}],"severity":3,"cloudscanCategory":"encryption","prevCloudscanCategory":"website_sec","title":"Insecure SSL/TLS versions available","description":"Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["120.138.28.84"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. There are multiple versions of SSL and TLS that can be used. Although each version supersedes the last, many times the older protocols remain enabled for legacy support.","riskDetails":"All versions of SSL, and TLS versions below 1.2, are insecure. There are known vulnerabilities for these versions that can allow malicious actors to bypass encryption and access the data. Therefore, these versions of SSL and TLS are susceptible to man-in-the-middle (MITM) attacks, where a third party intercepts data between the client and server.","recommendedRemediation":"Only TLS 1.2 or higher should be allowed. 
All older versions should be disabled on the server to prevent malicious actors from trying to connect to these vulnerable protocols.","knownExploitedVulnCount":0,"checkID":"ssl_version","category":"ssl","controlCheckID":"IM.EN.SE.UQ","passTitle":"No insecure SSL/TLS versions available","passDescription":"No insecure SSL/TLS versions are available for this site.","passGroupDescription":"No insecure SSL/TLS versions are available for any site.","failTitle":"Insecure SSL/TLS versions available","failDescription":"Any version of the SSL protocol, and TLS prior to version 1.2, are now considered insecure. The server should disable support for these old protocols.","remediation":"Disable support for the SSL protocol and TLS prior to version 1.2.","issue":"Impacted websites are using an insecure SSL/TLS version. Any version of the SSL protocol, and TLS protocol prior to version 1.2 are now insecure. Websites should not use these protocols.","recommendation":"Disable support of the SSL protocol and TLS protocol prior to version 1.2. Doing so will ensure the integrity of communications between the website and its visitors.","defaultSeverity":3,"categoryTotalCost":0,"overrideContext":null,"Deprecated":false,"ISOControls":["A.14.1.3"],"ISO2022Controls":["8.12"],"NISTControls":["PR.AC-5","PR.DS-2","PR.DS-5","PR.DS-6","PR.PT-4"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are mechanisms for securing traffic between two systems. They do this by using an encryption algorithm that makes the data unreadable for everyone except the two systems that possess the necessary certificates. There are multiple versions of SSL and TLS that can be used. Although each version supersedes the last, many times the older protocols remain enabled for legacy support.","RiskDetails":"All versions of SSL, and TLS versions below 1.2, are insecure. 
There are known vulnerabilities for these versions that can allow malicious actors to bypass encryption and access the data. Therefore, these versions of SSL and TLS are susceptible to man-in-the-middle (MITM) attacks, where a third party intercepts data between the client and server.","RecommendedRemediation":"Only TLS 1.2 or higher should be allowed. All older versions should be disabled on the server to prevent malicious actors from trying to connect to these vulnerable protocols."}],"patch_management":[{"id":"verified_vuln:CVE-2014-3566","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"Vulnerabilities > CVE-2014-3566","value":"[not vulnerable]"}],"actual":[{"property":"Vulnerabilities > CVE-2014-3566","value":"[vulnerable]"}],"severity":3,"cloudscanCategory":"patch_management","prevCloudscanCategory":"website_sec","title":"Vulnerable to CVE-2014-3566 (POODLE)","description":"The server supports SSLv3 and is therefore vulnerable to POODLE, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["120.138.28.84"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"","riskDetails":"","recommendedRemediation":"","knownExploitedVulnCount":0,"isVerifiedVuln":true}],"website_sec_v2":[{"id":"server_information_header","pass":false,"meta":"Microsoft-HTTPAPI/2.0","vendorOnly":false,"expected":[{"property":"Headers > server","value":"[does not contain version number]"}],"actual":[{"property":"Headers > server","value":"Microsoft-HTTPAPI/2.0"}],"severity":3,"cloudscanCategory":"website_sec_v2","prevCloudscanCategory":"website_sec","title":"Server information header exposed","description":"Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. 
The website configuration should be changed to prevent version information being revealed in the 'server' header.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["www.datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. Server: Apache/2.4.1 (Unix).","riskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","recommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. 
Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared.","knownExploitedVulnCount":0,"checkID":"server_information_header","category":"discovery","controlCheckID":"IM.WS.MI.VG","passTitle":"Server information header not exposed","passDescription":"Ensuring the server information header is not exposed reduces the ability of attackers to exploit certain vulnerabilities.","passGroupDescription":"No sites are exposing unnecessary server header information.","failTitle":"Server information header exposed","failDescription":"Exposing information about the server version increases the ability of attackers to exploit certain vulnerabilities. The website configuration should be changed to prevent version information being revealed in the 'server' header.","remediation":"Remove 'server' header.","issue":"The web server information of the impacted websites is exposed. Exposing information about the server version increases the ability of attackers to exploit known vulnerabilities.","recommendation":"Configure these websites to prevent version information from being revealed by removing the 'Server' header. This reduces the chance of attackers successfully exploiting known vulnerabilities.","defaultSeverity":3,"categoryTotalCost":5,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.1"],"ISO2022Controls":["8.9"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"HTTP response headers pass additional information about the web server being contacted to the client contacting it. Such information can include the age of cached information, any redirection targets, and descriptions of currently running software. These headers are configured on the server, and depending on the platform, may contain default values for these fields. The Server header is specifically used to describe the type and version of web server software, e.g. 
Server: Apache/2.4.1 (Unix).","RiskDetails":"Some technologies populate the Server header by default. If the Server header is exposed, the risk of an attack on the system is increased. The exposed information specifies the type and version of software currently running. This can be used by malicious actors to pinpoint vulnerabilities in the server, especially on systems running older versions of software. These headers can be harvested programmatically since they are offered publicly, making it easy to discover systems with populated headers across the internet.","RecommendedRemediation":"The Server header should be removed, blanked out or minimized. The method for doing so differs based on technology. In IIS, a URL rewrite rule can be used to replace the server header with a blank string. In Apache, however, the Server header cannot be blanked out, but can be configured to display only “Apache” by setting “ServerTokens Prod” in the Apache config file. Monitoring or auditing of exposed headers on all systems is recommended to ensure information about servers is not being shared."}],"dns":[{"id":"dnssec_enabled","pass":false,"meta":"","vendorOnly":false,"expected":[{"property":"DNSSEC enabled","value":"true"}],"actual":[{"property":"DNSSEC enabled","value":"false"}],"severity":2,"cloudscanCategory":"dns","prevCloudscanCategory":"network_sec","title":"DNSSEC not enabled","description":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","checkedAt":"2021-07-06T00:17:03.376764Z","dateDetected":null,"sources":["datadog.co.nz"],"none":false,"noneReason":null,"prevProvisionalID":null,"summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. 
Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","riskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","recommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play.","knownExploitedVulnCount":0,"checkID":"dnssec_enabled","category":"dns","controlCheckID":"IM.DS.DA.PA","passTitle":"DNSSEC enabled","passDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity.","passGroupDescription":"All applicable sites have DNSSEC enabled.","failTitle":"DNSSEC not enabled","failDescription":"DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.","remediation":"Configure DNSSEC for domain.","issue":"We've detected that DNSSEC is missing from some domains. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence and data integrity but not availability or confidentiality.","recommendation":"The domain owner should turn on DNSSEC for all domains. 
This can generally be done at their domain name registrar.","defaultSeverity":2,"categoryTotalCost":2,"overrideContext":null,"Deprecated":false,"ISOControls":["A.13.1.2"],"ISO2022Controls":["8.20"],"NISTControls":["PR.AC-5"],"ExcludeFromHardcodedPassedRisks":false,"Summary":"Domain Name System (DNS) is the service that translates human-friendly names to IP addresses. When a URL is sent from the browser, it goes to a DNS server that references its database and returns an IP address for the browser to use. Domain Name System Security Extensions (DNSSEC) is an optional feature of DNS that authenticates (but does not encrypt) responses to DNS requests. DNSSEC uses certificates to ensure only authorized DNS translations are returned to a client.","RiskDetails":"Without DNSSEC, domains are much more susceptible to DNS poisoning attacks. DNS poisoning is when a malicious actor manipulates the response to a DNS request in order to point the client to an IP address of their choosing. This allows them to then impersonate a valid website and capture any credentials or sensitive information given by the client.","RecommendedRemediation":"Enable DNSSEC on the domain. This is a three step process that involves creating the necessary DNSSEC records in your domain, activating DNSSEC at your domain registrar and enabling DNSSEC signature validation on all DNS servers. The specifics of each step vary depending on the platforms and vendors in play."}]},"cstarScore":285,"publicScore":-1,"vendorName":"datadog.co.nz","name":"datadog.co.nz","display_name":"datadog.co.nz","vendorId":5966669134757888,"business":{},"address":{},"ceo":{},"primaryHostname":"datadog.co.nz"}