Tenable Blog

The video below is part 4 in our series of the top ten things you didn't know about Nessus and covers Nessus licensing and usage:

Further Reading:

• Tenable Charitable Organization Subscription Program

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. The special purpose-built systems often operate within a limited scope and use protocols that are specific to the tasks being performed, such as Modbus, OPC, and DNP3.

In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins were released for Nessus (covering devices from Movicon, 7-Technologies, and more).

Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond’s S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond’s Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security.

Below is a sample of some of the new SCADA plugins:

Nessus has several different plugins and techniques for helping you with the fight against malware. The video below is part 7 in our series of the top ten things you didn't know about Nessus and covers 3 different ways Nessus can be used to help detect malware:

Below are a few more examples of how Nessus can detect malware:

1. Nessus Network Checks

Nessus plugins in the "Backdoor" plugin family detect certain types of generic behavior on listening services that are indicative of malware. For example, plugin #35322 detects the presence of an HTTP backdoor. Nessus detects the web server remotely and identifies a condition where the web server, regardless of the request, returns a Windows executable:

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS server 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows server 2003 SP2 patches. If you are not familiar with WSUS it is freely available to Microsoft customers as part of your Windows server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and display the patch information through the Nessus or SecurityCenter. When performing scans with the WSUS patch management plugins enabled and configured please note the following:

• Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will login and perform credentialed scanning without querying the WSUS server data.

• WSUS is queried when credentials fail - If credentials are not valid for a target system, or credentials are not entered at all into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
• The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
• Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose?

Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged – meaning they may or may not be running AV software, a firewall, or conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and the Internet directly on two separate mediums. For example, the device may associate to a wireless belonging to your organization and a 3G/4G connection to the Internet.

In a perfect world, there would be no vulnerabilities.  In a perfect patching world there would be a patch for every vulnerability and we would always be able to patch all of our systems as soon as a patch was available. In the real world we do the best we can and struggle with testing cycles, incompatibilities, and legacy applications which means sometimes we have to leave insecure and unpatched systems in production.

There are a variety of situations that can cause exposure:

• Some patches break needed applications or cause compatibility problems
• Patches may not yet be available for a vulnerability but the systems must stay online and exposed Legacy applications or operating systems may still be required (for example Internet Explorer 6 may be required to access a legacy web application, probably running on a legacy web server)
• A maintenance window may not be immediately available when patches are released
• Systems in development environments may be vulnerable during development and testing phases

We are pleased to announce the release of four new Nessus Auditor Bundles to our product lineup. These bundles package together Nessus On-Demand Training & Certification with a ProfessionalFeed Subscription, a Perimeter Service Subscription or both, with savings up to $800!

Be among the first to take advantage of this great cost-saving option.

During the past few weeks, the Tenable R&D team has created several plugins to enhance SSL certificate auditing capability. Nessus will identify SSL certificates regardless of port and launch dozens of plugins to check for a variety of weaknesses and vulnerabilities. Three new plugins expand that auditing capability to more effectively audit your organization.

SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions

Tenable has released a plugin titled “SSL Certificate Fails to Adhere to Basic Constraints / Key Usage Extensions” (ID# 56284) to help users verify X.509 / SSL certificate chains. Based on RFC 3280 guidelines, Nessus will examine an SSL certificate found on any port to verify that it adheres to all basic constraints and key usage extensions. If an X.509 certificate in a chain fails to adhere to constraints and usage extensions, Nessus will report that violations are present. This finding means that either a root or intermediate Certificate Authority (CA) signed a certificate incorrectly.

Next up on our Nessus top ten list is #9, which covers how to use Nessus configuration auditing to discover information about your system configurations. The following video presents use cases and examples, from PCI compliance to detecting viruses:

Please visit Tenable's YouTube channel for more Nessus and SecurityCenter videos!

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

#10. There's More Than One Way To...