Nessus Scanning Strategies for Consultants

Nessus helps consultants perform a wide variety of security assessment services for their clients. This blog entry describes how many of the new features Tenable has added to Nessus over the past few years dramatically alter the types of services that can be provided during an assessment.

Nessus now provides the ability to audit which users run mobile devices and determine the patch level for your client. Any mobile device that interacts with ActiveSync can be enumerated, and its general patch level can be determined by pointing Nessus at the local Windows domain controller. 

This information helps consultants provide better advice for their clients and can lead to additional work such as the deployment of a NAC, a mobile device user policy, enforcing a certain type of mobile device, or even identification of rogue or unauthorized mobile devices.

Performing Patch Audits without Asking for the Admin Password!

Regardless of their security expertise, consultants are rarely given a domain login or passwords to their clients’ DNS servers and Exchange servers.  Without such a login though, you can’t find specific missing patches that shed light on client-side vulnerabilities. 

If your client has invested in a patch management system, Nessus can be configured to communicate with it and pool its scan results with the patch auditing results from the patch management system. Nessus supports many major Windows patch management systems, including SCCM and Tivoli (Bigfix).

Identifying Readily Exploitable Systems without Performing an In-depth Pen Test

A Nessus vulnerability scan can identify which services, clients or Internet facing devices are readily compromised with public exploits. If your client has any of these, performing a penetration test is likely not needed because you already know that such an attack will succeed. 

Nessus includes correlation with many different types of exploit platforms and can filter scan results against any of these technologies.

This technology can also help consultants recommend when a penetration test is appropriate. For example, if you’ve scanned a DMZ and see that there are no Internet facing vulnerabilities that are exploitable, but you see that there are Internet browsing users with vulnerable web browsers, you may recommend a social engineering penetration test.

Identifying Malware and Botnets

I’ve spoken with many consultants who use Nessus and were surprised to see Nessus identify botnets and malware running on their clients’ Windows systems.

Nessus’s botnet identification technology identifies systems that are listed on, communicating with, performing DNS lookups to, or hosting botnet content. The Windows malware identification technology identifies malicious processes that are running with an index of all leading anti-virus products.

If you find malware or botnets during a Nessus scan of your clients’ systems, you may be able to assist customers with their malicious software defenses. It’s possible you can help them remove the virus, perform an audit of their deployed anti-virus agents with Nessus or extend your consulting to help enhance their firewall, log analysis, email security or other types of malicious code protection.

Preparing for PCI Certification

Tenable is a PCI  Authorized Scanning Vendor (ASV) and achieved this certification with the Nessus Perimeter Service. The Nessus scanners and user interface to perform the scans are exactly the same as those that consultants have access to with the Nessus ProfessionalFeed. This means you can perform your network scans to prepare for a PCI audit with the same exact policies Tenable uses for PCI certification scanning from the Perimeter Service.  

It is important to note that an official PCI scan must be performed by an ASV, but it is helpful to use the Nessus PCI scan policy to identify non-compliant issues before an ASV is engaged. Identifying these issues before an official PCI scan from the Nessus Perimeter Service is performed is an excellent way to assist clients who attempt to obtain and maintain their PCI certifications.

Take Training And Be Certified

Tenable offers a wide variety of certification training programs. The training programs are entirely web-based, on demand and have built-in hands-on labs hosted at Tenable, which gives you direct experience running scans and performing audits of Linux, Windows and Cisco devices.

Having the Tenable Certified Nessus Auditor certification on your resume allows you to tell your clients that you’ve mastered the #1 network auditing tool in the world, in use throughout the Department of Defense, the PCI industry and more than 15,000 organizations world-wide.

For More Information

If you are a consultant who uses Nessus, you can join in with the rest of the community at the Nessus Discussions Forum where tips, techniques and announcements are discussed at length and often directly with the R&D staff from Tenable.

To sign up for Tenable’s training and certification, visit our e-commerce site or learn more about the programs here. There is also a tremendous amount of videos and information at the Tenable YouTube channel.