Designing A Vulnerability Management Program
Activity 4.1: Install a Vulnerability Scanner
In this exercise I will install Nessus on a Kali Linux VM. After installation, I will run a vulnerability scan against an unpatched Windows Server 2019 VM and the Metasploitable VM.
Steps
- Visit Nessus (Tenable) to obtain an activation code. It's free: enter your email and you're done.
- Download the correct version of Nessus. As Kali Linux is based on Debian, download the Debian package.
- To install on Kali, first open a terminal as root and change to the directory where Nessus was downloaded. Run the install command below, or refer to the Tenable documentation for the correct command for your package.
- Start the Nessus scanner by typing
# /bin/systemctl start nessusd.service
on Debian, Kali or Ubuntu. Red Hat, CentOS, Oracle Linux, Fedora, SUSE and FreeBSD can use
# service nessusd start
- Complete the install from the web browser by visiting the URL printed in the terminal. In my case it is https://kali:8834/. Make sure you have your activation code ready.
Once you create a username and password, Nessus will reach out and install the required plugins. Grab some popcorn; this can take some time.
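The install steps above as one script, added here as an example (it is not from the original post or from Tenable's documentation). It adds the check a practitioner wants before handing a downloaded package to dpkg as root: compare the file's SHA-256 with the digest shown next to the package on Tenable's download page, and refuse to install on a mismatch. The package filename, the digest argument and the dpkg/systemctl calls are assumptions about a Debian-based install; port 8834 is the web UI port the installer prints.

```python
"""Install a downloaded Nessus .deb on Kali/Debian after verifying it.

Added example, not code from the original post or from Tenable.
Usage (as root):
    python3 nessus_install.py Nessus-<version>-debian10_amd64.deb <sha256-from-download-page>
The filename is a placeholder for whichever package you downloaded.
"""
import hashlib
import socket
import subprocess
import sys
import time

NESSUS_PORT = 8834  # web UI port that the Nessus installer prints on completion


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large .deb never sits in memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path, expected_hex):
    """True when the file's SHA-256 equals the published digest (case-insensitive)."""
    return sha256_of(path) == expected_hex.strip().lower()


def wait_for_port(host, port, timeout=120.0):
    """Poll until something accepts TCP connections on host:port, or give up.

    Returns True once a connection succeeds, False when the timeout expires.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=2):
                return True
        except OSError:  # refused / unreachable: nessusd is not listening yet
            time.sleep(2)
    return False


def install(deb_path, expected_sha256):
    """Verify the package, install it, enable the service and wait for the UI port."""
    if not verify_checksum(deb_path, expected_sha256):
        raise SystemExit(f"refusing to install {deb_path}: SHA-256 does not match the published digest")
    # Assumed commands for a Debian-based host; both need root.
    subprocess.run(["dpkg", "-i", deb_path], check=True)
    subprocess.run(["systemctl", "enable", "--now", "nessusd.service"], check=True)
    if not wait_for_port("127.0.0.1", NESSUS_PORT):
        raise SystemExit("nessusd is not listening on 8834; check 'journalctl -u nessusd'")
    print(f"Nessus is up; finish setup at https://{socket.gethostname()}:{NESSUS_PORT}/")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit(__doc__)
    install(sys.argv[1], sys.argv[2])
```

The digest comparison is the only part that matters for security here; the service start and port poll just save you from refreshing the browser until the UI comes up.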
Activity 4.2: Run a Vulnerability Scan
Running a vulnerability scan with Nessus is straightforward.
- Log in to your Nessus server via the URL provided after install. Mine was https://kali:8834/.
- Select New Scan > Basic Network Scan.
- Input the hosts you would like scanned. In this case I will target:
  - 10.0.2.4 - the Metasploitable VM
  - 10.0.2.6 - the Windows VM
  Once the scan is created, launch it.
- Here are the results. You can click the report button in the corner for a nicely formatted report in the format of your choice.
-
- This was a non-credentialed scan, so what happens when we add credentials? I will create a new credentialed scan for the Windows VM: create a new scan and, under the Credentials tab, add the credentials for the Windows Server. Note: in a production environment you would create a dedicated service account for this purpose. For Windows hosts Nessus needs local administrator rights to check installed patches, so treat that account's password as a privileged secret and restrict where it can log in from.
- Let's review the results. The credentialed scan gives far greater insight: the scanner logs in and enumerates installed software and missing patches instead of inferring them from the services exposed on the network, so it reports many more vulnerabilities.
Credentialed scan: 260 vulnerabilities
Non-credentialed scan: 51 vulnerabilities
Glossary
A glossary of all the terms, acronyms and slang I run across for this chapter.
| Term | Definition |
| --- | --- |
| Active Scanning | The scanner actively engages the host, sending traffic to it and testing it for vulnerabilities |
| Agent-based Scanning | Systems run a lightweight agent which scans locally and reports back to the scanning server |
| Barriers to Scanning | Fear of service degradation, rigid customer agreements (SLAs), IT governance and change management processes |
| Common Vulnerability Scanning Tools | Tenable Nessus, Qualys, Rapid7 Nexpose and OpenVAS |
| Compensating Control | Additional steps taken to reduce the risk of a vulnerability without fully remediating it |
| CPE | Common Platform Enumeration; SCAP component that provides standard naming for products and versions |
| Credentialed Scanning | Giving the scanner credentials so it can log in to operating systems, databases and applications and inspect them from the inside (installed patches, configuration), rather than only from the network |
| CVSS | Common Vulnerability Scoring System; provides a standardised approach for measuring vulnerability severity |
| Determining Scan Frequency | Depends on the organisation's risk appetite, compliance standards, target system technical constraints, business constraints and licensing limitations |
| PCI DSS External Scan | Must be run by an Approved Scanning Vendor (ASV) |
| Federal Agency Scanning Scope | Applies to low, moderate and high impact systems |
| FISMA | Federal Information Security Management Act (2002), updated by the Federal Information Security Modernization Act (2014) |
| Identifying Scan Targets | Targets are often identified by asset criticality, data classification of the information stored, system exposure to the internet or private networks, and the environment type of the system |
| Interception Proxies | Run on a tester's system and intercept requests from the web browser before they are released to the web server, so they can be inspected and modified; classified as an exploitation tool |
| Ongoing Scanning | Similar to continuous monitoring: constantly scans the network for vulnerabilities instead of traditional scheduled scanning |
| Passive Scanning | Monitors network traffic passively, looking for outdated or vulnerable systems without sending probes to them |
| PCI DSS | Payment Card Industry Data Security Standard |
| PCI DSS Internal Scanning Scope | Internal scans must cover the cardholder data environment: systems that store, process or transmit cardholder data, and systems connected to them |
| PCI DSS Scan Frequency | Scans must be performed quarterly at a minimum, and after any significant change |
| Prioritizing Remediation | Deciding factors include: criticality of the systems affected, difficulty of remediation, severity of the vulnerability and exposure of the vulnerability |
| Remediation Workflow | After a scan, organisations should have a workflow that prioritises the detection, remediation and testing of detected vulnerabilities |
| Scan Perspective | Running scans from different network vantage points (inside the network, the DMZ, the internet) in order to see the vulnerabilities visible from each attacker position |
| Scan Scope | Which systems and networks will be included in the scan, and what kind of scan will be conducted |
| SCAP | Security Content Automation Protocol: a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement |
| Vulnerability Feeds | Keep the scanner's plugins and vulnerability definitions current so it can check for newly published vulnerabilities |
| Vulnerability Management Program | Seeks to identify, prioritize and remediate vulnerabilities |
| Web App Scanning Tools | Common tools include Nikto (command line based) and Arachni |
| Wireless Assessment Tools | Aircrack-ng, Reaver, Hashcat (formerly oclHashcat) |
| Zed Attack Proxy | Popular open source interception proxy (OWASP ZAP) |