Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Maximize Your Vulnerability Scan Value with Authenticated Scanning

Maximize Your Vulnerability Scan Value with Authenticated Scanning in Tenable Nessus

Want to get a lot more value out of your vulnerability scans? Start doing authenticated scanning.

Performing authenticated scans of your environment offers essential benefits and is a practice widely recognized as valuable. However, it's interesting to note that a significant number of Tenable Nessus users tend towards unauthenticated scans. The scan configurations we observe in Tenable’s SaaS products are telling: our customers run unauthenticated scans 20 times more than authenticated ones. Why the substantial gap?

Through customer interactions, we've learned that, often, users simply overlook the possibility of authenticated scanning amidst the urgency to initiate scans. It doesn’t cross their minds that they can add several different types of credentials fairly quickly, especially if a Privileged Access Management solution is in use in their enterprise.

We also find some customers are looking to have an “attacker’s perspective” on their assets — assuming the attackers have not obtained valid credentials to their machines, they want to see what those attackers would see by probing remotely.

And there are certainly users who are unclear about how credentials work in the product. What types of credentials can I use? Is it insecure to place these secrets inside this scanning tool? How will Nessus use them, or log their use? The best resource to find this kind of detailed information is the Nessus documentation on credentialed scanning.

It is important to understand some fundamentals and the advantages of credentialed scanning, though. Nessus Attack Scripting Language (NASL) plugins operate in a scan context, and a scan context is defined by the scan configuration settings. Think of the scan context as the atmosphere in which the plugins grow. The richer the environment, the greater the yield of the plugin scan results.

In a standard Nessus scan, the scanner will first attempt to identify the scan target with which it is communicating, and the first set of plugins run will perform that operating system and service fingerprinting. Once that interrogation is complete, the scanner can then use that information to determine which vulnerabilities are present on the target.

More detail about your assets

If a set of credentials are present for some remote management services (such as SSH or SMB), Nessus will attempt first to connect to the scan target using these credentials, so that the scanner can use this access to perform a more comprehensive scan of the machine. And here we have one of the primary benefits of using credentials to scan systems with Nessus: a much more detailed view of the scan targets.

Imagine buying a house you’d only seen from the outside — you’d never do it! You’d need to see the interior and check out all the rooms. An unauthenticated scan provides only the view from “outside the house.” With credentialed scans, you’re not simply guessing what kind of machine you’re talking with, based on the responses from listening ports. Instead, you can collect tons of details about the configuration of a machine, its installed software, users, network interfaces, and much more. Most organizations are hungry for more data about their assets, and Nessus has some of the most complete asset profiling capabilities in the market.

Using credentials also gives you the ability to perform audits against your assets, using a set of benchmarks that define best practices for configuring certain OS platforms and applications. These benchmarks, from organizations like the Center for Internet Security, or the U.S. Department of Defense, describe an ideal configuration for a high level of security, and can help you determine which of your assets are compliant with your organization’s hardening policies.

Higher confidence results

Providing credentials to gather internal attributes of your assets, of course, results in a far higher confidence in the exposure data that is collected. If your certainty about the state of an asset is higher, then the certainty about the associated vulnerabilities will also increase. If you find more applications installed on a machine, you will have a more complete picture of that machine’s weaknesses. If you’re profiling your assets, you’d much rather get an inventory of everything it’s got from the OS itself, through a package manager or installed app registry.

There are entire classes of applications that cannot be found via remote, unauthenticated scans. Client applications, like web browsers, productivity apps and messaging tools, typically do not have listening services, and as a result go undiscovered unless the scanner can log into a target. For instance, identifying vulnerable software libraries and components, such as libwebp or OpenSSL, is notably more challenging without credentialed scanning.

Uncover hidden vulnerabilities

Often, an application will expose a lesser amount of data through an unauthenticated interface. You’ll get less granular version information, in some cases, by probing a service remotely, than you’d get by looking at the same application via a local install. Sometimes this is unintentional. A snippet of code in a file available via a web-based management interface may be your only clue to the version of an application, and it may only be accessible due to an oversight by the developer.

At Tenable, we are observing a trend by enterprise technology vendors to restrict any data that aids attackers behind authenticated interfaces, including the name, version and configuration of their products. This is a smart move, in general; it also happens to make the lives of folks like us, in the vulnerability management business, substantially tougher.

There are some products that have had critical vulnerabilities announced this year that have been impossible to identify remotely without authenticating to the target.

One example is CVE-2023-2868, a vulnerability discovered in Barracuda’s Email Security Gateway product. The vulnerability happened to only affect the physical appliance, not the virtual. So what if you couldn’t distinguish between the two? That’s actually the case in this situation — the only way to determine if the appliance you’re probing is physical or virtual is by authenticating to the device and pulling a data point from the administrative console.

We are seeing more and more examples of this problem as time goes on, and we anticipate that more vendors — especially those who control the entire product from the hardware up — will begin to hide these details behind a login page. Your organization may come to a point where authenticated scans are not just a good idea, but necessary, to be comprehensive in your asset inventory and vulnerability management practices.

PCI-DSS v4 requirements

Are you subject to Payment Card Industry Data Security Standard (PCI-DSS)? If so, you may already be aware that the upcoming fourth version of the standard will require your PCI-specific vulnerability scans to be authenticated. If that’s the case, your decision about whether or not to run credentialed scans just got a whole lot easier! You’ll want to move to that kind of setup — or, ask your PCI approved scanning vendor (ASV) to perform them for you.

Conclusion

A good first step in adopting the practice of credentialed scanning is to set up a dedicated account, with administrative privileges, just to use for scanning. Use your centralized authentication system to get the best reach to all of your assets, or connect a PAM solution to pull credentials. Then, make sure your scanners can reach your scan targets on the appropriate services. You can add multiple credentials to reach a variety of devices — in your scan config, open the Credentials tab and click the dropdown box next to Categories to find more options. Rotating credentials on these service scanning accounts and updating the scan configuration settings in lockstep is a great practice to keep these accounts secure. Using your PAM solution and feeding scan credentials from your vault makes managing their lifecycle even more seamless.

In conclusion, the shift towards more secure enterprise technologies necessitates a parallel shift in vulnerability management practices, with credentialed scanning becoming not just beneficial but essential. By creating a dedicated administrative account for scanning purposes and ensuring proper access to all assets, organizations can significantly enhance their security posture. The accuracy and depth of insights gained from credentialed scans will lead to a more robust defense against potential threats. The future of vulnerability management is in authenticated scans, and the sooner organizations adapt, the better equipped they will be to identify and mitigate exposure.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training