As our networks, systems, devices, and apps proliferate, the potential attack surfaces available for malicious threat actors are also growing.
Vulnerability scanning is an essential tool in any organization's cybersecurity plan. The Nessus Scanner is one of the most popular tools for comprehensive vuln scans and is used extensively by pen testers, cybersecurity consultants and IT teams across industries.
However, getting the most out of the technology requires expertise and experience with report analysis and integration with other cybersecurity strategies. It's also essential for testers to follow the recommended best practices to avoid errors and missteps during the scans.
In this article, we review some known common issues in using the Nessus Scanner and best practices to follow to maximize vuln scan efficiency. Finally, we discuss RedLegg's vulnerability scanning and managed security services offerings for organizations that want to strengthen their cybersecurity and fortify their defenses against bad actors.
Understanding Nessus Scanner: Features and Usage
Nessus is a powerful tool to diagnose weak points in your organization's networks, systems and apps. It highlights any misconfigurations of the network or systems that may lead to potential security gaps. For this, the Nessus Vulnerability Scanner relies on a vast database of vulnerability scan templates and security plugins.
Let's delve into some more details on how to use the Nessus Scanner.
Configuring Nessus
You can configure its settings and define the IP ranges, systems, and assets that have to be scanned. Nessus can also use algorithms to prioritize vulnerabilities by severity, allowing administrators to address the most urgent or significant threats first and take remediation steps immediately to prevent attacks.
How Nessus scans are run
Once Nessus gathers data after a scan, the data is exported and organized into a tailored database. RedLegg's expert testers study it to assess the network and its vulnerabilities and strategize intrusion tactics.
A list of target systems is prepared, and the administrator can then configure and initiate scans through the Nessus web application. A command line interface is integrated into the software for more advanced adjustments.
While the Nessus Scanner (also known as the Nessus Security Scanner) has over 450 different templates for various types of vuln scans, at RedLegg we use the Advanced Network Scan as a template for all our scans. It allows testers to customize and configure the scan through an easy-to-use web GUI and control various aspects of the scan, including plugins and modules used, port listings, and CRL checking, to name a few.
Common Issues with Nessus Scanner
While the Nessus Scanner is a proven and popular tool for vulnerability scanning, there are some commonly encountered issues that we have discovered due to our extensive experience with testing for a variety of targeted environments.
Here are some such key issues:
Optimizing Nessus Scanner for Ports
We have seen Nessus report every port as open, usually when scanning a target list for a web application. These results can be caused by a firewall or content delivery network (CDN) accepting connections on all ports and then forwarding that traffic based on access control rules. When scanning an external target list, the issue is usually caused by a CDN or another web-based target. When scanning an internal target set, this issue can arise from scanning a VMware-based client.
REDLEGG'S PRO TIP: Configure the Nessus appliance properly by turning off "Ping the Remote Host." Disabling this function prevents Nessus from sending ICMP packets through the firewall. When ICMP is passed through a firewall, the firewall returns an "ICMP Unreachable" message, which Nessus records as a false positive, saturating the scan results with thousands of informational findings.
Managing the Nessus Scanner in Sensitive Networks
Sensitive networks can also prove to be troublesome during vulnerability scanning. While many issues do not progress beyond simple IP whitelisting and access control, some can cause network congestion.
REDLEGG'S PRO TIP: Network congestion can be managed through the Performance options. Options for rate limiting a scan are under Advanced > Performance Options. Adjust the “Max Concurrent Checks Per Host” if the target is a web application or service that may be under a heavy load. Adjusting this option will limit the number of plugins simultaneously scanning the host. Limiting the number of concurrent plugins scanning a target, as well as concurrent TCP sessions, can reduce the load on a production server or help obscure packets being sent to the host.
Overcoming Legacy Hardware Challenges with Nessus Scanner
Using Nessus to scan legacy hardware can cause problems. For example, legacy printers have been known to receive malformed packets from scanning software such as Nessus and nmap, which will spool the printer, making it print blank pages. Other sensitive devices include remote terminal units (RTUs) and programmable logic controllers (PLCs), which could cause malfunctions with industrial equipment.
REDLEGG'S PRO TIP: This issue can be addressed by keeping the default options set to 'Disabled'; this is usually enough to avoid sensitive equipment.
However, in some cases specific hosts need to be blacklisted. The Nessus web GUI has no option for blacklisting hosts, but a configuration file can be used instead.
If IP blacklisting is needed, create a nessusd.rules file to exclude hosts from the scan. The instructions for creating the nessusd.rules file can be found on the Tenable Community pages.
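To check that fragile devices such as printers, RTUs and PLCs really are out of scope before a scan is launched, it helps to evaluate the target list against the exclusion rules first. The script below is an added example, not RedLegg's tooling or Tenable's code: it assumes the accept/reject/default line syntax of nessusd.rules, assumes rules are matched in file order with the first match winning, and uses a constructed rules file and constructed IP addresses.

```python
import ipaddress

# Constructed sample nessusd.rules content (hypothetical addresses, not from a real scan).
# Comment lines start with '#'; each rule is "accept <ip|cidr>" or "reject <ip|cidr>",
# and "default accept|reject" covers everything that matches no rule.
SAMPLE_RULES = """
# legacy printer that spools blank pages when probed
reject 10.10.5.20
# OT segment holding RTUs and PLCs
reject 10.10.50.0/24
default accept
"""


def parse_rules(text):
    """Return ([(action, network), ...], default_action) from nessusd.rules text."""
    rules = []
    default = "accept"  # assumption: accept when the file sets no default
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "default" and len(parts) == 2 and parts[1] in ("accept", "reject"):
            default = parts[1]
        elif parts[0] in ("accept", "reject") and len(parts) == 2:
            rules.append((parts[0], ipaddress.ip_network(parts[1], strict=False)))
        else:
            raise ValueError(f"unrecognised rule line: {raw!r}")
    return rules, default


def is_allowed(ip, rules, default):
    """First matching rule decides (assumed ordering); otherwise the default applies."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr in net:
            return action == "accept"
    return default == "accept"


def effective_scope(targets, rules_text):
    """Split a target list into (will_be_scanned, excluded_by_rules)."""
    rules, default = parse_rules(rules_text)
    allowed, excluded = [], []
    for target in targets:
        (allowed if is_allowed(target, rules, default) else excluded).append(target)
    return allowed, excluded


if __name__ == "__main__":
    # Constructed target list: one PLC, one printer and three ordinary hosts.
    targets = ["10.10.1.15", "10.10.5.20", "10.10.50.7", "10.10.50.200", "10.10.9.3"]
    scanned, skipped = effective_scope(targets, SAMPLE_RULES)
    print("will be scanned:", scanned)
    print("excluded by nessusd.rules:", skipped)
```

Run it against the real target list and the rules file you intend to deploy; any RTU, PLC or printer address that lands in the "will be scanned" list means the rules file is missing an entry.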
Best Practices for Nessus Scanner Usage
Establish a process to execute a systematic vuln scan program, incorporating the best practices recommended for the Nessus Scanner and for vulnerability testing in general.
- Scan every device that touches your ecosystem. Failing to do so may leave security gaps in some assets and expose all interconnected apps and devices to risk.
- Scan frequently—because a large gap between scans leaves your systems open to new vulnerabilities that have cropped up in the ever-evolving threat landscape.
- Use credentialed scanning. A credentialed scan is a vuln scan in which the scanning tool is provided with valid credentials, such as usernames and passwords, to access the target systems or devices. Credentialed scans yield more accurate results as testers can gain authorized access to internal systems and information.
- Assign owners to critical assets. Articulate accountability for each device to a specific owner (try to pick someone who is affected if that device is compromised) and make the owner responsible for keeping that device patched and secured.
- Prioritize the patching process. Patch internet-facing devices for all discovered vulnerabilities, focusing first on assets with the highest risk levels.
- Document all scans and their results. Run each vulnerability scan according to a management-approved schedule. Provide detailed reports, ensuring that they are actionable for technology teams as well as insightful for non-technical business teams, top management or stakeholders.
- Establish and implement a remediation process based on the scan results and an in-depth study of the findings by experienced security teams or penetration testers. Categorize each vulnerability by its risk severity and the urgency to remediate, and estimate the required time for remediation.
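Two of the points above, the "every port reported as open" artifact described under Optimizing Nessus Scanner for Ports and the patch-prioritization practice (internet-facing assets first, highest risk first), can both be applied to a .nessus export before anyone starts triaging findings by hand. The script below is an added example, not RedLegg's or Tenable's code: it assumes the NessusClientData_v2 export layout (ReportHost elements containing ReportItem elements with port, protocol, severity and pluginFamily attributes), treats a host with 1000 or more distinct TCP ports reported by the "Port scanners" family as a probable firewall or CDN artifact (threshold is an assumption), and builds a constructed sample export with placeholder plugin IDs and hypothetical addresses.

```python
import xml.etree.ElementTree as ET

SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def build_sample_report():
    """Constructed .nessus export (not a real scan). Plugin IDs 9xxxxx are placeholders."""
    # Host A: a CDN-fronted web host where every port 1-1200 answers the SYN scan.
    items_a = "".join(
        f'<ReportItem port="{p}" protocol="tcp" severity="0" pluginID="11219" '
        f'pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>'
        for p in range(1, 1201)
    )
    # Host B: an internet-facing host with a high and a medium finding.
    items_b = (
        '<ReportItem port="443" protocol="tcp" severity="0" pluginID="11219" '
        'pluginName="Nessus SYN scanner" pluginFamily="Port scanners"/>'
        '<ReportItem port="443" protocol="tcp" severity="3" pluginID="900001" '
        'pluginName="Constructed high finding" pluginFamily="Web Servers"/>'
        '<ReportItem port="22" protocol="tcp" severity="2" pluginID="900002" '
        'pluginName="Constructed medium finding" pluginFamily="Misc."/>'
    )
    # Host C: an internal host with a single critical finding.
    items_c = (
        '<ReportItem port="445" protocol="tcp" severity="4" pluginID="900003" '
        'pluginName="Constructed critical finding" pluginFamily="Windows"/>'
    )
    return (
        '<?xml version="1.0"?><NessusClientData_v2><Report name="constructed">'
        f'<ReportHost name="203.0.113.10">{items_a}</ReportHost>'
        f'<ReportHost name="203.0.113.20">{items_b}</ReportHost>'
        f'<ReportHost name="10.10.1.5">{items_c}</ReportHost>'
        "</Report></NessusClientData_v2>"
    )


def parse_nessus(xml_text):
    """Map each ReportHost name to a list of its ReportItem records."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for rh in root.iter("ReportHost"):
        hosts[rh.get("name")] = [
            {
                "port": int(ri.get("port")),
                "protocol": ri.get("protocol"),
                "severity": int(ri.get("severity")),
                "plugin": ri.get("pluginName"),
                "family": ri.get("pluginFamily"),
            }
            for ri in rh.iter("ReportItem")
        ]
    return hosts


def suspicious_port_hosts(hosts, threshold=1000):
    """Hosts whose port-scanner results look like a firewall/CDN accepting every port."""
    flagged = []
    for name, items in hosts.items():
        ports = {i["port"] for i in items if i["family"] == "Port scanners" and i["protocol"] == "tcp"}
        if len(ports) >= threshold:
            flagged.append(name)
    return sorted(flagged)


def prioritized_findings(hosts, internet_facing, min_severity=2):
    """Order findings: internet-facing hosts first, then by severity, then host and port."""
    rows = []
    for name, items in hosts.items():
        for i in items:
            if i["severity"] >= min_severity:
                rows.append({"host": name, "external": name in internet_facing, **i})
    rows.sort(key=lambda r: (not r["external"], -r["severity"], r["host"], r["port"]))
    return rows


if __name__ == "__main__":
    hosts = parse_nessus(build_sample_report())
    print("hosts to re-check with 'Ping the Remote Host' disabled:", suspicious_port_hosts(hosts))
    for r in prioritized_findings(hosts, internet_facing={"203.0.113.10", "203.0.113.20"}):
        scope = "external" if r["external"] else "internal"
        print(f'{scope:8} {r["host"]:14} {r["port"]:>5}/{r["protocol"]} {SEVERITY[r["severity"]]:8} {r["plugin"]}')
```

To use it on a real export, replace the call to build_sample_report() with the contents of the .nessus file and supply your own set of internet-facing addresses; hosts it flags are candidates for a re-scan with the ping setting disabled rather than for a thousand informational tickets.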
RedLegg: Maximizing Nessus Scanner Effectiveness
The Nessus Scanner is one of the most widely used vulnerability scanning tools. It has more than 100,000 plugins, covering over 76,000 Common Vulnerabilities and Exposures (CVEs), with over 50 pre-configured templates for commonly used vulnerability scans.
It has numerous valuable features and benefits, such as a low false-positive rate, highly configurable reports, and configuration compliance.
It's vital to follow vuln scan best practices to leverage the features of the Nessus Scanner efficiently.
Once you implement these best practices in your organization, you start reaping the real value of this powerful testing and scanning tool to enhance your company's vulnerability management processes.
RedLegg offers you managed cybersecurity services and expertly handled vulnerability scanning services from a security team you can trust.
Connect with RedLegg's cybersecurity experts for a comprehensive, measurable, and proven vulnerability scanning process using the Nessus Scanner tool.