Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Exploitable Since 2002: New Nessus 5 Filters

With Nessus 5, the results from a single vulnerability scan can be filtered to show which hosts have ancient vulnerabilities, which hosts aren’t being managed, and also which hosts have been exploitable for long periods of time. This blog entry discusses the new Nessus 5 filters, how they can be used to track high-risk vulnerabilities, and how enterprise users of Tenable SecurityCenter can leverage these filters for dashboards and asset-based reporting.

New Nessus 5 Filters

The following two new Nessus 5 filters are available:

  • Exploit Frameworks – Users can filter reports for vulnerabilities that can be exploited with exploit frameworks from Core, Exploit Hub, Immunity, and many others.
  • Vulnerability Publish Date – The date a vulnerability was published to the public.

Nessus 5 can also take advantage of dozens of other new filters. In addition, Tenable’s Research team can push new “tags” into the plugins, and Nessus 5 can automatically learn about and use these to filter reports and vulnerability results. These tags will allow Nessus users to “go deeper” and provide more specific filters. Here is an example listing of filters from a recent scan of my test lab:

01-filter

 

Tracking Exploitable Vulnerabilities

There are many ways to filter results from vulnerability scans and patch audits to identify exploitable issues. In the screen shot below, I’ve selected a filter to match any found vulnerabilities that correlate with exploits available from the CORE Exploit Framework.

02-core-exploit-filter

Previous Tenable blog posts have described how correlating exploits with vulnerabilities can provide you with more insight as to which systems could be adding more risk to your network than others. In short, you should consider what type of exposure a system may have to attacks from the Internet, from within a DMZ, or even from within your network by malicious insiders or clients that have been exploited with social engineering and malware.

Tracking Older Vulnerabilities

Nessus 5 can filter vulnerability scan results by the date a particular plugin was published (when Tenable produced a check for a known vulnerability), as well as the date the vulnerability was first published. You can also use filtering of parameters, such as, CERT ID, CVE, OSVDB, etc., and include strings such as “2010” to match records from the year 2010.

Below is a screen shot of scan results from my network with a filter for plugins written before January 1, 2009:

05-plugin-date-less-than-2009

Keep in mind that scans occur at one point in time and vulnerability dates are at a different point in time. If you scanned a system and saw that it was running Windows XP, the vulnerabilities may be from 2009, but the actual system could have been installed years later.

Exploitable Since 2008

Using Nessus 5’s time filter and exploitability filters, we can create a view into scan results that identifies vulnerabilities that have exploits that are also older than a certain time period. In the screen shot below, I created a filter for plugins written before January 1, 2008, that also had an exploit available. 

06-exploit-since-2008

In this case, the vulnerability was in the TFTP service and the exploit architecture was Canvas. 

SecurityCenter Exploit by Year Dashboard – Chart Vulnerabilities Exploitable Since 2002!

One of the first dashboards I made for SecurityCenter 4.2 combined assets, the exploitation filter, and strings for each year in a CVE filter. This displayed the total number of vulnerabilities for each asset on a yearly basis, as well as the total number of exploitable vulnerabilities on a yearly basis.

For this blog entry, I updated the dashboard to color cells green that had zero vulnerabilities and red for those that had at least one. Below is screen shot from my test lab:

04-Sc4-dashboard-cve-trend

The top chart lists vulnerabilities by assets by year from 2002 through 2011. The bottom chart lists the same data, but only shows exploitable vulnerabilities.

SecurityCenter has the ability to unify data from Nessus credentialed scans (patch audits), vulnerability scans, and network traffic monitoring via the Passive Vulnerability Scanner and organize the data into various repositories. This can help you create views and automate reporting based on boundary and asset classes, such as, the internal and exterior perimeters of DMZs, remote partners connecting through Intranets, home users connecting in through VPNs, server farm exposures to internal users, and much more.

For More Information

Previous Tenable Blog Entries

Tenable SecurityCenter Dashboards which track exploits

Tenable Media Sites

 

 

 

 

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.