Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

How to Maximize Compliance Scans with Nessus

Conduct compliance audit scans effectively and efficiently with Nessus Professional by leveraging these best practices. 

Tasks required to maintain compliance don't find themselves on most people's lists of favorite activities. But while such regulatory responsibilities can sometimes be taxing, complex or tedious, that doesn't make them any less necessary. Among the standards and practices pertaining to information security, compliance scanning is one of the most important.

Some in your organization may worry about performing a compliance scan of your network: Perhaps they think it's the same thing as a system-wide vulnerability scan and are worried about potential operational delays (though this is something of a misconception). Or maybe they're simply hoping to complete the process as soon as possible. As such, it will be critical to make sure your compliance scanning is as efficient and effective as possible. Following a few best practices can help you maximize the compliance audit functionality available in Nessus Professional.

Determine your scanning priorities

"Standards" and "regulations" are umbrella words that mean a lot of different things to different organizations. The business next door might solely adhere to PCI DSS for their payment processing, whereas you might also have HIPAA and GDPR to contend with. And then there may be "voluntary," but ultimately no less valuable, guidelines to follow like the security standards CIS creates for dozens of applications and operating systems. 

You don't have to conduct compliance audit scans for all standards you follow at the same time. Even if your system could handle the traffic that such a broad operation would create, it would slow everything down to a snail's pace and leave a lot of your peers frustrated (particularly everyone in IT). We recommend creating independent scans for each standard against which you're testing compliance to reduce the load and simplify reporting.

In other words, you'll want to schedule compliance scans around both regulatory and operational needs: for example, starting with PCI DSS in one scanning window, and then periodically rotating through the other standards. Prioritize anything that may have a specific recertification time frame, of course. So if it's been almost a year since your last PCI certification (or three months since your last scan),1 that should probably be at the top of your list for the moment.

Run compliance audits in close coordination with vulnerability scanning

Template-based and customized compliance scans

When you run Nessus Professional "straight out of the box," so to speak, it runs all of its compliance scanning operations based on templated policies for specific standards. In more than a few use cases, that may be all that's needed, as the audit templates cover a broad swath of protocols for all of the major operating systems. 

But that won't be true for every organization. Maybe your IT team has developed unique configurations for your registry values that a templated scan wouldn't properly analyze, or perhaps the terms of a particular standard changed a few hours ago and you need to change the existing audit policy to reflect that. Doing so is simple with Nessus - you and your infosec team can download the raw text files of the policies and modify them according to your precise scanning requirements.

Authenticate with credentials

You’ll need credentials to authenticate the execution of your compliance scans. With credentials, you'll be able to track down and resolve flaws, coding, configurations or other digital assets that represent even the slightest deviations from the standards you're obligated to uphold. This minimizes the risk of accruing fines or sanctions from either government agencies or industry regulators.

It's important to remember that credentialed compliance scans should be conducted using a dedicated account – one you create from scratch and provide with all appropriate administrator-level permissions. Doing so serves a dual purpose: You avoid exposing the admin-level credentials of an actual executive or member to a third-party application while allowing the solution to access all necessary areas of the network and paint the most accurate possible picture of your digital compliance. For added security, you can disable the auditing account whenever it isn't actively being used.2

Understand the compliance audit limits

To paraphrase Clint Eastwood: "An infosec operation's got to know its limitations." 

Lest you misinterpret this, there are little to no limits to a properly credentialed compliance audit conducted with Nessus. But compliance auditing and vulnerability scanning, which aren't identical, are sometimes confused with each other.

To achieve both optimal compliance and comprehensive network protection, it's critical that you run compliance audits in close coordination with vulnerability scanning. Stagger these processes appropriately to avoid major operational interruption, but not by too long: You don't want to risk missing a network issue that could either leave you open to a cyberattack or get you in hot water with a regulator. 

Nessus Professional can help give you the network visibility you need. Sign up now to get your free 7-day trial, and check out our ebook, 6 Ways to Optimize Your Nessus Scans, to learn more about how to maximize your assessment efforts. 

Start Your Free Nessus Trial

1. Merchant Services, "PCI DSS Frequently Asked Questions"
2. Security Boulevard, "Why You Should Perform Credentialed Scanning," April 2018

Related Posts

Auditing Databases with Nessus

By Justin Brown • October 3, 2017 - 9:59am

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Request a demo of Tenable.ot

Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.