by Cesar Navas
November 6, 2019
Cyber Exposure requires data collected by the vulnerability scanner to be trusted and verifiable. Nessus provides several plugins that assist in understanding the scan status and provides a level of trust to risk managers. This report brings together all the plugins used to determine if an asset was successfully authenticated against during the vulnerability scan.
Authentication is connecting to a system and providing credentials in order to gain access to the system. Nessus scans systems by using different network protocols (SSH, SMB, HTTPS, SNMP, etc.) in order to gain access to the remote target asset. For example, logging in to a remote host via SSH using a username and password is a method of authentication. Each remote asset can authenticate using several protocols. Assets with more than one authenticatable protocol, for example Windows server running a SQL server, could report both authentication success and failure. Understanding this fact during analysis is key to understanding if the system was successfully scanned or not. While in many cases the successful authentication of an asset may seem binary, there are many examples of successfully scanning systems with authentication failures. The system administrator should review all the failures and determine the services that are enabled on the asset for a complete analysis.
Local checks are a feature in Nessus scans, which enable the scanner to perform security checks on the target asset. Different authentication protocols may allow for general checks to be performed locally, but when all possible checks are completed, Nessus does a more detailed local check. The Local Check always requires authentication and often requires elevated privileges. Local checks for major operating systems with security advisories numbering in the thousands are often grouped into their own plugin family, but local checks plugins also exist in other families such as Firewalls or Misc.
Enabling local checks is much more complex than authentication and occurs after successfully establishing authentication. In order to enable local checks, the following criteria must be satisfied:
- The target device or operating system must be identified
- Local checks must be available in Nessus plugins for the identified device or operating system
- The information needed to enable local checks for that particular device or operating system must be obtained from the remote host
- Except in particular circumstances, such as scanning localhost, remote authentication must first be successful before local checks can be enabled. However, the threshold for enabling local checks is higher than the threshold for successful authentication.
To ensure the scans report the most complete and accurate information, local checks are a required. Users can enable local checks but providing credentials with elevated privileges, or deploying Nessus Agent, and/or administrative access. . Without elevated access, the ability for Nessus to successfully identify risk on a system is diminished. The more access to a system Nessus has, the more complete the risk analysis is.
The report and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The report can be easily located in the Tenable.sc Feed under the category, Monitoring.
The report requirements are:
- Tenable.sc 5.12.0
- Nessus 8.7.2
This report provides the organization with a clear and simplified method to track and troubleshoot authentication related problems. By grouping authentication plugins into diagnostic context, the report allows administrators to apply focus to areas of concern. The data helps to facilitate the Fix and Measuring steps to the Cyber Exposure Lifecycle. Tenable.sc is the on-prem solution for understanding a comprehensive picture of the network, while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.