by Cody Dumont
November 3, 2017
Credentialed scans provide comprehensive results that can help to detect outdated software, vulnerabilities, and compliance issues. Without proper credentials, analysts will not be able to obtain accurate information to properly assess an organization's risk posture. This report delivers lists of assets that have been scanned with incorrect or insufficient credentials, allowing for a quick resolution to scanning issues. Tenable.io has several plugins that track authentication or authorization failure.
- Authentication Failure - Local Checks Not Run (21745)
- Microsoft Windows SMB Registry : Nessus Cannot Access the Windows Registry (26917)
- Microsoft Windows SMB Registry Not Fully Accessible Detection (10428)
- Nessus Scan Information (19506)
- Nessus Windows Scan Not Performed with Admin Privileges (24786)
These plugins work together to track different aspect of scan authentication and authorization failure. The Nessus Scan Information plugin records if the scan was completed with credentials or not. If the scan was used with credentials, then the username is also recorded. The Authentication Failure - Local Checks Not Run plugin records the protocol used for authentication and reports if authentication is unsuccessful. This plugin also provides information about how authentication occurs and what failed during the authentication attempt. Both of these plugins are used in this report to provide information on which host are not using the supplied credentials. The IT administrators and security operations teams need to investigate these issues and determine which credentials are needed for a successful scan.
For Windows computers, there are several other plugins that will trigger if the supplied credentials are valid to login, but not for privilege escalation. Administrative rights are required to parse the registry and run many of the local checks needed to successfully assess the asset. Tenable.io supplies much of the information needed to ensure that your scans are successful, and provides helpful information when a scan is not successful.
Cyber Exposure provides a disciplined approach to an operational security lifecycle, which aims to provide common visibility to Security and IT teams to identify and remediate security issues quickly and efficiently. As a foundational step in the lifecycle the Discover step identifies and maps every asset across any environment. To successfully identify each asset and assess the cyber risk, a credentialed scan is required. Once the organization is successfully scanning all identified assets, the CISO and other business units can establish a common dialog for properly calculating the Cyber Exposure Gap, and reducing cyber risk across the modern attack surface.
Chapters
Executive Summary: This chapter provides a high level view of the credentialed scan failures from Tenable.sc on SMB Credential issues, SSH Credential Issues, Scans without Credentials and Windows-specific credential issues.
Credentialed Scan Failures by Protocol: This chapter provides a summary of failures associated with credentials broken down by SMB and SSH protocol and associated issues. The first three data sets leverage Nessus plugin 21745: ‘Authentication Failure - Local Checks Not Run’ and the resulting output to provide a granular view into SMB credentialed scan failures. The filtered data provides a more specific view, allowing deeper insight into a SMB credential failure. The final data group uses output from Nessus plugin 21745: ‘Authentication Failure - Local Checks Not Run’ to deliver SSH credential failures. The results are specific to login failures with supplied credentials only.
Hosts Scanned Without Credentials: This chapter provides a list of hosts scanned without credentials. The scans may have been run without credentials intentionally, or the credentials may have failed.
Windows Specific Credential Issues: This chapter contains details the on events related to specific issues with Windows credentials. Many of the solutions to issues presented in this section are covered in the Tenable.io documentation.