Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Remediation Prioritization with Curated Vulnerabilities using Nessus (aka #CaughtWithPantsDown)

Almost every day we face the constant challenge of choosing from things that need our urgent attention and ones that are important. How we classify and prioritize these items largely reflects our true character. Procrastinate enough, and it doesn't take long for important items to become urgent. Fail to distinguish urgent items from the important, and it could lead to catastrophic failure. In short, identifying our priorities and executing them in our daily workflow is the key to success in any walk of life. And when it comes to vulnerability management, it’s no different.

Identifying our priorities and executing them in our daily workflow is the key to success in any walk of life

Not a day goes by when we don’t hear about a new breach affecting another major corporation. In fact it has become so common these days that we aren’t far from the day when it would be newsworthy to have no breaches. IBM even mocked this concept in their latest ad. And when that eventual breach does happen, the usual scapegoats (admins/CISOs/CIOs) get rounded up by the media, pundits and anyone who wants to publicly humiliate these people—who in most cases are just trying to do the best job they possibly can do.

Assigning blame to scapegoats and embarrassing them is easy. I routinely hear comments such as “oh, these guys were so lame they had default accounts all over the place” or “we could break into the network with a year old code execution flaw.” One thing that rarely gets mentioned is maybe—just maybe—the security teams were overwhelmed with the data that came out of all the sensors they bought, or the security team was short staffed and couldn't possibly deal with the avalanche of data that was reported.

How you patch, what you patch and how you prioritize the use of your resources is very important

To give you an example, if you assume a typical 5,000 host Nessus® scan, and a conservative hit rate of 0.0025% for approximately 90k Nessus plugins, you still end up with a million results. And even if you patched 99.99% of those vulnerabilities, and missed just one really critical flaw, it could be game over. So how you patch, what you patch and how you prioritize the use of your resources is very important.

With the release of Nessus 6.5, we are adding several more filters to help you make those decisions, and to make them quickly. Our engineers brought this feature to life by curating vulnerabilities that we deemed to be critical.

Curated vulnerabilities

So what are curated vulnerabilities? These are the choicest of vulnerabilities, plucked from your organization’s garden, ripe for hackers to plunder.

Internally, we refer to this feature as #CaughtWithPantsDown. Why? Well, if your organization gets breached, is investigated post-breach and these vulnerabilities show up on your report, then you will be caught with your pants down—at least figuratively. There is just no excuse.

New criteria

So what are some of the new filters/criteria that you can use to prioritize your remediation workflow?

Exploited By Nessus

Frequently when Nessus is trying to verify a vulnerability, it will actively try to exploit the flaw and show the results in a report. For example, run a command such as ipconfig or id or grab the contents of /etc/passwd or boot.ini and display it in the plugin output. If Nessus can exploit it, then anyone with a free HomeFeed® Nessus subscription or above can, and most likely will, review the plugin source and take it to the next level. Therefore, such vulnerabilities should be patched immediately.

Default/ Known Accounts

This one is self-explanatory. There is no reason to have default or known accounts with default passwords on the network. They should either be disabled or updated with non-default passwords.

Malware/Suspicious IPs

Over the past few years Nessus has made major strides in the area of malware detection and reporting. For example, Nessus can tell if a scanned host is on a known botnet list, is communicating with a known botnet IP, is hosting malicious content associated with botnet propagation, has some malicious process running or even checks against some custom malware MD5 hash list. And if you get a hit for any of those plugins, you should take care of them right away.

In the News

For folks who work at Tenable or other security-focused companies, our world revolves around vulnerabilities and compliance. But that’s not the case if you are, say, an oil company. Given today’s oil prices, whether your organization has patched CVE-2014-0160 or not is probably the least of your problems. The point I am trying to make is that keeping your network secure is not why you are in business, so it’s possible you might not be up on the latest vulnerabilities. That’s why we have a new filter called In the News. These are vulnerabilities that have received a lot of media coverage in the recent past. For example: Heartbleed, Shellshock, Conficker, etc. These should be patched right away.

Unsupported By Vendor

And finally we come to unsupported software.

I once heard a story about a customer who, for some reason, thought Windows 98 was a more secure OS than the modern OSs. And I was curious to find out why. It turns out that Nessus only reported one critical flaw for Windows 98 and hundreds for others. Can you blame him for thinking that Windows 98 was better?

Don’t get tricked into believing that a low severity count for unsupported software applications means that they are better in any way. They are sleepers waiting to be exploited, and should be eradicated from your network as soon as possible.

These are just some of the new filters we have added. You can combine them with existing filters such as Exploit Available, Severity, Vulnerability Publication Date etc. to come up with your own criteria for remediation prioritization.

Sample filter

Nessus Sample Filter

Post-scan action items and other use cases

With the addition of these new filters, it’s easy to create post scan action items to share with your internal security teams to lower risk and better prepare for an external pentest. All you have to do is apply the filter, and then click Export. The resulting report will be much smaller than your usual scan reports and is almost guaranteed to lower the risk to your organization since it’s most likely that 10 urgent items will be fixed quicker than 100 important ones.

With the addition of these new filters, it’s easy to create post scan action items to share with your internal security teams to lower risk and better prepare for an external pentest.

If you are consultant or a pentester who uses Nessus for vulnerability assessments, you can now share these reports in addition to the regular scan reports to provide extra value for your services.

Conclusion

Like most Nessus features, this feature arose from the sense of purpose we share at Tenable: if we care about something deeply enough and want to see it in our products, then there is a good chance that others would want to see it too.

This feature was also born out of Tenable’s recent Init15 hackathon. Not surprisingly, customers like you voted it as the winner, and now we are delivering on it.

Going forward, we will keep making refinements to this concept, but that shouldn’t stop you from using it right away—or should I say, keeping your pants up!

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training