The Value Of Credentialed Vulnerability Scanning

"What Am I Doing Wrong?"

I am often asked, "What am I doing wrong in regard to security?" This question is usually in reaction to some event, such as a failed audit, a network outage caused by malware or a worm, or a breach that was detected in the environment. I ran into this situation while doing incident response for a large university. It was my job to monitor the network and respond to the major incidents that were occurring (it was also up to me to determine what was "major" and what was not). I worked with many different network and system administrators on campus to help them improve the security of their respective departments. However, this was an academic environment full of students and professors who wanted to work in a free and open environment, which, as it turns out, is one of the most difficult to secure!

If a department had a compromise, I would do my best to help them figure out what happened and take measures to prevent it from happening again. A comprehensive assessment would next be performed to gain a better understanding of the security shortcomings and appropriate remediation measures. These types of assessments can be a daunting task for any security professional. Nessus was one of the primary tools we used to get a handle on the vulnerabilities in the environment. While it is important to scan for vulnerabilities such as missing patches or buffer overflows, assessments need to go deeper than that because attackers will use any approach they can to breach a system. A misconfigured system does not necessarily have a CVE or BID entry. The more comprehensive the audit, the better chance I had of making a recommendation that would effect change and result in better security (which really boiled down to me not having to come back in “incident response mode”).


Credentialed scanning with Nessus is something that I wish I did more of when doing post-compromise follow-up assessments. This type of scan has several benefits:

  • Not disrupting operations or consuming too many resources - Because the scan is performed with credentials, operations are executed on the host itself rather than across the network. Everything from operating system identification to port scanning is done by running commands on the host, then sending the results of those commands back to the Nessus server. This allows Nessus to consume far less system and network resources than performing a traditional network scan that probes ports and services remotely.
  • Definitive list of missing patches - Rather than probe a service remotely and attempt to find a vulnerability, Nessus will query the local host to see if a patch for a given vulnerability has been applied. This type of query is far more accurate (and safer) than running a remote check.
  • Client-side software vulnerabilities are uncovered - By looking at the software installed and its version, Nessus will find client-side software vulnerabilities that are otherwise missed in a traditional network-based audit.
  • Several other "vulnerabilities" - As you will see in the examples below, Nessus can read password policies, obtain a list of USB devices, check anti-virus software configurations and even enumerate Bluetooth devices attached to scanned hosts.

Seeing Is Believing

I recently had an opportunity to review results from a credentialed Nessus scan. The information provided was very interesting to analyze and useful to determine a plan for improved security architecture within the organization. Below are some examples of Nessus credentialed scanning results and recommendations that would follow:

USB device listing

Containing threats from USB devices can be a daunting task. Viruses can use USB thumb drives to propagate, U3 can enable thumb drives to compromise systems without user interaction, and the risk of intellectual property leaving your organization on a USB thumb drive is always present (this one is perhaps my favorite). While it’s good to know what devices are being plugged into USB ports on your systems, I was surprised to see how detailed the results were. In the example above, we can see that a Palm Pre phone is being used on one of the systems. This Nessus plugin is a great way to enforce policies, especially those that govern the use of smart phones.

Bluetooth Device Enumeration

Bluetooth may not be seen as the highest priority threat against your organization, but it is a channel that can be used to gain access to sensitive information, such as Bluetooth eavesdropping (Video), man-in-the-middle attacks against Bluetooth keyboards (Video) or even exploiting the protocol itself. The Nessus plugin shown above can enumerate Bluetooth devices connected to computers in your environment, allowing you to enforce policies aimed at stopping these threats.


Missing Client-Side Patches Report

Perhaps the most attacked client-side software, right next to Internet Explorer, is anything made by Adobe. They are responsible for some of the most popular client-side software including Adobe Acrobat, Adobe Flash and to a lesser extent Adobe Air. The ability to seek out Adobe products with missing patches in your environment, without running a client-side penetration test, is a win. You may have a system patching program in place, but why wait for an attacker to send exploits to test it when you can do it yourself first?


Anti-Virus Software Check

We can debate the effectiveness of anti-virus software, but let’s face it, a determined attacker will bypass your anti-virus defenses with little effort. However, for protection against known threats and common malware, anti-virus software provides a good line of defense. To maximize your investment in this technology, you have to keep software engines and virus definitions up-to-date. Nessus has a great plugin to help you keep tabs on this: plugin 16193 reports the anti-virus software installed on the system, its version and the latest revision of the virus signatures.


Password Policy Report

I've been known to say "Passwords are just so easy to abuse", and this couldn't be truer today. Attacks on end-user passwords and default passwords on embedded systems are extremely common, mostly because they are successful. Having a password policy is important, and even more important is to be certain the policy is enforced on all of the systems in your environment. Nessus provides a great way to check your systems’ password policies without going through the lengthy process of password brute forcing (you can tell Nessus to do password brute forcing as well).


Missing Microsoft Patches Report

While so-called "0-day" exploits get a lot of attention in the press, the dirty little secret of penetration testers (and most likely attackers) is that you don't need "0-day" exploits to compromise systems. Most successful penetration tests and breaches by attackers are accomplished by exploiting vulnerabilities for which the vendor has already released a patch, but which the target organization has not yet applied. You may have a "world class" patch management system, but an attacker needs only one vulnerability on just one system in order to gain a foothold on your systems and network. You need a process of checks and balances to ensure that patches are being applied properly to all of your systems. Nessus plugin 38153 provides a nice report of missing Microsoft patches on a given host to ensure that the systems you think are patched really are.
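The anti-virus (plugin 16193) and missing-Microsoft-patches (plugin 38153) reports above are most useful when rolled up across every host rather than read one host at a time. The script below is an added example, not code from the original post or from Tenable: it parses a constructed report in the .nessus v2 export layout (the element and attribute names are my assumption about that format; the host names and patch labels are placeholders), produces a per-host triage, and ranks which patches are missing most widely. A host with no local-check output at all is flagged as unverified rather than clean, since credentialed plugins only produce results when the supplied credentials actually worked.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Plugin IDs named in the post: anti-virus check and missing-Microsoft-patches summary.
AV_CHECK = "16193"
MISSING_MS_PATCHES = "38153"

# Constructed sample in the .nessus v2 export layout (element/attribute names are an
# assumption about that format; host names and PATCH-n labels are placeholders).
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="credentialed-audit">
  <ReportHost name="ws-101.example.local">
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
                pluginID="16193" pluginName="Anti-Virus Software Check" pluginFamily="Windows">
      <plugin_output>Engine 4.1.2 installed; signatures out of date</plugin_output>
    </ReportItem>
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                pluginID="38153" pluginName="Missing Microsoft Patches" pluginFamily="Windows">
      <plugin_output>PATCH-1, PATCH-2</plugin_output>
    </ReportItem>
  </ReportHost>
  <ReportHost name="ws-102.example.local">
    <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                pluginID="38153" pluginName="Missing Microsoft Patches" pluginFamily="Windows">
      <plugin_output>PATCH-2</plugin_output>
    </ReportItem>
  </ReportHost>
  <ReportHost name="ws-103.example.local"/>
</Report></NessusClientData_v2>"""

def parse_hosts(nessus_xml):
    """Map each ReportHost name to a list of (pluginID, severity, plugin_output)."""
    hosts = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        items = hosts.setdefault(host.get("name"), [])  # keep hosts with zero findings
        for item in host.iter("ReportItem"):
            output = (item.findtext("plugin_output") or "").strip()
            items.append((item.get("pluginID"), int(item.get("severity", "0")), output))
    return hosts

def triage(hosts):
    """Per host: whether any local check ran, patches missing per 38153, AV line per 16193."""
    report = {}
    for name, items in hosts.items():
        by_plugin = {pid: out for pid, _sev, out in items}
        patches = [p.strip() for p in by_plugin.get(MISSING_MS_PATCHES, "").split(",") if p.strip()]
        report[name] = {"local_checks_ran": bool(items),  # False = unverified, not clean
                        "missing_patches": patches,
                        "antivirus": by_plugin.get(AV_CHECK, "not reported")}
    return report

def patch_exposure(report):
    """Count how many hosts miss each patch, most widespread first (ties by name)."""
    counts = defaultdict(int)
    for entry in report.values():
        for patch in entry["missing_patches"]:
            counts[patch] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running `patch_exposure(triage(parse_hosts(SAMPLE_NESSUS)))` on the sample puts PATCH-2 first because two hosts miss it, which is the ordering you want when deciding what to push through patch management first.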

Conclusion

Getting a handle on the security posture of an organization can be a daunting task. Regular vulnerability scans, penetration tests and audits are all a part of the ongoing task of risk management. Credentialed Nessus scans provide your organization with a more accurate snapshot of the current environment, allowing you to quickly, safely and easily collect information about your network and systems. This information can be used to fill the gaps in your security architecture and make better decisions on how to improve your information security program.