Join Mike Chapple for an in-depth discussion in this video Scan configuration, part of CompTIA CySA+ (CS0-002) Cert Prep: 2 Vulnerability Management.
- [Presenter] We've already run a couple of simple vulnerability scans in this course, but now let's explore the process of setting up a vulnerability scan in more detail. I'm back in Nessus, and I'm going to set up a new scan from scratch. After I click the New Scan button, I'm presented with a series of templates to choose from. These are pre-configured scan settings that I can choose if I don't want to set everything myself. I'd like to look at all of the options, so I'm going to select Advanced Scan. This allows me to choose my own scan settings. The initial screen that I see lets me enter some basic information about the scan. I can give it a name. I'm going to go ahead and call this "Mike's Scan". I could fill in a description here if I wanted to, but I'm going to leave that blank for now. The most important part of this page of settings is the Targets box. That's where I configure the scope of the scan. In this box, I can enter system names, IP addresses, or network ranges that contain the systems that I'd like to scan. I'm going to set my scan to run on a local network. I'd like to scan all the systems in the address range 172.30.0.0/24. That's 255 IP addresses that Nessus will scan, first to see if systems are active, and then it will perform vulnerability scans on those systems that are up and running. Notice there's also an Upload Targets section of this page with a link to add a file. This is useful if your organization has a separate asset management tool. You can export a list of systems from that tool and import it here so that you don't have to retype or cut and paste the entire list of systems. When I'm creating a scan program, I generally want to organize it into a series of scans that each include systems that will be scanned at the same time.
For example, if I decided that I wanted to set the scanning frequency based upon the types of data that the system processes, I might create different scans for systems that process confidential, sensitive, and highly sensitive information. This allows me to set different schedules for each of these system groups. We've already taken a look at the Schedule tab. I'm going to go ahead and configure this scan to run every day. And then I'd like the scanner to email me a report when it's finished, so I'll go to the Notifications tab and type in my email address. And then tell Nessus to actually attach the scan report to the email message so that I can read it right in my email. Now let's take a look at the discovery options. This is where I can provide Nessus with instructions about how to decide if a system is alive on the network. I can configure the types of network pings and how Nessus should handle devices like printers and NetWare systems that might react negatively to a scan. On the Port Scanning tab, I can set the specific network ports that I'd like Nessus to scan, and also tell it which protocols to use when scanning for open ports. The default settings for Nessus include all commonly used ports, so I'm going to leave that setting alone. But if your network uses custom ports, you can configure those here. In the Assessment section of the scan configuration, I can set the scan sensitivity level. This is an important setting. When you're performing any type of scan, you run the risk of false alarms. These can waste the time of cybersecurity analysts. By default, Nessus uses what it calls "normal accuracy". Think of this as a medium setting that seeks to balance the risk of a false alarm with the risk of missing a real vulnerability. If you'd like, you can change this setting to err on the side of reporting a vulnerability. This will give you more false alarms.
You can do this by checking the Override Normal Accuracy box, and then choosing the Show Potential False Alarms option underneath that. I'm going to go ahead and switch back to normal accuracy for this scan. The last settings page that we'll look at is the Advanced page. This has a few important settings. First, notice the first box that's checked here, "Enable safe checks". This setting tells Nessus to avoid performing scans that might disrupt a system. It's probably best to leave this box checked when you're working in a production environment. You may wish to uncheck this box if you're scanning systems prior to their deployment in production to get the most thorough scan results. There are also some other settings on this page that allow you to alter the performance of the scan. You can stop scanning hosts that become unresponsive during a scan. This is important because it stops wasting bandwidth, and if the scan is actually disabling a host unintentionally, continuing the scan will increase the amount of time that that host might be unresponsive. So it minimizes the impact on production systems. You can also, under the Performance options, slow down the scan when network congestion is detected, and there are plenty of settings here to customize how that works. This allows your scan to accommodate other traffic on the network, so if the network is busy, the scan will slow down and use less bandwidth. Now finally, let's take a look at the Plugins tab for this scan. Nessus uses plugins to perform vulnerability checks. Each plugin is designed to check for one specific vulnerability, and plugins are organized into families by the types of systems that they affect. You see the settings for plugins here on this tab. I can go ahead and customize my scan for my own environment. For example, I know that there are not any AIX systems on this network, so I'm going to disable those 11,392 plugins. 
I'm going to do the same thing for Cisco, because there aren't any Cisco network devices here, and I know there's not any Debian Linux, and there also aren't any F5 devices or Fedora systems. And I could continue down this list, disabling any of the plugin families that I know won't be necessary on my network. Disabling plugins that are not relevant to your scan improves your performance by reducing the amount of time that the scan takes. Vulnerability scanners offer a wide variety of configuration options that allow you to customize those scanners' performance. If you find yourself tweaking these settings, be sure to create your own custom templates so that you can easily reuse those settings across many scans.
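The transcript's three scoping ideas (feeding the Targets box from an asset-inventory export, splitting systems into separate scans by data classification so each group gets its own schedule, and disabling plugin families that cannot apply to the inventory) can be turned into a small pre-processing step that runs before any scan is created. The following Python is an added example written for this page; it is not code from the course, from Mike Chapple, or from Tenable. The CSV layout, the classification-to-frequency policy, and the platform-to-family mapping are assumptions chosen for illustration, and the inventory rows are constructed sample data.

```python
"""Build per-classification scan definitions from an asset-inventory export.

Added illustration (not the course's or Tenable's code). It mirrors the
transcript's advice: scope by hostnames/IPs/CIDR ranges, group systems by
data classification with a schedule per group, and disable plugin families
for platforms that are absent from the inventory.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Scan frequency per data classification (assumed policy values).
SCHEDULE_BY_CLASS = {
    "highly sensitive": "daily",
    "sensitive": "weekly",
    "confidential": "monthly",
}

# Plugin family covering each platform (assumed mapping; the family names
# are the ones visible on the Nessus Plugins tab, the platform keys are ours).
FAMILY_FOR_PLATFORM = {
    "aix": "AIX Local Security Checks",
    "cisco": "CISCO",
    "debian": "Debian Local Security Checks",
    "f5": "F5 Networks Local Security Checks",
    "fedora": "Fedora Local Security Checks",
}

# Constructed inventory export in the shape an asset-management tool might emit.
# Note the duplicate row and the malformed target, both of which must be handled.
INVENTORY_CSV = """target,platform,classification
172.30.0.0/24,windows,confidential
db01.example.internal,debian,highly sensitive
10.0.5.17,windows,sensitive
10.0.5.17,windows,sensitive
not a host!,unknown,sensitive
"""


def parse_target(raw):
    """Normalize one target string; return None if it is not a hostname, IP, or CIDR."""
    raw = raw.strip()
    try:
        net = ipaddress.ip_network(raw, strict=False)  # accepts "10.0.5.17" and "172.30.0.0/24"
    except ValueError:
        pass
    else:
        # A single address comes back as a /32 (or /128); keep it as a plain address.
        return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    # Hostname: dot-separated labels of letters, digits and hyphens only.
    labels = raw.split(".")
    if raw and all(label and label.replace("-", "").isalnum() for label in labels):
        return raw.lower()
    return None


def host_count(target):
    """Addresses a target expands to; a /24 yields 256 (network and broadcast included)."""
    try:
        return ipaddress.ip_network(target, strict=False).num_addresses
    except ValueError:
        return 1  # a hostname resolves to one scan target


def build_scan_definitions(inventory_csv):
    """Group valid, de-duplicated targets by classification into scan definitions.

    Returns (scans, rejected): scans maps classification -> definition dict,
    rejected lists the raw target strings that failed validation.
    """
    groups = defaultdict(set)  # set() removes duplicate inventory rows
    platforms = set()
    rejected = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        target = parse_target(row["target"])
        if target is None:
            rejected.append(row["target"])
            continue
        groups[row["classification"].strip().lower()].add(target)
        platforms.add(row["platform"].strip().lower())

    # Families for platforms that never appear in the inventory are safe to switch off.
    disabled = sorted(fam for plat, fam in FAMILY_FOR_PLATFORM.items() if plat not in platforms)

    scans = {}
    for cls, targets in groups.items():
        scans[cls] = {
            "name": f"{cls} systems",
            "targets": sorted(targets),  # what would go into the Targets box / upload file
            "address_count": sum(host_count(t) for t in targets),
            "schedule": SCHEDULE_BY_CLASS.get(cls, "weekly"),
            "safe_checks": True,  # production scans keep "Enable safe checks" on
            "disabled_plugin_families": disabled,
        }
    return scans, rejected


if __name__ == "__main__":
    definitions, bad = build_scan_definitions(INVENTORY_CSV)
    for name, definition in sorted(definitions.items()):
        print(name, definition)
    print("rejected targets:", bad)
```

Rejected rows are returned rather than silently dropped so the inventory owner can fix them; the duplicate address collapses into one target, and the Debian family stays enabled because a Debian host exists in the inventory while the AIX, Cisco, F5 and Fedora families are listed for disabling.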
- Configuring vulnerability scans
- Reporting scan results
- Barriers to vulnerability remediation
- Analyzing scan reports
- Common server, endpoint, and network vulnerabilities
- Software security issues, such as SQL injection
- Access control vulnerabilities