The market-leading Nessus vulnerability scanner from Tenable Network Security automatically identifies missing patches, security configuration errors and other weaknesses in host security. The product comes in three forms: Nessus Professional, Nessus Manager and Nessus Cloud.
Nessus helps organizations identify security problems quickly and efficiently and fix them before they can be used to compromise the network. Tenable maintains a vast library of software plug-ins to perform the checks.
To conduct a scan, organizations must specify which vulnerability checks to use and the settings for each. Manually specifying hundreds of checks and the acceptable values for each type of scan would be time-consuming and error-prone. Because many organizations are subject to the same sets of security requirements and compliance initiatives, Tenable provides more than 400 templates. The following tips can help organizations take advantage of these templates to improve enterprise vulnerability scanning.
Configuration templates can automatically identify vulnerabilities in host software security configurations, such as operating systems and applications. Nessus uses a configuration template to compare a host’s current settings with the desired security settings specified in a particular configuration.
Typically, an IT manager selects one configuration template for each major piece of software on a host, such as Microsoft Windows 7 and the Mozilla Firefox web browser on a notebook.
Nessus templates capture common host software security configurations, including the Center for Internet Security benchmarks and Defense Information Systems Agency Security Technical Implementation Guides.
In addition to configuration templates, Nessus also provides compliance templates that are designed to verify that a host meets a set of security compliance requirements.
Examples of common compliance requirements include the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard and the North American Electric Reliability Corporation standards.
While both configuration and compliance templates are important, always use configuration templates first. The requirements in configuration templates are typically much more detailed and rigorous than in compliance templates, so focusing mitigation efforts there at the onset yields strong security.
Although security benchmarks and other configuration standards should ideally be fully implemented, most organizations will have a small number of settings that they can’t use. These settings might break critical functionality for users of a particular application, for example.
Organizations should have a formal process for reviewing and granting exceptions to their adopted configuration standards, and then customize their configuration templates to factor in those exceptions.
But the same isn’t true of compliance templates, which for the most part should rarely be altered. Instead, document justification for any deviations from compliance requirements. If a formal process for configuration exceptions is in place, then justification should already be documented and can be easily reused for compliance purposes.