Security optimize

Pinpoint vulnerabilities on your system with Nessus


Fixing vulnerabilities is an ongoing process that requires diligence -- it's not something you can ever cross off your task list. However, there are plenty of excellent tools available that will assess your systems for known vulnerabilities. Let me introduce you to one of the best.

Finding and fixing vulnerabilities on your systems isn't a task you can complete once and then cross off your list -- it's an ongoing process that requires diligence and consistent attention. There's never a point when you can feel confident you've discovered every possible vulnerability.

Of course, you've hopefully signed up to receive notifications on patches and security updates for every product deployed on your organization's network, which can go a long way toward keeping things secure. However, the only way you can verify that you've successfully closed the vulnerabilities is to perform a vulnerability assessment.

While the days of manual vulnerability assessments are long gone, there are plenty of excellent tools on the market that will assess your systems and determine whether they're up to date against known vulnerabilities. One of the best -- and freely available -- tools on the market is Nessus.

Nessus is an extremely popular tool commonly used to audit critical systems and applications for vulnerabilities. It offers an installation and client for the following platforms:

  • Linux: Fedora FC5 and 6, Red Hat Enterprise 3 and 4, SuSE 9.3 and 10, Debian 3.1 (i386)
  • FreeBSD: FreeBSD 5 and 6 (i386)
  • Solaris: Solaris 9 and 10 (Sparc)
  • Mac OS X: Mac OS X 10.4 (Intel and PPC)
  • Windows: Windows 2000, XP, and 2003 (32 bits)

Once installed, Nessus is fairly simple to run. The tool simulates attacks against known vulnerabilities and weaknesses to produce an excellent report. But it's your job to turn the report into actionable information so your organization can decide whether to patch a reported vulnerability or accept the risk.

Nessus groups the vulnerabilities analyzed for each system into three classifications:

  • Security Holes: The attack was a success and poses a great security risk.
  • Security Warnings: The attack was a success but doesn't pose a great security problem.
  • Security Notes: The tool found information about your system through scans and/or banners.

The tool further breaks down these classifications by risk factor:

  • Critical: Something has already compromised the remote host.
  • Serious: The vulnerability leaks information that can be extremely useful to an attacker.
  • High: An attacker can gain a shell on the remote host or execute arbitrary commands.
  • Medium: There's a security hole that can lead to privilege escalation.
  • Low: The information found is useful but doesn't pose an immediate threat.
  • None: There's no inherent risk.

Keep in mind that Nessus can report a vulnerability as having multiple risk factors. It's your job to determine the specific risk a vulnerability discovered by Nessus poses to your organization.

For each vulnerability discovered, the report may also list links for the BugTraq ID (BID), the Common Vulnerabilities and Exposures (CVE) number, and a Nessus ID. Each of these references can provide more information about a specific potential vulnerability.

Nessus creates its reports as HTML files. That means you can edit these files to include your comments prior to distributing them.

Analyzing reports is a tedious -- but essential -- duty. Make sure to base your recommendations for each vulnerable system on the overall security architecture that protects these systems.

Final thoughts

It's important to analyze Nessus reports to determine whether vulnerabilities are really significant to your organization. You can fix some vulnerabilities by deploying a patch or update to the application.

However, some of the fixes might involve patching a custom application that could yield unknown results. For these instances, you can mitigate the risk by blocking the appropriate TCP and UDP ports at your perimeter security devices. And don't forget that some results may be false positives.

Nessus is a good tool, but before taking drastic action that could negatively impact your operations, I recommend conducting some manual testing to verify results. Then, once you're confident with the results, prioritize and repair your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

9 comments
abovethetimberman
abovethetimberman

Anyone know if it works on Fedora 7?

apotheon
apotheon

Nessus isn't exactly some newfangled fly-by-night application that hasn't filtered down to most of the Linux distros yet. It should be available in every major distro. Give it a whirl.

pbourgeois
pbourgeois

Great in pointing out that a tool only indicates possible problems, it takes analysis to actually remedy a threat.

BALTHOR
BALTHOR

So---the Walmart girl says:"Whose virus scanner are you using--that one's no good"?"When's the last time that you had your browser checked for vulnerabilities---you've never heard of bad code then"."How new is your hard drive"?"Don't you ever call me sweetheart"!

Understaffed
Understaffed

We're having a security audit done very soon that is essentially going to be a $2,500 Nessus scan with interpretation of the results. Question posed: If you had no direct, first-hand experience with Nessus, and no time to speak of to complete this yourself, would you pay $2,500 to have this completed?

icmp30
icmp30

No way would I pay somebody else to run a Nessus scan. I've been on the receiving end of way to many "please respond to the vulnerabilities listed by COB tomorrow" msgs from our security office where they had some contractor run a Nessus scan. They've never found anything that a. we didn't already know about. b. wasn't already in our security plan > a $2,500 Nessus scan with interpretation > of the results. My experience with the contractors that our security office hires is that they can't interpret squat. At best, all they can do is re-word the explanation that Nessus gives. > ... and no time to speak of to complete this yourself If you've never had a Nessus scan run on your network I'd suggest that you find the time to run one yourself. The big cost in time is answering all the "why is this enabled" questions, so having someone else run the scan for you isn't going to save all that much time, The only value I see in having an outside contractor run a Nessus scan is that you don't have to trust the people responsible for securing the devices to report all of the issues found by Nessus.

Recknam
Recknam

I agree it is a waste of money to pay a consultant to run a scan and give you half a tree worth of data that you still have to interpret. Most of the "results" we got were false positives on Windows machines. Nessus doesn't seem to be able to track patches that were superceded by newer versions, rollups and service packs. I finally tested other products and bought GFI Languard. We still use Nessus for firewall and network scans but not for OS checks.

Understaffed
Understaffed

-I really don't relish the thought of spending that much cash on a free tool, when the bulk of the work is after the fact. You confirmed that for me- and I appreciate it. Now I just have to get the purchase rec for that cloning machine signed... ;)