Scaner-VS is a Vulnerability Assessment system developed by Moscow-based NPO Echelon. It’s pretty popular in Russian government organizations, especially in Russian Army, because it comply all government requirements, has all necessary certificates and is relatively cheap.
As for requirements and certificates, NPO Echelon itself is an important certification authority, so they know how to do the things right. It’s not a secret product or something. You can request trial version freely at http://scaner-vs.ru/version-for-testing/. But note, that it is only available in Russian. I am also sorry, but screenshots in this post will be also in Russian. I will try to do my best to describe them properly.
When you fill the form on Echelon website, you will soon get a link to 3.3 gb .iso file by email. Run it in VirtualBox virtual machine (choose Debian 64 or Debian 32).
Here is a boot menu. Choose first default option.
Some seconds later you will see Linux desktop environment with Scaner-VS web-GUI opened in Firefox.
It’s the third part of our talk with Daniil Svetlov at his radio show “Safe Environment” recorded 29.03.2017. In this part we talk about Vulnerability Prioritization and Detection:
Common Vulnerability Scoring System (CVSS)
Environmental factor
Manual and automated vulnerability detection
Unauthenticated and authenticated scanning
Why vulnerability scanners are so expensive and why the can’t detect everything
Video with manually transcribed Russian/English subtitles:
Prioritization
– Here also the question how to prioritize vulnerabilities properly. Because if you have, as you said, two Linux servers and 20 workstations running Windows, then in principle, you may not need to do prioritization. But if you have fifteen hundred servers: some of them are on perimeter, some are in your DMZ, some are in the internal network. It is still necessary, probably, to understand correctly which vulnerabilities and where should be patched in in the first place.
Yes, this is absolutely true and it’s a very good question. How to prioritize?
Common Vulnerability Scoring System
A natural way. If we look at vulnerabilities with a CVE identifier, for them in the US National Vulnerability Database we can find CVSS Base Score. It is an assessment of vulnerability criticality level.
How is it calculated?
Some person fills the questionnaire: can it be remotely exploited – no, is there public exploit – no, etc.
The result is a CVSS vector – this is a line in which you can see the main characteristics of this vulnerability and CVSS Base score is the score from 0 to 10 depending on criticality.
This is a natural way of prioritization. But sometimes this method does not give very good results.
I’ve already mentioned in “Petya the Great and why *they* don’t patch vulnerabilities“, that NotPetya ransomware seems trivial from Vulnerability Management point of view. It uses known Windows vulnerabilities, that were patched by Microsoft long time ago.
Despite of this, I was really interested in M.E.Doc(servers were confiscated by Ukrainian police and website is not operational) role in the initial phase of malware spreading. In my opinion, we have a pretty interesting example of an attack vector, that will be very hard to detect and mitigate. And moreover, it’s once again shows that protected perimeter won’t be a panacea anymore.
M.E.Doc – My Electronic Document Circulation System. “m.e.doc” sounds like the word, that mean “honey” in Russian and Ukrainian. That’s why all these bees in promo materials.
M.E.Doc is an Document Circulation System very popular in Ukraine. It makes possible to send reports to the government authorities in electronic form. It can be used in any organization. I can even imagine situation when usage of this kind of software may be even mandatory. Now the researchers [Eset, Dr.Web] say that M.E.Doc servers sent updates with backdoors to the customers.
This backdoor has abilities:
Data collection for accessing mail servers
Arbitrary commands execution in the infected system
Running any executables
Downloading arbitrary files to the infected computer
Uploading arbitrary files to a remote server
Identify the exact organization using EDRPOU number.
I don’t really care about technical details about this backdoor. For me it’s enough that malicious code was on official server of the vendor and was spread to legitimate customers. Boom!
I really like this. Just imagine. Quiet, routine, everyday Vulnerability Management process in organizations: scanning-patching, scanning-patching, scanning-patching… And then. Suddenly! PEEETYYA!!!
And at very same moment everything changes. People from different companies start to communicate with each other actively, reverse this new malware, share the data, write and share tools for detection and recovery. Security professional is a friend, a brother and a source of useful information for security professional. Real movement! Real community! =)
For example, my friends from Vulners.com created pretty popular gist about Petya (petrWrap, notPetya, GoldenEye) and updated in real time for several hours.
My former colleagues from Positive Technologies released detailed technical review of this ransomware (in Russian) few hours since the outbreak started, at 01:00 am . They also found a local kill switch, and probably were the first one. Simultaneously with Amit Serper from Cybereason.
It’s the second part of our talk with Daniil Svetlov at his radio show “Safe Environment” recorded 29.03.2017. In this part we talk about vulnerabilities in Linux and proprietary software, problems of patch an vulnerability management, and mention some related compliance requirements.
Video with manually transcribed Russian/English subtitles:
Taking about the fact that if you use fully updated software and do not use some self-written scripts, programs, then in theory everything will be safe.
But recently there was some statistics that critical vulnerabilities stay in Linux kernel about 7 years from the moment they appeared as a result of a programmer’s error till the moment they were found by our white hat researcher.
But it is not clear during these seven years if cybercriminals have found them, used them and how many systems were broken using this vulnerabilities. Not to mention that some special government services may use it too.
For example: The latest Linux kernel flaw (CVE-2017-2636), which existed in the Linux kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial of service (system crash). The Hacker News
Well yes. There is such a statistic. There is also some criticism from proprietary software developers. Like you say “many eyes that looks in code will find any error.” This is a quote from Linus Torvalds, if I’m not mistaken.
Not exactly. Linus’s Law is a claim about software development, named in honor of Linus Torvalds and formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar (1999).[1][2] The law states that “given enough eyeballs, all bugs are shallow”; or more formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone.” Wikipedia
But in practice, yes, there are really old vulnerabilities that come up after many many years. Because apparently they did not looking for this vulnerabilities well enough.But we still don’t have anything else, except Linux kernel. Therefore, they can say anything, but they will use it anyway. It is in the first place.
It is strange to even talk about custom reports based on vulnerability scans from Tenable products.
Just look at the variety of report templates available for SecurityCenter. For every taste and need! Why may you ever need to make any custom reports?
The thing is, if you want to use SecurityCenter reports you need to have all the scans of all your hosts in SecurityCenter and, as you know, SecurityCenter is licensed by IPs. What if you have tens of thousands of hosts? Price may be extremely high. In the other hand, you can take Nessus or SecurityCenter scan results via API (read how to do it in “Retrieving scan results through Nessus API” and “Tenable SecurityCenter and its API“) and process it with your own scripts for free.
In this post I would like to share my experience with Tenable Nessus Manager. And especially how to manage agented scans with it.
First of all, I will, once again, briefly describe main editions of Nessus vulnerability management solution. Three of them, that you can deploy in your infrastructure, and one is cloud based (Nessus Cloud).
It’s of course well known Nessus Home edition, that is free for home users. Nessus Home is strictly limited by amount of IP addresses you can scan. If you try to use it in some commercial environment you might have some problems with Tenable. But for scanning some home servers and desktops, or perhaps study how vulnerability scanners work it is a really great option. You can get home license automatically after filling the registration form. I described how to register Nessus Home, configure and use it in my earlier post.
The other Nessus Professional edition is for cybersecurity professionals/individuals, who may use this product for security assessment. It is most popular version of Nessus. There is no limit in IP addresses, so you can purchase one license for Nessus Professional scanner and theoretically scan everything in your organization. The cost of the scanner is just about $2,000. Very reasonable price comparing with other competitors. It also supports multiple user accounts.
If Nessus professional does such a beautiful job, why should anybody want something else? The answer is managing multiple connected vulnerability scanners and local agents. You can configure another edition, Nessus Manager, to run scan tasks from remote connected Nessus Professional scanners. You can also configure Nessus Manager to run audit and compliance scan tasks with locally installed Nessus agents. And it is the only way to do it. Even if you’ve already purchased some expensive Enterprise Vulnerability Management product from Tenable, such as Tenable Security Center or Tenable Security Center Continuous View you still will need to pay extra ~$3,000 – $5,000 for Nessus Manager if you want to use local agents.
Nessus Cloud is like Nessus Manager but it is hosted on remote Tenable servers.
Why may you need to use local agents for scanning? The most of obvious reasons is that in this case you won’t need to manage accounts for authenticated scan. You can also check how Qualys made Agented Scanning and compare it with Tenable approach bellow.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
