
CipherInsight System Reference Guide

The document serves as a system reference guide for the CipherInsights product, detailing its features and functionalities for assessing cyber risks across various factors. It outlines the process for running risk assessments, evaluating risk data, and utilizing Zero Trust principles for enhanced visibility of encryption and digital certificates. The guide emphasizes the importance of identifying vulnerabilities and provides tools for remediation and compliance monitoring.

SYSTEM REFERENCE GUIDE

Software Version 10.1


Table of Contents

1 Introduction
2 Cyber Risk
  2.1 Run a Risk Assessment
  2.2 Dashboard View
  2.3 Evaluating Risk Data
    2.3.1 Identity Risk
    2.3.2 Device Risk
    2.3.3 Network Risk
    2.3.4 Application Risk
    2.3.5 Data Risk
  2.4 Risk Adjustments
3 Zero Trust
  3.1 Encryption Visibility
    3.1.1 Dashboard Details
  3.2 Digital Certificates
    3.2.1 Dashboard Details
4 Discover
  4.1 Violations
  4.2 Sessions
  4.3 Nodes
  4.4 Certificate Chains
  4.5 Certificates
  4.6 Certificate Authorities
  4.7 Invalid Certificates
5 Explore
6 Report
  6.1 Asset Counting
  6.2 Book Reports
  6.3 Certificate Expirations
  6.4 Certificate Wildcards
  6.5 Clear vs Encrypted Traffic
  6.6 Dta Report
  6.7 Endpoint Network Traffic
  6.8 Recent Database or Client Activity
  6.9 SSL/TLS Usage
  6.10 Self-Signed and Untrusted Certificates
  6.11 TLS Cipher Suite Usage
7 Certificate Validation
  7.1 Certificate Sources
  7.2 Validation Settings
  7.3 Updating Individual Certificate Settings
8 System Alerts
Certificate of Compliance

QuantumXC.com #BeQuantumSafe / i i
1 Introduction

This document describes the features and functionality of the CipherInsights product. The expectation is that the system
has already been installed and configured using the CipherInsights ISO Installation Guide and the CipherInsights Analytics
Hub Configuration and Management Guide.

The CipherInsights application provides a comprehensive automated internal assessment across 7 risk factors from
endpoints and authentication at the edge to the application servers and databases in the network core, along with all the
protocols connecting them.

Each risk factor is scored from 0 to 100, with 100 being the highest risk. The score is derived by assessing the vulnerabilities
associated with each risk factor. Each vulnerability is cataloged, and objective evidence is collected to drive remediation
efforts both internally and on network-connected third parties.

The CipherInsights application also provides a Zero Trust visibility solution for encryption and digital certificate visibility of
encrypted traffic in motion, when the associated license is installed.

Zero Trust features include:

• Automatic identification of encrypted and unencrypted traffic, at a macro level, down to session.
• Advanced filtering for the investigation of both encrypted and unencrypted traffic of on-net or off-net traffic in both
cloud and on-prem deployments.
• Discovery of all certificates that are in use inside a company’s infrastructure.
• Identification of certificates that are self-signed, contain wildcards or are expired and still being actively used.
• Reporting of the session usage count of various TLS versions, so older versions can be acted upon and removed,
enabling enforcement of security policy through active visibility.
• Display of all certificate authorities actively being used inside the infrastructure (valid, invalid, unknown).
• A discovery workbench to drill and trace into the session information including:
- List un-encrypted servers on net
- List obsolete TLS 1.0, 1.1 versions in use
- List self-signed certs in use
- List wildcard certs in use
- List expired certs in use
• Real-time processing of TCP sessions enables continuous discovery of all active servers responding to connection
attempts and their associated clients.
• Tabular and visual summaries and drill downs through a web console and an extensive set of analytical reports to
enable alignment of your encryption environment with best practices for securing data.
• Identification of all databases in use in the network.
• Ability to map applications based on certificate use.
This guide assumes the reader is familiar with logging in and navigating through the system. For detailed instructions on
system navigation, see the CipherInsights Analytics Hub Configuration and Management Guide.

2 Cyber Risk

When the user logs in to the CipherInsights application for the first time, they will be taken to the Cyber Risk page. After
allowing the system to collect data for a short period of time (one week is recommended), the first step of the evaluation
process is to run an assessment to generate the scorecard and dashboard view.

2.1 Run a Risk Assessment


As stated above, the first step in the Cyber Risk evaluation process is to run a risk assessment. The initial landing page will
display the risk assessment configuration page on first log in.

Fill out each of the fields to run the assessment:

Description and Timeframe

To run a one-week assessment, select a timeframe using Relative to Run Time and then set the start time to feed local
minus seven days.

Description and Timeframe

Run the initial assessment as One-off. Once you have evaluated the overall score you can adjust and then schedule on
a nightly, weekly, or monthly basis.

2.2 Dashboard View


Once an assessment has been run, the system will display the assessment report dashboard.

The left side of the screen provides the company aggregate score. The default configuration sets this score as the maximum
of the five pillar scores calculated by the system, because your overall security, and associated risk, is only as strong as
the weakest link.

The right side of the dashboard provides the scores for the five pillars of the CISA Zero Trust maturity model.

• Identity Risk
• Device Risk
• Network Risk
• Application Risk
• Data Risk

Each pillar has one or more risk factors that are evaluated and averaged to provide a risk score for that pillar.


2.3 Evaluating Risk Data


Each risk pillar has multiple factors used to calculate the overall score. At the pillar level, the scores are averaged to
generate the pillar risk score.

2.3.1 Identity Risk


The Identity Risk score evaluates authentication and authorization risk in the network.

The score is made up of the average of the User Authentication Risk Score and the User Authorization Risk Score.

User Authentication Risk

The Authentication Risk score is based on insecure vs secure forms of user authentication in the network under
evaluation. The application looks for relationships using LDAP vs LDAPS and Microsoft Global Catalog vs Microsoft
Global Catalog SSL.

User Authorization Risk

The User Authorization Risk score is based on least-privilege, i.e., the number of endpoints accessing internal servers.
This scorer is still under development and is not used in scoring in this version of the software.

2.3.2 Device Risk


The Device Risk pillar is still under development and is not used in scoring in this version of the software.

2.3.3 Network Risk


The Network Risk score evaluates encryption, certificate trust, and certificate validation in the network.

The score is made up of the average of the Encryption Quality, Certificate Trust, Certificate Validation, Segmentation,
and Volatility Risk scores.


Encryption Quality

The Encryption Quality scorer evaluates SSL and TLS usage in the network. Use of modern encryption (TLS1.2 and
TLS1.3) is scored positively. Use of obsolete encryption, including SSLv3, TLS1.0, and TLS1.1, puts the network at risk
and is identified for potential remediation.

Trust Risk

The Trust Risk scorer evaluates certificates to identify self-signed vs trusted third party certificate usage in the network.
Hackers use self-signed certificates to encrypt data for exfiltration from customer networks.

Validation Risk

The Validation Risk scorer evaluates certificates and certificate chains. The CipherInsights system attempts to validate
certificate chains to the root certificate of trust. If the root certificate cannot be found or identified, then the certificate
chain is invalid.

Segmentation Risk

The Segmentation Risk scorer is still under development and is not currently used in risk scoring.

Volatility Risk

The Volatility Risk scorer is still under development and is not currently used in risk scoring.


2.3.4 Application Risk


The Application Risk score evaluates availability and security of the cyber environment.

The score is made up of the average of the Availability Risk, Third-Party Risk, and SaaS Risk scorers.

Availability Risk

The Availability Risk score evaluates the use of expired certificates in the cyber environment. If an application is properly
configured to not allow the use of expired certificates, then that application will shut down when the server certificate expires.

Third-Party Risk

The Third-Party scorer is still under development and is not currently used in risk scoring.

SaaS Risk

The SaaS Risk scorer is still under development and is not currently used in risk scoring.


2.3.5 Data Risk


The Data Risk score evaluates the method and security of the flow of data in the cyber environment.

The score is made up of the average of the Privacy, Database, and Recovery Risk scorers.

Privacy Risk

The Privacy Risk scorer evaluates the protocols used to move data throughout the cyber environment.

Database Risk

The Database Risk scorer evaluates database traffic to determine whether that traffic is encrypted.

Recovery Risk

The Recovery Risk scorer is still under development and is not currently used in risk scoring.

2.4 Risk Adjustments


Once the initial risk assessment has been run and you have evaluated the results, you may choose to adjust the overall
or individual scores. You can either make an adjustment to the existing scorer or create a new assessment and adjust
prior to running it.

To adjust an existing assessment, click the Make Adjustments button at the bottom of the Company Aggregate pane:

You can adjust any assessment that has already been run. Select the assessment and then make adjustments on the
right side of the screen. For example, we can see the same assessment but with a weighted average of all scores for the
company aggregate rather than the maximum value:

Select Weighted Average and Run Risk Assessment. When the assessment is complete, you will get a message
and a button to view the adjusted scores:

In this example, changing the Company Aggregate score to Weighted Average results in an overall score of 88 vs 100.

3 Zero Trust

The Zero Trust pages of the CipherInsights product provide dashboard views into the nature of network traffic with respect
to encryption and digital certificates. In addition to collecting and evaluating session, traffic, and node data the system
evaluates digital certificates and will alert on possible violations such as untrusted, self-signed, or wild card certificates, and
definite violations in the form of expired certificates. The Zero Trust tab has two dashboard pages.

3.1 Encryption Visibility


The Zero Trust Encryption Visibility dashboard provides a summary view of the encryption, certificates, and sessions
collected by the CipherInsights software.


3.1.1 Dashboard Details


On the top left of the screen, the system provides a view into the encryption in motion implemented in the network based
on sessions and traffic.

Hovering over either the Session or Traffic bar graph and clicking its encrypted or unencrypted portion will
filter the entire page to the associated information.

The Violations modal provides summary information on certificate issues.

Clicking the View button takes you to the Discover page and displays the pre-defined Violations detailed report. Clicking
any individual option, such as “Self-Signed,” takes you to the same page and automatically enters the appropriate filter.

The Nodes Monitored modal provides information on both database and server nodes. Clicking the View button takes you
to the Discover page and displays the pre-defined Nodes detailed report. Clicking on either Database Nodes or Server
Nodes will take you to the Nodes report with the associated filter automatically configured.

Detailed session information is displayed at the bottom of the screen in tabular form, based on the selections entered in
the search criteria.

This data can be sorted by any of the columns in the display. The initial click will sort from lowest to highest; a second click
reverses the order.

3.2 Digital Certificates


The Digital Certificates function of the product provides detailed information about certificate usage throughout the network.
This includes total end-entities and flags for self-signed, wild card, and expired certificates. In addition, the page summarizes
the number of certificates in use by Certificate Authorities and the encryption version used for each. The page can be filtered
as described previously.

3.2.1 Dashboard Details


The overview page provides a summary of certificate and session information collected by the system, including encryption
version information, certificate expirations, and certificate authorities along with detailed information on each certificate chain
in tabular form at the bottom of the page.

The Certificate Authorities modal can be displayed either by connection count or client count. Selecting the “more”
count at the bottom of the page takes you to the Discover page and displays the Certificate Authority report which
displays all certificate authorities captured by the system.

The center portion of the display includes the encryption summary graph and a bar graph of certificate expirations.

Clicking any of the bars in the Expirations graph takes you to the Discover page and displays the certificate page, filtered
according to the graph you select.

The bottom of the page includes a list of certificate chains identified by the application, sorted by traffic volume.

Selecting an individual certificate from the list, by using the arrow button on the right side of the row, will take
you to the Certificate detail page. The system will provide an overview of the certificate, including Subject,
Issuer, Root CA, and Expiration. It also includes the Validation status and offers the user the ability to look at the
detailed certificate, text, and the mesh of the certificate chain.

4 Discover

The Discover tab provides a rich search engine that allows you to query the system data lake and build reports derived
from all the data the system collects. The language is SQL-like, but specific to the CipherInsights system.

The system provides a pre-configured set of reports that can be viewed by clicking the saved search button on the left
side of the filter line. These reports are described later in this section.

Selecting one of the reports will provide an example of the language used to develop that report. For example,
the Nodes report will display:

The items included in the report are shown at the top of the page.

The box on the right is the sort order. If a field is sortable, it will be displayed in the drop-down box.

You can limit the amount of data in the report by using the filter bar at the top, and you can select previously saved queries
to filter the data. As in the case of other screens, the filter must be applied to adjust the results of the displayed report.

You can use the drop-down button to build a new report. When you click that button the list of options is
displayed. Click on an item to include it in the report.

When the items selected and filter are correct, the system will prompt you to click Apply to execute the report.

The system allows you to create a report from a properly formatted discovery search for use later in the Reports page.
Select the Apply button on the top right of the screen and then select Save Query to open the report creation tool.

The Description will be used on the reports page as the name of the report. The Report Title is displayed on the report
when run. The string entered in the Unique component output file name field will be added to the report each time it
is run and is important when multiple reports will be run and downloaded on the same day. The name must not contain
spaces or special characters other than dash (-) or underscore (_).

Check the appropriate box for pdf and/or csv file generation. To get the complete report in pdf, set the Maximum rows
to show in pdf report to zero. The system limits PDF reports to a maximum of 500 rows of data.

Each report created in the Discover page will be available in the Reports > DTA Report page, described in Section 6.

Items that can be grouped for display are listed in Table 4-1.

Table 4-1. Validation Fields

Field | Description | Options/Format
Alt Names | Indicates the number and detail of alt names found in the certificate | Number/text
Certificate Authority | Indicates if the certificate authority is in the trust store | True/false
Certificate Count | Number of certificates identified in a certificate chain | Number
Client | IP address and domain name (if available via DNS lookup) of the client in the session | 0.0.0.0
Client Realm | The client realm, if configured | Text
Client – TLS Version | Version of TLS supported by the client | Text
Client Count | Number of clients associated with the reported object | Number
Client/Server Side | Identifies if a node has been identified as a client or server | Client/server
Dialect | The database dialect, when applicable. SQL Server, Oracle | Text
Effective TLS Version | Version of TLS negotiated on the session | Text
Encrypted | Whether or not encryption is detected in the session | True/False
Encryption | Identifies the type of encryption used in the session, if applicable. | Clear or Encryption Type
End Entities | Identifies the service or URL identified, if applicable | Text
Ended Connections | Number of connections that completed | Number
First Seen | Date and timestamp when a service or database is first detected by the system | Date/Time
Issuer | The issuing company for the certificate | Text
Issuer - Organization | The issuing company for the certificate | Text
Last Seen | Identifies the last date/time traffic was seen for the object in the report | Date/Time
New Connections | A count of new connections seen for the time window selected | Number
Node Type | Type of Node | Server/Database
Not Valid After | Date the certificate is not valid after | Date/Time
Not Valid Before | Date the certificate is not valid before | Date/Time
Packet Volume | Number of total packets seen for the object in the report | Number
Packets to Client | Number of packets destined for the client that were seen for the object in the report | Number
Packets to Server | Number of packets destined for the server that were seen for the object in the report | Number
PEM | The PEM of the certificate | Text
Port | The port used by the client and/or server in the session | Number
Protocol | The communication protocol detected in the conversation | Text
Proxy | Indicates if the certificate is configured as a proxy | True/false
Public Key | The public key of the certificate | Text
Public Key Algorithm | The public key algorithm of the certificate | Text
Self-Signed | Indicates if the certificate is self-signed | True/false
Serial Number | Certificate serial number | Number
Server | IP address and domain name (if available via DNS lookup) of the server in the session | 0.0.0.0
Server Certificates | Includes the server certificates detected in the session | Text
Server Realm | The server realm, if configured | Text
Servers | When used on a certificate report, identifies the servers using the associated certificate | Number/text
Service - Name | Service name of the database or application, if applicable | Text
Signature | The signature portion of the certificate | Text
Signature Algorithm | The signature algorithm of the certificate | Text
Subject | The subject information of the certificate | Text
Subject – Common Name | The CN of the certificate | Text
Text | The complete certificate text | Text
Traffic Volume | Number of total bytes seen for the object in the report | Number
Traffic Volume to Client | Number of bytes destined for the client that were seen for the object in the report | Number
Traffic Volume to Server | Number of bytes destined for the server that were seen for the object in the report | Number
Trust | The trust status of the certificate in the system | Infer/Never/Always
Valid | Indicates if the certificate is valid | True/false
Validated On | Date/time the certificate was validated | Date/time
Validations | Text describing validation issues, if applicable | Text
Version | Certificate version | Number
Wildcard | Indicates if the certificate uses a wildcard | True/false


4.1 Violations
The Violations page provides a tabular list of all sessions in which certificate violations were detected. The display
includes the number of connections and traffic volume. This data can be sorted by any of the columns in the display.
The initial click will sort from lowest to highest; a second click reverses the order.
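
The checks this guide lists for the discovery workbench (unencrypted servers, obsolete TLS versions, self-signed, wildcard, and expired certificates in use) can be re-applied to session rows outside the product. The following is an added example, not CipherInsights code: the CSV layout, the use of Table 4-1 field names as column headers, the version strings, and the ISO 8601 dates are all assumptions, and the rows are constructed.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows. Column names borrow Table 4-1 field names; this is
# an assumed layout, not a documented CipherInsights export format.
SAMPLE_CSV = """Server,Port,Protocol,Encrypted,Effective TLS Version,Self-Signed,Wildcard,Not Valid After,Last Seen
10.0.0.10,443,HTTPS,True,TLS1.3,false,false,2031-01-01T00:00:00,2025-03-01T12:00:00
10.0.0.11,443,HTTPS,True,TLS1.0,false,true,2031-01-01T00:00:00,2025-03-01T12:05:00
10.0.0.12,389,LDAP,False,,,,,2025-03-01T12:06:00
10.0.0.13,8443,HTTPS,True,TLSv1.2,true,false,2024-12-31T23:59:59,2025-03-01T12:07:00
10.0.0.14,636,LDAPS,True,SSLv3,false,false,2031-01-01T00:00:00,2025-03-01T12:08:00
"""

# Versions the guide names as obsolete (SSLv3, TLS1.0, TLS1.1), in the
# normalized spelling produced by norm_version().
OBSOLETE_VERSIONS = {"ssl3", "tls1.0", "tls1.1"}


def is_true(value):
    """Interpret the True/false strings used in the table as a boolean."""
    return value.strip().lower() == "true"


def norm_version(value):
    """Normalize 'TLSv1.2', 'TLS 1.2' and 'TLS1.2' to the same token."""
    return re.sub(r"[\sv]", "", value.lower())


def findings_for(row):
    """Return the list of findings for one session row (empty if clean)."""
    if not is_true(row["Encrypted"]):
        # Clear-text session: there is no TLS version or certificate to check.
        return ["unencrypted"]
    found = []
    if norm_version(row["Effective TLS Version"]) in OBSOLETE_VERSIONS:
        found.append("obsolete-tls")
    if is_true(row["Self-Signed"]):
        found.append("self-signed")
    if is_true(row["Wildcard"]):
        found.append("wildcard")
    not_after, last_seen = row["Not Valid After"], row["Last Seen"]
    # A certificate is "expired and still in use" when traffic was seen
    # after its Not Valid After date.
    if not_after and last_seen:
        if datetime.fromisoformat(last_seen) > datetime.fromisoformat(not_after):
            found.append("expired-in-use")
    return found


def triage(csv_text):
    """Map (server, port) to its findings, skipping rows with none."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        found = findings_for(row)
        if found:
            result[(row["Server"], int(row["Port"]))] = found
    return result


if __name__ == "__main__":
    for endpoint, found in triage(SAMPLE_CSV).items():
        print(endpoint, ", ".join(found))
```
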

4.2 Sessions
The Sessions page displays the complete detail for each session detected in tabular form. This includes both encrypted and
unencrypted sessions. The search criteria line can be used to narrow the display, and the data can be sorted by any of the
columns in the display. The initial click will sort from lowest to highest; a second click reverses the order.


4.3 Nodes
The Nodes page displays information on the nodes discovered by the product. The page can be filtered by
time and search criteria, like prior pages. The table can be sorted by any column displayed on the page.

4.4 Certificate Chains


The Certificate Chains page provides a list of all certificate chains identified by the system. The page includes the subject
common name, issuer organization, validation end date, the signature algorithm that determines TLS level, the number of servers
identified as using the certificate, number of connections, and amount of traffic seen with that certificate chain.


4.5 Certificates
The Certificates page provides a tabular list of all certificates detected by the system. The data can be filtered using
the search bar and the amount of data can be adjusted based on the date, in the same manner as other pages. The
data can be sorted by clicking on the associated column.

The page includes an option to add or remove columns from the page display by editing the options at the top of the page.

Delete columns by clicking the x next to the item to remove and selecting Apply.

To add columns, use the drop-down arrow on the right side of the list and select the option you wish to display.

Certificate details such as subject, issuer, validation dates, subject key identifier, and authority key identifier are
displayed. You can click to view the certificate and PEM. The validation status of self-signed, wildcard, and certificate
authority are also displayed.

Finally, the current trust status is displayed. If the Trust identifier is “Infer,” it is being validated using the system
trusted certificate store. You may set the trust status of individual certificates on the Certificate Validation page. See
Section 7, Certificate Validation for details.

4.6 Certificate Authorities


The Certificate Authority page provides a tabular list of all certificate authorities identified by the system. The data can
be filtered by subnet and the amount of data can be adjusted based on the date, in the same manner as other pages.

All certificate authorities are initially displayed; each column can be used to sort the display.

4.7 Invalid Certificates


The application evaluates all certificates to determine if they are valid. The Invalid Certificates page provides a tabular view
of all certificates that failed validation, the date and time the validation was run, the reason it failed, along with other details
about the certificate.

5 Explore

The Explore page provides a graphical view of server, client, and certificate interactions. The tool allows a user to map
applications and evaluate certificate usage.

Depending on the amount of traffic captured, the system will typically display “Too Many Data Points” if no search
criteria is entered.

The information button provides help for entering search criteria, including the format of the command. One simple
view is to select a specific server IP to evaluate:

The system defaults to displaying the session view, including servers, clients, and all certificates in use. Clicking
on the certificate view button in the top right of the screen will change the display to focus on the
interactivity of the certificate.

Clicking on each of the datapoints in the graph will display detailed information about that entity.

The server display shows a list of all sessions, including the client IP, certificates, and certificate chains in use for each session.
Clicking a session will take you to the session detail page which includes encryption, traffic volume, and traffic rate information,
along with details on the certificate chain.

6 Reports

The Reports page of the application provides access to pre-built reports on a variety of activity recorded by the system,
along with any reports you have built using the Dta discovery page.

All reports are run on the system and then downloaded to a local machine for viewing. The page includes a summary of the most
recently run reports on the right side of the screen. Those reports that have run will remain in the system until manually
deleted. All reports provide details on the top five of each category reported.


6.1 Asset Counting


The Asset Counting report provides a summary of IT assets by type as identified by the application software. This includes
a breakdown of servers and server networks, clients, and users. The report can be configured to identify backups and wi-fi
networks along with email security information. The report also provides subnet details on both clients and servers.

The report can be edited prior to running using the edit button and run on a schedule:


6.2 Book Reports


Book Reports are a compilation of all the pre-built reports the system generates. They include sections for
Certificate Expirations, Self-Signed and Untrusted Certificates, Clear vs Encrypted Traffic, Certificate Wildcards,
SSL/TLS Usage, and TLS Cipher Suite Usage.

The reports can be run against traffic for All Time, End of Current Quarter, Weekly, Weekly on External network
connections, and Weekly on Internal network connections.

Each report can be edited prior to running using the edit button:


6.3 Certificate Expirations


The Certificate Expirations report shows you a summary of all certificate usage, certificates used after the
expiration date, and weekly projected expirations.

The reports can be run against traffic for All Time, End of Current Quarter, Weekly, Weekly on External network
connections, and Weekly on Internal network connections.

The report can be edited using the edit button and has several options:

The report can be downloaded as a PDF or CSV. The CSV contains the details from the top five of each
category in the report.

6.4 Certificate Wildcards


The Certificate Wildcards report provides details on wildcard certificates in use in the network. It provides
information on levels of potential threat for wildcards:

• Good – no wildcard certificates
• Caution – simple wildcards
• Warning – malformed wildcards
• Danger – prefixed wildcards
• Violation – TLD wildcard such as *.com

The report can be edited using the edit button and has several options:


6.5 Clear vs Encrypted Traffic


The Clear vs Encrypted Traffic report provides summary and detailed analysis of all traffic captured by the system. The
report includes information about all traffic, web traffic, LDAP traffic, database traffic, interactive traffic, and all other forms
of traffic that cannot be classified in any of those categories. It includes trends and graphs of encrypted traffic by type. The
report includes details on the top five servers and clients running both encrypted and unencrypted traffic in each category.

The report can be edited using the edit button and has several options:


6.6 Dta Report


The Dta Report will display any reports that have been created by a user on the system using the Discover page.

Each report can be edited using the edit button and has the same options as those used to create the report originally.


6.7 Endpoint Network Traffic


The Endpoint Network Traffic report can be used to get detailed connection information about a specific server. Before
running the report, you must use the edit button to open the report data and enter the Server IP you wish to report on.

Advanced options for the report include:

6.8 Recent Database or Client Activity

The Recent Database or Client Activity report can be used to send nightly alerts when new databases are discovered,
or new clients are identified connecting to a database. Run the report nightly to send the alert. In addition, the email
alert settings must be configured via the shell or command line and include an alert name that is entered into the
report configuration.

Use Application Settings > Reports SMTP to configure the SMTP server that will process the report emails. See the
CipherInsights Configuration and Management Guide for details.

The time window for comparison of previously seen vs new databases or client activity is configurable; the report is
preconfigured to compare the previous day with the prior week leading up to that day.

Use the screens below to configure the report to run nightly, adjust the time range for viewing, set the alert for email
or syslog notification, and determine whether the report will include new databases or new clients connecting to an
existing database.


6.9 SSL/TLS Usage


The SSL/TLS Usage report provides summary and detailed analysis of all traffic captured by the system with respect
to encryption methods detected. It includes trends and graphs of encrypted traffic by type.

The report includes details on the top 5 servers and clients running encryption levels below NIST-recommended levels
(SSLv3, TLS 1.0, and TLS 1.1).

The report can be edited using the edit button and has several options:


6.10 Self-Signed and Untrusted Certificates


The Self-Signed and Untrusted Certificates report provides summary and detailed information on untrusted or
self-signed certificates. It includes an overview and a trend graph as well as a top five report that includes a list
of servers using self-signed certificates.

The report can be edited using the edit button and has several options:


6.11 TLS Cipher Suite Usage


The TLS Cipher Suite report provides summary information on TLS Ciphers used, Key Exchange Algorithms,
Authentication Algorithms, Block Stream Ciphers, and Signature Algorithms. It also includes daily trending
information and the top five servers using obsolete ciphers.

The report can be edited using the edit button and has several options:

7 Certificate Validation

The Application Settings > Certificate Sources page lists the validation settings and the pre-programmed certificate sources
(trust stores) that can be used by the system to validate certificates.

7.1 Certificate Sources


The Microsoft Windows trust store is the default store used by the application.

You can choose to Import additional certificates that you want to include as trusted or build your own trust store. Create a
file with the PEM of each certificate that you wish to be added to the system. Upload that file to the system using System >
File Management.

Once the file is on the system, you may then use the Import button to add the new trust store to the system.

The file must be tarred and zipped so that it has a file extension of .gz for the system to recognize it. The file name structure
must be xxx.pem.tar.gz.
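The packaging steps above, as an added example (not CipherInsights code): it gathers the CERTIFICATE blocks into one `<name>.pem` file, refuses private key material, drops duplicates, and produces `<name>.pem.tar.gz` ready for upload. The function name, the single-member archive layout and the placeholder input are assumptions for illustration.

```python
import hashlib
import io
import re
import ssl
import tarfile

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def build_trust_store(pem_text, name):
    """Return (archive_name, archive_bytes, fingerprints) for <name>.pem.tar.gz."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("use a simple name; it becomes <name>.pem.tar.gz")
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("private key material must never go into a trust store")
    fingerprints, blocks = [], []
    for block in CERT_BLOCK.findall(pem_text):
        # Checks PEM framing and base64 only; it does not parse the X.509 body.
        der = ssl.PEM_cert_to_DER_cert(block)
        fp = hashlib.sha256(der).hexdigest()
        if fp not in fingerprints:               # skip duplicate certificates
            fingerprints.append(fp)
            blocks.append(ssl.DER_cert_to_PEM_cert(der))
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    payload = "".join(blocks).encode("ascii")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        member = tarfile.TarInfo(f"{name}.pem")  # assumed layout: one .pem member
        member.size = len(payload)
        tar.addfile(member, io.BytesIO(payload))
    return f"{name}.pem.tar.gz", buf.getvalue(), fingerprints

# Constructed placeholder bytes wrapped in PEM framing; not real certificates.
SAMPLE_PEM = (ssl.DER_cert_to_PEM_cert(b"constructed placeholder A")
              + ssl.DER_cert_to_PEM_cert(b"constructed placeholder B")
              + ssl.DER_cert_to_PEM_cert(b"constructed placeholder A"))

if __name__ == "__main__":
    archive_name, data, fps = build_trust_store(SAMPLE_PEM, "corp-roots")
    with open(archive_name, "wb") as fh:
        fh.write(data)
    print(archive_name, len(fps), "unique certificates")
```

Record the returned SHA-256 fingerprints before uploading so the imported trust store can later be compared against what was intended to be trusted.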


7.2 Validation Settings


The Validation Settings page provides all the options that can be used by the system to validate certificates.

The options for validation, with explanation and defaults, are listed in the table below.

Table 7-1. Validation Fields

| Field | Description | Options/Format |
|---|---|---|
| Check revocation using OCSP | Determines if the system will use OCSP to check revocation of certificates | No |
| Ignore unhandled critical extensions | Tells the system what to do if an unhandled critical extension error is experienced while reading the cert | Yes |
| Disable workarounds for broken certificates | Determines if the system will allow workarounds for bad certificates | No |
| Enable proxy certificate validation | If a proxy certificate is identified, determines if the system will validate that cert | Yes |
| Extended CRL features such as indirect CRLs, alternate CRL signing keys | Determines processing of certificate revocation lists | Yes |
| Delta CRL support | Tells the system whether to use the Delta CRLs to determine if a certificate has been revoked | Yes |
| Check self-signed CA signature | Determines if the system will evaluate signatures of self-signed certificates | Yes |
| Use trusted store first | Determines if the system will use the trust store initially to validate certificates | Yes |
| Allow partial chains if at least one certificate is in trusted store | Tells the system whether to allow partial chains for validation | Yes |
| Do not try alternate chains | Tells the system whether to use alternate chains for validation | No |
| Maximum number of validations running at once | Number of certification validation processes that can run at any one time. Leave this number at the default. | 1 |
| Automatic validation of certificates | Tells the system whether to validate certificates | Yes |

7.3 Updating Individual Certificate Settings


At the bottom of the certificate validation page is the list of each certificate the software has detected while monitoring.

The default validation setting for each certificate is “Infer,” which means it will use the system certificate sources to determine if
a certificate is valid. That configuration can be adjusted on a per-certificate basis using this screen.

Open the Trust option drop-down and select the option you wish to set.

8 System Alerts

The application can send alerts on a scheduled basis for a pre-determined set of activity identified by the software.
These alerts are found on the Reports page.

The activities include:

• Any new expired certificate used on an internal server
• Any new certificate used that was not in the configured trust store
• Any new certificate subjects identified
• New database clients detected
• New database services detected
• Any new TLS connection below TLS1.2 on an internal server

These reports/alerts can be run manually with the Run Report button, or automatically by configuring the alert to run
on a scheduled basis using the configuration button. Options for alert timing include half-hour, hourly, morning,
evening, or nightly.

The alerts are configured with windows of time relative to the current feed time. The application compares the current
window with the history window to determine if any new item has been identified, and alerts if it finds something new.

The default configuration is for a daily alert, so the windows are:

In the example shown, the system looks at data starting one day prior (feed now minus 1 day) up to the current time
(feed now), then compares that to the period from 30 days prior (feed now minus 30 days) up to one day prior (feed now minus 1 day).

Those windows will be adjusted if the alerts are scheduled on a more frequent (half-hour, hourly) basis.
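The window comparison described above, as an added example (not CipherInsights code): it reports items seen in the current window that do not appear in the history window. The observation tuples, sample subjects, the boundary handling at the split and the one-hour window are assumptions for illustration.

```python
from datetime import datetime, timedelta

def windows(feed_now, current=timedelta(days=1), history=timedelta(days=30)):
    """Return (current_window, history_window) as (start, end) pairs.

    Defaults are the guide's daily alert: current = feed now - 1 day .. feed now,
    history = feed now - 30 days .. feed now - 1 day.
    """
    split = feed_now - current
    return (split, feed_now), (feed_now - history, split)

def new_items(observations, feed_now, **window_args):
    """Items seen in the current window that never appear in the history window."""
    (cur_start, cur_end), (hist_start, hist_end) = windows(feed_now, **window_args)
    current = {item for ts, item in observations if cur_start <= ts <= cur_end}
    # Assumption: a sighting exactly on the split belongs to the current window.
    known = {item for ts, item in observations if hist_start <= ts < hist_end}
    return sorted(current - known)

# Constructed observations (timestamp, certificate subject); not product output.
FEED_NOW = datetime(2024, 1, 31, 12, 0)
SAMPLE = [
    (FEED_NOW - timedelta(days=10), "CN=intranet.example"),
    (FEED_NOW - timedelta(hours=2), "CN=intranet.example"),   # already known
    (FEED_NOW - timedelta(hours=3), "CN=build.example"),      # first seen today
    (FEED_NOW - timedelta(minutes=20), "CN=build.example"),
    (FEED_NOW - timedelta(days=45), "CN=legacy.example"),     # older than history
    (FEED_NOW - timedelta(hours=5), "CN=legacy.example"),
    (FEED_NOW - timedelta(days=5), "CN=old-only.example"),    # not seen today
]

if __name__ == "__main__":
    print("daily :", new_items(SAMPLE, FEED_NOW))
    # Hypothetical one-hour current window for an hourly schedule.
    print("hourly:", new_items(SAMPLE, FEED_NOW, current=timedelta(hours=1)))
```

CN=legacy.example is reported as new because its only earlier sighting falls before the 30-day history window, so a long-dormant certificate or client triggers the alert again when it reappears.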

The Alert option determines how the alert will be delivered. The application creates a set of default alerts that send
the message via syslog. For example, the expired certificate alert uses:

The system can be configured to send the alerts via email by changing the alert to “reports” and configuring the
Application Settings > Reports SMTP page.


Certificate of Compliance

This is to certify that Demo has no cleartext passwords

Awarded To: Demo
Evaluation Period: 30 days
Compliance Covered: Password Exposure Risk Discovery
Network Nodes Monitored: 8630
License Expiration: Never

Holly A Neiweem
Quantum Xchange, CFO

Conditions of issuing:

1. Quantum Xchange has issued this certificate to indicate that the company's user authentication environment has been validated against industry cryptographic standard for strong as of the Date of Compliance stated below.
2. This certificate is valid through the expiration of the risk assessment license.
3. The assessment shall not warrant or guarantee to any third party that the company's environment is invulnerable to attack or compromise.
4. This certificate is issued by Quantum Xchange as a commercial representation of work completed.

Certificate ID: 65cf65e5bfaea8413738bead459b0945
Issued On: 2023-07-13T20:37:52.184Z

Filter: No Filter
