6 posts categorized "PCI Compliance"

 

#9 Nessus Detects Misconfiguration (Video) - Top Ten Things You Didn't Know About Nessus

Next up on our Nessus top ten list is #9, which covers how to use Nessus configuration auditing to discover information about your system configurations. The following video presents use cases and examples, from PCI compliance to detecting viruses:

Please visit Tenable's YouTube channel for more Nessus and SecurityCenter videos!

 

Sony: Compliance Lessons Learned

The Now "Infamous" Sony Hack

It was reported late last month that attackers had penetrated Sony's PSN (PlayStation Network) platform. It has been rumored that reverse engineering of the PlayStation firmware, coupled with vulnerabilities in Linux servers and unencrypted data traversing the network, led to the information of over 77 million users being leaked, possibly including 2.2 million credit card numbers.


Sony may have lost so many credit card numbers that there is speculation the breach could devalue all stolen cards on the black market.

Continue reading "Sony: Compliance Lessons Learned " »

 

New Nessus Scan Policy Templates Added in the Plugin Feed

We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugins feed. This is the first time we've used "push" functionality to send down scan policy templates.


The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

  • External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (the CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy, and all 65,535 ports are scanned on each target.

Continue reading "New Nessus Scan Policy Templates Added in the Plugin Feed" »

 

SSL Certificate Authority Auditing with Nessus

Do you know where all of your organization’s SSL certificates are and whether they provide enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test whether they have expired and, with the advent of plugin #51192, test that they have been signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.

Continue reading "SSL Certificate Authority Auditing with Nessus" »

 

PCI-DSS Plugins For Nessus

Tenable’s Research Group has released three new beta plugins to all ProfessionalFeed and Security Center users that automate the process of preparing for a PCI-DSS audit. The three new plugins are:

  • PCI DSS compliance: tests requirements
  • PCI DSS compliance: passed
  • PCI DSS compliance

These plugins evaluate the results of your scan and the actual configuration of your scanner to determine if the target server could be PCI compliant. The plugins don’t perform actual scanning – they just look at the results from other plugins.

Tenable chose to audit and report on the actual scan configuration so that Nessus users can still perform basic scans and get actionable results. This helps them understand if they have some glaring vulnerabilities that need to be fixed without performing a full audit, which can include onerous tasks such as full UDP and TCP port scans.

Configuring a Scan

A system will only be reported as being seemingly PCI-DSS compliant if the scan itself was configured as PCI-DSS requires. PCI-DSS requires many different types of thorough testing, so the PCI-DSS plugins report that your scan was not configured correctly if any of the following settings is not enabled:

  • Enable all plugins
  • Enable “thorough tests”
  • Enable “experimental scripts”
  • Enable TCP scanning of all 65535 ports

If any of these settings is missing, plugin 33931 reports which settings are required. Whenever this plugin produces output, it also prevents Nessus from designating the machine as seemingly “PCI” compliant.

When configuring a port scan, please keep in mind that a credentialed scan lets Nessus enumerate all listening ports, and the processes listening on them, from the host itself, without scanning every port over the network. PCI-DSS requires that an audit of a web server be performed without any filtering. If there is no filtering between Nessus and the audited server, a credentialed enumeration yields the same set of open ports as a full network port scan, so there is no reason to perform one.

One last point on configuring port scans: if you use the credentialed enumeration options, be sure to disable the network port scanners. Leaving both enabled adds nothing to the report and only makes the scan take longer. Tenable also provides a UDP port scanner for Nessus; this plugin is available for download from the Tenable Support Portal.

The PCI plugins are located under the Policy Compliance Nessus plugin family.

To invoke the PCI-DSS compliance analysis, open the “Advanced” tab of your Nessus scan policy, where there is a “PCI-DSS compliance” option with a single checkbox. Enabling this scan preference tells the three PCI plugins to perform their analysis.

Analyzing the Results

PCI-DSS audits will generally fail for three classes of items:

  • Detection of any vulnerability with a CVSS score greater than or equal to 4
  • Detection of any Cross-Site Scripting or SQL Injection vulnerabilities
  • Outdated SSL protocol versions and misconfigured SSL encryption

Because of the logic of our plugins, a scanned system will be in one of four states:

  1. The scan was configured correctly and nothing disqualifying was found: the system should be ready to obtain PCI-DSS compliance.
  2. The scan was configured correctly and findings show that the system is not compliant.
  3. The scan was not configured correctly, but findings already show that the system is not compliant.
  4. The scan was not configured correctly and nothing disqualifying was found, so compliance cannot be determined until the scan is re-run with the required settings.

The results output for plugin 33929 lists the IDs of the specific vulnerability checks that determined the system was not compliant, so each failure can be traced back to its own finding in the report.
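As an added illustration (not Tenable's plugin code), the script below applies the decision logic described above, the scan-configuration checks and the three failing classes, to a .nessus v2 report and sorts each host into one of the four states. The sample report is constructed and its plugin IDs are made up. The policy checks read the preference names port_range, thorough_tests and experimental_tests from the report's ServerPreferences block, which is an assumption about the file layout; the "enable all plugins" requirement cannot be confirmed from the report alone and is not checked. The XSS/SQL-injection and SSL tests are name- and family-based heuristics, not the plugins' own logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample .nessus v2 report: two hosts, made-up plugin IDs, and a
# policy that meets all but one of the scan-configuration requirements.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Policy>
  <policyName>pci-pretest</policyName>
  <Preferences>
   <ServerPreferences>
    <preference><name>port_range</name><value>1-65535</value></preference>
    <preference><name>thorough_tests</name><value>yes</value></preference>
    <preference><name>experimental_tests</name><value>no</value></preference>
   </ServerPreferences>
  </Preferences>
 </Policy>
 <Report name="pci-pretest">
  <ReportHost name="192.0.2.10">
   <ReportItem port="443" protocol="tcp" severity="2" pluginID="900001"
     pluginName="Web Server Generic XSS" pluginFamily="CGI abuses : XSS">
    <cvss_base_score>4.3</cvss_base_score>
   </ReportItem>
   <ReportItem port="443" protocol="tcp" severity="2" pluginID="900002"
     pluginName="SSL Version 2 (v2) Protocol Detection" pluginFamily="Service detection">
    <cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="22" protocol="tcp" severity="1" pluginID="900003"
     pluginName="SSH Server Type and Version" pluginFamily="Service detection">
    <cvss_base_score>2.6</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Scan-configuration requirements from the post, expressed as Nessus server
# preferences (assumed names). "Enable all plugins" is not checkable from a report.
REQUIRED_PREFS = {
    "port_range": "1-65535",      # TCP scan of all 65535 ports
    "thorough_tests": "yes",      # "thorough tests"
    "experimental_tests": "yes",  # "experimental scripts"
}

# Heuristic markers (assumption) for the "outdated/misconfigured SSL" class.
SSL_MARKERS = ("ssl version 2", "ssl version 3", "weak cipher", "medium strength cipher")


def scan_config_problems(root):
    """Return the scan settings that fall short of the PCI scan requirements."""
    prefs = {p.findtext("name"): p.findtext("value") for p in root.iter("preference")}
    return [f"{name}={prefs.get(name)!r} (required {wanted!r})"
            for name, wanted in REQUIRED_PREFS.items() if prefs.get(name) != wanted]


def failing_findings(host):
    """Return [(pluginID, reasons)] for findings in any of the three failing classes."""
    fails = []
    for item in host.iter("ReportItem"):
        name = item.get("pluginName", "").lower()
        family = item.get("pluginFamily", "").lower()
        score = float(item.findtext("cvss_base_score") or 0)
        reasons = []
        if score >= 4.0:
            reasons.append(f"CVSS {score} >= 4.0")
        if "xss" in family or "cross-site scripting" in name or "sql injection" in name:
            reasons.append("XSS/SQL injection")
        if any(marker in name for marker in SSL_MARKERS):
            reasons.append("outdated/misconfigured SSL")
        if reasons:
            fails.append((item.get("pluginID"), reasons))
    return fails


def evaluate(nessus_xml):
    """Classify every host into one of the four states the post describes:
    1 scan OK and nothing failing; 2 scan OK with failing findings;
    3 scan bad but failing findings anyway; 4 scan bad and nothing found (undetermined)."""
    root = ET.fromstring(nessus_xml)
    problems = scan_config_problems(root)
    scan_ok = not problems
    results = {}
    for host in root.iter("ReportHost"):
        fails = failing_findings(host)
        if scan_ok:
            state = 1 if not fails else 2
        else:
            state = 3 if fails else 4
        results[host.get("name")] = (state, fails)
    return problems, results


if __name__ == "__main__":
    problems, results = evaluate(SAMPLE_NESSUS)
    for p in problems:
        print("scan setting not PCI-ready:", p)
    for host, (state, fails) in results.items():
        print(host, "state", state, [f"{pid}: {', '.join(r)}" for pid, r in fails])
```

With the sample as given, the policy fails on experimental_tests, so the first host lands in state 3 (non-compliant regardless) and the second in state 4 (undetermined); flipping that preference to "yes" moves them to states 2 and 1 respectively, which is the behaviour the four-state list above predicts.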

Enterprise PCI Auditing

Tenable has many different solutions that can help with PCI reporting and auditing requirements on an enterprise level. The following general PCI requirements can be easily managed, monitored and reported on with Tenable solutions:

  • PCI Requirement 1 – Nessus, the Passive Vulnerability Scanner and the Log Correlation Engine can be used to monitor firewall access control lists, activity and configurations.
  • PCI Requirement 2 – Nessus and the Passive Vulnerability Scanner audit for hundreds of default vendor settings as well as best practice system configurations.
  • PCI Requirement 3 – Nessus and the Passive Vulnerability Scanner can audit systems for data containing credit card or customer information. 
  • PCI Requirement 4 – Nessus and the Passive Vulnerability Scanner can identify all SSL daemons and many different types of encrypted protocols.
  • PCI Requirement 5 – Nessus can identify the running anti-virus solution and also identify if it has been disabled, mis-configured or has out-of-date signatures.
  • PCI Requirement 6 – The Security Center is the premier tool to manage scanning data, patch audit data, configuration data and passively obtained network data. With the Security Center it is trivial to schedule scans, identify changes that impact PCI, find vulnerabilities older than 30 days and report on compliant and non-compliant systems.
  • PCI Requirement 7 - The Log Correlation Engine can be used to analyze audit trails from servers to identify access to systems with cardholder data.
  • PCI Requirement 8 – Nessus can be used to audit configuration settings required by PCI. Tenable offers several “audit” policies for Nessus which can be used to audit AIX, Solaris, Windows, FreeBSD, HP-UX and other operating systems.
  • PCI Requirement 10 - The combination of the Security Center, Nessus, Passive Vulnerability Scanner and the Log Correlation Engine allows for tracking of all access to network resources and systems with cardholder data.
  • PCI Requirement 11 - Nessus and the Passive Vulnerability Scanner can be used to regularly test systems for security issues and correct configurations. If the Log Correlation Engine is also deployed, it can be used to log the vulnerability scanning activity to prove that systems are being audited.

For More Information

During the beta period, customers are encouraged to provide feedback to Tenable by emailing us at beta@tenablesecurity.com. Support for scanning with these plugins is not currently available in the Security Center, but Nessus results can be manually imported.

The following blog entries will be of interest to anyone who uses Nessus or the Security Center to monitor a network for compliance and security issues:

 

Can I use Nessus to perform PCI audits?

Tenable's sales and support groups continue to get the following type of question:

"I'm considering purchasing a scanning service from vendor XYZ and they claim to use Nessus. Are they certified by Tenable to perform PCI scanning audits?"

There are several points to consider when such a question is posed and this blog entry will attempt to discuss many of the nuances involved with this issue.

Products are not Certified for PCI Audits

There is no product solution available on the market today that can be purchased and used to perform accredited PCI vulnerability audits. There are services which can be procured to perform vulnerability audits and some of the technology these services use is available in the form of a product.

For an organization attempting to navigate the requirements of PCI, the differences between buying a service and buying the product on which that service is based may not seem great. For example, many scanning services include an appliance which is deployed on a customer's network, which gives the feeling of a product.

If an organization governed by the PCI regulation does buy a product solution to perform PCI scanning, that organization will still be required to procure a 3rd party service to perform certified PCI vulnerability scanning. These services must be acquired from an Approved Scanning Vendor.

The benefit of buying a product that can perform realistic PCI audits is that when your official quarterly PCI scan is performed, you won't be surprised, because you will have had a chance to fix issues before the audit occurs. Also, if your scanning service makes an error or reports inaccurate results, being able to compare their results with your own can help expedite the resolution of any incorrectly reported issues.

90% of the Certified PCI Services use Nessus

The PCI organization does list more than 130 service providers that are authorized to perform PCI scans. Of those on the list, almost 90% (the actual percentage was 87%) actively use the Tenable Security Center, Nessus Direct Feed or Nessus Registered Feed. We performed this analysis by cross-referencing the published list of PCI scanning vendors with Tenable's list of customers and registered Nessus users that update their vulnerability checks at least weekly.

Does this mean that if you use Nessus to scan for vulnerabilities, you are on the path to PCI compliance? The short answer is yes, but you still need to get a 3rd party to officially audit you.

Does this mean that any service that bases its vulnerability scans on Nessus is qualified to perform PCI audits? Absolutely not. To be certified for PCI scanning, the organization must submit to a rigorous process which analyzes how scans are administered and performed and, most importantly, how results are presented to the customer.

Through our Direct Feed support for Nessus and product support for MSPs that use our Security Center to perform scan scheduling and reporting, Tenable is in a unique position to work with a wide variety of solution providers which are certified to perform PCI audits. No two solution providers have the same exact solution. Many of them have different procedures and policies for performing scans and communicating with their customers. For example, some prefer to accomplish discovery with multiple tools, including direct customer input, and then perform vulnerability scanning with Nessus while others perform their audits entirely with Nessus.

Although many organizations do use Nessus to perform PCI scanning, the regulation is not tool specific and is focused on the actual vulnerabilities, policies and procedures of the organization being audited.

Differences between in-house and Remote Scanning

There are also some very stark differences between remote PCI vulnerability assessments and what can be done with an in-house tool.

For example, section 8.5.9 of the PCI Audit Procedures document specifies that user passwords should be changed every 90 days. This sort of setting can be audited with the Nessus Direct Feed, and Tenable has written specific PCI audit policies to look for this setting on UNIX and Windows operating systems. However, section 8.5.9 also gives MSPs some latitude in performing these audits, and there are allowances for manual review of policies.

There are many more examples of this sort of discrepancy. Searching for the term "For Service Providers Only" in the audit guidelines will show many examples where a full internal PCI audit can be replaced with manual procedural reviews.

If such a review only occurs manually and quarterly, then when violations are found, fixing them implies not only changing the settings on various servers, but also changing the procedures and policies which allowed these lapses to occur in the first place. Performing in-house automated checks allows for early detection of compliance violations.
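As an added example (not from the original post, and not one of Tenable's audit policies), the function below performs the section 8.5.9 password-rotation check in-house on a UNIX host: it reads each account's maximum password age from field 5 of /etc/shadow and the PASS_MAX_DAYS default from /etc/login.defs, skips locked or disabled accounts, and flags any usable account whose age limit exceeds 90 days or is unset. The two inputs are constructed sample text, not real host files.

```python
# Constructed sample /etc/shadow: field 5 is the maximum password age in days.
# An empty field means no aging; "!" and "*" mark locked/disabled accounts.
SAMPLE_SHADOW = """root:$6$abc:19000:0:99999:7:::
alice:$6$def:19000:0:90:7:::
bob:$6$ghi:19000:0::7:::
svc:!:19000:0:99999:7:::
carol:*:19000:0:99999:7:::
dave:$6$jkl:19000:0:180:7:::
"""

# Constructed sample /etc/login.defs: the default applied to new passwords.
SAMPLE_LOGIN_DEFS = """# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""


def login_defs_max_days(text):
    """Return the PASS_MAX_DAYS value from login.defs text, or None if absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "PASS_MAX_DAYS":
            return int(parts[1])
    return None


def audit_password_age(shadow_text, login_defs_text, limit=90):
    """Return ({user: max_days}, defaults_ok).

    The dict holds accounts with a usable password whose maximum age exceeds
    `limit` (None means the field was empty, i.e. the password never expires).
    defaults_ok is True when login.defs sets PASS_MAX_DAYS to `limit` or less,
    so newly created accounts will also comply.
    """
    default = login_defs_max_days(login_defs_text)
    violations = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, password, max_field = fields[0], fields[1], fields[4]
        # Locked ("!" prefix) or disabled ("*") accounts cannot log in with a password.
        if password.startswith("!") or password == "*":
            continue
        max_days = int(max_field) if max_field else None
        if max_days is None or max_days > limit:
            violations[user] = max_days
    return violations, default is not None and default <= limit


if __name__ == "__main__":
    violations, defaults_ok = audit_password_age(SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS)
    for user, days in violations.items():
        print(f"{user}: max password age {'not set' if days is None else days} exceeds 90 days")
    print("login.defs default compliant:", defaults_ok)
```

Running this on the sample flags root (99999 days), bob (no expiry) and dave (180 days) and reports that the login.defs default is also out of policy, while alice (90 days) and the two locked accounts are left alone. On a real host the same function can be fed the output of `cat /etc/shadow` and `cat /etc/login.defs` collected over SSH, which is exactly the kind of credentialed check that catches a drift in policy weeks before the quarterly review would.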

Another advantage of in-house scanning is that you may choose to perform a credentialed patch audit with Nessus. Patch audits are very accurate and work for Windows and UNIX operating systems. If your MSP or ASV is not using credentials to audit your systems, their scans may be less accurate than credentialed ones. If this is the case, performing credentialed scans in-house can help resolve any inaccurate findings reported by your ASV.

Monitoring PCI Compliance with Nessus

No discussion of PCI compliance issues is complete without considering the full ramifications of the regulation. Complying with PCI DSS is much more than keeping your e-commerce systems free of critical vulnerabilities. It includes firewall reviews, searching for insecure wireless access points, hardening of your servers with strong auditing and account security, log analysis, patch auditing and much more.

Tenable offers the 'Real Time Compliance' paper which shows how Nessus, and other Tenable log analysis and network monitoring products, can be used to audit and monitor e-commerce systems for PCI compliance and violations. The paper also discusses other regulations and IT management procedures such as COBIT and ITIL. If you are interested in reading the comprehensive paper, please email us at sales@tenablesecurity.com.

Tenable also offers a 30 minute webinar which focuses on compliance monitoring. The webinar is free but requires registration and is available to watch on demand.