The Need for Continuous Vulnerability Assessment and Remediation
When new vulnerabilities are reported a race begins, attackers, who have access to the same information seek to “weaponize,” deploy an attack, and exploit; vendors to develop, implement patches or signatures and updates, and defenders to assess risk, regression-test patches, install. So a critical part of any Threat Intelligence Program is to understanding attackers tactics, techniques, and processes (TTP) and to proactively identify and manage your vulnerabilities and patch program (See my post Threat-Based Defense Approach to Cyber Security).
Organizations that do not proactively scan for vulnerabilities and address discovered flaws increase their security and compliance risks. This is why “Continuous Vulnerability Assessment and Remediation” on the list of CIS Controls for “Cyber Hygiene” and a part of all informative references such as the NIST Special Publication 800-53, the NIST Cybersecurity Framework, the ISO/IEC 27000 family of controls, and compliance frameworks such as PC DSS, and HIPAA.
For instance the NIST Special Publication 800-53 (Rev. 4) “Security Assessment and Authorized Control Family” (See NIST Control Families) and the NIST Cybersecurity Framework (The Framework) both address the need for continuous monitoring and vulnerability assessments. The Framework specifically states that in “Risk Assessment (ID.RA) category of the Identify (ID) function that: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, including.RA-1: Asset vulnerabilities are identified and documented.”
The ISO/IEC 2700 family of controls also addresses the need for vulnerability assessment and management. For instance, ISO 27002:2013 has 35 control objectives, concerning the need to protect the confidentiality, integrity and availability of information. Each of the control objectives is supported by at least one control, for a total of 114. ISO 27001 control A.12.6.1 “Control of technical vulnerabilities” states “Timely information about technical vulnerabilities of information systems being used shall be obtained, the organization’s exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.”
PC DSS also covers vulnerability scanning. For instance, PCI DSS Requirement 11.2 covers scanning. It states that you need to “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” For internal scanning, the testing procedures must verify that four quarterly internal scans took place in the past 12 months and that rescans were repeated until you resolved all PCI DSS “high-risk” vulnerabilities. PCI DSS external scans, like internal scans, must be done at least quarterly. The difference is that the external scan must be done by an Approved Scanning Vendors (ASVs) approved by the Payment Card Industry Security Standards Council (PCI SSC). Scanning after significant changes (11.2.3) may also be performed.
While HIPAA does not require a vulnerability scan, it does require a risk analysis which, by default, requires covered entities to test their security controls. Two significant and essential methods for testing security controls are vulnerability scanning and penetration testing. Also, in their publication “HIPAA Rule SP 800-66, Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” the NIST states, “Conduct trusted penetration testing of the effectiveness of security controls in place, if reasonable and appropriate. This validates your exposure to actual vulnerabilities … and document any deficiencies that are identified in a technically detailed report and include effective, efficient, and precise methods for remediation.”
Tenable’s Nessus, outlined below, offers continous monitoring and real-time vulnerability assessment that supports security best-practices and compliance requirements. There are lots of approaches to using Nessus, but one of the best is to prioritize scans and plugins based on your environment to identify critical, unmatched systems between your patch management cycle, focusing on vulnerabilities that are part of a specific malicious attack vector.
For instance, many organizations use client-side software like Adobe Acrobat and Adobe Flash, which is a favorite threat actor attack vector. You can use Nessus search plugin tool to identify specific Adobe plugins and scan to identify unpatched systems that are at risk (see Search Plugins). To see a complete list of Nessus different plugin families, visit the View All Plugins page. To see Nessus newest plugins, visit the Newest Plugins page.
For a more comprehensive approach, Tenable also has pre-built NIST 800-53: Vulnerability Management scan policies and dashboards, supports ISO/IEC 27002 and CIS Critical Security Controls, PCI DSS and HIPAA, just to name a few.
Nessus by Tenable is one of the best vulnerability scanners available. There are commercial versions such as Nessus Professional and Nessus Manager, and Nessus Home, which is a free version. Nessus Home allows you to scan your home network (up to 16 IP addresses per scanner). Nessus Home does not provide access to support, allow you to perform compliance checks or content audits, or allow you to use the Nessus virtual appliance.
Download and Install Nessus
Nessus Home is easy to download and install. It runs on Microsoft Windows, macOS, Linux, and FreeBSD. To do so, you first obtain an activation code and download the software:
Second, once you install Nessus Home, go to localhost:8834 and login and select an available scan:
Nessus has many preconfigured scans, but Nessus Home does not allow you to run all of them. So I select the “Basic Network Scan” to run against Metasploitable 2 (See my post Six Steps to Install Metasploitable in VirtualBox).
Since Metasploitable 2 is an intentionally vulnerable Linux virtual machine it riddled with many vulnerabilities. Like the Nmap Vulnerability Scanner, Nessus finds 82 (See my post Nmap Vulnerability Scanner How-to) . Below is a snip of the NEssus scan results against Metasploitable 2:
How Nessus Works
Nessus scans host, applications, services, and identifies vulnerabilities. The necessary steps in running a scan are to 1) define the scan parameters, 2) create the scan, 3) launch the scan, and 4) analyze the results. Tenable suggests that you do not have a firewall in the Nessus scan path since doing so can deliver inaccurate effects and interfere with the operation of the firewall.
Tenable provides a series of templates that contain scan policies that you can tailor to suit your needs. After you create a scan policy, you create and run the scan. generally, a scan includes a name, description, folder (where to save the results), scheduling options, and a target list. Target lists can be IPv4, IPv6, or hostname based.
Once launched, Nessus completes a scan by using a series of plugins. A plugin is a piece of code that performs an individual test to retrieve data. Nessus plugins run against each target in a given scan. Nessus scan policy, discussed above, along with other options, defines which plugins run during a scan. For example, one plugin performs service and OS detection, while another test for vulnerabilities. At the time of this post, there are 91708 Nessus plugins, covering 41467 unique Common Vulnerabilities and Exposures (CVE) and Bugtraq IDs. For more information about what is a Nessus plugin and how to stay up-to-date see Tenable Plugins.
When Nessus performs a scan, it executes tasks in a specific order. Nessus takes five steps. First, Nessus retrieves the scan settings which includes which host, servers, and ports to scan, the plugins to use, and any additional parameters defined under your scan policy preferences.
Second, like Nmap (See my post Nmap Vulnerability Scanner How-to) when performing a basic network scan, Nessus first completes a host discovery scan by pinging each IP address in the target list to determine if a host is alive. Nessus can use ICMP, TCP, UDP, or ARP for host discovery.
Third, Nessus performs a port scan of each IP address in the target, which is provided by the scan policy. You can adjust the ports scanned in the Nessus scan policy. Your list of ports in the scan policy can contain either individual port numbers or ranges each separated by commas. Acceptable values range from 1 to 65535. After determining the target(s) open ports Nessus performs service detection through a series of banner captures and other tests on each port to identify which specific services are running on the target (See my post Banner Grabbing How-to).
Fourth, Nessus identifies the operating system (OS) running on the target based on those services.
Finally, once Nessus completes these steps it references the gathered information against known vulnerabilities. Nessus only performs vulnerability test(s) that are appropriate for the OS and services running on the target.
For example, Nessus would not perform a series of Secure Shell (SSH) vulnerability test on a Windows host that is not running SSH. So though Nessus has over 70,000 tests it can perform, it only runs a subset of those tests against any one particular target. This improves the speed and the accuracy of the scan.
There are two methods that Nessus can use to scan targets: credential scanning and network scanning (also known as authenticated and unauthenticated scans).
Nessus Credential Scans
Credential-based scans are authenticated scans that grant Nessus local access to scan the target system without requiring an agent. Credential scans allow Nessus to perform a wider variety of checks that result in more accurate scan results since there are often applications on the target that do not respond on a port. For example, suppose you are running an old version of Internet Explorer (IE) or Adobe Reader on a Windows target that you would not be able to identify with a network scan but you would be able to identify with a credential based scan. Because with a credential scan Nessus leverages the targets internal command structure to identify open ports and services (e.g., netstat). Second, depending on the targets OS Nessus uses the targets package management system, Windows Management Instrumentation (WMI) calls, or the system registry to identify installed software, system settings, and vulnerabilities that exist within the target. The Scan or Policy’s Credentials page, allows you to configure the Nessus scanner to use authentication credentials during scanning. Also, credential scans run faster than network scans since they are not probing every individual port and also reduce network traffic.
Credential scans also enable Nessus to check for running processes to help identify malware infection or botnet activity. Nessus supports many kinds of credentials, including database (e.g., Oracle), host (e.g., Windows), plaintext authentication (e.g., FTP), vendor-specific (e.g., Palo Alto Networks PAN-OS). Also, if you use Nessus Manager or Nessus Cloud and your organization supports a centralized credential management tool such asCyberArk Privileged Account Security Solution and itEnterprise Password Vault, you can use CyberArk in place of other authentication methods. For more information see Nessus Credentials.
The Scan or Policy’s Credentials page, allows you to configure the Nessus scanner to use authentication credentials during scanning:
Windows Credential Scans Best Practices
Windows credential scans configuration best practices dictate that you create a separate administrator account for scanning. In Windows, this account must be a member of the local admin group or a domain administrator. If using a local admin account, you must set the authentication method to classic. User access control must be disabled for the account performing the scan. Without admin-level privileges, Nessus will not be able to directly check file versions. In this case, Nessus will revert to searching the registry for installed updates instead of checking file versions directly. You must enable file and printing on the host. You must enable the remote registry service on the target. If set to manual on the target host, you can create a scan policy to start the service on the host automatically. The WMI service must be running and available to the Nessus scanner. You must also configure the Windows firewall via local or group policy to allow remote connections for file or print sharing as well as Windows management instrumentation.
Linux Credential Scans Best Practices
Linux credential scans best practices for a host that support Secure Shell (SSH) with key pair authentication is to use RSA/ DSA key pairs with a passphrase. With systems without this support, you should use OS encrypted username and password. Root privileges achieve best results. For Cisco devices, you must use a username and password and an enable password. When encrypted username and passwords logins are not available, you can use Telnet and clear username and passwords, but this raises security concerns and may be a violation of your organization’s policy.
When using RSA/DSA key pairs for authentication to hosts supporting SSH, you must first generate the key pair on your Nessus scanner and provide the private key in the scan policy and the passphrase if applicable. Then consult the target systems documentation to determine where to place the public key in the appropriate key file on the target system.
It is best practices to specify a know host file, so Nessus only attempts SSH logins to trusted systems. It also prevents rogue SSH servers from harvesting passwords. Nessus support a variety of methods for privilege elevation on Windows and Linux hosts such as su, sudo, su_sudo, pbrun, and dzdoe.
The most popular scans are are Host Discover, Basic Network Scan, and Credentialed Patch Audit. Host Discovery scan is the logical place to being since it run quickly and provides and inventory of systems and open ports on your network. The Basic Network Scan is the next step since it probes commonly used ports to services for known vulnerabilities. The Basic Network Scan allows you to add credentials, customize the ports to scan, and add web application checks. The Credentialed Patch Audit uses credentials to authenticate to and assess the host which gathers the most information and is the most accurate scan type. The advance policy template allows you to
The Advance Policy Template allows you to access all settings for creating a policy. These include advance discovery, performance options, adding compliance checks, and enabling and disabling individual plugins. Other Nessus scan template can be use to perform web application tests, malware scanning, compliance audits such as internal PCI DSS sans discussed above.
Nessus Network Scanning
Non-credentialed scans are a tool that provides a quick view of vulnerabilities by testing the network services exposed by the target’s open ports, providing a view from the outside looking in as an attack would see your network.
Unfortunately, as discussed above, network scans do not provide deeper insight into application and operating system vulnerabilities not exposed to the network or vulnerabilities that are covered up by a firewall that sits between the scanner and the host.
While valuable, network scans can provide false hope that your system(s) is safe, while in reality, those vulnerabilities are targeted by attackers that have gained credentialed access, so they aren’t an accurate indicator of security risk.
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver Colorado, designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations ISSA, OWASP, CSA, among others.