securityboulevard.com
5 Best Practices for Credentialed Scanning
Performing vulnerability scans with or without credentials has been a hotly debated issue. On one hand, uncredentialed scans give security teams a hacker's view of the organization, with a small subset of vulnerabilities to fix. On the other, credentialed scans provide a complete view of all known vulnerabilities, which may or may not be immediately important but can end up overwhelming teams. Moreover, uncredentialed scans can overwhelm the network infrastructure due to the unpredictable nature of the scan, whereas credentialed scans, if done well, place little load on it. Uncredentialed scans are also less accurate, producing a higher number of false positives, while credentialed scans are more accurate by the nature of the scan. Last but not least, uncredentialed scans, as the name suggests, don't require credentials, while credentialed scans do. That last point, in some cases, raises deep concerns within IT teams, partly driven by the idea of trusting a piece of software or person(s) with credentials (typically root/admin) for the organization. In this post, I'll discuss tips to alleviate these fears and share five best practices for credentialed scanning within your organization.

Who needs to know?
Security managers and engineers

What do you need to know?
Vulnerability scanning without credentials provides limited visibility into critical vulnerabilities and increases false positives and false negatives. Yet, over 55% of scans are run without credentials.

Why should you care?
The majority of exploit kits, malware and ransomware target client-side vulnerabilities and are delivered via social attacks such as phishing and drive-by exploitation; fully assessing true Cyber Exposure to these vulnerabilities requires credentialed scanning.

What can you do?
Follow the best practices outlined in this blog post.

Why should you scan with credentials?
Credentialed scans, if done well with appropriate privileges, provide the most accurate view of cyber risk within your organization. They bypass the usual downsides associated with uncredentialed scans, such as high false positives and high network bandwidth usage. In some cases, they even finish faster due to reduced back-and-forth between the scanner and target. If your organization's goal is to understand your true risk, then credentialed scans will provide the most accurate insight. It's always better to make vulnerability prioritization decisions based on all available information, rather than restricting them to the small subset of vulnerabilities discovered by uncredentialed scans.

Credentialed scanning best practices

Here are five best practices to perform credentialed scans within your organization:

Best practice #1: Use a dedicated scanning account

Set up a dedicated scanner account for credentialed scans rather than using existing accounts. The dedicated account should be fine-tuned to execute only those actions authorized by the IT team. Some organizations take this practice a step further and temporarily disable the scanning account once the weekly or monthly scans are finished.

Best practice #2: Use public key authentication or complex passwords

When possible, especially with SSH-based scans, use public key authentication over password-based authentication. The risk with password-based authentication is that a malicious insider or attacker could set up a rogue SSH server within the organization and capture the password when the scanner next connects to it. You should also supply the scanner with a "known_hosts" file containing the fingerprints of the hosts it will connect to, so that it never connects to a rogue host. If you must go with password-based authentication, use complex passwords at a minimum.
Best practice #3: Leverage credential managers

If your organization uses a credential manager such as Thycotic or CyberArk, you can use the existing Tenable integrations with these products to transition quickly to credentialed scans without having to set up the credentials in Tenable products all over again. At a high level, this requires setting up scan policies to authenticate to the credential manager, which on successful authentication provides the credentials used to perform the credentialed scan. See the Thycotic and CyberArk integration guides for specific instructions.

Best practice #4: Use "least privilege" scanning

For *nix-based systems, you can now review which commands are run by the scanner and the privileges they were run with. This information can be used to restrict the scanning account to the least set of privileges required for the scan. Tenable recently released a feature for SSH-based scans that allows you to do just that. The process involves setting up an account with sudo privileges and then modifying the '/etc/sudoers' file to include the authorized list of commands based on results from plugin IDs 102094 and 102095. The plugins provide insight into two critical aspects of a credentialed scan:

- Which plugins ran with elevated privileges, and which specific commands did they run?
- Which plugins tried to run with elevated privileges and failed due to lack of privileges?

The plugin output is in machine-readable YAML format, so it's possible to parse the output and take automated actions to update the relevant files.

Best practice #5: Assess authentication failures

Finally, what good are credentials if they don't work? At Tenable, we've observed scanners fail to log into systems for a variety of reasons, such as:

- Credentials are revoked
- Scanning accounts are deleted
- Credentials are updated or expired

When these changes occur, the scanning solution isn't always in the loop.
To help address this issue, we released a new plugin that summarizes authentication failures across all *nix, Windows, database and other systems supported by Nessus. Review the output of the plugin and set up automated processes to trigger action events whenever a scan returns a positive hit for Plugin ID 104410.

Wrap-up

Credentialed scans help provide the most accurate snapshot of your organization. They'll help find vulnerabilities that would never be discovered by uncredentialed scans (e.g., client-side vulnerabilities). You should therefore perform credentialed scans whenever possible. The information provided by a credentialed scan will help fill the gaps in your security architecture and provide insight into how to improve your information security program.
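As an added illustration of best practice #4 (this is not Tenable's code, and the YAML layout below is constructed for the example rather than the real output format of plugins 102094 and 102095), the following Python turns the commands a scan ran with elevated privileges into a least-privilege sudoers fragment for the dedicated scanning account. The account name nessus-scan, the alias SCAN_CMDS and the sample commands are assumptions; anything that would widen the grant (relative paths, shell metacharacters, characters special to sudoers) is rejected instead of being written out.

```python
import re
import shlex

# CONSTRUCTED sample modelled on the page's description of the plugin output;
# confirm the real YAML layout of plugins 102094/102095 before parsing it.
SAMPLE_YAML = """\
- plugin_id: 11111
  status: ran_elevated
  command: /usr/bin/rpm -qa
- plugin_id: 22222
  status: ran_elevated
  command: /usr/sbin/dmidecode -t system
- plugin_id: 33333
  status: failed_no_privilege
  command: /bin/cat /etc/ssh/sshd_config
- plugin_id: 44444
  status: ran_elevated
  command: /usr/bin/rpm -qa
"""

def parse_elevated_commands(text):
    """Collect every 'command:' value from the simple key/value list above
    (no PyYAML dependency). Commands that ran elevated and commands that failed
    for lack of privilege are both candidates for the sudoers allowlist."""
    return [m.group(1) for m in
            re.finditer(r"^\s*(?:-\s+)?command:\s*(.+?)\s*$", text, re.M)]

# A command word may contain only these characters; shell metacharacters,
# wildcards, and ',' '=' ':' (which are special in the sudoers grammar) are refused.
SAFE_WORD = re.compile(r"^[A-Za-z0-9_./@+-]+$")

def sudoers_fragment(account, commands):
    """Grant the scanning account exactly the listed commands (with their exact
    arguments) as root, and nothing else. Raises ValueError on unsafe input."""
    allowed = []
    for cmd in sorted(set(commands)):   # dedupe; stable order keeps review diffs small
        words = shlex.split(cmd)
        if not words or not words[0].startswith("/"):
            raise ValueError(f"command needs an absolute path: {cmd!r}")
        if any(not SAFE_WORD.match(w) for w in words):
            raise ValueError(f"unsafe characters in command: {cmd!r}")
        allowed.append(" ".join(words))
    return (f"Cmnd_Alias SCAN_CMDS = {', '.join(allowed)}\n"
            f"{account} ALL=(root) NOPASSWD: SCAN_CMDS\n")

if __name__ == "__main__":
    print(sudoers_fragment("nessus-scan", parse_elevated_commands(SAMPLE_YAML)), end="")
```

Write the result to a file under /etc/sudoers.d and validate it with visudo -c before the next scan run; the IT team still reviews the list, the script only removes the manual transcription step.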
Mehul Revankar