
Viewing vulnerabilities and threats in Cloud Security Command Center

This page provides a list of reference guides for sending vulnerability and threat data, or more simply security source data, to Cloud Security Command Center (Cloud SCC).

Vulnerabilities

Security Health Analytics

Security Health Analytics managed vulnerability assessment scanning for Google Cloud Platform (GCP) provides automatic detection of common vulnerabilities and misconfigurations across Stackdriver Monitoring and Stackdriver Logging, Compute Engine, Google Kubernetes Engine containers, networks, Cloud Storage, Cloud SQL, Cloud Identity and Access Management (Cloud IAM), Cloud Key Management Service (Cloud KMS), and Cloud DNS. Scans automatically run twice a day, 12 hours apart.

Stackdriver Monitoring and Stackdriver Logging
  • Audit Config Not Monitored: Indicates if a log metric filter and alerts exist for Audit Configuration changes.
  • Bucket IAM Not Monitored: Indicates if a log metric filter and alerts exist for Cloud Storage Cloud IAM permission changes.
  • Custom Role Not Monitored: Indicates if a log metric filter and alerts exist for Custom Role changes.
  • Firewall Not Monitored: Indicates if a log metric filter and alerts exist for VPC Network Firewall rule changes.
  • Network Not Monitored: Indicates if a log metric filter and alerts exist for VPC network changes.
  • Owner Assignment Not Monitored: Indicates if a log metric filter and alerts exist for Project Ownership assignments or changes.
  • Route Not Monitored: Indicates if a log metric filter and alerts exist for VPC network route changes.
  • SQL Instance Not Monitored: Indicates if a log metric filter and alerts exist for Cloud SQL instance configuration changes.

Compute Engine
  • Full API Access: Indicates that an instance is configured to use the default service account with full access to all Google Cloud Platform APIs.
  • IP Forwarding Enabled: Indicates that IP forwarding is enabled on instances.

GKE Containers
  • IP Alias Disabled: Indicates a GKE cluster is created with Alias IP ranges disabled.
  • Legacy Authorization Enabled: Indicates that Legacy Authorization is enabled on GKE clusters.
  • Master Authorized Networks Disabled: Indicates Master authorized networks is not enabled on GKE clusters.
  • Monitoring Disabled: Indicates that Monitoring is disabled on GKE clusters.
  • Network Policy Disabled: Indicates Network policy is disabled on GKE clusters.
  • PodSecurityPolicy Disabled: Indicates that PodSecurityPolicy is disabled on GKE clusters.
  • Private Cluster Disabled: Indicates a GKE cluster has Private cluster disabled.
  • Web UI Enabled: Indicates the GKE web UI / Dashboard is enabled.

Network
  • Default Network: Indicates if the default network exists in a project.
  • Legacy Network: Indicates if a legacy network exists in a project.
  • Open Firewall: Indicates if a firewall rule allows ingress from all IP addresses or exposes all ports. Finding properties also specify the allowed sourceRanges and the allowed rule.

Cloud Storage
  • Bucket Policy Only Disabled: Indicates Bucket Policy Only is not configured.
  • Logging Disabled: Indicates if logging is disabled for a Cloud Storage bucket.
  • Public Bucket ACL: Indicates that a Cloud Storage bucket is publicly accessible. Also specifies which Cloud IAM role is granted (reader, writer, or owner) and to which entity (allUsers or allAuthenticatedUsers). For more information, see Understanding roles.

Cloud SQL
  • No root password: Indicates if a Cloud SQL database doesn't have a password configured for the root account.
  • Public SQL Instance: Indicates if a Cloud SQL database instance accepts connections from all IP addresses.
  • SSL Not Enforced: Indicates if a Cloud SQL database instance doesn't require all incoming connections to use SSL.
  • Weak Root Password: Indicates if a Cloud SQL database has a weak password for the root account.

Cloud IAM
  • KMS IAM Role Separation: Indicates that there are users that do not follow good separation of duties for Cloud KMS roles.
  • Non Org IAM Member: Indicates that Gmail accounts have project-level or organization-level Cloud IAM permissions.

Cloud KMS
  • KMS Key Not Rotated: Indicates rotation is not configured on a KMS encryption key.

Cloud DNS
  • DNSSEC Disabled: Indicates that DNSSEC is disabled for Cloud DNS zones.
  • RSASHA1 For Signing: Indicates that RSASHA1 is used for key signing in Cloud DNS zones.

To get started, follow the guide to Enable Security Health Analytics.
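To make the configuration evidence behind a few of these findings concrete, the following is an added example (not Google's Security Health Analytics code) that evaluates Open Firewall, Public Bucket ACL and Full API Access conditions against resource descriptions. The resource shapes follow the Compute Engine firewall and instance and the Cloud Storage ACL REST representations, which is an assumption, and every sample resource below is constructed.

```python
"""Evaluate Security Health Analytics-style checks against resource
descriptions. Added example, not Google's detector code. Resource shapes
follow the Compute Engine and Cloud Storage REST representations (assumed);
all sample inputs are constructed."""
import ipaddress

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
PUBLIC_ENTITIES = {"allUsers", "allAuthenticatedUsers"}


def _covers_everything(cidr):
    # 0.0.0.0/0 or ::/0: a prefix length of zero matches every address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _all_ports(allowed):
    # A missing "ports" list means every port of that protocol, and so does
    # an explicit full range.
    ports = allowed.get("ports")
    if ports is None:
        return True
    return any(p.replace(" ", "") in ("0-65535", "1-65535") for p in ports)


def open_firewall_findings(rule):
    """Return one finding per 'allowed' entry that makes an ingress rule open.

    Open means ingress from all IP addresses or exposure of all ports. Each
    finding carries the sourceRanges and the allowed entry, as the page says
    the Open Firewall finding properties do.
    """
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    ranges = rule.get("sourceRanges", [])
    open_ranges = [r for r in ranges if _covers_everything(r)]
    findings = []
    for allowed in rule.get("allowed", []):
        if open_ranges or _all_ports(allowed):
            findings.append({
                "finding": "Open Firewall",
                "rule": rule.get("name"),
                "sourceRanges": open_ranges or ranges,
                "allowed": allowed,
            })
    return findings


def public_bucket_acl(acl):
    """Return (entity, role) pairs granted to allUsers or allAuthenticatedUsers."""
    return [(e["entity"], e["role"]) for e in acl if e.get("entity") in PUBLIC_ENTITIES]


def full_api_access(instance, project_number):
    """True if the instance runs as the default Compute Engine service account
    with the cloud-platform scope, i.e. full access to all GCP APIs."""
    default_sa = f"{project_number}-compute@developer.gserviceaccount.com"
    return any(
        sa.get("email") == default_sa and CLOUD_PLATFORM_SCOPE in sa.get("scopes", [])
        for sa in instance.get("serviceAccounts", [])
    )


# Constructed sample resources (not real project data).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "internal-https", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "internal-all-ports", "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp"}]},
]
SAMPLE_ACL = [
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
]
SAMPLE_INSTANCE = {"serviceAccounts": [
    {"email": "123456-compute@developer.gserviceaccount.com",
     "scopes": [CLOUD_PLATFORM_SCOPE]}]}

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for finding in open_firewall_findings(rule):
            print(finding)
    print(public_bucket_acl(SAMPLE_ACL))
    print(full_api_access(SAMPLE_INSTANCE, "123456"))
```

Note that the all-ports condition fires even for a rule restricted to a private range, matching the page's "or exposes all ports" wording, while a disabled rule or an egress rule is never reported.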

Cloud Security Scanner

Cloud Security Scanner provides managed web vulnerability scanning for public App Engine, GKE, and Compute Engine serviced web applications. Cloud Security Scanner displays granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content. Cloud Security Scanner findings are available in Cloud SCC if you've completed the Cloud Security Scanner quickstart.

  • Mixed Content: A page that was served over HTTPS also loads resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource, or monitor the actions taken by the user.
  • Outdated Library: The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.
  • Rosetta Flash: This type of vulnerability occurs when the value of a request parameter is reflected at the beginning of the response, for example, in requests using JSONP. Under certain circumstances, an attacker may be able to supply an alphanumeric-only Flash file in the vulnerable parameter, causing the browser to execute the Flash file as if it originated on the vulnerable server.
  • XSS Callback: A cross-site scripting (XSS) bug is found via JavaScript callback. For detailed explanations on XSS, see Cross-site scripting.
  • XSS Error: A potential cross-site scripting (XSS) bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before it is parsed by the browser. When the browser attempts to run this modified test string, it will likely break and throw a JavaScript execution error, so an injection issue is occurring. However, it may not be exploitable. Manual verification is needed to see if the test string modifications can be evaded and to confirm that the issue is in fact an XSS vulnerability. For detailed explanations on XSS, see Cross-site scripting.
  • XSS Angular Callback: A cross-site scripting (XSS) vulnerability in an AngularJS module that occurs when a user-provided string is interpolated by Angular.
  • Clear Text Password: An application appears to be transmitting a password field in clear text. An attacker can eavesdrop on network traffic and sniff the password field.
  • Invalid Content Type: An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.
  • Invalid Header: A malformed or invalid-valued header.
  • Misspelled Security Header Name: Misspelled security header name.
  • Mismatching Security Header Values: Mismatching values in a duplicate security header.
  • Accessible GIT Repository: An accessible git repository was found by the scan.
  • Accessible SVN Repository: An accessible SVN repository was found by the scan.

To display Cloud Security Scanner results in Cloud SCC, you need to run the security scan in the project that contains the publicly facing candidate App Engine, Compute Engine, or GKE application. Any application vulnerabilities that are detected will be automatically displayed in Cloud SCC.

  • To explore details about a specific finding, click the finding under Finding.
  • To display details about all Cloud Security Scanner findings, click View all security findings.
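The following is an added example, not Cloud Security Scanner's own code, showing the kind of response-level checks behind the Mixed Content, Invalid Content Type, Misspelled Security Header Name and Mismatching Security Header Values findings. It takes a page URL with its HTML and the response headers as (name, value) pairs; the page, headers and the list of security header names it compares against are all constructed here.

```python
"""Response checks of the kind behind four Cloud Security Scanner findings.
Added example, not the scanner's code. The list of security headers and
all sample pages and headers below are constructed."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs whose URL the browser fetches while rendering.
RESOURCE_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"),
                  ("audio", "src"), ("video", "src"), ("source", "src"),
                  ("link", "href")}
# Header names that are only effective when spelled exactly (assumed list).
SECURITY_HEADERS = {"x-content-type-options", "x-frame-options",
                    "strict-transport-security", "content-security-policy",
                    "x-xss-protection"}


class _ResourceCollector(HTMLParser):
    """Collect URLs of sub-resources referenced by the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are fetched as part of rendering; a
        # canonical or alternate link is metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            if (tag, name) in RESOURCE_ATTRS and value:
                self.urls.append(value)


def mixed_content(page_url, html):
    """Return sub-resource URLs that an HTTPS page loads over plain HTTP."""
    if urlparse(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    # Relative and protocol-relative references inherit https and are fine.
    return [u for u in collector.urls
            if urlparse(urljoin(page_url, u)).scheme == "http"]


def header_findings(headers):
    """Return finding names for a response's (name, value) header pairs."""
    findings = []
    seen = {}
    for name, value in headers:
        lname = name.lower()
        if lname in SECURITY_HEADERS:
            if lname in seen and seen[lname] != value:
                findings.append("Mismatching Security Header Values")
            seen.setdefault(lname, value)
        elif difflib.get_close_matches(lname, SECURITY_HEADERS, n=1, cutoff=0.85):
            # Close to a known security header but not equal to it: the
            # browser ignores it, so the intended protection never applies.
            findings.append("Misspelled Security Header Name")
    content_type = {n.lower(): v for n, v in headers}.get("content-type", "")
    media_type = content_type.split(";")[0].strip()
    nosniff = seen.get("x-content-type-options", "").strip().lower() == "nosniff"
    if "/" not in media_type or not nosniff:
        findings.append("Invalid Content Type")
    return findings


# Constructed sample page and headers (no real site).
SAMPLE_URL = "https://app.example/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://app.example/">
<script src="http://cdn.example/app.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<img src="/local.png">
</body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("X-Content-Type-Option", "nosniff"),   # one letter short
]

if __name__ == "__main__":
    print(mixed_content(SAMPLE_URL, SAMPLE_HTML))
    print(header_findings(SAMPLE_HEADERS))
```

The misspelled header is deliberately the cause of the Invalid Content Type result as well: because `X-Content-Type-Option` is not the header browsers honour, the response effectively has no nosniff protection, which is why the scanner reports both.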

Threats

Cloud Anomaly Detection

Cloud Anomaly Detection leverages behavior signals from outside your system. It displays granular information about security anomalies detected for your projects and Virtual Machine (VM) instances, like potential leaked credentials, unusual activity, and coin mining. Cloud Anomaly Detection findings are automatically available in Cloud SCC and will be displayed when you enable it as a security source. Example detections include the following:

Potential for Compromise
  • Leaked Service Account Credentials: GCP service account credentials that are accidentally leaked online or compromised.
  • Potential Compromised Machine: Potential compromise of a resource in your organization.

Abuse Scenarios
  • Resource used for cryptomining: Behavioral signals around a VM in your organization indicate that it might have been compromised and could be getting used for cryptomining.
  • Resource used for outbound intrusion: Intrusion attempts and port scans. One of the resources or GCP services in your organization is being used for intrusion activities, like an attempt to break in or compromise a target system. These include SSH brute force attacks, port scans, and FTP brute force attacks.
  • Resource used for phishing: One of the resources or GCP services in your organization is being used for phishing.

Anomalies
  • Possible Data Exfiltration: A sudden change in behavior, such as large data egress from a VM to a previously unseen IP address range.
  • Unusual Activity/Connection: Unusual activity from a resource in your organization.

Cloud Data Loss Prevention

Cloud DLP Data Discovery enables you to surface the results of Cloud Data Loss Prevention (Cloud DLP) scans directly in the Cloud SCC dashboard and Findings inventory. Each Cloud DLP Data Discovery finding only includes the category type of the identified PII data and the resource it was found in. It doesn't include any of the specific underlying data.

To display these findings, follow the guide to send DLP API results to Cloud SCC. After you complete the guide, Cloud DLP scan results will display in Cloud SCC:

  • To display details about a specific category of findings, click the finding under Finding.
  • To display details about all Cloud DLP scanner findings, click More.


Event Threat Detection

Event Threat Detection (ETD) leverages log data from inside your systems. It watches your organization's Stackdriver Logging stream for one or more projects, and consumes logs as they become available. When a threat is detected, ETD writes a Finding to Cloud SCC and to a Logging project. ETD findings are available in Cloud SCC after you set up ETD.

Monitoring & Logging
  • Bruteforce SSH: ETD detects brute force of SSH by examining SSH logs for repeated failures followed by success.
  • Cryptomining: ETD detects coin mining malware by examining VPC logs for connections to known bad domains for mining pools, as well as other logs.
  • Cloud IAM abuse: Malicious grants. ETD detects the addition of accounts from outside of your organization's domain that are given Owner or Editor organization or project permission.
  • Malware: ETD detects malware by examining VPC logs for connections to known bad domains and other log data.
  • Phishing: ETD detects phishing by examining VPC logs for connections and other log data.
  • Outgoing DDoS, port-scanning: ETD detects DDoS attacks originating inside your organization by looking at the sizes, types, and numbers of VPC flow logs. Outgoing DDoS is a common use of compromised instances and projects by attackers. ETD detects port scans originating inside your organization by looking at the sizes, types, and numbers of VPC flow logs. Port scanning is a common indication of an attacker getting ready for lateral movement in a project.

Get started with Event Threat Detection.
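As an added example (not ETD's own code), the following runs two of the detections described above over constructed log data: the Bruteforce SSH pattern of repeated failures followed by a success from the same source, and the Cloud IAM abuse pattern of an Owner or Editor grant to an account outside the organization's domain. The sshd line format and the simplified audit log entry shape (a `SetIamPolicy` entry carrying `bindingDeltas`) are assumptions, as are the threshold and time window.

```python
"""Two Event Threat Detection-style detections over constructed logs.
Added example, not ETD's code. The sshd line format, the simplified audit
log entry shape, and the threshold/window values are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return findings for sources with >= threshold failures inside `window`
    followed by a successful login (the page's 'failures followed by success')."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    findings = []
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        # syslog stamps carry no year; the samples all fall in one day.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()            # drop failures outside the window
        if m["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            findings.append({"finding": "Bruteforce SSH", "source_ip": m["ip"],
                             "user": m["user"], "failures": len(recent)})
            recent.clear()
    return findings


PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}


def detect_external_privileged_grants(entry, org_domains):
    """Return Owner/Editor grants in a SetIamPolicy audit entry whose member
    is a user or group outside org_domains."""
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    hits = []
    for delta in deltas:
        if delta.get("action") != "ADD" or delta.get("role") not in PRIVILEGED_ROLES:
            continue
        kind, _, account = delta.get("member", "").partition(":")
        domain = account.rpartition("@")[2]
        if kind in ("user", "group") and domain not in org_domains:
            hits.append({"finding": "Cloud IAM abuse",
                         "member": delta["member"], "role": delta["role"]})
    return hits


# Constructed sample data (documentation-range addresses, no real accounts).
SAMPLE_SSH_LOG = [
    "Mar 10 12:00:01 vm1 sshd[1000]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Mar 10 12:00:04 vm1 sshd[1001]: Failed password for root from 203.0.113.5 port 40002 ssh2",
    "Mar 10 12:00:09 vm1 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2",
    "Mar 10 12:00:15 vm1 sshd[1003]: Failed password for root from 203.0.113.5 port 40004 ssh2",
    "Mar 10 12:00:22 vm1 sshd[1004]: Failed password for root from 203.0.113.5 port 40005 ssh2",
    "Mar 10 12:00:31 vm1 sshd[1005]: Failed password for deploy from 198.51.100.7 port 50000 ssh2",
    "Mar 10 12:00:40 vm1 sshd[1006]: Accepted password for root from 203.0.113.5 port 40006 ssh2",
    "Mar 10 12:01:02 vm1 sshd[1007]: Accepted publickey for deploy from 198.51.100.7 port 50001 ssh2",
]
SAMPLE_AUDIT_ENTRY = {"protoPayload": {"methodName": "SetIamPolicy", "serviceData": {
    "policyDelta": {"bindingDeltas": [
        {"action": "ADD", "role": "roles/owner", "member": "user:bob@gmail.com"},
        {"action": "ADD", "role": "roles/viewer", "member": "user:eve@gmail.com"},
        {"action": "ADD", "role": "roles/editor", "member": "user:carol@example.com"},
        {"action": "REMOVE", "role": "roles/owner", "member": "user:dave@gmail.com"},
    ]}}}}

if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_SSH_LOG))
    print(detect_external_privileged_grants(SAMPLE_AUDIT_ENTRY, {"example.com"}))
```

The single failed login from 198.51.100.7 before its successful key-based login is below the threshold and is not reported, which is the point of requiring repeated failures rather than any failure before a success.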

Forseti Security

Forseti Security gives you tools to understand all the resources you have in Google Cloud Platform (GCP). The core Forseti modules work together to provide complete information so you can take action to secure resources and minimize security risks.

To display Forseti violation notifications in Cloud SCC, follow the Forseti Cloud SCC notification guide.


Phishing Protection

Phishing Protection helps prevent users from accessing phishing sites by classifying malicious content that uses your brand and reporting the unsafe URLs to Google Safe Browsing. After a site is propagated to Safe Browsing, users will see warnings across more than three billion devices.

To get started with Phishing Protection, follow the guide to Enable Phishing Protection. After you enable Phishing Protection, results are displayed in Cloud SCC in the Phishing Protection card under Findings.
