Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

How to Maximize Compliance Scans with Nessus

Conduct compliance audit scans effectively and efficiently with Nessus Professional by leveraging these best practices. 

Tasks required to maintain compliance don't find themselves on most people's lists of favorite activities. But while such regulatory responsibilities can sometimes be taxing, complex or tedious, that doesn't make them any less necessary. Among the standards and practices pertaining to information security, compliance scanning is one of the most important.

Some in your organization may worry about performing a compliance scan of your network: Perhaps they think it's the same thing as a system-wide vulnerability scan and are worried about potential operational delays (though this is something of a misconception). Or maybe they're simply hoping to complete the process as soon as possible. As such, it will be critical to make sure your compliance scanning is as efficient and effective as possible. Following a few best practices can help you maximize the compliance audit functionality available in Nessus Professional.

Determine your scanning priorities

"Standards" and "regulations" are umbrella words that mean a lot of different things to different organizations. The business next door might solely adhere to PCI DSS for their payment processing, whereas you might also have HIPAA and GDPR to contend with. And then there may be "voluntary," but ultimately no less valuable, guidelines to follow like the security standards CIS creates for dozens of applications and operating systems. 

You don't have to conduct compliance audit scans for all standards you follow at the same time. Even if your system could handle the traffic that such a broad operation would create, it would slow everything down to a snail's pace and leave a lot of your peers frustrated (particularly everyone in IT). We recommend creating independent scans for each standard against which you're testing compliance to reduce the load and simplify reporting.

In other words, you'll want to schedule compliance scans around both regulatory and operational needs: for example, starting with PCI DSS in one scanning window, and then periodically rotating through the other standards. Prioritize anything that may have a specific recertification time frame, of course. So if it's been almost a year since your last PCI certification (or three months since your last scan),1 that should probably be at the top of your list for the moment.

Run compliance audits in close coordination with vulnerability scanning

Template-based and customized compliance scans

When you run Nessus Professional "straight out of the box," so to speak, it runs all of its compliance scanning operations based on templated policies for specific standards. In more than a few use cases, that may be all that's needed, as the audit templates cover a broad swath of protocols for all of the major operating systems. 

But that won't be true for every organization. Maybe your IT team has developed unique configurations for your registry values that a templated scan wouldn't properly analyze, or perhaps the terms of a particular standard changed a few hours ago and you need to change the existing audit policy to reflect that. Doing so is simple with Nessus - you and your infosec team can download the raw text files of the policies and modify them according to your precise scanning requirements.

Authenticate with credentials

You’ll need credentials to authenticate the execution of your compliance scans. With credentials, you'll be able to track down and resolve flaws, coding, configurations or other digital assets that represent even the slightest deviations from the standards you're obligated to uphold. This minimizes the risk of accruing fines or sanctions from either government agencies or industry regulators.

It's important to remember that credentialed compliance scans should be conducted using a dedicated account – one you create from scratch and provide with all appropriate administrator-level permissions. Doing so serves a dual purpose: You avoid exposing the admin-level credentials of an actual executive or member to a third-party application while allowing the solution to access all necessary areas of the network and paint the most accurate possible picture of your digital compliance. For added security, you can disable the auditing account whenever it isn't actively being used.2

Understand the compliance audit limits

To paraphrase Clint Eastwood: "An infosec operation's got to know its limitations." 

Lest you misinterpret this, there are little to no limits to a properly credentialed compliance audit conducted with Nessus. But compliance auditing and vulnerability scanning, which aren't identical, are sometimes confused with each other.

To achieve both optimal compliance and comprehensive network protection, it's critical that you run compliance audits in close coordination with vulnerability scanning. Stagger these processes appropriately to avoid major operational interruption, but not by too long: You don't want to risk missing a network issue that could either leave you open to a cyberattack or get you in hot water with a regulator. 

Nessus Professional can help give you the network visibility you need. Sign up now to get your free 7-day trial, and check out our ebook, 6 Ways to Optimize Your Nessus Scans, to learn more about how to maximize your assessment efforts. 

Start Your Free Nessus Trial

1. Merchant Services, "PCI DSS Frequently Asked Questions"
2. Security Boulevard, "Why You Should Perform Credentialed Scanning," April 2018

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training