SANS 2007 Top 20 Scanning and Report Policies
Tenable has produced a variety of report templates and scanning policies for both the NessusClient 3.0 and the Security Center. This blog entry discusses coverage of the SANS Top 20 2007 Annual Update in Nessus as well as the Passive Vulnerability Scanner and instructs users how to obtain and use these policies.
SANS 2007 Annual Update
As with previous annual updates, the SANS 2007 update classifies vulnerabilities into several categories including "client-side", "server-side" and "zero day attacks". CVE numbers were used in each of the sections to map to the relevant Nessus and PVS plugin IDs.
Several sections did not identify specific CVE entries, but did identify general guidelines for securing and auditing your systems. For each such section, Tenable suggests the following solutions:
H1 - Excessive User Rights and Unauthorized Devices
With Nessus credentialed checks, a wide variety of configuration auditing policies can be used by Direct Feed and Security Center users to audit Windows and Unix systems. Many of the policies available have been generated from a variety of "best practices" guidelines including NIST SCAP content and the Center for Internet Security.
To detect unauthorized devices, a variety of methods can be used. The simplest is to scan with Nessus and see what is on your network. In larger enterprise networks, analyzing raw scan results is cumbersome. Continuous network monitoring with the Passive Vulnerability Scanner as well as automatic classification of systems into one or more asset categories by the Security Center is recommended.
H2 - Phishing/Spear Phishing
The Passive Vulnerability Scanner can tell you which hosts on your network connect to the Internet, and the Log Correlation Engine can perform a variety of blacklist analyses to see if your users are connecting to potentially hostile sites.
The intent of this section is to educate your users and prevent them from being "socialed", but an interesting feature of the Passive Vulnerability Scanner is its ability to recognize when a web page claiming to be from a bank or credit union appears on your local network.
H3 - Unencrypted Laptops and Removable Devices
Although Nessus does not test for "encryption", it can test for the presence of specific encryption software and whether that software is installed and configured correctly. End users would need to develop a Nessus configuration audit policy that identifies if the corporate standard for encryption is installed and configured to policy.
Nessus credential checks can also itemize all USB devices that have been attached to an audited Windows computer. The Security Center can use the output of this audit to classify systems based on the type of detected USB device.
A2 - Peer-to-Peer Programs
The 2007 update did not specify any particular vulnerabilities in any particular P2P applications. I feel this is an oversight, as there have been many severe vulnerabilities in a variety of P2P applications. From a corporate point of view though, the simple presence of a P2P application may have a variety of issues other than security, such as the potential sharing of corporate data or the act of obtaining copyrighted material.
Both Nessus and the Passive Vulnerability Scanner have entire families of plugins dedicated to the detection of P2P applications and identifying any known security issues with them.
Passive Vulnerability Scanner Coverage
The PVS is able to detect relevant SANS 2007 Top 20 vulnerabilities in many of the different sections, especially the client-side vulnerabilities.
Overall, there were more than 60 unique PVS plugins which were directly attributable to the SANS Top 20 2007 audit. There are many more generic plugins (such as those simply identifying older browsers or the presence of a certain type of network application) that also help an organization remove or mitigate harmful applications.
The relevant plugin IDs for the PVS are enabled in the SANS 2007 report templates for the Security Center described two sections below.
NessusClient 3.0 Scanning Policy
Below are .gz and .zip files which can be used by the NessusClient 3.0.
The scan policy only enables the relevant Nessus plugins for the SANS 2007 list of identified CVE entries. The policy also includes individual scan policies for each section (such as C1, C2, S3, and so on) such that a quick scan of just that specific section can be performed.
To use this policy, download the .gz or .zip file to your system and uncompress it. Then, after launching the NessusClient, choose 'File', then 'Open' and select the SANS-2007.nessus policy. After loading, your NessusClient should look something like the screenshot below:
The policy does not include the required credentials to perform patch audits. Once you have loaded the SANS 2007 policy, if you wish to perform a patch audit, you should add in the Unix or Windows administrator credentials of the system(s) you wish to audit. If you are auditing multiple sites with different credentials, you should add in your scan targets and save the entire configuration as a new scan policy.
Security Center Reporting Templates and Scanning Policies
The following two downloads enable the Security Center to perform SANS 2007 Top 20 scans as well as generate relevant SANS 2007 Top 20 reports from existing Nessus and PVS scanning data.
Download sans-2007-sc3-scanpolicy.tar.gz
Download sans-2007-sc3-reportpolicy.tar.gz
To install these two files, perform the following steps:
- Download both files to your Security Center in a temporary location
- unzip and untar the sans-2007-sc3-reportpolicy.tar.gz file
- chown each of the .xml files to user 'tns'
- move all of the .xml files to the /opt/sc3/admin/report_templates directory
- unzip and untar the sans-2007-sc3-scanpolicy.tar.gz file
- chown each of the new files to user 'tns'
- move these files to /opt/sc3/admin/vpolicy
- edit the /opt/sc3/admin/vpolicy/vpolicy.txt file and add the value "0033" to the list on the line before the "***END" designator.
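The install steps above as a small POSIX shell script (an added example, not Tenable's own installer). It assumes vpolicy.txt lists one policy id per line and ends with a "***END" line, that the tarballs contain flat files, and that it is run as root so the chown to 'tns' succeeds; the sanity checks and the idempotent edit of vpolicy.txt are what the manual steps leave out.

```shell
#!/bin/sh
# Added example: performs the Security Center 3 install steps for the SANS 2007
# report and scan policies. Assumption: vpolicy.txt is one policy id per line,
# terminated by a line reading "***END".
set -eu

# Insert a policy id on the line before ***END, once; refuse files without the marker.
# Usage: add_vpolicy_id <vpolicy.txt> <id>
add_vpolicy_id() {
    file=$1; id=$2
    grep -qx "$id" "$file" && return 0          # already listed: nothing to do
    grep -q '^\*\*\*END' "$file" || return 1    # no designator: do not touch the file
    awk -v id="$id" '/^\*\*\*END/ { print id } { print }' "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Unpack one tarball, chown its files to the Security Center owner, move them into place.
# Usage: install_tarball <tarball> <owner> <destination dir>
install_tarball() {
    tarball=$1; owner=$2; dest=$3
    [ -f "$tarball" ] || return 1
    [ -d "$dest" ] || return 1
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work"
    find "$work" -type f | while read -r f; do
        chown "$owner" "$f"
        mv "$f" "$dest/"
    done
    rm -rf "$work"
}

# Usage: install_sans2007 <dir holding both tarballs> [sc3 admin dir] [owner]
install_sans2007() {
    src=$1; admin=${2:-/opt/sc3/admin}; owner=${3:-tns}
    install_tarball "$src/sans-2007-sc3-reportpolicy.tar.gz" "$owner" "$admin/report_templates"
    install_tarball "$src/sans-2007-sc3-scanpolicy.tar.gz" "$owner" "$admin/vpolicy"
    add_vpolicy_id "$admin/vpolicy/vpolicy.txt" 0033
}

# Run only when invoked with arguments, e.g.: ./install.sh /tmp/sans2007
if [ $# -ge 1 ]; then install_sans2007 "$@"; fi
```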
Once these files are installed, they are immediately available for use within the Security Center.
If you have existing data from Nessus scans or the Passive Vulnerability Scanner, you can create or schedule a SANS 2007 Top 20 report by choosing one of the new report templates. There are three new templates, which summarize vulnerabilities, summarize the affected network and assets, and provide full detail of the vulnerabilities in question.
Also, immediately from within the screens for browsing and analyzing vulnerability and configuration data, if the SANS 2007 policy is chosen, only the vulnerabilities relevant to that policy will be displayed.
To schedule a new scan for just SANS 2007 issues, Security Center users can choose the new policy and launch a scan. As with the NessusClient, if credentials are required to perform host-based audits, the SANS 2007 scan policy should be cloned and the credentials specified in the new policy. If a network asset with known credentials is scanned, the Security Center will automatically use those as well.
For More Information
Nessus is available to end users as a complimentary download. Tenable offers a variety of commercial and no-charge methods to update Nessus to check for recent vulnerabilities. For more information, please visit http://www.nessus.org.
The Security Center, Passive Vulnerability Scanner and the Log Correlation Engine are all commercial products offered by Tenable Network Security. For 500 servers, the Security Center costs less than most commercial vulnerability scanner licenses, yet has the power and functionality of leading SIM and vulnerability management solutions. For more information on these products, please read about them online or email our sales staff.