nessus help

There's been some changes at work and I've been ask to take over our vulnerability management software. We use Security Center.

I said yes, I'll do it, even though I'm not a security guy. I'm interesting in possibly going that route down the road.

In looking at what we do, we run a weekly scan using the "Internal PCI Network Scan". My question for Nessus users or even for people who use competing products, is this good enough? Should we be also running another type of scan?

Find more posts tagged with

Comments

soccarplayer29

"Internal PCI Network Scan" is a pre-configured scan option. I'm going to assume that your organization is subject to PCI requirements.

PCI does not require credentialed scans but that might be something you want to consider by providing credentials so the scanner can authenticate to the targets and identify additional vulnerabilities for the software and packages installed on the actual devices.

1) A critical first step in a scanning program is asset/inventory management and identifying all devices. See discovery scanning and the whole if you don't know what you have how are you protecting everything mantra.
2) Setup scan policies with selected targets, ip ranges, scan with credentials, and enable plugins (either just the applicable plugins or preferably all plugins).
3) Set a reoccurring frequency to conduct scans.
4) Analyze scan results, do trend analysis

I left out the patching of vulnerabilities in this because I'm guessing that's a different team in your organization. But whoever is responsible for that should be made aware of the identified vulnerabilities so they can begin testing/patching so you don't see persistent vulnerabilities.

mnashe

hi soccarplayer,

yes, PCI is a requirement and we do add credentials, I checked the scans.

I had this situation today after I posted this. A system had vulnerabilities, but that system was retired yesterday, a new system was created but is using the IP address of the prior system. How do you deal with these situations? I don't see an option to remove that system. I guess removing this could affect the trend analysis?

soccarplayer29

Another thing with doing credentialed scanning is to make sure the scanner is actually able to authenticate (Check nessus plug 19506--if "Credentialed Checks: Yes" then you know that the scanner successfully authenticated.

As for the change of systems was it a swap out from an old windows server 2008 to 2012/2016? or a same OS/image swap? If the old system was actually retired and a new configuration replaced it then I'd disregard the previous vulnerability results since those aren't applicable to the new system and tracking/remediating vulnerabilities that may/may not exist in the new system would be a mess and instead simply start fresh with the first full scan on the host.

JoJoCal19

mnashe wrote: »

hi soccarplayer,

yes, PCI is a requirement and we do add credentials, I checked the scans.

I had this situation today after I posted this. A system had vulnerabilities, but that system was retired yesterday, a new system was created but is using the IP address of the prior system. How do you deal with these situations? I don't see an option to remove that system. I guess removing this could affect the trend analysis?

Not Nessus/SC, but our product uses the correlation of multiple data points to avoid duplicates (MAC address, IP, Host Name, and UUID). I'd hope Nessus/SC also has some sort of correlation to avoid dupe assets and discern between different assets on DHCP. Also, depending on what the Internal PCI Network scan template has configured, that's not enough to have a good picture of all the possible vulnerabilities in your environment. Ideally a scan that has all vulnerability checks enabled would be ideal.

soccarplayer29

^ This. In nessus that is done by making sure all Nessus plugins (aka vulnerability checks) are enabled within the scan policy. I'd first verify that the credentialed checks are enabled and completing successfully then make sure all nessus plugins are enabled.

iBrokeIT

I don't use SC but use Tenable.io with the options "Designate hosts by their DNS name" and "Create unique identifier on hosts scanned using credentials" which should take care of it.