Tuesday, July 31, 2018

Vulnerability Scanners - Nessus

This is part one of a three part series aimed at discussing vulnerability scanners; I plan to write a post for Nessus, Nexpose/Rapid7 and OpenVAS. The aim is to highlight the pros and cons of each, talk about how typical setup works, expectations of scan results and using the tools. Ultimately, the goal is to compare and contrast the products and provide some insight into why you might want to choose one over the other. The target audience for this is enterprise users with the need for a mature threat and vulnerability remediation program. While much of the information shared will be applicable to anyone in charge of running the scanning tools, the tone will be from an enterprise perspective.

Today's post will be on the Nessus product offering. Nessus is a proprietary vulnerability scanner developed by Tenable Network Security - Tenable just had (July 27th 2018) their IPO and is now a publicly traded company (for whatever that's worth which happens to be about $30 at the time of writing).


All vulnerability scanners that I am familiar with work essentially the same way which is by relying on a series of vulnerability checks or "plugins" or otherwise a database with known strings, characteristics, files, versions, etc to search for and a library of detailed information about the vulnerability check including remediation options and impacted software. For instance, a vulnerability check for MS15-034 will consist of a vetted way of stimulating a target system (sending network traffic) to induce a response which is then parsed (inspected) and determined to either match a known vulnerable response or not. An example of a simple check can be submitting a HTTP GET request and reading the response to pull out the headers and noting the version of PHP; then matching that version with a database of version numbers to produce output showing the known vulnerabilities for that given software number.

Generally what sets apart scanners is the amount of vulnerability checks they have (and their associated quality, and frequency of updates) and the ability to run the scanner in such a fashion where you as the administrator get accurate scan results in a convenient consistent way. These two points are exceedingly important - you must have accuracy of data and you need to have up-to-date vulnerability checks to helps with the former. Also of importance, is the ability to automate scanning and produce useful reports as well as configure or tune the scan engine to meet the needs of your organization.

Accuracy of data matters because as a security practitioner responsible for enterprise security you need to understand the risk associated with a given asset/network to be able to adequately prioritize remediation. Additionally, accuracy matters because in the case of a false negative you may end up with a breech and in the case of false positives you may end up eroding the trust in you and your team's ability to produce quality/actionable information. I've been in situations where false positives on a report resulted in the entire vulnerability remediation program being called into question across the enterprise and outsourcing of ones' job to a MSSP is discussed.

So Nessus...

Background:
Note that Tenable has several product offerings, their professional network vulnerability scanning tool is called Nessus Professional, the base price for which is $2,190 per year. I went through a VAR and bought mine for just under $2,000 for an annual fee. Nessus has been around for about two decades and has improved their product substantially over the years especially in the last 2-4 in terms of UI and ease of use. Once purchased you will have access to the Tenable portal which is not very user friendly, does not seem to support significantly long and complex passwords and is a bit clunky in my opinion. But this is where you can see your license number and reset it when need be as well as open tickets potentially.

Of important note is that you will have access to unlimited scans and target IPs (I believe and has so far seemed to be true) so you can scan whatever and whenever you want. The caveat if using the tool in a consulting role will be that once you register the scanner it talks back to Tenable to complete the process and notes your IP address; you can only register the product from one IP at a time for a period of one week. This means that if you need to install multiple scanners from multiple locations you have to wait one week before re-registering and using your product. This becomes a hassle of logging into the portal, resetting your license and spending at times significant amounts of effort to get the tool to properly register, download plugins and work as expected. If you only need to install the tool in one location essentially one time then this is not an issue.

Setup:
Setting up Nessus is a breeze when you do it all the time and know the quirks. The first thing you need to do after purchase is note your license number. Next dedicate a machine to being the scanner - i.e. install Nessus on a machine that will only be used for scanning purposes. Nessus supports Windows and Linux - I almost exclusively use CentOS7 as the base OS and install the Nessus RPM:



And when it works (dependencies are good to go, and you chose the right RPM from the Tenable website) it's that simple. Next simply do what the output says and start Nessus then browse to the web GUI to complete the setup.












Once this process complete you are greeted with the stating screen and its time to proceed to setup a scan.




I mentioned accuracy of results being very important, the way you ensure accuracy is essentially by making sure the scanner can "talk" to every host that you intend to scan (e.g. make sure firewall rules are in place to allow the scanner traffic and that host-based firewalls are not stopping traffic likewise a WAF/IPS is not obstructing scanning). Also use credentials! This is called "authenticated scanning" because when you provide your scanner with SSH or domain credentials for example, now the scanner can actually login to each properly configured endpoint and produce MUCH more accurate scan results. Think of it this way... if you don't use credentials and you scan a system you may find ports 135, 139, 445, and 3389 open on a windows machine. The scanner will check for version information, try various SSL/TLS handshakes and launch hundreds of other vulnerability checks at the system and only find a few medium risk findings perhaps. When you provide credentials for the scanner to login to the remote systems, now the scanner can check the patch level of the given target(s) and provide accurate information in terms of what patches are missing and what flaws are present. It's the difference between a few medium risk issues and dozens of high risk vulnerabilities. Note that this example is for internal network scanning; when I scan externally I don't typically provide credentials or expect the most accurate results. But for internal scanning as part of a robust threat and vulnerability remediation program - always use valid credentials such as a specific service account dedicated just to scanning that is active on all windows hosts in the environment. Consider the same for SSH with Linux hosts and understand that not all hosts (printers, badge readers, network devices, etc) will support authenticated scans. Also understand that scanning with credentials, while more accurate, also can increase risk such as when web applications scanned with credentials or the credentials are not stored properly and the like. The way we could set up this type of scan using Nessus would be via a "Credentialed Patch Audit" which is a scanning template we can easily choose to use.




There are no shortage of credential options to choose from in Nessus. Once again make sure you have a dedicated account (or multiple) for scanning and test out your setup (tail the secure log on the Linux hosts you scan to see authentication working properly and/or watch the windows event logs or do this all from a single pane of glass to essentially confirm the authentication is working - sometimes its not always obvious from the results of the scan if authentication worked as you expected).



The amount of templates and icons looks nice but know that all that is being done behind the scenes is simply modifying which plugins (vulnerability checks) will be executed. For example the "DROWN Detection" simply checks for the existence of CVE-2016-0800. It's convenient but not ideal for what we typically want to accomplish (although great for when its exactly what we need to do). Use the "Advanced Scan" and tune it to meet your needs. There are literally tens of thousands of vulnerability checks included with the scanner (and updated regulatory). Based on your environment you can disable ones that may be irrelevant (like if you don't have any CISCO appliances in your environment you may choose to not use any plugins from that "Plugin Family" (grouping of vulnerability checks for a given product/software class)).




In addition to credentials and plugins, further tuning of the scan template may be required for your environment and similar to a nmap scanning there are some basic discovery options you can modify as well as port scanning choices. I have found that the defaults work fine in most cases and the only other important thing to pay attention to prior to scanning is the "Enable safe checks" in the advanced section. Check this (it is by default) unless causing harm to the target environment is acceptable (while not guaranteed it will actually happen).




While there certainly are some other tweaks you can make to better tune the scan or modify your template there is not MUCH more to the scanning tool that comes into play for typically scanning other than creating a custom template (Policy) that works best for your environment(s). What you do want to look into is the "Settings" section accessed via your profile/account link. Setup SMTP to automatically email scan results if desired, configure other tools to use the REST API, setup a custom CA/certificate and modify the authentication/password policy.





Next kickoff your scan!

You can see the results of scanning as the scan runs and vulnerabilities are color coordinated to denote risk.



You can also drill into each vulnerability/host to get more information about what was found including a description of the flaw and suggested remediation (usually patch).



The GUI is useful for reviewing the results and getting specifics but what we need to do is produce a report to share with other teams in a given organization. The report should include results of the scan(s), the CVSS score for each vulnerability and enough details for the confirmation and remediation to take place. Nessus supports several report export file types, HTML, PDF, CSV and two Nessus specific ones.


The reports are not very customizable but provide basic information needed to help with fixing the flaws.

The Verdict:
Nessus is an industry standard and definitely one of the most popular tools on the market for vulnerability scanning. It's simple and gets the job done most of the time.

Pros

  • Affordable
  • Easy to setup and use
  • Fast implementation time (setup, scanning and results)
  • Licensing is great in terms of unlimited scanning
Cons
  • Too basic - not enough customizable features for niche settings
  • Following industry trend of charging extra for web application scanning, mobile scanning, enterprise integration and no more free version
  • Reporting is weak
  • Does not always find as many vulnerabilities as competitors (discussed later in series)



1 comment: