Vulnerability assessments are one of the key tools that information security professionals use to learn about their network environment. With the increasing quantity of threat agents and government regulations that carry harsh penalties, businesses have to know where their security vulnerabilities exist and how to mitigate them.
I had an opportunity a little over a year ago to help analyze tools for a vulnerability assessment proof of concept project at a multi-national Fortune 500 company. The idea of the project was to learn the business value that vulnerability assessments might provide and to discover the actual vulnerabilities.
We were sure some level of vulnerability assessment was necessary, but recognized that there were no internal mitigation processes to support the findings of the assessments. This proved to be a good intuition. About nine months after we were successfully scanning and building processes, I read an article about a company that had spent about $90,000 on a commercial vulnerability scanning solution only to see it fail miserably because they had not developed support processes.
For the proof of concept phase, the scanner couldn't be on a short evaluation period timeframe because, as much as the technical results of the scans were important, building internal mitigation support processes was equally important.
Even though we had access to commercial tools, we chose the open source Nessus (http://nessus.org) vulnerability scanner. Nessus is the de facto standard of vulnerability scanners. In fact, many commercial products use the Nessus engine in their products and nearly every major security hardware vendor supports Nessus scan results.
Nessus currently comes in two versions: the open source Nessus 2.2.x, and the recently released Nessus 3, which is closed source but free. Tenable Security (http://www.tenablesecurity.com) supports the Nessus project and maintains the development of both versions.
Nessus features include:
- Highly configurable scan options, such as scanning as few as one host or as many as multiple subnets
- DNS resolution or MAC address tracking for DHCP-enabled targets
- Scan throttling to avoid network bandwidth saturation
- Fully featured, highly configurable nmap port scanner
- Plug-ins - each plug-in is a test; for example, every Microsoft security patch is a separate plug-in. Currently there are over 10,000 for the free version of Nessus 3
- NASL scripting that allows custom plug-in creation
- GUI or command line clients
- Reports in .html and .txt formats
- Exports directly to MySQL databases for analysis
Working with Nessus
Nessus uses a client-server architecture and is deployable on many different operating system types. Tenable Security offers a version of the Nessus scanner for Windows called NeWT; however, it is not as feature-rich as the Linux version of Nessus.
We really wanted to test the full features of Nessus, so we decided to go with a SuSE Enterprise Linux 9 virtual machine on VMware ESX for the server and our Windows XP machines running the Nessuswx GUI client.
The members of the testing team were not Linux gurus; fortunately, the installation of Nessus over a year ago was not that difficult, though it challenged our Linux skills. Today installing Nessus on openSUSE 10 Linux is no harder than installing an application on Windows. You only need a minimum installation of openSUSE 10, and then install the Nessus .rpm from http://nessus.org/download. The installation sets up Nessus as a running service on the openSUSE machine.
We began scanning local subnets and generated the built-in .html reports that Nessus creates. We found unknown vulnerabilities on the network nearly from the first scans completed. As I gained confidence in Nessus, and learned how to throttle the bandwidth usage, we expanded our scanning out to the company facilities near our location, then eventually to the locations throughout the United States.
You can scan with administrator credentials on the target machine, or as an unknown user, to get different views of vulnerabilities with Nessus. As the unknown user, Nessus scans ports and checks for vulnerabilities in the discovered services; with administrator credentials, it conducts full host-based scans that check registry settings, services and file permission vulnerabilities.
Since Nessus has the ability to export the scan findings into MySQL, I installed MySQL and used custom queries to sort through the generous quantity of vulnerability data that Nessus creates. We conduct scans on the company's subnets located all over the world from the Louisville location and generate insightful vulnerability reports using Nessus and MySQL.
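To show the kind of custom query described above, here is an added example (not part of the original article or of Nessus itself) that loads findings into a database and ranks hosts and plug-ins by severity. It assumes the pipe-delimited NBE report format that Nessus 2.x clients can write (results|subnet|host|port|plugin id|severity|message), uses an in-memory SQLite table as a stand-in for the MySQL export, and the hosts, plug-in ids and findings are all constructed.

```python
import sqlite3

# Constructed sample report in NBE format (results|subnet|host|port|plugin id|severity|message).
# The hosts, plug-in ids and findings below are made up for this example; they are not real
# Nessus plug-in numbers or results from the article's environment.
SAMPLE_NBE = """\
timestamps|||scan_start|Mon Jan 2 09:00:00 2006|
results|10.1.2|10.1.2.15|general/tcp|99000|Security Note|Host is alive (constructed)
results|10.1.2|10.1.2.15|microsoft-ds (445/tcp)|99001|Security Hole|Missing OS patch (constructed)
results|10.1.2|10.1.2.15|http (80/tcp)|99003|Security Warning|Outdated web server (constructed)
results|10.1.2|10.1.2.20|ssh (22/tcp)|99002|Security Warning|SSH protocol 1 supported (constructed)
results|10.1.3|10.1.3.7|smtp (25/tcp)|99004|Security Hole|Open mail relay (constructed)
results|10.1.3|10.1.3.7|ssh (22/tcp)|99002|Security Warning|SSH protocol 1 supported (constructed)
timestamps|||scan_end|Mon Jan 2 09:30:00 2006|
"""


def parse_nbe(text):
    """Yield (subnet, host, port, plugin_id, severity, message) for each results line."""
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] != "results" or len(fields) < 7:
            continue  # skip timestamps and malformed lines
        subnet, host, port, plugin_id, severity = fields[1:6]
        message = "|".join(fields[6:])  # the free-text message may itself contain '|'
        yield subnet, host, port, int(plugin_id), severity, message


def load_findings(text):
    """Load parsed findings into an in-memory SQLite table (stand-in for the MySQL export)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE findings (subnet TEXT, host TEXT, port TEXT, "
               "plugin_id INTEGER, severity TEXT, message TEXT)")
    db.executemany("INSERT INTO findings VALUES (?, ?, ?, ?, ?, ?)", parse_nbe(text))
    return db


def hosts_by_risk(db):
    """Rank hosts by Security Hole count, then by Security Warning count."""
    return db.execute(
        "SELECT host, SUM(severity = 'Security Hole') AS holes, "
        "SUM(severity = 'Security Warning') AS warnings "
        "FROM findings GROUP BY host ORDER BY holes DESC, warnings DESC, host"
    ).fetchall()


def plugin_prevalence(db):
    """Count distinct hosts per plug-in (each plug-in is one test), ignoring informational notes."""
    return db.execute(
        "SELECT plugin_id, severity, COUNT(DISTINCT host) AS hosts FROM findings "
        "WHERE severity <> 'Security Note' GROUP BY plugin_id, severity "
        "ORDER BY hosts DESC, plugin_id"
    ).fetchall()
```

The first query tells you which machines to remediate first; the second tells you which single fix (one plug-in) would clear the most hosts, which is what a mitigation process built around the scan data needs.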
See these screenshots (http://techrepublic.com.com/2300-1009-6048886.html) of Nessus and Nessuswx in the Nessus gallery.
Right tool for the job?
With Nessus in production for a little over a year now, we are able to provide the company with the vulnerability assessment information we knew it needed, from any facility in the world.
Because Nessus is free, runs on free operating systems and requires few hardware resources, it has allowed the internal support processes to develop along with the skill sets needed to support vulnerability analysis.