Enumerating Corporate Data

Many Tenable customers and Nessus users have asked us for recommended strategies to discover where sensitive information is placed on the network. Often, organizations have segregated networks to separate sensitive data and want to verify compliance with the corporate policy. This is particularly important for organizations subject to legislation such as Sarbannes-Oxley or HIPAA. This blog entry describes some scenarios and strategies for finding sensitive data using Nessus, the Passive Vulnerability Scanner and the Security Center.

Searching for "Office" Documents on Web Servers

Plugin #11419 will search web servers for any documents with the following extensions:

.doc .wri .xls .ppt .csv .rtf .pdf

as well as less common:

.dif (another spreadsheet extension)
.sxw (Open Office Writer)
.sxi (Open Office Presentation)
.sxc (Open Office Spreadsheet)
.sdw (StarWriter)
.sdd (StarImpress)
.sdc (StarCalc)

This plugin is dependent upon the Web Mirror plugin (#10662). This NASL creates a mirror of all files on the remote server. Plugin #11419 then searches the Nessus knowledge base for files which have the above extensions. Mirroring a web server could take longer than your average scan due to bandwidth, size of the web server or even the performance of the web server.

Also, the Web Mirror plugin will follow links on default web pages and try to enumerate common web directories, but it won't find a specific file just being served on a web server. It needs to see a link to the file. For this demo, I placed an example.ppt file in the root directory of an Apache web server. The scans didn't find it until I either turned on directory indexing, or created an index.html file which references the example.ppt file.

Here is an example record of plugin #11419 as viewed under the Security Center:

The presence of one of these files by itself doesn't necessarily mean that your internal records are exposed to the Internet. All this means is that you have found a web server which is hosting a file with an extension that may indicate an "office" document that isn't protected by a password. Tenable has many customers which publish "official but unsensitive" documents as spreadsheets, Word documents or event Adobe PDFs.

Searching for "Office" Documents in Network Shares

Nessus plugin #23974 scans systems for SMB shares which contain the following list of "office" related files:

.doc .wri .xls .ppt .csv .rtf .pdf

as well as less common:

.dif (another spreadsheet extension)
.sxw (Open Office Writer)
.sxi (Open Office Presentation)
.sxc (Open Office Spreadsheet)
.sdw (StarWriter)
.sdd (StarImpress)
.sdc (StarCalc)

Access to the shares is based on the credentials of the scan. Documents identified with this plugin may or may not contain sensitive information. The purpose of the plugin is to simply try to find all of the systems (laptops, servers, SANs, portable NAS devices, .etc) which have files that might need to be secured.

Using Security Center Dynamic Asset lists

The Security Center can be used to create a dynamic asset list of all hosts that have certain types of documents being shared on the web. Actually, the Security Center can create asset lists on almost any sort of data detected by Nessus or the PVS. Below is a screen shot of a dynamic asset rule that would create a list of all systems that had Nessus vulnerability #11419 active:

Plugin #11419 looks for many different types of files (.doc, .pdf, .ppt, .etc), but there may be occasions when we want to look for content that is just for a specific file type. If we know what sort of file extensions we want to find, we can add some text search to our dynamic asset rule to match just what we want. In this case, if we wanted to look for just "Power Point" files, we could add a "Contains the Pattern" clause for the word "PowerPoint" as shown below:

If the pattern was more complex, we could have used a regular expression instead of a simple pattern match.

What can we do with these Asset Lists of hosts that contain sensitive data?

Once we have an asset list of all hosts that contain potentially sensitive data, there are several actions we can take:

All of the vulnerabilities for these servers can be independently considered. For example, all of these servers have specific web or SSH issues that should be addressed.

Instead of looking for the "top" vulnerabilities on these assets, searching them for systems or servers which were not under management could prevent future disclosure issues. If a system is holding sensitive data and it is not under management, common sense dictates this to be a problem.
If a system is holding sensitive data AND it is browsing the network, this could potentially also be suspicious. Typically, servers browse the network only for updates, backups and database queries. If a system holding sensitive data is heavily browsing the Internet, it could potentially be a target for malware, or perhaps the user doesn't know that they are also hosting a server.

If IDS events are being sent to the Security Center, or logs and network traffic are being sent to the Log Correlation Engine (LCE), they can be considered in context of the targets with sensitive data. Dynamic asset lists created by the Security Center are available for immediate use with  queries to the LCE. Login failures, buffer overflows, network anomalies, and even authorized access attempts can all be logged. This can help identify access control violations. For example, if a connection from a certain business group or even the Internet were seen connecting to a server with sensitive data on it, this could constitute a policy violation.

Advanced Dynamic Asset List Usage

Let's say we have many servers, all with some sort of interesting data on them and we also have the PVS recording which ports the systems it is monitoring get "browsed".  We'd like to create a dynamic asset list that identifies all systems with  both Nessus plugin ID #11419 and PVS plugin ID #2 destined for port 80. To do this, create a rule that looks like this:

The first rule clause is probably not familiar to readers. This is an extended regular expression, also associated with a plugin ID. For performance reasons, most rules are evaluated as an "OR" sequence. This makes it easy to find a certain combination of plugin IDs and ports. This rule clause matches if a server has plugin #2 present on it, and the data for that vulnerability ends with " 80". The ":" is used to separate the plugin ID from the regular expression. Regular expressions can use anchors such as "^" to indicate the start of a line and "$" to indicate the end of the line.

The second rule clause is a simple plugin match for Nessus ID #11419.

Both of these rules together will create a dynamic asset list of any host that has sensitive data that has also browsed the web on port 80. Since servers likely use the web queries to obtain updates, the reader should consider using a port such as 110 for POP or 143 for IMAP  or even 22 for SSH. These ports aren't used as often as port 80 though.  Another idea would be to look for PVS plugin IDs that identify the web browser in use as Mozilla.

For More Information

Tenable has other methods to search for sensitive data in motion. Several plugin libraries exist for the Passive Vulnerability Scanner which allow it to monitor plain-text traffic for credit cards, social security numbers and other types of sensitive data. Tenable has blogged about the PVS libraries and how to install them here. In addition, Tenable has partnered with content monitoring vendors such as Reconnex and has written several TASL scripts for the Log Correlation Engine engine.