Tag Archives: CIS

.audit-based Compliance Management in Nessus

In this post I will briefly describe how Nessus .audit-based Compliance Management works, why I like it, what could be improved and why I suppose Tenable won’t do it soon. šŸ˜‰

Nessus compliance checks are mainly presented in a form of special .audit scripts. This scripting language is very different from familiar NASL (Nessus Attack Scripting Language).

Basically, it is a collection of universal checks for various objects (e.g. existence of the line or parameter in the file, access permissions of the file,Ā  service status, etc.). Of course, nowadays Š”ompliance Management is not only aboutĀ Operating System and software (mis)configuration. We have different network devices, databases, cloud services, etc. but originally it was the main case.

By combining the universal checksĀ  any requirement of low-level configuration standard (CIS, DISA, etc.) can be implemented. The similar principles are used in OVAL/SCAP content.

Continue reading

QSC16: from Vulnerability Management to IT Visibility

I want to share my impressions of QSC16 conference, where recently I had pleasure to attend. This yearly conference is held in Munich for ten years already. I was there before only one time, in 2012. It made a great impression and this year was no worse.

My photo QSC16

First of all, I should write some words about the conference itself. QSC is an acronym for Qualys Security Conference. It is clear from the name that it is fully dedicated to Qualys products.

Who might be interested in such event?

Mainly, of course, current and potential users of Qualys products, partners, competitors (from own experience, they are not welcomed there ;-)) and, I think it is the smallest group, analysts of Vulnerability Management market and Vulnerability Assessment geeks, like me. For people, who are sincerely interested in VM market changes, road show of the global VM vendor with the biggest market share (is it right, Gartner?) is a precious information source. Here you can learn about real experiences in the use of Qualys products and hear about the company’s future plans.

BTW, if you are one of those, and we do not know each other, we should definitely have a talk. šŸ˜‰

QSC Agenda

Why is this event important? Despite existing skepticism about mono-vendor conferences and roadshows, QSC is one of the few events in Europe dedicated to the VM, in the broad sense of the term, almost exclusively. All discussions are, of course, in the context of Qualys solutions and you won’t hear any real critics of the vendor, however questions raised there are relevant for the entire VM market.

Continue reading

Vulners – Google for hacker. How the best vulnerability search engine works and how to use it

Original article was published in Xakep Magazine #06/2016 (in Russian)

vulners.com logo

The common task. Š£ou need to find all information about some vulnerability: how critical the bug is, whether there is a public exploit, which vendors already released patches, which vulnerability scanner can detect this bug in the system. Previously, you had to search it all manually in dozens of sources (CVEDetails, SecurityFocus, Rapid7 DB, Exploit-DB, CVEs from MITRE / NIST, vendor newsletters, etc.) and analyze the collected data. Today, this routine can be (and should be!) automated with specialized services. One of these services – Vulners.com, the coolest search engine for bugs. And what is the most important – it’s free and has an open API. Let’s see how it can be useful for us.

What is it?

Vulners is a very large constantly updating database of Information Security content. This site lets you search for vulnerabilities, exploits, patches, bug bounty programs the same way a web search engine lets you search for websites. Vulners aggregates and presents in convenient form seven major types of data:

  • Popular vulnerability databases, containing general descriptions of vulnerabilities and links. For example, well-known NVD CVEs of MITRE US agency and NIST Institute. In addition to this, Vulners supports vulnerability descriptions from various research centers and response teams: Vulnerability Lab, XSSed, CERT, ICS, Zero Day Initiative, Positive Technologies, ERPScan.
  • Vendor’s security bulletins. This bug-reports are published by software vendors and contain information about vulnerabilities in their own products. At current moment Vulners supports various Linux distributions (Red Hat, CentOS, Oracle Linux, Arch Linux, Debian, Ubuntu, SUSE), FreeBSD, network devices (F5 Networks, Cisco, Huawei, Palo Alto Networks), popular and critical software (OpenSSL, Samba, nginx, Mozilla, Opera), including CMS (WordPress, Drupal).
  • Exploits from Exploit-DB, Metasploit and 0day.today. Exploits are parsed and stored in full-text form and you can read the sources in a convenient text editor.
  • Nessus plugins for vulnerability detection. It makes easy to find out whether a particular vulnerability can be detected using this popular network scanner. Why is it important? Read in my article “When a free scanning service detects vulnerabilities better“.
  • Bug disclousers for bug bounty programs. At current moment Vulners supports HackerOne and Open Bug Bounty.
  • Potential vulnerabilities of mobile applications and CMS. It is possible in cooperation with the static application security testing (SAST) vendors Hackapp and InfoWatch APPERCUT.
  • Posts from hacking resources. Vulners collects Threatpost and rdot.org publications, which often cover vulnerability related topics.

All this information is handled, cataloged, structured and is always available for the search.

Continue reading

Tenable Nessus: registration, installation, scanning and reporting

It’s a bit strange that I wrote in this blog about some relatively exotic vulnerability management solutions and not about the one I use every day. It is, of course, Nessus. The legend of vulnerability scanners. It would be fair to say that Nessus has become a synonym for vulnerability scan itself as Xerox for photocopy. First version of Nessus was developed by Renaud Deraison in 1998 as a free and open-source product. In October 2005 the license was changed to proprietary. The last version of GPL source codes became the base for the great open source vulnerability scanner – OpenVAS (btw, see my post “openvas_commander for OpenVAS installation and management”).

Nessus Vulnerability Scan Results

I am glad that Tenable still keeps Nessus mostly in UNIX-way. Nessus is a vulnerability scanner and makes one thing good – finds vulnerabilities on network hosts. If you need dashboards, advanced user management, advanced reporting capabilities, etc. use Tenable Security Center that works above the Tenable separate products: Nessus, Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE).

nessus download page

Continue reading

Hello!

My photo

Thanks for visiting my website. Glad to see you here. My name is Alexander and I’m an Information Security Automation specialist. For 6 years I have actively participated in development of MaxPatrol and XSpider – the best known Vulnerability and Compliance Management products in Russia and CIS. Nowadays I am working at the biggest Internet/Mobile Company in Russia. I am responsible for precise automated vulnerability assessment of a huge and diverse IT-infrastructure and vulnerability intelligence.

Enthusiast for NIST/MITRE/CIS and OWASP open security standards and initiatives.

Also the head of OpenVAS Russia project.

OpenVAS Russia banner

Feel free to follow me or add me to your friend list at facebook, twitter, linkedin. Sometimes I publish videos on my youtube channel.

My email: me@avleonov.com