![Page 1: Enterprise Vulnerability Management - ZeroNights16](https://reader033.vdocuments.net/reader033/viewer/2022052300/589f6e501a28abbf2e8b505b/html5/thumbnails/1.jpg)
Enterprise Vulnerability Management
Alexander Leonov, Ekaterina Pukhareva, Alex Smirnoff

Content
1. A variety of Vulnerability Scanners
2. Experience in the use of Tenable SecurityCenter and Nessus
3. How to make vulnerability management efficient?
4. Vulnerability Scanner as a valuable asset
5. Beyond scanners

A variety of Vulnerability Scanners

A variety of Vulnerability Scanners
Some problems
• When the scan is finished, the results may already be outdated
• False positives
• Per-host licensing
Knowledge base
• How quickly does the vendor add new vulnerability checks?
• No scanner finds all vulnerabilities in a given piece of software
• Some vulnerabilities can be found only with credentials (authenticated scan) or a correct service banner
• You will never know the product's real limitations

A variety of Vulnerability Scanners
Nessus vs. OpenVAS
CVE IDs referenced by scanner plugins (all CVEs at the time: 80196; Nessus references 35032, OpenVAS 29240):
• OpenVAS only: 3787 CVEs, covered by 2673 OpenVAS plugins
• Both: 25453 CVEs, covered by 38207 OpenVAS plugins and 50896 Nessus plugins
• Nessus only: 9579 CVEs, covered by 6639 Nessus plugins
(3787 + 25453 = 29240 OpenVAS CVE links; 25453 + 9579 = 35032 Nessus CVE links)
All NASL plugins: OpenVAS 49747, Nessus 81349

Why?
Reasons a CVE is covered by only one of the two scanners (N: Nessus example, O: OpenVAS example):
• "Old" vulnerabilities
• Vendor forgot to add CVE ID links to the plugin
• Vulnerabilities in plugins of other software (N: WordPress VideoWhisper)
• No support for "local" software (N: openMairie)
• Stopped adding new vulnerabilities for a product (N: vBulletin, O: Solaris)

In other words
• A vulnerability scanner is a necessity
• Don't depend too much on it
• If the scanner does not detect some vulnerability, it's YOUR problem, not your VM vendor's
• Choose a VM solution you can control
• Have alternative sources of vulnerability data (vulners.com, vFeed)

Sometimes a free service detects better

Vulners Linux Audit GUI
• Linux OS vulnerability scan
• Immediate results
• Dramatically simple
https://vulners.com/#audit
Supported distributions:
• RedHat
• CentOS
• Fedora
• Oracle Linux
• Ubuntu
• Debian

Vulners Linux Audit API
POST the OS name, the installed package list and the OS version as JSON:
curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST \
  -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64",
  "samba-common-4.2.3-11.el7_2.noarch",
  "gnu-free-fonts-common-20120503-8.el7.noarch",
  "libreport-centos-2.1.11-32.el7.centos.x86_64",
  "libacl-2.2.51-12.el7.x86_64"],"version":"7"}' \
  https://vulners.com/api/v3/audit/audit
+ Agent scanner
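The curl command above is what you end up scripting on every host. The following is an added example (not Vulners' code and not the agent the slide refers to) that builds the same request body from the output of `rpm -qa` or `dpkg-query` plus /etc/os-release, and posts it only when not in dry-run mode. The request shape comes from the slide; the os-release ID to "os" name mapping, the version handling and the dpkg line format are assumptions of this example, and the sample inputs are constructed.

```python
"""Build a Vulners Linux audit request body from local package data.

Added example, not the Vulners project's code. The request shape
({"os": ..., "package": [...], "version": ...}) follows the curl command
on the slide; OS_ID_MAP, the version handling and the dpkg line format
are assumptions of this example.
"""
import json
import re
from urllib import request

AUDIT_URL = "https://vulners.com/api/v3/audit/audit"

# Assumed mapping from /etc/os-release ID to the "os" value the API expects.
OS_ID_MAP = {"centos": "centos", "rhel": "redhat", "fedora": "fedora",
             "ol": "oraclelinux", "ubuntu": "ubuntu", "debian": "debian"}


def parse_os_release(text):
    """Return (os, version) from /etc/os-release content, e.g. ("centos", "7")."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Z_]+)=("?)(.*)\2$', line.strip())
        if m:
            fields[m.group(1)] = m.group(3)
    os_id = fields.get("ID", "").lower()
    if os_id not in OS_ID_MAP:
        raise ValueError("unsupported distribution: %r" % os_id)
    os_name = OS_ID_MAP[os_id]
    vid = fields.get("VERSION_ID", "")
    if os_name in ("ubuntu", "debian"):
        version = vid                      # assumption: full release, e.g. "16.04"
    else:
        m = re.match(r"\d+", vid)          # assumption: major release only, e.g. "7"
        if not m:
            raise ValueError("no VERSION_ID in os-release")
        version = m.group(0)
    return os_name, version


def parse_rpm_list(text):
    """One package per line as printed by `rpm -qa` (NAME-VERSION-RELEASE.ARCH)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_dpkg_list(text):
    """Lines from dpkg-query -W -f='${Package} ${Version} ${Architecture}\\n'
    (assumed to be the format accepted for Debian/Ubuntu); malformed lines dropped."""
    pkgs = []
    for ln in text.splitlines():
        parts = ln.split()
        if len(parts) == 3:
            pkgs.append(" ".join(parts))
    return pkgs


def build_audit_request(os_release, package_list):
    """Combine os-release and package listing into the JSON body the API takes."""
    os_name, version = parse_os_release(os_release)
    if os_name in ("debian", "ubuntu"):
        packages = parse_dpkg_list(package_list)
    else:
        packages = parse_rpm_list(package_list)
    if not packages:
        raise ValueError("empty package list")
    return {"os": os_name, "package": packages, "version": version}


def audit(body, dry_run=True):
    """POST the body to Vulners; with dry_run return the encoded payload instead."""
    data = json.dumps(body).encode()
    if dry_run:
        return data
    req = request.Request(AUDIT_URL, data=data, method="POST",
                          headers={"Accept": "application/json",
                                   "Content-Type": "application/json"})
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample inputs (not captured from a real host).
SAMPLE_OS_RELEASE = 'NAME="CentOS Linux"\nVERSION="7 (Core)"\nID="centos"\nVERSION_ID="7"\n'
SAMPLE_RPM_QA = ("pcre-8.32-15.el7.x86_64\n"
                 "samba-common-4.2.3-11.el7_2.noarch\n"
                 "libacl-2.2.51-12.el7.x86_64\n")

if __name__ == "__main__":
    body = build_audit_request(SAMPLE_OS_RELEASE, SAMPLE_RPM_QA)
    print(audit(body).decode())          # dry run: shows the request body only
```

Run it on a real host by feeding it the contents of /etc/os-release and the output of `rpm -qa` (or the dpkg-query line above) and calling `audit(body, dry_run=False)`; the package strings must be passed exactly as the package manager prints them, because the service matches on them verbatim.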

Experience in the use of Tenable SecurityCenter and Nessus
Architecture
(architecture diagrams; not reproduced in the text)

Experience in the use of Tenable SecurityCenter and Nessus
Discovery: finding live hosts
• Scan external and internal perimeters
Assessment: what assets?
• Scan for specific assets: workstations, network servers
Analysis: what to fix first?
• What CVSS score?
Remediation: fix the problem
• What time for fixing?
• Risks?
• Fixing
• Accepting risks

Experience in the use of Tenable SecurityCenter and Nessus
Reporting and dashboards

Experience in the use of Tenable SecurityCenter and Nessus
Compliance checks
Checking PCI DSS requirements and others with Nessus .audit files (built-in or highly customized):
- Operating systems (SSH configuration, password policy, local accounts, audit settings, etc.)
- Databases (privileges, login expiration checks, etc.)
- Network devices (SSH, SNMP, finger service disabled, etc.)
- Etc.
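To make the kind of check listed above concrete, here is an added example in plain Python (not Tenable's code and not .audit syntax): each rule selects lines of a configuration file with a regex and requires the selected lines to match an expected pattern, and a separate check looks for extra UID-0 accounts. The rule set, the pass/fail semantics and the sample files are constructed for this example.

```python
"""Compliance checks of the kind an .audit file expresses, as plain Python.

Added example, not Tenable's code or .audit syntax. Each rule follows the
"select lines with a regex, then require them to match an expected pattern"
idea; the rule set, the semantics and the sample config files are constructed.
"""
import re

# A rule: which file, which lines count (regex), what those lines must look like (expect).
RULES = [
    {"id": "SSH-1", "description": "PermitRootLogin is set to no",
     "file": "/etc/ssh/sshd_config", "regex": r"^\s*PermitRootLogin\s+",
     "expect": r"^\s*PermitRootLogin\s+no\s*$"},
    {"id": "SSH-2", "description": "Password authentication disabled",
     "file": "/etc/ssh/sshd_config", "regex": r"^\s*PasswordAuthentication\s+",
     "expect": r"^\s*PasswordAuthentication\s+no\s*$"},
    {"id": "PWD-1", "description": "PASS_MAX_DAYS is 90 or less",
     "file": "/etc/login.defs", "regex": r"^\s*PASS_MAX_DAYS\s+",
     "expect": r"^\s*PASS_MAX_DAYS\s+([1-9]|[1-8][0-9]|90)\s*$"},
]


def evaluate_rule(rule, content):
    """Return PASSED or FAILED for one rule against one file's text.

    Simplified model: lines matching `regex` are the ones under test and all
    of them must match `expect`. A directive that is absent (commented out or
    missing, so the daemon's default applies) is FAILED, not PASSED, so a
    missing line can never silently satisfy a check.
    """
    selected = [ln for ln in content.splitlines() if re.search(rule["regex"], ln)]
    if not selected:
        return "FAILED"
    return "PASSED" if all(re.search(rule["expect"], ln) for ln in selected) else "FAILED"


def root_accounts(passwd_text):
    """Local-account check: names of UID-0 accounts other than root."""
    extra = []
    for ln in passwd_text.splitlines():
        parts = ln.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            extra.append(parts[0])
    return extra


def run_audit(files):
    """files: {path: content}. Returns {rule_id: result}; a missing file is ERROR."""
    results = {}
    for rule in RULES:
        content = files.get(rule["file"])
        results[rule["id"]] = "ERROR" if content is None else evaluate_rule(rule, content)
    passwd = files.get("/etc/passwd")
    if passwd is None:
        results["ACC-1"] = "ERROR"
    else:
        results["ACC-1"] = "FAILED" if root_accounts(passwd) else "PASSED"
    return results


# Constructed sample host: root login still allowed, no password ageing,
# a second UID-0 account.
SAMPLE_FILES = {
    "/etc/ssh/sshd_config": "# comment\nPermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/login.defs": "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n",
    "/etc/passwd": ("root:x:0:0:root:/root:/bin/bash\n"
                    "toor:x:0:0::/:/bin/sh\n"
                    "scan:x:1001:1001::/home/scan:/bin/sh\n"),
}

if __name__ == "__main__":
    for rule_id, result in run_audit(SAMPLE_FILES).items():
        print(rule_id, result)
```

The point of treating an absent directive as a failure is the one that bites in practice: a commented-out `PermitRootLogin` passes a naive "no line says yes" check while the daemon falls back to its default.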

Experience in the use of Tenable SecurityCenter and Nessus
Homemade reporting
Graphs:
• MS Critical + Exploitable
• MS Critical
• MS Other
• Windows Software
Tables:
• Legend
• Top vulnerable hosts
• Top vulnerabilities

Experience in the use of Tenable SecurityCenter and Nessus
Homemade ticketing

Experience in the use of Tenable SecurityCenter and Nessus
Usage problems
● Updating scanners by scripts
● New plugins
● Log management and monitoring
● Harmless pentest
● False positives
● Authentication failures

Nessus Agents

Vulnerability Scanner as a valuable asset
Dangerous audit file
A custom .audit file can run commands on every scanned host with the scan account's credentials, so whoever can upload one controls the whole scanned estate.
![Page 23: Enterprise Vulnerability Management - ZeroNights16](https://reader033.vdocuments.net/reader033/viewer/2022052300/589f6e501a28abbf2e8b505b/html5/thumbnails/23.jpg)
Domain + two-factor authentication
Role model in SecCenter
Monitoring of using nessus account
Vulnerability Scanner as a valuable asset
Monitoring

Restricting Nessus permissions (sudoers)
Allow only the `/bin/sh -c "echo nessus_su_<N>; <command>; echo nessus_su_<N>"` wrapper that Nessus uses for sudo escalation, and deny command strings that contain an extra `;`:
Defaults:scanaccount !requiretty
Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXA = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *;*; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXB = ! /bin/sh -c echo nessus_su_`echo [0-9]*;*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXC = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*;*[0-9]`
scanaccount ALL = (root) NESSUSAA, NESSUSXA, NESSUSXB, NESSUSXC
• Not officially supported
• May stop working at any time
• More like security through obscurity than efficient protection

What is still wrong
(from NopSec "2016 Outlook: Vulnerability Risk Management and Remediation Trends")

Risk management?
Asset management?
Threat intelligence?
Detecting scanning gaps?
Do you really need an expensive "state of the art" solution?
...and what's beyond vulnerability scanning?

There is an alternative
For pentesters
For splunk, big data and fancy tech: HUBBLESTACK.IO
For the rest of us

Import all your scan data into a database
...and do anything you want!
Monitor changes, create scopes, custom reports, whatever
Avoid VM vendor lock-in
Simple as that

Use case: asset management
We do not have a critical asset inventory!
Wait... we do. It is called "monitoring"
Use zabbix data to create asset lists
Push alerts back to zabbix

Use case: advanced risk management
Create an exploit capabilities description (CVSS sucks!)
Add environment data (internal and external scans at least)
Add anything you want (threat intel)
No part is mandatory!
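The last three slides ("import your scan data", "asset lists from monitoring", "risk beyond CVSS"), together with the "detecting scanning gaps" question and the "MS Critical + Exploitable" report cut, describe one pipeline. The following added example (not the authors' tool and not Tenable's code) shows it end to end: parse the .nessus v2 export format (ReportHost/ReportItem elements with their cvss_base_score and exploit_available children), load findings and a monitoring-derived asset list into SQLite, weight CVSS by public exploit availability, Internet exposure and asset criticality, and list assets monitoring knows about that no scan has ever touched. The XML fragment, the asset list and the scoring weights are constructed for this example; the plugin IDs and addresses do not refer to anything real.

```python
"""Scan data in your own database: import, enrich, prioritise.

Added example (not the authors' tool, not Tenable's code). Parses the
.nessus v2 export format, loads it into SQLite and joins it with an asset
list of the kind the slides derive from monitoring. The XML, the asset
list and the risk weights are constructed; plugin IDs and hosts are not real.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed .nessus fragment: two hosts, three findings.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="weekly">
<ReportHost name="10.0.0.5">
  <ReportItem port="445" protocol="tcp" severity="4" pluginID="900001"
    pluginName="MS Critical update missing" pluginFamily="Windows : Microsoft Bulletins">
    <cvss_base_score>9.3</cvss_base_score><exploit_available>true</exploit_available>
  </ReportItem>
  <ReportItem port="0" protocol="tcp" severity="2" pluginID="900002"
    pluginName="Outdated client software" pluginFamily="Windows">
    <cvss_base_score>5.0</cvss_base_score><exploit_available>false</exploit_available>
  </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.9">
  <ReportItem port="22" protocol="tcp" severity="3" pluginID="900003"
    pluginName="SSH weak algorithms" pluginFamily="Misc.">
    <cvss_base_score>7.5</cvss_base_score><exploit_available>false</exploit_available>
  </ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed asset list as monitoring (e.g. zabbix host groups) would provide it:
# (ip, hostname, exposure, criticality 1..3). "external" = reachable from the Internet.
SAMPLE_ASSETS = [("10.0.0.5", "dc01", "internal", 3),
                 ("10.0.0.9", "web01", "external", 2),
                 ("10.0.0.12", "db01", "internal", 3)]   # never scanned


def parse_nessus(xml_text, scan_name):
    """Yield (scan, host, plugin_id, name, family, cvss, exploitable) per ReportItem."""
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss = float(item.findtext("cvss_base_score", default="0"))
            exploitable = item.findtext("exploit_available", default="false") == "true"
            yield (scan_name, host.get("name"), int(item.get("pluginID")),
                   item.get("pluginName"), item.get("pluginFamily"), cvss, int(exploitable))


def load(conn, xml_text, scan_name, assets):
    """Create the two tables if needed and import one scan plus the asset list."""
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS finding(scan, host, plugin_id, name, family, cvss, exploitable);
        CREATE TABLE IF NOT EXISTS asset(ip PRIMARY KEY, hostname, exposure, criticality);""")
    conn.executemany("INSERT INTO finding VALUES (?,?,?,?,?,?,?)", parse_nessus(xml_text, scan_name))
    conn.executemany("INSERT OR REPLACE INTO asset VALUES (?,?,?,?)", assets)
    conn.commit()


def risk(cvss, exploitable, exposure, criticality):
    """Example weighting instead of raw CVSS: a public exploit doubles the score,
    Internet exposure adds 50%, asset criticality scales it (weights are assumptions)."""
    score = cvss * (2.0 if exploitable else 1.0) * (1.5 if exposure == "external" else 1.0)
    return round(score * criticality / 3.0, 1)


def prioritised(conn):
    """Findings joined with asset data, highest computed risk first."""
    rows = conn.execute("""SELECT f.host, a.hostname, f.name, f.cvss, f.exploitable,
                                  COALESCE(a.exposure, 'unknown'), COALESCE(a.criticality, 1)
                           FROM finding f LEFT JOIN asset a ON a.ip = f.host""").fetchall()
    scored = [(risk(c, e, x, k), h, hn, n) for h, hn, n, c, e, x, k in rows]
    return sorted(scored, reverse=True)


def scanning_gaps(conn):
    """Assets known to monitoring that appear in no scan result."""
    return [ip for (ip,) in conn.execute(
        "SELECT ip FROM asset WHERE ip NOT IN (SELECT DISTINCT host FROM finding)")]


def ms_critical_exploitable(conn):
    """The 'MS Critical + Exploitable' cut: Microsoft bulletins, CVSS >= 9, exploit public."""
    return conn.execute("""SELECT host, name FROM finding
                           WHERE family LIKE 'Windows : Microsoft Bulletins%'
                             AND cvss >= 9.0 AND exploitable = 1""").fetchall()


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE_NESSUS, "weekly", SAMPLE_ASSETS)
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    for row in prioritised(conn):
        print(row)
    print("never scanned:", scanning_gaps(conn))
    print("MS critical + exploitable:", ms_critical_exploitable(conn))
```

With the data in your own tables, the other slides' wishes are plain SQL: a second `load()` of next week's export and a diff on (host, plugin_id) gives change monitoring, a WHERE on the asset table gives scopes, and the weights in `risk()` are where exploit capability descriptions or threat intel plug in.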