SlideShare a Scribd company logo
Enterprise
Vulnerability
Management
Alexander Leonov, Ekaterina Pukhareva,
Alex Smirnoff
1. A variety of Vulnerability Scanners
2. Experience in the use of Tenable SecurityCenter and Nessus
3. How to make an efficient vulnerability management?
4. Vulnerability Scanner as a valuable asset
5. Beyond scanners
Content
A variety of Vulnerability Scanners
•When the scan is finished, the results may already be outdated
•False positives
•Per-host licensing
Knowledge base
•How quickly vendor adds new vulnerability checks?
•No scanners will find all vulnerabilities of any software
•Some vulnerabilities may be found only with authorization or
correct service banner
•You will never know real limitations of the product
A variety of Vulnerability Scanners
Some problems
A variety of Vulnerability Scanners
Nessus vs. Openvas
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
OpenVAS vs. Nessus:
3787;25453;9579
A variety of Vulnerability Scanners
Nessus vs. Openvas
All CVEs: 80196
Nessus CVE links: 35032
OpenVAS CVE links: 29240
OpenVAS vs. Nessus:
3787;25453;9579
2673 OpenVAS plugins
6639 Nessus plugins
38207 OpenVAS plugins and
50896 Nessus plugins
All NASL plugins:
OpenVAS: 49747
Nessus: 81349
•“Old” vulnerabilities
•Vendor forgot to add links to CVE id
•Vulnerabilities in plugins (N: WordPress VideoWhisper)
•Don’t support “Local” software (N: openMairie)
•Stopped adding new vulnerabilities (N: vBulletin, O: Solaris)
Why?
In other words
•Vulnerability Scanner is a necessity
•Don't depend too much on them
•Scanner does not detect some vulnerability —
it’s YOUR problem not your VM vendor
•Choose VM solution you can control
•Have alternative sources of Vulnerability Data (vulners.com, vFeed)
Sometimes a free service detects better
•Linux OS vulnerability scan
•Immediate results
•Dramatically simple
https://vulners.com/#audit
Vulners Linux Audit GUI
•RedHat
•CentOS
•Fedora
•Oracle Linux
•Ubuntu
•Debian
Vulners Linux Audit GUI
Vulners Linux Audit API
curl -H "Accept: application/json" -H "Content-Type: application/json" -X
POST -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64",
"samba-common-4.2.3-11.el7_2.noarch",
"gnu-free-fonts-common-20120503-8.el7.noarch",
"libreport-centos-2.1.11-32.el7.centos.x86_64",
"libacl-2.2.51-12.el7.x86_64"],"version":"7"}'
https://vulners.com/api/v3/audit/audit
+ Agent Scanner
Experience in the use of Tenable SecurityCenter and Nessus
Architecture
Experience in the use of Tenable SecurityCenter and Nessus
Architecture
Experience in the use of Tenable
SecurityCenter and Nessus
Discovery
Finding a live host
Assessment
What assets?
Analysis
What to fix first?
Remediation
Fix the problem
• What time for fixing?
• Risks?
Scan:
• External and Internal
perimeters
Scan for specific assets:
• Workstations, Network
Servers
• What CVSS score?
• Fixing
• Accepting risks
Experience in the use of Tenable SecurityCenter and Nessus
Reporting and dashboards
Nessus .audit files (built-in or highly
customized plug-ins)
- Operation systems (SSH, password policy, local
accounts, audit, etc.)
- Databases (privileges, login expiration check,
etc.)
- Network devices (SSH, SNMP, service finger is
disable, etc.)
- Etc.
Experience in the use of Tenable SecurityCenter and Nessus
Compliance checks
Checking the PCI DSS requirements and others
Experience in the use of Tenable SecurityCenter and Nessus
Homemade Reporting
Graphs:
• MS Critical + Exploitable
• MS Critical
• MS Other
• Windows Software
Tables:
• Legend
• Top vulnerable hosts
• Top vulnerabilities
Experience in the use of Tenable SecurityCenter and Nessus
Homemade Ticketing
● Scanners updating by scripts
● New plugins
● Log-management and monitoring
● Harmless pentest
● FalsePositive
● Authentication Failure
Experience in the use of Tenable SecurityCenter and Nessus
Usage Problems
Nessus Agents
Vulnerability Scanner as a valuable asset
Dangerous audit file
Domain + two-factor
authentication
Role model in SecCenter
Monitoring of using nessus account
Vulnerability Scanner as a valuable asset
Monitoring
Restricting Nessus
permissions
Defaults:scanaccount !requiretty
Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo
[0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXA = ! /bin/sh -c echo nessus_su_`echo
[0-9]*[0-9]` ; *;*; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXB = ! /bin/sh -c echo nessus_su_`echo
[0-9]*;*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]`
Cmnd_Alias NESSUSXC = ! /bin/sh -c echo nessus_su_`echo
[0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*;*[0-9]`
scanaccount ALL = (root) NESSUSAA, NESSUSXA, NESSUSXB,
NESSUSXC
Not officially supported
May stop working anytime
More like security through obscurity rather
than efficient protection
What is still wrong
(from NopSec “2016 Outlook: Vulnerability Risk Management and Remediation Trends”)
Risk management?
Asset management?
Threat intelligence?
Detecting scanning gaps?
Do you really need expensive “state of the art” solution?
..and what’s beyond vulnerability scanning?
For pentesters
For splunk, big data and fancy tech HUBBLESTACK.IO
For the rest of us
There is an alternative
Import all you scans data to the database
..do anything you want!
Monitor changes, create scopes, custom reports, whatever
Avoid VM vendor lock-in
Simple as that
We do not have critical asset inventory!
Wait.. we do. It is called “monitoring”
Use zabbix data to create asset lists
Push back alerts to zabbix
Use case: asset management
Create exploit capabilities description (CVSS sucks!)
Add environment data (internal and external scans at least)
Add anything you want (threat intel)
No part is mandatory!
Use case: advanced risk management

More Related Content

What's hot

Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
Puppet
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
Puma Security, LLC
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
MohammadSaif904342
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
Xavier Kress
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform Training
Yevgeniy Brikman
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
James Wickett
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
Maxime ALAY-EDDINE
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
Birendra Negi ☁️
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
abhimanyubhogwan
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
Marco Morana
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
Prashanth BS
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
Puma Security, LLC
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Lance Peterman
 

What's hot (20)

Continuous Compliance and DevSecOps
Continuous Compliance and DevSecOpsContinuous Compliance and DevSecOps
Continuous Compliance and DevSecOps
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
DEVSECOPS.pptx
DEVSECOPS.pptxDEVSECOPS.pptx
DEVSECOPS.pptx
 
Les principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuellesLes principales failles de sécurité des applications Web actuelles
Les principales failles de sécurité des applications Web actuelles
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Comprehensive Terraform Training
Comprehensive Terraform TrainingComprehensive Terraform Training
Comprehensive Terraform Training
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
DevSecOps and the CI/CD Pipeline
 DevSecOps and the CI/CD Pipeline DevSecOps and the CI/CD Pipeline
DevSecOps and the CI/CD Pipeline
 
Introduction to Software Security and Best Practices
Introduction to Software Security and Best PracticesIntroduction to Software Security and Best Practices
Introduction to Software Security and Best Practices
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD Pipeline
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Identity and Access Management
Identity and Access ManagementIdentity and Access Management
Identity and Access Management
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 

Similar to Enterprise Vulnerability Management - ZeroNights16

Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
Michael Man
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
Nathen Harvey
 
20210906-Nessus-FundamentalInfoSec.ppsx
20210906-Nessus-FundamentalInfoSec.ppsx20210906-Nessus-FundamentalInfoSec.ppsx
20210906-Nessus-FundamentalInfoSec.ppsx
Suman Garai
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
Alexander Leonov
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore Meetup
Matt Ray
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
Ajit Dadresa
 
nessus
nessusnessus
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CD
Nebulaworks
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Sysdig
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
Amazon Web Services
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
The Nix project
The Nix projectThe Nix project
The Nix project
Sander van der Burg
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
Sysdig
 
Security workflow with ansible
Security  workflow with ansibleSecurity  workflow with ansible
Security workflow with ansible
devanshdubey7
 
資安控管實務技術
資安控管實務技術資安控管實務技術
資安控管實務技術
bv8af4
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
Jimmy Mesta
 
Superb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with SensuSuperb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with Sensu
Paul O'Connor
 

Similar to Enterprise Vulnerability Management - ZeroNights16 (20)

Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Testing Terraform
Testing TerraformTesting Terraform
Testing Terraform
 
20210906-Nessus-FundamentalInfoSec.ppsx
20210906-Nessus-FundamentalInfoSec.ppsx20210906-Nessus-FundamentalInfoSec.ppsx
20210906-Nessus-FundamentalInfoSec.ppsx
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.com
 
Automating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore MeetupAutomating Compliance with InSpec - Chef Singapore Meetup
Automating Compliance with InSpec - Chef Singapore Meetup
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
 
nessus
nessusnessus
nessus
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Embacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CDEmbacing service-level-objectives of your microservices in your Cl/CD
Embacing service-level-objectives of your microservices in your Cl/CD
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
(ARC402) Deployment Automation: From Developers' Keyboards to End Users' Scre...
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
The Nix project
The Nix projectThe Nix project
The Nix project
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
 
CI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in KubernetesCI / CD / CS - Continuous Security in Kubernetes
CI / CD / CS - Continuous Security in Kubernetes
 
Security workflow with ansible
Security  workflow with ansibleSecurity  workflow with ansible
Security workflow with ansible
 
資安控管實務技術
資安控管實務技術資安控管實務技術
資安控管實務技術
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations Center
 
Superb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with SensuSuperb Supervision of Short-lived Servers with Sensu
Superb Supervision of Short-lived Servers with Sensu
 

Recently uploaded

Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and MoreManyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
narinav14
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
campbellclarkson
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
Luigi Fugaro
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
OnePlan Solutions
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
widenerjobeyrl638
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
kalichargn70th171
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
aeeva
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
sjcobrien
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
Alina Yurenko
 

Recently uploaded (20)

Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and MoreManyata Tech Park Bangalore_ Infrastructure, Facilities and More
Manyata Tech Park Bangalore_ Infrastructure, Facilities and More
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
🏎️Tech Transformation: DevOps Insights from the Experts 👩‍💻
 
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
WMF 2024 - Unlocking the Future of Data Powering Next-Gen AI with Vector Data...
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...Transforming Product Development using OnePlan To Boost Efficiency and Innova...
Transforming Product Development using OnePlan To Boost Efficiency and Innova...
 
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
美洲杯赔率投注网【​网址​🎉3977·EE​🎉】
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
Malibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed RoundMalibou Pitch Deck For Its €3M Seed Round
Malibou Pitch Deck For Its €3M Seed Round
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 

Enterprise Vulnerability Management - ZeroNights16

  • 2. 1. A variety of Vulnerability Scanners 2. Experience in the use of Tenable SecurityCenter and Nessus 3. How to make an efficient vulnerability management? 4. Vulnerability Scanner as a valuable asset 5. Beyond scanners Content
  • 3. A variety of Vulnerability Scanners
  • 4. •When the scan is finished, the results may already be outdated •False positives •Per-host licensing Knowledge base •How quickly vendor adds new vulnerability checks? •No scanners will find all vulnerabilities of any software •Some vulnerabilities may be found only with authorization or correct service banner •You will never know real limitations of the product A variety of Vulnerability Scanners Some problems
  • 5. A variety of Vulnerability Scanners Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579
  • 6. A variety of Vulnerability Scanners Nessus vs. Openvas All CVEs: 80196 Nessus CVE links: 35032 OpenVAS CVE links: 29240 OpenVAS vs. Nessus: 3787;25453;9579 2673 OpenVAS plugins 6639 Nessus plugins 38207 OpenVAS plugins and 50896 Nessus plugins All NASL plugins: OpenVAS: 49747 Nessus: 81349
  • 7. •“Old” vulnerabilities •Vendor forgot to add links to CVE id •Vulnerabilities in plugins (N: WordPress VideoWhisper) •Don’t support “Local” software (N: openMairie) •Stopped adding new vulnerabilities (N: vBulletin, O: Solaris) Why?
  • 8. In other words •Vulnerability Scanner is a necessity •Don't depend too much on them •Scanner does not detect some vulnerability — it’s YOUR problem not your VM vendor •Choose VM solution you can control •Have alternative sources of Vulnerability Data (vulners.com, vFeed)
  • 9. Sometimes a free service detects better
  • 10. •Linux OS vulnerability scan •Immediate results •Dramatically simple https://vulners.com/#audit Vulners Linux Audit GUI
  • 12. Vulners Linux Audit API curl -H "Accept: application/json" -H "Content-Type: application/json" -X POST -d '{"os":"centos","package":["pcre-8.32-15.el7.x86_64", "samba-common-4.2.3-11.el7_2.noarch", "gnu-free-fonts-common-20120503-8.el7.noarch", "libreport-centos-2.1.11-32.el7.centos.x86_64", "libacl-2.2.51-12.el7.x86_64"],"version":"7"}' https://vulners.com/api/v3/audit/audit + Agent Scanner
  • 13. Experience in the use of Tenable SecurityCenter and Nessus Architecture
  • 14. Experience in the use of Tenable SecurityCenter and Nessus Architecture
  • 15. Experience in the use of Tenable SecurityCenter and Nessus Discovery Finding a live host Assessment What assets? Analysis What to fix first? Remediation Fix the problem • What time for fixing? • Risks? Scan: • External and Internal perimeters Scan for specific assets: • Workstations, Network Servers • What CVSS score? • Fixing • Accepting risks
  • 16. Experience in the use of Tenable SecurityCenter and Nessus Reporting and dashboards
  • 17. Nessus .audit files (built-in or highly customized plug-ins) - Operation systems (SSH, password policy, local accounts, audit, etc.) - Databases (privileges, login expiration check, etc.) - Network devices (SSH, SNMP, service finger is disable, etc.) - Etc. Experience in the use of Tenable SecurityCenter and Nessus Compliance checks Checking the PCI DSS requirements and others
  • 18. Experience in the use of Tenable SecurityCenter and Nessus Homemade Reporting Graphs: • MS Critical + Exploitable • MS Critical • MS Other • Windows Software Tables: • Legend • Top vulnerable hosts • Top vulnerabilities
  • 19. Experience in the use of Tenable SecurityCenter and Nessus Homemade Ticketing
  • 20. ● Scanners updating by scripts ● New plugins ● Log-management and monitoring ● Harmless pentest ● FalsePositive ● Authentication Failure Experience in the use of Tenable SecurityCenter and Nessus Usage Problems
  • 22. Vulnerability Scanner as a valuable asset Dangerous audit file
  • 23. Domain + two-factor authentication Role model in SecCenter Monitoring of using nessus account Vulnerability Scanner as a valuable asset Monitoring
  • 24. Restricting Nessus permissions Defaults:scanaccount !requiretty Cmnd_Alias NESSUSAA = /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXA = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *;*; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXB = ! /bin/sh -c echo nessus_su_`echo [0-9]*;*[0-9]` ; *; echo nessus_su_`echo [0-9]*[0-9]` Cmnd_Alias NESSUSXC = ! /bin/sh -c echo nessus_su_`echo [0-9]*[0-9]` ; *; echo nessus_su_`echo [0-9]*;*[0-9]` scanaccount ALL = (root) NESSUSAA, NESSUSXA, NESSUSXB, NESSUSXC Not officially supported May stop working anytime More like security through obscurity rather than efficient protection
  • 25. What is still wrong (from NopSec “2016 Outlook: Vulnerability Risk Management and Remediation Trends”)
  • 26. Risk management? Asset management? Threat intelligence? Detecting scanning gaps? Do you really need expensive “state of the art” solution? ..and what’s beyond vulnerability scanning?
  • 27. For pentesters For splunk, big data and fancy tech HUBBLESTACK.IO For the rest of us There is an alternative
  • 28. Import all you scans data to the database ..do anything you want! Monitor changes, create scopes, custom reports, whatever Avoid VM vendor lock-in Simple as that
  • 29. We do not have critical asset inventory! Wait.. we do. It is called “monitoring” Use zabbix data to create asset lists Push back alerts to zabbix Use case: asset management
  • 30. Create exploit capabilities description (CVSS sucks!) Add environment data (internal and external scans at least) Add anything you want (threat intel) No part is mandatory! Use case: advanced risk management