"Communicating Vulnerabilities to Management: Making the Rubber Meet the Road" Webcast - Recording and Q&A

by Paul Asadoorian
November 18, 2013

Renaud Deraison, Jack Daniel, and I recently presented the "Communicating Vulnerabilities to Management: Making the Rubber Meet the Road" webcast. This was part 4 in the "Vulnerabilities Exposed" webcast series.

If you missed the webcast or would like to re-watch it, view the recording.


Q&A

Here are responses to questions we received during the webcast.

General

Will the slides be available for download?

Are there licenses for each implementation of Nessus and PVS?

  • Nessus and PVS can be licensed individually, and are also available in an introductory offer called "Nessus Plus." For more information, visit the Tenable Online Store. Each instance of Nessus or PVS requires a license.

I want to know more about the software, how to use it, and how much it costs. Will it be difficult to learn how to do the scan?

Does your product run in an IPv6 environment?

  • Both Nessus and PVS natively support IPv6 (both as targets and sniffing IPv6 traffic for vulnerabilities).

Configuration and Compliance

Nessus supports different types of frameworks. How easy it is to scan different types of compliance standards, and how do I perform the analysis by reviewing the vulnerabilities?

  • Configuration and compliance auditing is a Nessus feature that is both easy to use and very flexible. For more information, including how to set up and run compliance audits with Nessus, refer to the video on our YouTube channel and the compliance checks documentation.

Do you have a scanning policy for HIPAA compliance?

Product Features

How can I set up a Nessus scan to only scan by a particular severity? For example, scan using only critical-severity plugins.

  • You can filter the plugins on several different types of criteria, including severity.

Can Nessus effectively determine vulnerabilities in web applications and CMSes such as Joomla or WordPress?

  • Yes, Nessus can detect both known and previously-unknown web application vulnerabilities. For more information, please refer to the video on our YouTube channel.

Say Nessus finds a critical patch is missing which was already deployed through our patching. Can we trigger patching from Nessus through SCCM or WSUS?

  • At this time, this feature is not supported. Nessus reports the patch status recorded from the target host and the patch management system(s).

Is it necessary to provide Exchange service account credentials in order to pull the ActiveSync data for mobile devices?

  • To use mobile device scanning, Nessus requires access to the Active Directory domain controller(s) and Domain Admin level privileges.

Is the email notification feature available with the basic version of Nessus?

  • Yes, the email notification feature is available in every edition of the Nessus vulnerability scanner.

When you modify the severity, is it a global change, or can it be modified based on policy? Can I apply a system-wide severity change for a specific host?

  • Severity modifications are applied on a per-user basis. You can choose the host(s) to which a modification applies and the time frame for which it remains active.

SecurityCenter can also recast or accept risk, but it does not have an expiration date. Will that be added?

  • This is currently a planned feature for an upcoming SecurityCenter release.

Can multiple scans be combined as one report?

  • SecurityCenter allows you to aggregate data and generate reports from information collected from Nessus, PVS, and LCE (Log Correlation Engine). From within Nessus, you are not able to combine reports unless you interface with the API and create a custom script.
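As an added illustration of the custom-script route mentioned above (this is not code from the webcast or from Tenable's own tooling), the script below merges several exported Nessus v2 files (the `NessusClientData_v2` > `Report` > `ReportHost` > `ReportItem` layout) into one report, dropping findings that appear in more than one scan; the two sample exports are constructed inline.

```python
# Added example: merge several exported .nessus (v2) files into one report.
# The element layout is Nessus's real export format; the sample exports and
# plugin IDs below are constructed for this example only.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample exports (not real scan data).
SCAN_A = """<NessusClientData_v2><Report name="Scan A">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="11111" pluginName="Missing patch X"/>
 <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version"/>
</ReportHost></Report></NessusClientData_v2>"""
SCAN_B = """<NessusClientData_v2><Report name="Scan B">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="11111" pluginName="Missing patch X"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="22222" pluginName="Outdated CMS"/>
</ReportHost></Report></NessusClientData_v2>"""

def merge_nessus(xml_docs, report_name="Merged"):
    """Return one NessusClientData_v2 tree containing every host from every
    input; a finding (same host, pluginID, port, protocol) seen in several
    scans is kept once, so totals are not inflated by overlapping scans."""
    root = ET.Element("NessusClientData_v2")
    report = ET.SubElement(root, "Report", name=report_name)
    hosts, seen = {}, set()
    for doc in xml_docs:
        for rh in ET.fromstring(doc).iter("ReportHost"):
            name = rh.get("name")
            if name not in hosts:
                hosts[name] = ET.SubElement(report, "ReportHost", name=name)
            for item in rh.findall("ReportItem"):
                key = (name, item.get("pluginID"), item.get("port"), item.get("protocol"))
                if key in seen:
                    continue  # duplicate finding from an overlapping scan
                seen.add(key)
                hosts[name].append(item)
    return root

def severity_summary(root):
    """Count findings per Nessus severity (0 = info ... 4 = critical)."""
    return Counter(int(i.get("severity")) for i in root.iter("ReportItem"))

if __name__ == "__main__":
    merged = merge_nessus([SCAN_A, SCAN_B])
    ET.ElementTree(merged).write("merged.nessus", encoding="utf-8", xml_declaration=True)
    print(dict(severity_summary(merged)))  # {4: 1, 0: 1, 2: 1}
```

The written `merged.nessus` keeps the v2 structure, so it can be imported back into Nessus or SecurityCenter like any single-scan export.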

Tenable Resources

Webcast Recordings and Q&A

If you missed any of the previous webcasts in the "Vulnerabilities Exposed" series, view the recordings and read the Q&A.