
Tenable Blog


SANS 2007 Top 20 Scanning and Report Policies

Tenable has produced a set of report templates and scanning policies for both the NessusClient 3.0 and the Security Center. This blog entry discusses coverage of the SANS Top 20 2007 Annual Update in Nessus and in the Passive Vulnerability Scanner (PVS), and explains how to obtain and use these policies.

SANS 2007 Annual Update

As with previous annual updates, the SANS 2007 update classifies vulnerabilities into several categories, including "client-side", "server-side" and "zero day attacks". The CVE numbers listed in each section were used to map the entries to the relevant Nessus and PVS plugin IDs.
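As an added example (not code from the post or from Tenable), the following POSIX shell script shows how a Direct Feed user could reproduce or verify that CVE-to-plugin mapping against a local plugin feed: it reads a list of CVE IDs and prints the plugin IDs whose NASL source declares each CVE. The plugin directory path and the `script_id()` / `script_cve_id("CVE-...")` declaration style are assumptions based on the standard NASL plugin format; the three sample .nasl files the demo mode writes are constructed, not real Nessus plugins.

```shell
#!/bin/sh
# Added example; not code from the original post or from Tenable.
# Maps CVE IDs to Nessus plugin IDs by searching NASL plugin sources.
# Assumptions: plugins declare their ID with script_id(N) and their CVEs with
# script_cve_id("CVE-YYYY-NNNN", ...), and the feed lives in PLUGIN_DIR below.
set -eu

PLUGIN_DIR="${PLUGIN_DIR:-/opt/nessus/lib/nessus/plugins}"

# Print the numeric argument of script_id() from one .nasl file.
# Prints nothing if the file declares no ID (e.g. an include file).
plugin_id_of() {
    sed -n 's/.*script_id([[:space:]]*\([0-9][0-9]*\)[[:space:]]*).*/\1/p' "$1" | head -n 1
}

# Usage: cves_to_plugin_ids CVE_LIST_FILE [PLUGIN_DIR]
# Reads one CVE per line and prints "CVE plugin_id" pairs, sorted and unique,
# for every plugin that references that CVE. Malformed lines are skipped.
cves_to_plugin_ids() {
    list="$1"
    dir="${2:-$PLUGIN_DIR}"
    while IFS= read -r cve; do
        case "$cve" in
            CVE-[0-9][0-9][0-9][0-9]-[0-9]*) ;;   # well-formed CVE ID
            *) continue ;;                        # blank line, comment or typo
        esac
        # Match the quoted string so CVE-2007-123 cannot match CVE-2007-1234.
        # grep -F: fixed string; -l: print only the names of matching files.
        find "$dir" -name '*.nasl' -exec grep -lF -- "\"$cve\"" {} + 2>/dev/null |
        while IFS= read -r nasl; do
            id=$(plugin_id_of "$nasl")
            if [ -n "$id" ]; then
                printf '%s %s\n' "$cve" "$id"
            fi
        done
    done < "$list" | sort -u
}

# Constructed sample plugins (NOT real Nessus plugins) so the script can be
# exercised offline: three minimal .nasl files declaring IDs and CVEs.
make_sample_plugins() {
    dir="$1"
    printf 'if (description) {\n  script_id(99901);\n  script_cve_id("CVE-2007-0001", "CVE-2007-0002");\n}\n' > "$dir/a.nasl"
    printf 'if (description) {\n  script_id(99902);\n  script_cve_id("CVE-2007-0002");\n}\n' > "$dir/b.nasl"
    printf 'if (description) {\n  script_id(99903);\n  script_cve_id("CVE-2006-0003");\n}\n' > "$dir/c.nasl"
}

if [ "$#" -ge 1 ]; then
    cves_to_plugin_ids "$1" "${2:-$PLUGIN_DIR}"   # real use: CVE list file, plugin dir
else
    demo=$(mktemp -d)                              # no arguments: run against the samples
    make_sample_plugins "$demo"
    printf 'CVE-2007-0002\nCVE-2007-0001\nnot-a-cve\nCVE-2007-9999\n' > "$demo/cves.txt"
    cves_to_plugin_ids "$demo/cves.txt" "$demo"
    rm -rf "$demo"
fi
```

Run with no arguments to see the demo output against the constructed samples, or as `sh cve2plugin.sh sans-2007-cves.txt` against a real feed. The quoted-string match is deliberate: a bare substring search for CVE-2007-123 would also hit CVE-2007-1234 and silently enable the wrong plugin.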

Several sections did not identify specific CVE entries, but did give general guidelines for securing and auditing your systems. For each of those sections, Tenable suggests the following approaches:

H1 - Excessive User Rights and Unauthorized Devices

With Nessus credentialed checks, Direct Feed and Security Center users can apply a wide variety of configuration auditing policies to Windows and Unix systems. Many of the available policies were generated from "best practices" guidelines, including NIST SCAP content and Center for Internet Security benchmarks.

To detect unauthorized devices, a variety of methods can be used. The simplest is to scan with Nessus and see what is on your network. In larger enterprise networks, analyzing raw scan results is cumbersome, so continuous network monitoring with the Passive Vulnerability Scanner, combined with the Security Center's automatic classification of systems into one or more asset categories, is recommended.

H2 - Phishing/Spear Phishing

The Passive Vulnerability Scanner can tell you which hosts on your network connect to the Internet, and the Log Correlation Engine can perform a variety of blacklist analyses to see whether your users are connecting to potentially hostile sites.

The intent of this section is to educate your users and prevent them from being "socialed" (socially engineered), but an interesting feature of the Passive Vulnerability Scanner is its ability to recognize when a web page claiming to be from a bank or credit union is being served by a host on your local network.

H3 - Unencrypted Laptops and Removable Devices

Although Nessus cannot verify that the data on a laptop is actually encrypted, it can test for the presence of specific encryption software and check that the software is installed and configured correctly. End users would need to develop a Nessus configuration audit policy that identifies whether the corporate standard for encryption is installed and configured to policy.

Nessus credentialed checks can also itemize all USB devices that have been attached to an audited Windows computer. The Security Center can use the output of this audit to classify systems based on the type of USB device detected.

A2 - Peer-to-Peer Programs

The 2007 update did not cite any specific vulnerabilities in any particular P2P application. I feel this is an oversight, as there have been many severe vulnerabilities in a variety of P2P applications. From a corporate point of view, though, the mere presence of a P2P application raises issues beyond software vulnerabilities, such as the sharing of corporate data or the downloading of copyrighted material.

Both Nessus and the Passive Vulnerability Scanner have entire families of plugins dedicated to detecting P2P applications and identifying known security issues in them.

Passive Vulnerability Scanner Coverage

The PVS is able to detect relevant SANS 2007 Top 20 vulnerabilities in many of the different sections, especially the client-side vulnerabilities.

Overall, more than 60 unique PVS plugins were directly attributable to the SANS Top 20 2007 list. Many more generic plugins (such as those that simply identify older browsers or the presence of a certain type of network application) also help an organization remove or mitigate harmful applications.

The relevant PVS plugin IDs are enabled in the SANS 2007 report for the Security Center, described two sections below.

NessusClient 3.0 Scanning Policy

Below are .gz and .zip files which can be used by the NessusClient 3.0.

Download SANS-2007.nessus.gz

Download SANS-2007.zip

The scan policy enables only the Nessus plugins relevant to the CVE entries identified in the SANS 2007 list. The policy also includes individual scan policies for each section (such as C1, C2, S3, and so on), so that a quick scan of just one section can be performed.

To use this policy, download the .gz or .zip file to your system and uncompress it. Then, after launching the NessusClient, choose 'File', then 'Open' and select the SANS-2007.nessus policy. After loading, your NessusClient should look something like the screen shot below:

[Screen shot: NessusClient 3.0 with the SANS-2007 policy loaded]
The policy does not include the credentials required to perform patch audits. Once you have loaded the SANS 2007 policy, if you wish to perform a patch audit, add the Unix or Windows administrator credentials for the system(s) you wish to audit. If you are auditing multiple sites with different credentials, add your scan targets and save the entire configuration as a new scan policy. Treat any saved policy that contains credentials as sensitive, since the file then holds administrator logins for the audited hosts.

Security Center Reporting Templates and Scanning Polices

The following two downloads enable the Security Center to perform SANS 2007 Top 20 scans and to generate SANS 2007 Top 20 reports from existing Nessus and PVS scan data.

Download sans-2007-sc3-scanpolicy.tar.gz

Download sans-2007-sc3-reportpolicy.tar.gz

To install these two files, perform the following steps:

  1. Download both files to a temporary location on your Security Center host
  2. gunzip and untar the sans-2007-sc3-reportpolicy.tar.gz file
  3. chown each of the extracted .xml files to user 'tns'
  4. move all of the .xml files to the /opt/sc3/admin/report_templates directory
  5. gunzip and untar the sans-2007-sc3-scanpolicy.tar.gz file
  6. chown each of the new files to user 'tns'
  7. move these files to /opt/sc3/admin/vpolicy
  8. edit the /opt/sc3/admin/vpolicy/vpolicy.txt file and add the value "0033" to the list on the line before the "***END" designator.
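The eight steps above, scripted as an added example (not code from the post or from Tenable). The assumptions are: Security Center 3 is installed under /opt/sc3, its files are owned by the 'tns' user, the script runs as root, and vpolicy.txt is a plain list of one policy ID per line terminated by a line reading exactly "***END". That last point is inferred from step 8 rather than stated by the post, so inspect your own vpolicy.txt before relying on it; the function refuses to edit a file without the terminator rather than guess at a different layout. The sample vpolicy.txt written by the demo mode is constructed.

```shell
#!/bin/sh
# Added example; not code from the original post or from Tenable.
# Automates the SANS 2007 Security Center 3 installation steps.
# Assumptions: SC3 under /opt/sc3, files owned by user 'tns', run as root,
# vpolicy.txt = one policy ID per line followed by a line "***END".
set -eu

SC3_ROOT="${SC3_ROOT:-/opt/sc3}"
SC3_USER="${SC3_USER:-tns}"

# Unpack a .tar.gz into a fresh scratch directory and print its path.
extract_to_tmp() {
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch"
    printf '%s\n' "$scratch"
}

# Steps 2-4: report templates. Only .xml files are installed, owned by tns.
install_report_templates() {
    src=$(extract_to_tmp "$1")
    dest="$SC3_ROOT/admin/report_templates"
    find "$src" -type f -name '*.xml' -exec install -o "$SC3_USER" -m 0644 {} "$dest/" \;
    rm -rf "$src"
}

# Steps 5-7: scan policy. Every extracted file goes to admin/vpolicy.
install_scan_policy() {
    src=$(extract_to_tmp "$1")
    dest="$SC3_ROOT/admin/vpolicy"
    find "$src" -type f -exec install -o "$SC3_USER" -m 0644 {} "$dest/" \;
    rm -rf "$src"
}

# Step 8: register a policy ID in vpolicy.txt by inserting it immediately
# before the "***END" terminator. Idempotent: a second run changes nothing.
# Usage: register_policy_id VPOLICY_FILE ID
register_policy_id() {
    file="$1"
    id="$2"
    if grep -qxF -- "$id" "$file"; then
        return 0                       # already listed: nothing to do
    fi
    if ! grep -qxF -- '***END' "$file"; then
        echo "register_policy_id: no ***END terminator in $file" >&2
        return 1                       # unexpected layout: refuse to guess
    fi
    # awk emits the new ID when it reaches the terminator, then the terminator.
    # Writing back with "cat >" keeps the file's inode, owner and mode (tns)
    # instead of replacing it with a root-owned copy.
    awk -v id="$id" '$0 == "***END" { print id } { print }' "$file" > "$file.new"
    cat "$file.new" > "$file"
    rm -f "$file.new"
}

# Full install: sh install_sans2007.sh --install REPORT_TGZ SCANPOLICY_TGZ
if [ "${1:-}" = "--install" ]; then
    install_report_templates "$2"
    install_scan_policy "$3"
    register_policy_id "$SC3_ROOT/admin/vpolicy/vpolicy.txt" 0033
else
    # No arguments: demonstrate step 8 on a constructed sample vpolicy.txt.
    demo=$(mktemp -d)
    printf '0001\n0002\n***END\n' > "$demo/vpolicy.txt"
    register_policy_id "$demo/vpolicy.txt" 0033
    cat "$demo/vpolicy.txt"
    rm -rf "$demo"
fi
```

Run as root on the Security Center host with `--install` and the two downloaded tarballs; with no arguments it only exercises the vpolicy.txt edit on a throwaway sample. The value "0033" is the one the post specifies for this policy.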

Once these files are installed, they are immediately available for use within the Security Center.

If you have existing data from Nessus scans or the Passive Vulnerability Scanner, you can create or schedule a SANS 2007 Top 20 report by choosing one of the new report templates. There are three new templates: one summarizes the vulnerabilities, one summarizes the affected networks and assets, and one provides full detail of the vulnerabilities in question.

Also, within the screens for browsing and analyzing vulnerability and configuration data, if the SANS 2007 policy is chosen, only the vulnerabilities relevant to that policy will be displayed.

To schedule a new scan for just SANS 2007 issues, Security Center users can choose the new policy and launch a scan. As with the NessusClient, if credentials are needed to perform host-based audits, the SANS 2007 scan policy should be cloned and the credentials specified in the new policy. If a network asset with known credentials is scanned, the Security Center will use those credentials automatically.

For More Information

Nessus is available to end users as a free download. Tenable offers both commercial and no-charge methods to update Nessus to check for recent vulnerabilities. For more information, please visit http://www.nessus.org.

The Security Center, Passive Vulnerability Scanner and the Log Correlation Engine are all commercial products offered by Tenable Network Security. For 500 servers, the Security Center costs less than most commercial vulnerability scanner licenses, yet has the power and functionality of leading SIM and vulnerability management solutions. For more information on these products, please read about them online or email our sales staff.
