Nessus Scanning Guidance

Vulnerability Scanning Guidance

Written by Caitlin Fox
Updated over a week ago

Within the S2Org assessment, there’s the option to ingest and process vulnerability scanning data from your network. The scan requirement can be disabled; however, you are highly encouraged to perform the scan to ensure the most accurate and complete S2Score.


About Tenable Vulnerability Scanners

Tenable was the first vulnerability scanning solution integrated into SecurityStudio, starting in 2010, and is still the preferred option for the S2Org assessment. Tenable has several products, but there are three that are most relevant to vulnerability scanning: Nessus, Tenable.io, and Tenable.sc. All three of these products use the Nessus scanning engine and produce the necessary data for ingestion into the S2 platform.

Nessus Professional

Nessus is the vulnerability scanning program as well as the engine used by other Tenable products. Nessus can be installed on a client system (workstation or server, physical or virtual) and run locally on a network or remotely through a virtual private network (VPN).

The primary advantage with Nessus is that it can be run against an unlimited number of IP addresses/hosts.

Tenable.io

Tenable.io uses Nessus from a cloud instance and comes with several additional data visualizations. Scans can be run and managed from the cloud and the vulnerability scanning results are essentially the same as a Nessus client installation.

The primary advantage with Tenable.io is convenience; however, it is much more expensive for active consultants or large organizations because pricing is based upon the number of IP addresses/hosts scanned.

Tenable.sc

The “sc” stands for “Security Center”. It’s essentially a centrally managed enterprise version of distributed Nessus with many additional features. Tenable.sc also uses the Nessus scanning engine and the vulnerability scanning results are the same.

PLEASE NOTE: Most organizations use Nessus Professional, and the Nessus scanning engine is common throughout the Tenable products; therefore, this guide will focus on Nessus Professional use and requirements.


Nessus Professional

Nessus can be downloaded from Tenable’s website at https://www.tenable.com/products/nessus. Purchase of the necessary license, usage instructions, and support can all be obtained from Tenable and are outside the scope of this article.

Once Nessus is successfully installed, a login page such as the one below will be presented.

After logging in, the My Scans dashboard will show next.

How scans are performed is a matter of preference and convenience.


Methods of Scanning

There are two common methods for scanning with Nessus Professional, both with several variations according to capabilities and preference.

Local Onsite

Local onsite scanning consists of Nessus running on a system that is local, on the network being scanned (or on a subnet that is physically connected).

These scans can be done in several ways, including from a Nessus installation running on a consultant’s laptop connected to a customer’s network, or from a Nessus installation on a customer system (physical or virtual) connected to the network. In the latter instance, it’s not uncommon for the customer to provide remote access into the customer system, allowing the consultant to scan the network locally while being at a remote location.

For larger networks, it may be more advantageous to use multiple Nessus scanning clients. When using multiple Nessus clients, it might make the most sense to break the network into smaller segments, feeding separate segments into separate Nessus scanners. A large network can be time consuming to scan with Nessus, so using multiple scanners will significantly improve time performance.

Over a VPN

Nessus can be used to scan remotely over a VPN, meaning the Nessus installation is on a computer in a remote location, there’s a VPN between locations, and the vulnerability scan is run from this remote location.

Vulnerability scanning over a VPN or from a remote location is a low performance method of scanning and should only be used with small networks/scans (Class C, 254 hosts or less).


Vulnerability Scan

First, determine how you will perform your vulnerability scan, whether on premise or remotely.

Check Scanner Status

After logging in to Nessus, the first thing to check is the status of the scanner. Do this by navigating to Settings.

There are (at least) two things to note in Settings > About > Overview. Check to make sure the version of Nessus is current (Version 8.13.1 as of the time of this writing), and that the Plugins are up to date. The date the Nessus Plugins were last updated is noted on this page:

Other items of note might include License Expiration, Policy Template Version, and Activation Code. These are important settings, but not necessarily specific or relevant for performing a correct and true vulnerability scan.

Plugins must be no older than 14 days (from the date of the vulnerability scan) for a validated S2Score, meaning the Last Updated status must show a date within 14 days of the time the scan is run.

Other Nessus settings can be updated according to preference, but the only settings required for a validated S2Score are a current Nessus version and current Plugins. If there’s interest in tweaking Nessus’ other settings, mostly for performance gains, please review Tenable’s documentation and/or support information available online.

Policies

Once the status of Nessus has been validated, navigate to Policies, then Scan Templates.

There are more than 20 scan policy templates provided with the default installation of Nessus. For information about each of the scan policies, please visit Tenable’s website (https://tenable.com).

A Nessus Policy controls how the Nessus scanner will operate and what it will scan for on systems. There are three scan policy options for conducting a vulnerability scan that will produce a validated S2Score, the Basic Network Scan, the S2_Default_Phase3Internal Scan, and a custom scan configured by you from the built-in Nessus Advanced Scan policy. The custom-built policy option, if chosen, must be configured according to SecurityStudio’s requirements (see Minimum Scan Policy Requirements).

  • Basic Network: The default Nessus scan policy provided with the default installation of Nessus

  • S2_Default_Phase3Internal: A pre-configured policy provided by SecurityStudio (preferred)

The preferred scan policy for a validated S2Score is the S2_Default_Phase3Internal Scan policy provided by SecurityStudio.

Using the Basic Network Scan Policy

The Basic Network Scan policy is sufficient to meet the requirements for a validated S2Score. To use the Basic Network Scan policy:

  1. Log in to Nessus

  2. Click the Policies link in the left-hand menu

  3. From the Policies screen, click New Policy in the upper left portion of the page

    This brings up the Policy Templates page where all the default Nessus policy templates are accessible.

  4. Choose the Basic Network Scan template by clicking on the appropriately named tile

    This opens the New Policy / Basic Network Scan window.

  5. Give the new policy a name of your choosing

  6. Nessus must be configured to authenticate with scanned systems (whenever possible). Click the Credentials tab. REQUIRED STEP

    PLEASE NOTE: Authenticated vulnerability scans are important because they allow the entire system to be scanned, including applications, registry settings, etc.

  7. Enter SSH authentication after clicking the SSH link.
    PLEASE NOTE: SSH authentication is a REQUIRED STEP if more than 20% of systems/hosts are non-Windows systems; otherwise Windows authentication only is sufficient.

  8. Enter Windows authentication information after clicking the Windows link.

    PLEASE NOTE: Windows authentication is a REQUIRED STEP if there are “critical” Windows systems in the environment and/or whenever 20% or more of systems/hosts are Windows. Use your professional discretion if necessary and err on the side of authenticating rather than not.

    1. Make sure Never send credentials in the clear is checked

    2. Make sure Do not use NTLMv1 authentication is checked

    3. Check the Start the Remote Registry service during the scan option (unchecked by default)

    4. Make sure Enable administrative shares during the scan is unchecked

    5. Make sure Start the Server service during the scan is unchecked

  9. Click Save. This will take you back to the Policies screen, and your new scan policy should be displayed

That’s it. You are ready to begin your vulnerability scan. Please proceed to the Start Scan section of this document.

Using the S2_Default_Phase3Internal Scan Policy

The S2_Default_Phase3Internal scan policy is a Nessus scan policy that has been customized by SecurityStudio for use by customers and consultants to produce optimal S2Scores. Using this scan policy is the safest way to ensure that you’re using the correct scan settings for the most accurate and validatable S2Score.

The scan policy can be downloaded here:

To use the S2_Default_Phase3Internal scan policy:

  1. Log in to Nessus

  2. Click the Policies link in the left-hand menu

  3. From the Policies screen/window, click the Import button in the top left corner

  4. Navigate to the policy file downloaded/provided by SecurityStudio and click the Open button

    The scan policy will show up in the Policies screen

  5. Click the newly imported policy to configure authentication. Nessus must be configured to authenticate with scanned systems (whenever possible)

  6. Click the Credentials tab. REQUIRED STEP

    PLEASE NOTE: Authenticated vulnerability scans are important because they allow the entire system to be scanned, including applications, registry settings, etc.

  7. Enter SSH authentication after clicking the SSH link
    PLEASE NOTE: SSH authentication is a REQUIRED STEP if more than 20% of systems/hosts are non-Windows systems; otherwise Windows authentication only is sufficient.

  8. Enter Windows authentication information after clicking the Windows link

    PLEASE NOTE: Windows authentication is a REQUIRED STEP if there are “critical” Windows systems in the environment and/or whenever 20% or more of systems/hosts are Windows. Use your professional discretion if necessary and err on the side of authenticating rather than not.

    1. Make sure Never send credentials in the clear is checked

    2. Make sure Do not use NTLMv1 authentication is checked

    3. Check the Start the Remote Registry service during the scan option (unchecked by default)

    4. Make sure Enable administrative shares during the scan is unchecked

    5. Make sure Start the Server service during the scan is unchecked

  9. Click Save. This will take you back to the Policies screen, and your new scan policy should be displayed

  10. Change the policy name to fit with your preference/naming convention if you would like. This has no impact to the scan policy configuration.

That’s it. You are ready to begin your vulnerability scan. Please proceed to the Start Scan section of this document.

Minimum Scan Policy Requirements

If you wish to configure your scan policy from scratch using the Advanced Scan template, these requirements must be met for the resulting scan to qualify for an official and/or validated S2Score:

  • Required: Name (choose your own name that makes sense)

  • Guidance: Description (enter whatever text you’d like in the description of your policy)

  • Required: Discovery > Host Discovery > Remote Host Ping (On)

  • Guidance: Discovery > Host Discovery > General Settings:

    • Test the local Nessus host (disabled)

    • Use fast network discovery (disabled)

  • Required: Discovery > Host Discovery > Ping Methods:

    • ARP (enabled)

    • TCP (enabled with “built-in” or more ports, assuming the ping_host4.inc file has not been manually altered).

    • ICMP (with Assume ICMP unreachable from the gateway means the host is down unchecked).

  • Guidance: Discovery > Host Discovery > Fragile Devices:

    • Scan Network Printers (disabled)

    • Scan Novell Netware hosts (disabled)

    • Scan Operational Technology devices (disabled)

  • Guidance: Discovery > Host Discovery > Wake-on-LAN:

    • List of MAC addresses (not configured)

    • Boot time wait (in minutes) (empty or default “5”)

  • Required: Discovery > Port Scanning > Ports:

    • Consider unscanned ports as closed (disabled)

    • Port scan range: default or more

  • Required: Discovery > Port Scanning > Local Port Enumerators:

    • SSH (enabled)

    • WMI (enabled)

    • SNMP (enabled)

    • Only run network port scanners if local port enumeration failed (enabled)

    • Verify open TCP ports found by local port enumerators (disabled)

  • Required: Discovery > Network Port Scanners:

    • SYN (enabled)

    • UDP (disabled)

  • Guidance: Discovery > Network Port Scanners > SYN > Override automatic firewall detection (disabled)

  • Required: Discovery > Service Discovery > General Settings:

    • Probe all ports to find services (enabled)

    • Search for SSL/TLS/DTLS services (ON):

      • Search for SSL/TLS on (Known SSL/TLS ports)

      • Search for DTLS on (None)

      • Identify certificates expiring within x days (60)

      • Enumerate all SSL/TLS ciphers (enabled)

  • Guidance: Discovery > Service Discovery > General Settings > Search for SSL/TLS/DTLS > Enable CRL checking (connect to the Internet) (disabled)

  • Required: Assessment > General > Accuracy > Override normal accuracy (disabled)

  • Guidance: Assessment > General > Accuracy > Perform thorough tests (may disrupt your network or impact scan speed) (disabled)

  • Required: Assessment > General > Antivirus > Antivirus definition grace period (in days) (0)

  • Guidance: Assessment > General > SMTP:

    • Third party domain (blank or default “example.com”)

    • From address (blank or default “nobody@example.com”)

    • To address (blank or default “postmaster@[AUTO_REPLACED_IP]”)

  • Guidance: Assessment > Brute Force:

    • General Settings > Only use credentials provided by the user (enabled)

    • Oracle Database > Test default accounts (slow)(disabled)

  • Guidance: Assessment > SCADA

    • Modbus/TCP Coil Access:

      • Start at register (0)

      • End at register (16)

    • ICCP/COTP TSAP Addressing Weakness

      • Start COTP TSAP (8)

      • Stop COTP TSAP (8)

  • Guidance: Assessment > Web Application Settings (OFF)

  • Required: Assessment > Windows:

    • General Settings > Request information about the SMB Domain (enabled)

    • User Enumeration Methods:

      • SAM Registry (enabled)

      • ADSI Query (enabled)

      • WMI Query (enabled)

  • Guidance: Assessment > Windows > User Enumeration Methods > RID Brute Forcing (OFF)

  • Guidance: Assessment > Malware > Malware Settings > Scan for malware (OFF)

  • Guidance: Assessment > Databases > Oracle Database > Use detected SIDs (disabled)

  • Required: Report:

    • Processing:

      • Override normal verbosity (disabled)

      • Show missing patches that have been superseded (enabled)

      • Hide results from plugins initiated as a dependency (enabled)

    • Output:

      • Display hosts that respond to ping (disabled)

      • Display unreachable hosts (disabled)

  • Guidance: Report > Output:

    • Allow users to edit scan results (enabled)

    • Designate hosts by their DNS name (enabled)

    • Display Unicode characters (disabled)

  • Guidance: Advanced:

    • General Settings:

      • Enable safe checks (enabled)

      • Stop scanning hosts that become unresponsive during the scan (disabled)

      • Scan IP addresses in a random order (disabled)

      • Automatically accept detected SSH disclaimer prompts (disabled)

      • Scan targets with multiple domain names in parallel (disabled)

    • Performance Options:

      • Slow down the scan when network congestion is detected (disabled)

      • Network timeout (in seconds) (5)

      • Max simultaneous checks per host (5)

      • Max simultaneous hosts per scan (30)

      • Max number of concurrent TCP sessions per host (blank)

      • Max number of concurrent TCP sessions per scan (blank)

    • Unix find command Options:

      • Exclude Filepath (leave unconfigured)

      • Exclude Filesystem (leave unconfigured)

      • Include Filepath (leave unconfigured)

    • Debug Settings:

      • Log scan details (disabled)

      • Enable plugin debugging (disabled)

      • Audit Trail Verbosity (“Default”)

      • Include the KB (“Default”)

      • Enumerate launched plugins (disabled)

  • Required: Credentials (configure SSH and Windows authentication as described in the Credentials steps, steps 6 through 8, of “Using the S2_Default_Phase3Internal Scan Policy”).

  • Required: Plugins. By default, all Nessus plugins are enabled. Nessus will only run the plugins that are relevant to each detected host, and no changes should be made to this section of the policy.


Start Scan

Scans are configured and managed in the My Scans window.

  1. Click the New Scan button in the top right

  2. The Scan Templates window appears. Choose the User Defined tab

  3. All user defined scan policy templates are displayed (in this example, the only user defined scan policy is the S2_Default_Phase3Internal policy)

  4. Click the proper scan policy, in this case the S2_Default_Phase3Internal policy

  5. The New Scan / S2_Default_Phase3Internal window appears

    This is where scan targets are entered, either by typing them into the Targets field manually or by uploading a file using the Add File link.

    1. Entering targets manually – Individual IP addresses, ranges of IP addresses, networks in CIDR notation, and/or domain names can be entered. Separate entries with commas (comma notation) or by entering each on a new line

    2. Uploading a targets file – A text file can be uploaded into Nessus containing the hosts/IP addresses to be scanned. The formatting of the text file is the same as it is for entering targets manually
      PLEASE NOTE: Pay special attention to the scope of the scan and ensure it incorporates all IP addresses/hosts that correspond with the scope of the S2Org assessment. If the S2Org assessment scope is the entire organization, the scope of the vulnerability scan should also be the entire organization, meaning all IP addresses/hosts used by the organization on all networks.

  6. If you prefer to watch the scan results as they are gathered, click the Live Results checkbox GUIDANCE

  7. Change the name of the scan from S2_Default_Phase3Internal or the name of your scan policy to something descriptive for this scan

  8. Click Save to be taken back to the My Scans screen, where you can start the scan

Scans can be scheduled by using the Schedule option. Clicking “Save” after using the schedule function will schedule the scan to start when you configured it to.

Click the Save button at the bottom of the screen.

CAUTION: Use care in scheduling a scan when you’re not present.

Once you are ready to begin your scan, click the play button (unless scheduled).

The scan will begin. To check the status of the scan, click the scan. If things are working correctly, you should see the green circular icon next to the word Running. If the scan is not running correctly, please refer to Tenable’s support documentation online.

If you chose to view Live Results, you will see the vulnerability scanning results as they are collected. Continue to let the vulnerability scan run until it is complete or stopped.


Stop Scan

There are times when a vulnerability scan will need to be stopped. The most common reasons for stopping a scan are because it was configured incorrectly or because the scan is causing issues with the network (or systems on the network).

To stop a running vulnerability scan:

  1. Log in to Nessus

  2. Click the My Scans link to open access to configured, running, and completed vulnerability scans

  3. Find the Stop button that corresponds with the scan you wish to stop and click it

This will force the vulnerability scan to stop.

PLEASE NOTE: A stopped vulnerability scan is complete, meaning it cannot be restarted from where it ended. A stopped vulnerability scan must be restarted from the beginning.


Pause a Scan

Occasionally, it becomes necessary to pause a vulnerability scan. Pausing a scan makes Nessus save the current state of the scan and halt it. When the scan is resumed, it continues from where it left off instead of starting from scratch (as it would after “stopping” a scan).

To pause a scan:

  1. Log in to Nessus

  2. Click the My Scans link to open access to configured, running, and completed vulnerability scans

  3. Find the Pause button that corresponds with the scan you wish to pause and click it

The scan can easily be restarted by clicking the Play button associated with the scan (just as it was when starting the scan manually).

Once a scan is complete, it will display as “Completed” within Nessus.

After the scan is completed, it can be checked for completeness before exporting for SecurityStudio processing/scoring.


Export Results

Once a vulnerability scan has been completed, it may be exported out of Nessus for further processing. Before exporting the results, it’s a good idea to check two things:

  1. Did the vulnerability scan account for the number of systems expected?

  2. Did the vulnerability scan appropriately authenticate with most (if not all) systems?

Exporting results out of Nessus that don’t adequately meet these criteria will result in incomplete vulnerability scanning and an inaccurate S2Score.

Scope – Number of Systems

Scans can be checked for completeness manually by clicking the scan itself from the My Scans window. The number of hosts displayed should correspond with the number of hosts that were expected.

If there are discrepancies, work with knowledgeable personnel and Tenable support to troubleshoot the issue. Troubleshoot and reconcile this issue before exporting for use in SecurityStudio. Failure to do so will reflect poor quality results.

Appropriate Authentication

Click the Vulnerabilities tab. Check how successfully authentication was performed during the vulnerability scan by looking for the number of hosts reporting the failed-authentication plugins. The two most important plugins to look for are:

  • 21745 - Authentication Failure - Local Checks Not Run

  • 24786 - Nessus Windows Scan Not Performed with Admin Privileges

To search for these plugin messages:

  1. Click the Filter link

    This will open the Filters dialog box.

  2. Choose Plugin ID from the left-most drop down

  3. Ensure that “is equal to” is displayed in the middle drop down

  4. Type 21745 in the right-most dialog box

  5. Click Apply

  6. The ideal result is No records found; however, this is unusual in larger networks. There is almost always a certain percentage of systems that were not authenticated against. If these systems exceed 10-15% of the scan population, additional authentication may be required

  7. Repeat Steps 4-6 for Plugin ID 24786

    IMPORTANT: Clear all filters before exporting the results of the scan. This can easily be done by clicking the Clear Filters link on the Filters dialog box.
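As an added example, not part of this guide or of Tenable’s software, the Python script below runs the two pre-export checks described above (expected host count and authentication coverage via plugins 21745 and 24786), plus the 14-day plugin currency rule from Check Scanner Status, directly against a saved .nessus export rather than through the Nessus UI. It counts ReportHost entries against the expected number of hosts, lists hosts carrying plugin 21745 or 24786 and flags the scan when they exceed 15% of hosts, and compares each host’s HOST_START time with the plugin feed version reported by plugin 19506 (Nessus Scan Information). It assumes the .nessus v2 layout (ReportHost, HostProperties tags, ReportItem pluginID attributes) and that the feed version is a YYYYMMDDHHMM stamp; the embedded four-host export is constructed for illustration.

```python
"""Pre-upload QA for a Nessus (.nessus v2 XML) export.

Added example (not SecurityStudio's or Tenable's code): checks expected host
count, authentication coverage (plugins 21745 / 24786) and plugin freshness
(14 days) from the export itself.  The embedded export is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

AUTH_FAILURE_PLUGINS = {
    "21745": "Authentication Failure - Local Checks Not Run",
    "24786": "Nessus Windows Scan Not Performed with Admin Privileges",
}
SCAN_INFO_PLUGIN = "19506"   # "Nessus Scan Information": its output states the plugin feed version
MAX_PLUGIN_AGE_DAYS = 14     # plugin currency requirement for a validated S2Score
MAX_UNAUTH_RATIO = 0.15      # upper end of the 10-15% band this guide allows

# Assumption: the feed version in plugin 19506 output is a YYYYMMDDHHMM stamp.
FEED_RE = re.compile(r"Plugin feed version\s*:\s*(\d{12})")


def _host_start(host):
    """HOST_START tag as a datetime (ctime-style text such as 'Mon Apr 12 10:00:00 2021')."""
    tag = host.find("./HostProperties/tag[@name='HOST_START']")
    if tag is None or not tag.text:
        return None
    return datetime.strptime(tag.text.strip(), "%a %b %d %H:%M:%S %Y")


def _feed_date(plugin_output):
    """Plugin feed version from plugin 19506 output, or None if absent."""
    m = FEED_RE.search(plugin_output or "")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M") if m else None


def check_export(xml_text, expected_hosts):
    """Return a QA summary for one export; 'ok' is True when nothing blocks upload."""
    root = ET.fromstring(xml_text)
    hosts = root.findall("./Report/ReportHost")
    unauthenticated, stale = {}, []
    for host in hosts:
        name = host.get("name")
        for item in host.findall("ReportItem"):
            pid = item.get("pluginID")
            if pid in AUTH_FAILURE_PLUGINS:
                unauthenticated.setdefault(name, []).append(pid)
            elif pid == SCAN_INFO_PLUGIN:
                feed, start = _feed_date(item.findtext("plugin_output")), _host_start(host)
                if feed and start and (start - feed).days > MAX_PLUGIN_AGE_DAYS:
                    stale.append(name)
    total = len(hosts)
    ratio = len(unauthenticated) / total if total else 0.0
    findings = []
    if total != expected_hosts:
        findings.append(f"host count {total} differs from expected {expected_hosts}; reconcile scope first")
    if ratio > MAX_UNAUTH_RATIO:
        findings.append(f"{ratio:.0%} of hosts report an authentication failure plugin; more credentials may be needed")
    if stale:
        findings.append(f"plugin feed older than {MAX_PLUGIN_AGE_DAYS} days for: {', '.join(sorted(stale))}")
    return {"hosts": total, "expected": expected_hosts,
            "unauthenticated": sorted(unauthenticated), "unauth_ratio": ratio,
            "stale_plugins": sorted(stale), "findings": findings, "ok": not findings}


def _sample_host(ip, feed_version, failed_plugin=None):
    """Build one constructed ReportHost element for the sample export."""
    items = (f'<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" '
             f'pluginID="{SCAN_INFO_PLUGIN}" pluginName="Nessus Scan Information" pluginFamily="Settings">'
             f'<plugin_output>Plugin feed version : {feed_version}</plugin_output></ReportItem>')
    if failed_plugin:
        items += (f'<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" '
                  f'pluginID="{failed_plugin}" pluginName="{AUTH_FAILURE_PLUGINS[failed_plugin]}" '
                  f'pluginFamily="Settings"><plugin_output>constructed</plugin_output></ReportItem>')
    return (f'<ReportHost name="{ip}"><HostProperties>'
            f'<tag name="HOST_START">Mon Apr 12 10:00:00 2021</tag>'
            f'<tag name="host-ip">{ip}</tag></HostProperties>{items}</ReportHost>')


# Constructed sample: four hosts scanned 12 Apr 2021; .12 failed authentication and
# .13 was scanned with a plugin feed from 1 Mar 2021 (42 days old).
SAMPLE_EXPORT = ('<NessusClientData_v2><Report name="S2_internal_seg1">'
                 + _sample_host("192.168.1.10", "202104110800")
                 + _sample_host("192.168.1.11", "202104110800")
                 + _sample_host("192.168.1.12", "202104110800", failed_plugin="21745")
                 + _sample_host("192.168.1.13", "202103010800")
                 + "</Report></NessusClientData_v2>")


if __name__ == "__main__":
    result = check_export(SAMPLE_EXPORT, expected_hosts=5)
    print("OK to upload" if result["ok"] else "Fix before upload:")
    for finding in result["findings"]:
        print(" -", finding)
```

The check reads the saved file, so an export made while a filter was still active would contain fewer ReportItems than the scan actually produced; run it on an export made after clearing the filters, and treat a host-count mismatch the same way as the manual check above: reconcile the scope before uploading.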

Export the Results from Nessus

Start with opening the scan you want to export.

  1. Click the Export dropdown in the top right

  2. Choose Nessus from the drop down and save the file to your computer

  3. If the scan exported successfully, you won’t get any error messages

Sometimes, it makes sense to scan large networks with thousands of systems in chunks. This is a good idea for many reasons, one of which is scan failure. If your vulnerability scan fails in the middle of a 5,000-system scan, you may need to start over from scratch. If you instead break the 5,000-system scan into ten 500-system scans and one of them fails, you only need to restart that one scan of 500 (or fewer) systems, rather than the single 5,000-system scan that may have been hours in.

In cases where a large scan has been broken into multiple smaller scans, export each of the scans the same way. SecurityStudio has the capability of ingesting multiple scans and combining them back into one. Save upload time by creating a ZIP file.
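As an added example (not SecurityStudio’s or Tenable’s own code), the Python script below ties together the Targets format from the Start Scan section and the chunking advice above: it reads a target list in the same comma- or newline-separated format the Targets field accepts (individual IPs, IP ranges, CIDR networks, domain names), counts the hosts the scan should cover, and splits the list into blocks of at most 500 targets, each of which can be saved as its own targets file for a separate scan. Assumptions are labelled in the comments: the short range form 10.0.0.5-7 is treated like 10.0.0.5-10.0.0.7, CIDR networks are counted without their network and broadcast addresses, and the sample target list and chunk size are constructed for illustration.

```python
"""Expand a Nessus-style target list and split it into smaller scans.

Added example (not SecurityStudio's or Tenable's code): parses the same
comma- or newline-separated target format the Nessus Targets field accepts
and chunks it for separate scans.  Sample input and chunk size are constructed.
"""
import ipaddress
import re

# Long range form: 10.0.0.1-10.0.0.3 (both ends are full addresses).
LONG_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
# Assumption: a short range form such as 10.0.0.5-7 means 10.0.0.5 through 10.0.0.7.
SHORT_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3})$")


def _ip_range(start, end):
    """All addresses from start to end inclusive, as strings."""
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(ipaddress.ip_address(int(start) + i))
            for i in range(int(end) - int(start) + 1)]


def _expand_entry(entry):
    """Expand one target entry into the individual targets it denotes."""
    entry = entry.strip()
    if not entry:
        return []
    if "/" in entry:
        # CIDR notation.  Assumption: count usable hosts only, so a /24 is 254
        # hosts, matching the "Class C, 254 hosts" figure used in this guide.
        net = ipaddress.ip_network(entry, strict=False)
        return [str(ip) for ip in net.hosts()]
    m = LONG_RANGE_RE.match(entry)
    if m:
        return _ip_range(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    m = SHORT_RANGE_RE.match(entry)
    if m:
        prefix = m.group(1).rsplit(".", 1)[0]
        return _ip_range(ipaddress.ip_address(m.group(1)),
                         ipaddress.ip_address(f"{prefix}.{m.group(2)}"))
    try:
        return [str(ipaddress.ip_address(entry))]
    except ValueError:
        return [entry]  # a hostname or domain name counts as one target


def parse_targets(text):
    """Expand a Targets-field string (comma or newline separated) into a
    de-duplicated, order-preserving list of individual targets."""
    targets = []
    for entry in re.split(r"[,\n]", text):
        targets.extend(_expand_entry(entry))
    return list(dict.fromkeys(targets))


def chunk_targets(targets, size=500):
    """Split the expanded target list into newline-separated blocks of at most
    `size` targets, each suitable to paste or upload as one scan's targets."""
    if size < 1:
        raise ValueError("chunk size must be positive")
    return ["\n".join(targets[i:i + size]) for i in range(0, len(targets), size)]


if __name__ == "__main__":
    # Constructed sample target list, in the format the Targets field accepts.
    sample = "192.168.1.0/30, 10.0.0.1-10.0.0.3\nweb01.example.com, 10.0.0.5-7"
    expanded = parse_targets(sample)
    print(f"{len(expanded)} targets expected in scope")
    for n, chunk in enumerate(chunk_targets(expanded, size=4), start=1):
        print(f"--- scan chunk {n} ({chunk.count(chr(10)) + 1} targets) ---")
        print(chunk)
```

The host count from parse_targets is the “number of systems expected” that the Export Results section asks you to compare against the host count Nessus reports; keeping each chunk under the 254-host figure given for VPN scanning is also a simple way to size remote scans.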


Upload to S2Org

Uploading vulnerability scans is simple with SecurityStudio. First, log in to SecurityStudio and find the organization’s assessment corresponding to your vulnerability scan.

  1. Navigate to S2Org > Assessment > Current

  2. Click the Assessment tab and scroll down to Phase 3 - Internal Technical Controls

  3. Click the Internal Scan Data button

  4. Click the Add button

  5. Locate the file(s) exported from your Nessus vulnerability scan and click the Open button. The file(s) will upload, and a % complete indicator will display

  6. Once the file(s) upload is complete, the status will change to Processing

  7. Once the scan has completed processing in SecurityStudio, the status will change to Processed and you can review the results

  8. Click Mark As Complete and the results of SecurityStudio’s processing will be displayed

  9. Click the Close button

PLEASE NOTE: If you need to edit the scan file processing, you can do so by clicking the Edit button. This will enable you to add more scan files, download the existing scan file, or delete the scan file altogether (if the wrong scan file was used or the scan needs to be replaced for some reason).


Changes to Scan Files

In general, changes to scan files are strongly discouraged and may result in the invalidation of an S2Score; however, there are times when a change is warranted (before processing). The most common reason is to remove a vulnerability that isn’t entirely applicable to the organization. One such example is the removal of vulnerabilities associated with self-signed certificates:

These three plugins are often found associated with each other in scan results. Although these vulnerabilities are relatively easy to fix, if you’ve determined that the hosts associated with these vulnerabilities are 1) internal use only and 2) adequately segregated/isolated from public networks, you may choose to remove these from the scan results.

If you are unsure whether to remove certain vulnerabilities, please contact SecurityStudio. If vulnerabilities are removed without justification, it may invalidate an organization’s S2Score.

To remove a vulnerability from a scan, you must do so within Nessus before export.

  1. Within Nessus, locate the scan results you wish to modify

  2. Determine if you want to remove the vulnerability globally or from a specific host:

    1. If globally, click the Vulnerabilities tab and locate the vulnerability you wish to change

      1. Click the checkbox next to the vulnerability, then click Modify

      2. In the Modify Vulnerabilities dialog box, choose the appropriate action to apply. Choose whether to apply this change to all future scans or just this one

        CAUTION: SecurityStudio strongly advises against vulnerability modification for all scans

      3. Your options include changing the severity of the vulnerability or hiding the result. Choosing to hide the result will remove the vulnerability in all places within the scan and exempt the vulnerability from processing by SecurityStudio

      4. Click the Save button

      5. Once the appropriate actions are taken, export the vulnerability scan normally

    2. If locally, meaning only related to one system, click the Hosts tab from the vulnerability scan results

      1. Locate the system you wish to modify

      2. Choose the vulnerability you wish to modify by clicking the correct corresponding checkbox, then click Modify

      3. Make the necessary adjustment using the Modify Vulnerability dialog box

      4. Click the Save button

      5. Export the vulnerability scan as normal and upload into SecurityStudio for processing

Again, please make sure you use the vulnerability modification ability sparingly.
