Want to get a lot more value out of your vulnerability scans? Start doing authenticated scanning.
Performing authenticated scans of your environment offers essential benefits and is a practice widely recognized as valuable. However, it's interesting to note that a significant number of Tenable Nessus users tend towards unauthenticated scans. The scan configurations we observe in Tenable’s SaaS products are telling: our customers run unauthenticated scans 20 times more than authenticated ones. Why the substantial gap?
Through customer interactions, we've learned that, often, users simply overlook the possibility of authenticated scanning amidst the urgency to initiate scans. It doesn’t cross their minds that they can add several different types of credentials fairly quickly, especially if a Privileged Access Management solution is in use in their enterprise.
We also find some customers are looking to have an “attacker’s perspective” on their assets — assuming the attackers have not obtained valid credentials to their machines, they want to see what those attackers would see by probing remotely.
And there are certainly users who are unclear about how credentials work in the product. What types of credentials can I use? Is it insecure to place these secrets inside this scanning tool? How will Nessus use them, or log their use? The best resource to find this kind of detailed information is the Nessus documentation on credentialed scanning.
It is important to understand some fundamentals and the advantages of credentialed scanning, though. Nessus Attack Scripting Language (NASL) plugins operate in a scan context, and a scan context is defined by the scan configuration settings. Think of the scan context as the atmosphere in which the plugins grow. The richer the environment, the greater the yield of the plugin scan results.
In a standard Nessus scan, the scanner will first attempt to identify the scan target with which it is communicating, and the first set of plugins run will perform that operating system and service fingerprinting. Once that interrogation is complete, the scanner can then use that information to determine which vulnerabilities are present on the target.
More detail about your assets
If a set of credentials is present for a remote management service (such as SSH or SMB), Nessus will first attempt to connect to the scan target using those credentials, so that the scanner can use this access to perform a more comprehensive scan of the machine. And here we have one of the primary benefits of using credentials to scan systems with Nessus: a much more detailed view of the scan targets.
Imagine buying a house you’d only seen from the outside — you’d never do it! You’d need to see the interior and check out all the rooms. An unauthenticated scan provides only the view from “outside the house.” With credentialed scans, you’re not simply guessing what kind of machine you’re talking with, based on the responses from listening ports. Instead, you can collect tons of details about the configuration of a machine, its installed software, users, network interfaces, and much more. Most organizations are hungry for more data about their assets, and Nessus has some of the most complete asset profiling capabilities in the market.
Using credentials also gives you the ability to perform audits against your assets, using a set of benchmarks that define best practices for configuring certain OS platforms and applications. These benchmarks, from organizations like the Center for Internet Security, or the U.S. Department of Defense, describe an ideal configuration for a high level of security, and can help you determine which of your assets are compliant with your organization’s hardening policies.
Higher confidence results
Providing credentials to gather internal attributes of your assets, of course, results in far higher confidence in the exposure data that is collected. If your certainty about the state of an asset is higher, then the certainty about the associated vulnerabilities will also increase. If you find more applications installed on a machine, you will have a more complete picture of that machine’s weaknesses. If you’re profiling your assets, you’d much rather get an inventory of everything installed on each one from the OS itself, through a package manager or installed-application registry.
There are entire classes of applications that cannot be found via remote, unauthenticated scans. Client applications, like web browsers, productivity apps and messaging tools, typically do not have listening services, and as a result go undiscovered unless the scanner can log into a target. For instance, identifying vulnerable software libraries and components, such as libwebp or OpenSSL, is notably more challenging without credentialed scanning.
Uncover hidden vulnerabilities
Often, an application will expose less data through an unauthenticated interface. In some cases, probing a service remotely yields less granular version information than looking at the same application via a local install. Sometimes this is unintentional: a snippet of code in a file available via a web-based management interface may be your only clue to the version of an application, and it may only be accessible because of an oversight by the developer.
At Tenable, we are observing a trend by enterprise technology vendors to restrict any data that aids attackers behind authenticated interfaces, including the name, version and configuration of their products. This is a smart move, in general; it also happens to make the lives of folks like us, in the vulnerability management business, substantially tougher.
There are some products that have had critical vulnerabilities announced this year that have been impossible to identify remotely without authenticating to the target.
One example is CVE-2023-2868, a vulnerability discovered in Barracuda’s Email Security Gateway product. The vulnerability happened to only affect the physical appliance, not the virtual. So what if you couldn’t distinguish between the two? That’s actually the case in this situation — the only way to determine if the appliance you’re probing is physical or virtual is by authenticating to the device and pulling a data point from the administrative console.
We are seeing more and more examples of this problem as time goes on, and we anticipate that more vendors — especially those who control the entire product from the hardware up — will begin to hide these details behind a login page. Your organization may come to a point where authenticated scans are not just a good idea, but necessary, to be comprehensive in your asset inventory and vulnerability management practices.
PCI-DSS v4 requirements
Are you subject to Payment Card Industry Data Security Standard (PCI-DSS)? If so, you may already be aware that the upcoming fourth version of the standard will require your PCI-specific vulnerability scans to be authenticated. If that’s the case, your decision about whether or not to run credentialed scans just got a whole lot easier! You’ll want to move to that kind of setup — or, ask your PCI approved scanning vendor (ASV) to perform them for you.
Conclusion
A good first step in adopting the practice of credentialed scanning is to set up a dedicated account, with administrative privileges, just to use for scanning. Use your centralized authentication system to get the best reach to all of your assets, or connect a PAM solution to pull credentials. Then, make sure your scanners can reach your scan targets on the appropriate services. You can add multiple credentials to reach a variety of devices — in your scan config, open the Credentials tab and click the dropdown box next to Categories to find more options. Rotating credentials on these service scanning accounts and updating the scan configuration settings in lockstep is a great practice to keep these accounts secure. Using your PAM solution and feeding scan credentials from your vault makes managing their lifecycle even more seamless.
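Once the account, reachability and credentials described above are in place, the thing to verify is whether the scanner actually authenticated to each target rather than silently falling back to an unauthenticated view. The following Python check is an added example, not Tenable's code or part of the original post: it reads a .nessus export and lists hosts where credentialed checks did not run. It assumes the "Nessus Scan Information" plugin (ID 19506) prints a "Credentialed checks : yes/no" line in its output, as current Nessus releases do; the XML sample is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed .nessus (NessusClientData_v2) export with three hosts. Plugin
# 19506 "Nessus Scan Information" is assumed to state whether credentialed
# checks ran; the third host has no 19506 output at all.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="constructed-example">
  <ReportHost name="10.0.0.5">
   <ReportItem pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings" port="0" svc_name="general" protocol="tcp" severity="0">
    <plugin_output>Information about this scan :
Credentialed checks : yes, as 'svc-nessus' via ssh
</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem pluginID="19506" pluginName="Nessus Scan Information" pluginFamily="Settings" port="0" svc_name="general" protocol="tcp" severity="0">
    <plugin_output>Information about this scan :
Credentialed checks : no
</plugin_output>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.7"/>
 </Report>
</NessusClientData_v2>
"""


def credentialed_status(nessus_xml):
    """Map each ReportHost name to True (credentialed checks ran), False
    (they did not), or None when plugin 19506 reported nothing for it."""
    status = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        name = host.get("name")
        status[name] = None
        for item in host.findall("ReportItem[@pluginID='19506']"):
            for line in item.findtext("plugin_output", default="").splitlines():
                key, _, value = line.partition(":")
                if key.strip().lower() == "credentialed checks":
                    status[name] = value.strip().lower().startswith("yes")
    return status


def hosts_missing_credentials(nessus_xml):
    """Hosts to follow up on: credentials failed or were never attempted."""
    return sorted(h for h, ok in credentialed_status(nessus_xml).items() if not ok)


if __name__ == "__main__":
    for host in hosts_missing_credentials(SAMPLE_NESSUS):
        print(f"{host}: no credentialed checks; verify account, reachability or PAM mapping")
```

A host listed by this check should be treated as unauthenticated data until the cause (wrong credentials, blocked SSH/SMB port, stale PAM mapping after rotation) is fixed and the scan rerun.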
In conclusion, the shift towards more secure enterprise technologies necessitates a parallel shift in vulnerability management practices, with credentialed scanning becoming not just beneficial but essential. By creating a dedicated administrative account for scanning purposes and ensuring proper access to all assets, organizations can significantly enhance their security posture. The accuracy and depth of insights gained from credentialed scans will lead to a more robust defense against potential threats. The future of vulnerability management is in authenticated scans, and the sooner organizations adapt, the better equipped they will be to identify and mitigate exposure.