SecurityCenter 4.7 User Guide. September 2, 2014 (Revision 5)


Table of Contents

Introduction ... 5
Standards and Conventions ... 5
Abbreviations ... 6
Changes in SecurityCenter 4.7
New and Enhanced Features ... 6
SecurityCenter Functional Overview ... 6
System Status ... 7
Configure the Dashboard ... 7
Define Support Objects ... 8
Assets ... 8
Audit Files ... 8
Credentials ... 8
Queries ... 9
Scan Policies ... 9
Manage Users ... 9
Repositories ... 9
Roles ... 9
Organization Head ... 9
Manager ... 9
End User
User Visibility
User Access Control
Manage Scanning
Active Vulnerability Scanning
Credentialed Scanning
Continuous Passive Discovery
Analyze Data
Generate Reports
Manage Workflow
Manage Plugins
Getting Started
SecurityCenter Web Interface
System Functions
Preferences
Basic
Notifications
Logs
Attribute Sets
Feed
SecurityCenter Functions
Home/Dashboard
Working with Dashboards
Add Components
Working with Custom Components
Multiselect Conditions
Creating a Simple Matrix Component
Copy Component
Options
Navigating the Dashboard Components
Vulnerability Analysis
Cumulative vs. Mitigated
Filter History
Right-Click Functionality
Analysis Tools
Add Risk Recast/Acceptance Rule
Load Query
Additional Vulnerability Analysis Options
Save Query
Save Asset
Open Ticket
More Options
Export as CSV
Create Report
Vulnerability Filters
Mobile Analysis
Event Analysis
Raw Syslog Events
Filter History
Date Selection
Right-Click Functionality
Active vs. Archived
Analysis Tool
Load Query
Additional Event Analysis Options
Save Query
Save Asset
Open Ticket
More Options
Save Watchlist
Export as CSV
Create Report
Event Filters
Scanning
Scans
Basic Options
Policy and Credential Options
Policy Options
Plugin Preferences
Post Scan
Scan Progress
Scan Results
Blackout Windows
Reporting
Reports
Report Results
Report Images
Report Import and Export
Support
Assets
Dynamic Asset Discovery
Adding Assets
Audit Files
Credentials
Queries
Scan Policies
Add a Scan Policy
Basic
Audit Files
Plugins
Preferences
Additional Scan Policy Options
Users
Users
Add User
Edit
Detail
Delete
Roles
Add Role
Edit
Detail
Delete
Workflow
Alerts
Tickets
Accept Risk Rules
Recast Risk Rules
Plugins
Update Plugins
Upload Plugins
Other Plugin Options
About Tenable Network Security

Introduction

This document provides instructions for using Tenable Network Security's SecurityCenter 4.7 and related components. Since many of Tenable's customers have requirements to maintain separation of duties, the SecurityCenter 4.7 documentation has been separated into the following documents to better organize the material based on organizational roles. Note that there is some overlap in roles as well as content provided with each of the following guides:

SecurityCenter 4.7 Installation Guide: This document provides instructions for the installation of SecurityCenter 4.7. The target audience for this document is system administrators who need to install the SecurityCenter application. Included in this document are quick instructions for the admin user to add a Nessus scanner and create a user account to launch a test scan to ensure SecurityCenter is correctly installed.

SecurityCenter 4.7 Upgrade Guide: This document describes the process of upgrading to the latest version of SecurityCenter 4.7.

SecurityCenter 4.7 Administration Guide: This document provides instructions for the administration of SecurityCenter by the admin user. The admin user is the first user to log into SecurityCenter after the initial installation and is responsible for configuration tasks such as defining organizations, repositories, Nessus scanners, LCE servers and PVS sensors. The admin user does not have the ability to create and launch Nessus scans.

SecurityCenter 4.7 User Guide: This document provides instructions for using SecurityCenter from an Organization Head user or lesser account.

Please email any comments and suggestions to support@tenable.com. A basic understanding of Linux/Unix, Windows, vulnerability scanning with Nessus, intrusion detection and log analysis is assumed.

Standards and Conventions

Throughout the documentation, filenames, daemons, and executables are indicated with a courier bold font such as gunzip, httpd, and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line examples may or may not include the command line prompt and output text from the results of the command. Command line examples display the command being run in courier bold to indicate what the user typed, while the sample output generated by the system is indicated in courier (not bold). Following is an example running of the Unix pwd command:

# pwd
/opt/sc4/daemons
#

Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples, and best practices are highlighted with this symbol and white on blue text.

Abbreviations

The following abbreviations are used throughout this documentation:

LCE  Log Correlation Engine
PVS  Passive Vulnerability Scanner
SC   SecurityCenter
SSH  Secure Shell
IDS  Intrusion Detection System

Changes in SecurityCenter 4.7

This section provides an overview of some of the new features and changes that are of particular interest to current SecurityCenter 4 customers. For more details on these features and changes, please refer to the appropriate SecurityCenter 4.7 document as described in the Introduction.

New and Enhanced Features

- Support for pulling mobile vulnerability information from Apple Profile Manager, ActiveSync, and Good MDM
- Mobile vulnerability data analysis and reporting
- Dashboard templates for components and collections of components
- Report templates for quick report creation
- Asset templates for dynamic asset list creation
- SecurityCenter feed for adding and updating templates, compliance plugins, and remediation tool information
- Blackout windows now stop active scans at the start time of the window and create a rollover scan (new behavior)
- Upload OVAL/XCCDF files to be used as audit files for SCAP scans
- Download raw OVAL/XCCDF results after a SCAP scan is complete
- Remediation reports to provide solutions and the solution's impact on discovered vulnerabilities
- New fonts and look and feel for reports
- Export dashboards to create reports
- Create reports from scan results via report templates
- Manage accepted and recast risks as a user
- Set an expiration time for an accepted risk
- First Discovered will use the most recent first discovery
- Matrices may be used in reports

SecurityCenter Functional Overview

This section provides a high-level overview of SecurityCenter (US Patent No. 7,926,113 B1, "System and Method for Managing Network Vulnerability Analysis Systems") user functions. The order in which these functions are described follows the logical order in which tasks would typically be performed, not necessarily the order in which the tabs are

displayed on the SecurityCenter dashboard. For example, in a new SecurityCenter deployment, the first step is usually to define asset lists, followed by reviewing available repositories. This information is then used in configuring users who are assigned assets, repositories, and other resources based on organizational needs. Once the users are configured, the daily SecurityCenter tasks can be performed: scanning, data analysis, reporting, workflow management, and plugin maintenance. These tasks are briefly described in this section for the benefit of users who are new to SecurityCenter. Details on how to configure and manage these functions are provided in the section titled SecurityCenter Functions. If you are already familiar with SecurityCenter functions, you may wish to proceed directly to the Getting Started section.

System Status

The Job Scheduler process is restarted by logging in as an admin user and using the Stop/Start options available to that user in this interface. The Stop/Start options are not available to non-admin users, but they are able to view the status. The SecurityCenter status is displayed from the web management interface: click on the status circle in the lower right-hand corner of the web page. A pop-up similar to the one below is displayed:

SecurityCenter Status

Within the system status are the current plugin feed status, SecurityCenter (SC) feed status, license status, and Job Scheduler service state.

Configure the Dashboard

The dashboard is the first screen displayed when you log in to the SecurityCenter user interface and displays vulnerability or event data using various predefined components. The dashboard can also be displayed by selecting Dashboard from the Home tab. The dashboard is configured with one or more tabs that contain different views and layouts populated with multiple components, including tables and custom charts (e.g., bar, line, area, and pie). The dashboard tables and charts are fully

customizable and allow data to be retrieved from various sources using a wide variety of configurations. Dashboard elements can also be shared between users or exported/imported to another SecurityCenter as required. Dashboard templates are available in SecurityCenter to provide an easy starting point for creating dashboards. They are created and maintained by Tenable and are based on industry standards, trends, and customer requests. Templates are added and updated via the SecurityCenter feed.

Define Support Objects

SecurityCenter support objects (assets, audit files, credentials, queries, and scan policies) are defined from the Support tab on the dashboard. This section provides a brief description of these objects.

Assets

SecurityCenter supports a flexible dynamic asset discovery system that can also import static asset lists from many commercial and open source systems. This allows high-level asset lists to be constructed as well as very detailed lists of specific items. Some examples of assets to be grouped together include, but are not limited to, hardware device types, particular service types, certain vulnerability types, machines with outdated software, OS types, and other lists based on discovered information. There are many asset templates available by default in SecurityCenter and, if configured, templates are automatically updated and added to by Tenable. To create a static list of assets in SecurityCenter, users can either manually enter IP addresses into the Addresses field or upload a text file that contains IP addresses, ranges of IP addresses, or CIDR notation. Once uploaded, the asset list is named and can be used immediately. SecurityCenter can implement rules that consider discovered information for dynamic asset discovery. These rules are run against the vulnerability data and result in assigning an IP address to one or more asset lists.
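As an added illustration (not part of the original guide and not SecurityCenter's own code), the following Python script shows how the entries of a static asset list file as described above (single addresses, hyphenated ranges, CIDR blocks) resolve to address sets, with a malformed line reported rather than silently admitted, and how a dynamic-asset rule of the kind this section describes can be evaluated against discovered host attributes. The file contents, host records, rule names and function names are the example's own constructed choices.

```python
import ipaddress

# Constructed sample asset file: one entry per line, comments after '#'.
# The last entry is deliberately malformed to show how a bad line is
# reported instead of being dropped or widening the list unnoticed.
SAMPLE_ASSET_FILE = """\
# New York office (constructed sample)
192.168.1.0/24
10.0.0.1-10.0.0.20
172.16.5.9
10.0.0.300
"""


def parse_asset_list(text):
    """Parse a static asset list into ip_network objects.

    Accepts single IPs, CIDR blocks and hyphenated ranges (a.b.c.d-e.f.g.h).
    Returns (networks, errors); errors holds (line_no, line, reason) tuples
    so an uploader can reject the whole file rather than scan the wrong hosts.
    """
    networks, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "-" in entry:
                lo_s, hi_s = entry.split("-", 1)
                lo = ipaddress.ip_address(lo_s.strip())
                hi = ipaddress.ip_address(hi_s.strip())
                if hi < lo:
                    raise ValueError("range end precedes range start")
                networks.extend(ipaddress.summarize_address_range(lo, hi))
            else:
                # strict=False lets "10.1.2.3/24" denote the /24 containing it
                networks.append(ipaddress.ip_network(entry, strict=False))
        except (ValueError, TypeError) as exc:  # TypeError: mixed v4/v6 range
            errors.append((line_no, raw, str(exc)))
    return networks, errors


def asset_contains(networks, ip):
    """True if ip falls inside any network of the parsed asset list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed sample of discovered host attributes, in the shape a dynamic
# asset rule would consult (OS, Windows domain, plugin IDs that fired).
SAMPLE_HOSTS = [
    {"ip": "10.0.0.5", "os": "Windows Server 2008", "domain": "CORPORATE-NY", "plugins": {4110}},
    {"ip": "10.0.0.6", "os": "Windows 7", "domain": "CORPORATE-LA", "plugins": set()},
    {"ip": "10.0.0.7", "os": "Linux Kernel 2.6", "domain": "CORPORATE-NY", "plugins": {4110}},
]

# Rules modelled on the two examples this section gives; the list names and
# matching logic are the example's own. PVS plugin 4110 is the LimeWire
# detection the guide cites.
DYNAMIC_RULES = [
    ("New York Domain",
     lambda h: h["os"].startswith("Windows") and h["domain"] == "CORPORATE-NY"),
    ("LimeWire Review",
     lambda h: 4110 in h["plugins"]),
]


def assign_dynamic_assets(hosts, rules):
    """Run every rule over every host; a host may land on several lists."""
    assignment = {name: [] for name, _ in rules}
    for host in hosts:
        for name, predicate in rules:
            if predicate(host):
                assignment[name].append(host["ip"])
    return assignment


if __name__ == "__main__":
    nets, errs = parse_asset_list(SAMPLE_ASSET_FILE)
    print("networks:", [str(n) for n in nets])
    print("rejected lines:", errs)
    print("10.0.0.17 in list:", asset_contains(nets, "10.0.0.17"))
    print(assign_dynamic_assets(SAMPLE_HOSTS, DYNAMIC_RULES))
```

The range entry is expanded with `summarize_address_range`, so a 1-20 range becomes a handful of CIDR blocks rather than twenty host entries, and a host can legitimately appear on more than one dynamic list, exactly as the two rules above overlap on 10.0.0.5.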
For example, SecurityCenter could create a rule stating that any Windows system that belongs to the CORPORATE-NY domain be placed on an asset list named New York Domain. Another example would be any host discovered to have LimeWire software running (Nessus plugin or PVS plugin 4110) being assigned to a dynamic asset list for special review. Tenable also provides a variety of asset templates that may be used as is or customized for the local environment.

Audit Files

A configuration audit is one where the auditors verify that servers and devices are configured according to an established standard and maintained with an appropriate procedure. SecurityCenter can perform configuration audits on key assets through the use of Nessus local checks that can log directly onto a Unix or Windows server without an agent. SecurityCenter supports a variety of audit standards. Some of these come from best practice centers like the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Some are based on Tenable's interpretation of audit requirements to comply with specific industry standards such as PCI DSS, or legislation such as Sarbanes-Oxley. In addition to the base audits, it is easy to create customized audits for the particular requirements of any organization. These customized audits can be loaded into SecurityCenter and made available to anyone performing configuration audits within an organization. NIST SCAP files can be uploaded and used in the same manner as an audit file. Navigate to NIST's SCAP website and, under the SCAP Content section, download the desired SCAP security checklist zip file. The file may then be uploaded to SecurityCenter and selected for use in Nessus scan jobs. Once the audit policies have been configured in SecurityCenter, they can be reused repeatedly with little effort. SecurityCenter can also perform audits intended for specific assets.
Through the use of audit policies and asset lists, a SecurityCenter user can quickly determine the compliance posture for any specified asset.

Credentials

Credentials are reusable objects that facilitate a login to a scan target. Various types of credentials can be configured for use within scan policies. Credentials may be shared between users for scanning purposes. Available credential types include:

- Windows
- SSH
- SNMP community string
- Kerberos

SecurityCenter supports the use of one SSH credential set, one Kerberos credential set, up to four Windows credential sets, and four SNMP credential sets per scan configuration.

Queries

Queries allow SecurityCenter users to save custom views of vulnerability or event data for repeated access. This enables SecurityCenter users to quickly update data for a particular query type without having to configure complex query parameters each time.

Scan Policies

Scan policies consist of configuration options related to performing a vulnerability scan. These options include, but are not limited to:

- Parameters that control technical aspects of the scan such as timeouts, number of hosts, type of port scanner, and more
- Granular plugin family or individual plugin based scan specifications
- Compliance policy checks (Windows, Linux, Database, etc.), report verbosity, service detection scan settings, audit files, patch management systems, and more

Manage Users

The Users screen provides the ability to add, edit, delete, or view the details of SecurityCenter user accounts. Users are assigned roles to determine the level of access they have, and are also assigned repositories and assets depending on the level of access required. The list of users and actions is limited to the Organization and the permissions of the user viewing the list.

Repositories

SecurityCenter integrates repositories of vulnerability data that are shared as needed among users and organizations based on manager-defined assets. The use of repositories allows for scalable and configurable data storage for organizations. Repositories can also be shared between multiple SecurityCenters. Repositories are configured by the administrative user and made available to the Organization Head to assign to users as needed.

Roles

SecurityCenter users can be created with default or customized roles.
Roles are adjustable and allow for user creation based on specific business/security models and needs. User accounts created by other users inherit the creating user's permissions, or a subset of them as desired, while never exceeding the access or permissions of the creating user. This granular user control and customization enables large organizations to comply with regulations and standards that mandate separation of duties and layers of control. There are three basic pre-defined organizational roles:

Organization Head

The Organization Head is the primary user account for the organization and has full rights for the entire network space of an organization. The Organization Head is defined by the administrative user (by default, "admin") and cannot be deleted without removing the entire organization entry. The Organization Head may define additional users who may have rights to all, or only a portion of, the organization's network address space and resources.

Manager

Managers can be created to have all the access rights of the creating user or only partial rights. The creating user can define which address space the manager has access to as well as which asset lists, repositories, and LCE sources the manager can control. Managers can create users with a role that has a subset of their permissions.

End User

An End User is typically a system administrator or network engineer who has responsibility for administering security on a portion of the network. The access rights for an End User are defined by the Manager(s) for the defined network address space; the End User does not have the ability to change this. End Users may be segregated to a subset of the network address space defined for the organization, thereby restricting their ability to monitor network activity.

User Visibility

An important concept of SecurityCenter is that of visibility. Objects (scans, queries, etc.) can have one of four possible visibilities. The table below describes each of the available visibility options:

Table 1 Visibility Options

User: Objects created with User visibility are available only to their creator. These objects are not indicated by an icon, as the other visibility options below are.

Organizational: Objects created with Organizational visibility are available to any user within the current organization.

Application: Objects created with Application visibility apply to any user within any organization in SecurityCenter. Objects created by the administrator user automatically inherit Application visibility, and only administrators can create objects with this visibility.

Shared: Objects created with User or Organizational visibility can be converted to Shared visibility after being shared by a user with the required permissions. If you edit an object that has Shared visibility, you have the option to change it to User visibility, which removes all existing shares. In addition, if an object is unshared from everyone it reverts to User visibility.

User Access Control

Within the defined user roles, granular permissions are defined that enable users to perform specific tasks. Custom roles can be created with any combination of desired roles based on enterprise needs. Role permissions are broken down based on user visibility. In all cases except policy roles, an Organizational designation indicates that the user with that role can create objects with either User or Organizational visibility. In the case of scan policy creation, users with the Create Policies permission can only create policies with User visibility. Users with both the Create Organizational Policies and Create Policies permissions can create policies with either User or Organizational visibility. Users with only the Create Organizational Policies permission cannot create any scan policies. The table below defines the various permissions available within the SecurityCenter architecture. Note that the default Manager and End User permissions may be changed by the Administrator user.

Table 2 Available Permissions

Each row gives the permission, its description, and an X for each role that holds it by default, in the column order Organization Head, Administrator, Manager, End User.

Accept Risks: Accept the risk of vulnerabilities. [X X]
Create Alerts: Create custom alerts. [X X X]
Create Audit Files: Upload custom audit files. [X X X X]
Create Application Roles: Create roles with application visibility. This is not a configurable role. [X]
Create LDAP Query Roles: Create roles with the ability to create asset lists based on a query to the configured LDAP server. [X]
Create Organization Roles: Create roles with organizational visibility. This is not a configurable role. [X]
Create Organization Assets: Create assets. [X X X]
Create Organization Credentials: Create credentials. [X X X]
Create Organization Policies: Create scan policies with organizational visibility. This option must be used in conjunction with the Create Policies permission. [X X X]
Create Organization Queries: Create queries. [X X X]
Create Policies: Create scan policies with User visibility. This option must be set for the Create Organizational Policies option to function. Use this option for users who will create policies for themselves, but not shared policies. This can be useful for new users. [X X X]
Create Tickets: Create tickets. [X X X]
Edit/Delete Organization Assets: Edit or delete assets belonging to the user's organization regardless of which organizational user created them. [X]
Edit/Delete Organization Credentials: Edit or delete credentials belonging to the user's organization regardless of which organizational user created them. [X]
Edit/Delete Organization Policy: Edit or delete policies belonging to the user's organization regardless of which organizational user created them. [X]
Edit/Delete Organization Query: Edit or delete queries belonging to the user's organization regardless of which organizational user created them. [X]
Manage Applications: Manage SecurityCenter applications and services. Any role with the Manage Applications permission is non-editable; the permission column is removed. [X]
Manage Users: Manage non-administrative users. [X X]
Purge Tickets: Purge tickets. [X X]
Recast Risk: Recast the risk of vulnerabilities. [X X]
Scan Privileges: Perform Nessus scans. [X X X]
Share Assets: Share assets with other users. [X X X]
Share Credentials: Share credentials with other users. [X X X]
Share Dashboard Tabs: Share dashboard tabs with other users. [X X X]
Share Policies: Share policies with other users. [X X X]
Share Queries: Share queries with other users. [X X X]
Update Plugins: Update Active, Passive and Custom plugins. [X X X]
Upload Nessus Scan Results: Upload Nessus scan results. [X X X]
View Event Data: View event data. [X X X]
View Organization Logs: View organization logs. [X X]
Manage Attribute Sets: Create and manage CyberScope and ARF attribute sets for reports. [X X]
View Vulnerability Data: View vulnerabilities within the organizational repository. [X X X]

Manage Scanning

Scans are managed from the Scanning tab on the dashboard. There are three basic categories of scans: active vulnerability scanning, credentialed scanning, and continuous passive discovery. Using all three types provides a

comprehensive view of the organization's security posture and reduces false positives. SecurityCenter can manage one or more Nessus vulnerability scanners. Scan policies that discover new hosts, new applications, and new vulnerabilities can be scheduled and automatically distributed to multiple scanners for load balancing. SecurityCenter manages which Nessus scanners are best suited to scan a particular host. There are a large number of scanning options, including the ability to specify the maximum length of time a scan is allowed to run. If a scan exceeds the limit, the un-scanned targets are captured in a rollover scan that can be run manually or scheduled for a later time. This feature is very useful for organizations that have a limited scanning window available, enabling them to pick up a scan where it left off.

Active Vulnerability Scanning

In active vulnerability scanning, the Nessus scanner sends packets to a remote target to provide a snapshot of network services and applications. These are compared to a plugin database to determine if any vulnerabilities are present. SecurityCenter can also use a Nessus scanner located outside the local network to simulate what an external entity might see.

Credentialed Scanning

Nessus credentialed scans can be leveraged to perform highly accurate and rapid patch, configuration, and vulnerability audits on Unix, Windows, Cisco, and database systems by actually logging in to the target system with provided credentials. Credentialed scans can also enumerate all UDP and TCP ports in just a few seconds. SecurityCenter can securely manage these credentials across thousands of different systems and also share the results of these audits only with users who have a need to know. For more information on Nessus credentialed scanning, please refer to the Nessus Credentialed Checks for Unix and Windows document available from Tenable.

Continuous Passive Discovery

SecurityCenter can manage one or more Tenable Passive Vulnerability Scanners (PVS). The PVS provides continuous discovery of new hosts, new applications, and new vulnerabilities. It runs 24x7 and discovers highly accurate client and server vulnerability information. SecurityCenter fuses this information with the active or credentialed scan results from Nessus.

Analyze Data

The Analysis tab on the SecurityCenter dashboard provides a great many filters to analyze vulnerability, mobile, and event data.

Generate Reports

Tenable provides extremely flexible and simplified reporting through an assortment of report templates and a user-friendly report creation interface. Supported report types include the well-known standard formats PDF, RTF, and CSV, for a high level of compatibility and ease of use. For specialized needs, CyberScope, DISA ASR, and DISA ARF types are available as well. Reports can be run as part of a post-scan process, scheduled by time, or run on demand, and the results automatically emailed or shared to multiple recipients who have an interest in the report details. To see a list of templated and scheduled reports to be run, click on the Reporting tab from the dashboard and then Reports. To see a list of completed reports, click the Reporting tab from the dashboard and then Report Results.

Manage Workflow

The Workflow tab contains options for alerting, ticketing, and managing risk rules. These functions allow users to be notified of and properly handle vulnerabilities and events as they are identified.

Manage Plugins

The Plugins tab provides the ability to perform a wide variety of plugin-related functions, including updating active, passive, and event plugins, uploading custom plugins, viewing plugin details/source, and searching for specific plugins. Plugins are scripts used by Nessus, the Passive Vulnerability Scanner, and the Log Correlation Engine to collect and interpret vulnerability data. For ease of operation, active and passive plugins are managed centrally by SecurityCenter and pushed out to their respective scanners.
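The User Visibility and User Access Control sections above describe three rules that are easy to get wrong when building roles: the two-permission logic for scan policy creation, the requirement that a created account hold only a subset of its creator's permissions, and the way an object's visibility moves between User and Shared as it is shared and unshared. The following Python model is an added example written for this guide, not SecurityCenter's own code; the permission names come from the table above, while the account records, the `SharedObject` class and all function names are the example's own constructions.

```python
from dataclasses import dataclass, field

# Visibility values named in the User Visibility table.
USER, ORGANIZATIONAL, APPLICATION, SHARED = "User", "Organizational", "Application", "Shared"

# Permission names as they appear in Table 2 (Available Permissions).
CREATE_POLICIES = "Create Policies"
CREATE_ORG_POLICIES = "Create Organization Policies"
MANAGE_USERS = "Manage Users"


@dataclass(frozen=True)
class Account:
    """Constructed stand-in for a SecurityCenter user and its effective permissions."""
    name: str
    permissions: frozenset


def allowed_policy_visibilities(account):
    """Visibilities this account may give a new scan policy.

    Create Policies alone -> User only; both permissions -> User or
    Organizational; Create Organization Policies alone -> none at all,
    because that permission only extends Create Policies.
    """
    if CREATE_POLICIES not in account.permissions:
        return frozenset()
    if CREATE_ORG_POLICIES in account.permissions:
        return frozenset({USER, ORGANIZATIONAL})
    return frozenset({USER})


def can_create_account(creator, requested_permissions):
    """A user may create another account only with Manage Users and only
    with a subset of its own permissions (never exceeding the creator)."""
    return (MANAGE_USERS in creator.permissions
            and frozenset(requested_permissions) <= creator.permissions)


@dataclass
class SharedObject:
    """A query, scan or policy whose visibility follows the Shared rules above."""
    owner: str
    visibility: str = USER
    shared_with: set = field(default_factory=set)

    def share(self, users):
        # The guide describes sharing only for User/Organizational objects;
        # refusing it for Application objects is this example's assumption.
        if self.visibility not in (USER, ORGANIZATIONAL, SHARED):
            raise ValueError("only User or Organizational objects can be shared")
        self.shared_with |= set(users)
        self.visibility = SHARED

    def unshare(self, users):
        self.shared_with -= set(users)
        if not self.shared_with and self.visibility == SHARED:
            self.visibility = USER  # unshared from everyone -> back to User

    def reset_to_user(self):
        """The edit-time option to drop all existing shares at once."""
        self.shared_with.clear()
        self.visibility = USER


# Constructed sample accounts.
MANAGER = Account("manager", frozenset({MANAGE_USERS, CREATE_POLICIES, CREATE_ORG_POLICIES, "Scan Privileges"}))
END_USER = Account("enduser", frozenset({CREATE_POLICIES, "Scan Privileges"}))
MISCONFIGURED = Account("orgonly", frozenset({CREATE_ORG_POLICIES}))

if __name__ == "__main__":
    for acct in (MANAGER, END_USER, MISCONFIGURED):
        print(acct.name, "may create policies with:", sorted(allowed_policy_visibilities(acct)))
    print("manager -> scan-only account:", can_create_account(MANAGER, {"Scan Privileges"}))
    print("manager -> Accept Risks account:", can_create_account(MANAGER, {"Accept Risks"}))
    q = SharedObject(owner="manager")
    q.share({"alice", "bob"}); q.unshare({"alice"}); q.unshare({"bob"})
    print("visibility after unsharing from everyone:", q.visibility)
```

The `MISCONFIGURED` account is the case the guide calls out: granting only Create Organization Policies yields a user who can create no policies, which is easy to miss when a custom role is assembled by hand.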

Getting Started

New users to SecurityCenter may find the rich functionality a bit daunting at first. The first steps are to ensure you have the correct browser settings and to establish system settings specific to your account.

SecurityCenter Web Interface

To navigate within the SecurityCenter user interface, use the menu on the web interface screen, not the browser's back and forward buttons. Adobe Flash Player must be installed to use the SecurityCenter web interface; it can be obtained from Adobe's website. The minimum recommended browser window size is 1024x580. Resizing the browser window below this size when viewing the SecurityCenter web interface causes some objects to display incorrectly. To launch SecurityCenter, bring up a web browser on a system that has access to the SecurityCenter's network address space and enter the URL in the following format:

https://<ADDRESS OR NAME>/

The SecurityCenter web interface must be accessed using a secure web connection (https). SecurityCenter does not listen on port 80 by default. TLS 1.0 must be enabled by the browser in order to complete the secure connection to SecurityCenter. This will present the SecurityCenter login screen:

SecurityCenter Login Screen

Log in using the credentials provided by the user who created your account.

System Functions

System functions in SecurityCenter are managed from the System tab, displayed in the upper right-hand corner of the SecurityCenter user interface. This tab allows users to create custom preferences for their account.

Preferences

The Preferences option enables basic options and notifications to be modified to customize the user experience.

Basic

The Basic tab modifies several location and workflow options. First, it enables the user to modify the time zone displayed within the SecurityCenter user interface. This does not affect the underlying event or vulnerability time stamps, which are set by the server system time. The user can also configure the Email on Ticket Assignment option, which ensures that an email is sent by the system to the currently logged-in user for all newly assigned tickets. No additional configuration is required.

Basic Preferences

Notifications

Notifications are a feature of SecurityCenter that allows specified events to display a pop-up in the lower right-hand corner of the SecurityCenter user interface.

Sample Notifications

Current notifications can be viewed by clicking on the left-hand circle at the lower right-hand corner of the SecurityCenter web page. Unread notifications have a blue circle to the left of the notification text. Clicking on Mark All as Read removes the blue circle from all displayed notifications. To view notification details, click on the highlighted title to expand the notification. Notifications can also be deleted by clicking on the X to the right of the notification text or by clicking the Delete All command button within the Notification dialog box. User configurable notifications are shown in the screen capture below:

Notification Preferences

Logs

The Logs menu is only available to users with the View Organizational Logs permission set. SecurityCenter logs contain detailed functionality to troubleshoot unusual system or user activity. The logs include filters that allow the user to search logs based on parameters such as date, user, module, severity and keywords. An example keyword and user search is displayed below:

SecurityCenter Logging

Attribute Sets

This section allows users with the appropriate permission to create and manage operational attribute sets to apply to CyberScope Lightweight Asset Summary Results Schema (LASR) reports and Defense Information Systems Agency (DISA) Asset Report Format (ARF) report types. Each operational attribute set contains a name and an optional description of the set. Two options are available within the Type drop-down box: ARF and CyberScope. When DISA ARF is selected, six attribute sections are displayed. These must be filled in to correctly populate certain fields in DISA ARF reports. These sections are owning unit, owning service, administration unit, administration POC, CND service provider, and location. When CyberScope is selected, attributes for ReportingComponent, ComponentBureau, and Enclaves are available. These fields complete the CyberScope fields by entering the organization's name, FISMA reporting entity, and enclave within the FISMA reporting entity. Once saved, the Attribute Set will be available by its name in a drop-down menu for selection in CyberScope or DISA reports as appropriate to the format.

Feed

The Feed option allows the user to update the SecurityCenter feed with new templates for reports, assets, and dashboards from Tenable. A file may be selected for upload, or a direct connection to Tenable's website may be made if the SecurityCenter has appropriate connectivity.

SecurityCenter Functions

The SecurityCenter task bar contains eight major elements: Home, Analysis, Scanning, Reporting, Support, Users, Workflow, and Plugins. Each of these elements provides a drop-down menu of subsections, which may in turn contain a number of options. The Table of Contents of this document provides a listing of the functions that may be helpful in searching for a particular capability.

Home/Dashboard

The dashboard is the first screen displayed when you log in to the SecurityCenter user interface and displays vulnerability and event data using various predefined components. The Dashboard can also be displayed by selecting Dashboard from the Home tab. Because components draw from vulnerability, event, and other data sources, it is advisable to create and configure the data sources before adding any components.

Sample SecurityCenter Dashboard
The dashboard is configured with one or more tabs that contain different views and layouts populated with multiple components, including tables and custom charts (e.g., bar, line, area, pie, and matrix). The dashboard tables and charts are fully customizable and allow data to be retrieved from various sources using a wide variety of configurations. Each component type allows the user to view vulnerability, event, ticket, user, and alert data in a way that provides immediate analysis of important data anomalies, with the ability to drill into the underlying data set for further evaluation (vulnerability and event data only). SecurityCenter's matrix layout provides customizable displays based on the intersection of row and column data. These displays can integrate if-then-else logic to vary the display depending on the current state of the underlying data set.

Many dashboard templates are provided with SecurityCenter. The SecurityCenter feed provides new and updated dashboard templates created by Tenable's team based on industry standards and customer requests. For examples of SecurityCenter dashboards, please visit the SecurityCenter Dashboard blog.

Working with Dashboards
Dashboards allow SecurityCenter users to organize and consolidate components into named collections. For example, instead of having twenty discrete dashboard components on the initial login display, it is helpful to create multiple dashboards grouped by function, each with a subset of the components. One dashboard could contain five components related to active scanning, a second could contain seven related to passive scanning, and so on. Grouping components this way allows for a more focused security analysis, with the ability to drill into the desired data quickly and without confusion.
To modify the default dashboard configuration, click on the arrow next to the Dashboard title in the upper left-hand corner of the dashboard screen and select the desired option from the drop-down items:

Add Components
Click on Add Components to display the list of available dashboard template categories. Clicking on a category box displays the list of available components in that category. Once a category is chosen, individual and grouped template names and descriptions are listed, and sub-categories are available to narrow the list further. Selecting an individual template adds the component to the currently selected dashboard. Selecting a group of components creates a new dashboard. If Create Custom Component is selected, the created component appears on the current dashboard.

SecurityCenter Dashboard Component Selection
Please refer to the Working with Custom Components section below for how to create, edit, and delete custom dashboard components. The table below contains a detailed description of the available dashboard tab options.

Table 3 Tab Options
Add Components: This option allows you to add individual components to the selected dashboard. Components may be added using available templates or by creating a custom component.
Add Dashboard: Use this option to create a new dashboard. Clicking the Add Dashboard option displays a dialog similar to this screen capture:

The selected layout determines the number and width of components that can be displayed. Up to 1000 dashboards can be created; if the number of dashboards exceeds the window space, a paginator is created that allows the user to choose from one or more pages of tab selections. Once submitted, the dashboard template selection window is displayed and individual components may be added to the new dashboard. If a component collection is selected, a new dashboard is created using the dashboard parameters defined by the collection, discarding the entered name, description, and layout.
Edit Dashboard: This option is identical to the Add Dashboard option above except that it allows the user to edit an existing dashboard based on the options available in the dashboard configuration. See the screen capture in the Add Dashboard section above for available options.
Export Dashboard: Dashboards can be exported as XML files for use on other SecurityCenter systems. This is particularly useful where complex component definitions have been created and must be used in other locations. This function provides three options for the object references (asset lists, repositories, queries, and so on) inside the components:
1. Remove All References: all object references are removed, altering the definitions of the components. Importing users do not need to make any changes for the components to be usable.
2. Keep All References: object references are kept intact. Importing users must be in the same organization and have access to all relevant objects for the components to be usable.
3. Replace With Placeholders: object references are removed and replaced with their respective names. Importing users see the name of the referenced object but must replace it with an applicable object within their organization before the component is usable.
Due to changes in the dashboard XML file format between SecurityCenter versions, exported dashboards are not always compatible for import between SecurityCenter versions.
Import Dashboard: Use this function to import a previously exported XML dashboard file. Some useful dashboard components are available for import from the Tenable SecurityCenter Dashboards blog. When importing tabs, if references or placeholders were created on export, underlying objects such as asset lists and repositories must be created to replace the previously referenced data sets, and the object references must be specified manually. Creating an object with the same name as the originally referenced object does not restore the component relationship.
Share Dashboard: Use this function to share a dashboard with any user in your current organization. User filters can be defined to select recipients by name, role, or manager. Revoking a previously shared tab may also be performed using this option.
Send to Report: This option creates a report based on the dashboard components. When selected, a window offers options to customize the name and description and to define the schedule on which the report is run, or to create it as a report template.
Delete Tab: Delete the selected tab.

Working with Custom Components
Custom components can be created from the Add Component option. The components that can be created are various types of charts: Table, Bar, Pie, Line, Area, and Matrix. After selecting the desired component type, options for the data source and display must be entered to complete the process. The tables below show the available options for each component type.

Table 4 Table Options
Name: Chart name
Description: Chart description
Update Frequency: Frequency with which the component polls the data source to obtain updates. Available frequency options include: 15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays, weekends, once a week, once a month (by day or date), and never. Excessively frequent updates may cause the application to become less responsive due to the added processing load on the host.
Data Type: Vulnerability, Mobile, Event, Ticket, Alert, or User
Source (Vulnerability Data Type only): Cumulative or Mitigated, depending on the desired data source. For the Event data type the source is always Active; the Source option is not shown because only active event data is permitted for event-based components.

Query: Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it may be left unselected. The query may be used as is or as a template on which to base the Filters option.
Filters: Additional filters to apply to the data source. For more information on these filters, see the Vulnerability Filters, Mobile Filters, Event Filters, Ticket Query, Alert Query, and User Query sections.
Results Displayed: The number of displayed results (Table chart maximum: 999). If the Viewport Size setting is smaller than this setting, the display is limited to the Viewport Size, with a scrollbar for the additional results.
Viewport Size: The number of records (maximum: 50) to display at once, with a scrollbar to handle additional records. For example, if Results Displayed is set to 100 and Viewport Size is 15, fifteen records are displayed with a scrollbar to view the additional 85 records.
Sort Column (except Event data type): Column that the results are sorted by.
Sort Direction (except Event data type): Descending (default) or Ascending
Display Columns: Desired columns shown in the component output.

Table 5 Bar Chart Options
Name: Chart name
Description: Chart description
Update Frequency: Frequency with which the component polls the data source to obtain updates. Available frequency options include: 15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays, weekends, once a week, once a month (by day or date), and never. Excessively frequent updates may cause the application to become less responsive due to the added processing load on the host.
Data Type: Vulnerability, Mobile, Event, or Ticket
Source (Vulnerability Data Type only): Cumulative or Mitigated, depending on the desired data source. For the Event data type the source is always Active; the Source option is not shown because only active event data is permitted for event-based components.
Query: Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it may be left unselected. The query may be used as is or as a template on which to base the Filters option.

Filters: Additional filters to apply to the data source. For more information on these filters, see the Vulnerability Filters, Mobile Filters, Event Filters, Ticket Query, Alert Query, and User Query sections.
Results Displayed: The number of displayed results (Bar chart maximum: 100).
Sort Column (Vulnerability/Ticket data types only): Column that the results are sorted by.
Sort Direction (Vulnerability/Ticket data types only): Descending (default) or Ascending
Display Columns: Desired columns shown in the component output.

Table 6 Pie Chart Options
Name: Pie chart name
Description: Pie chart description
Update Frequency: Frequency with which the component polls the data source to obtain updates. Available frequency options include: 15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays, weekends, once a week, once a month (by day or date), and never. Excessively frequent updates may cause the application to become less responsive due to the added processing load on the host.
Data Type: Vulnerability, Event, or Ticket
Source (Vulnerability Data Type only): Cumulative or Mitigated, depending on the desired data source. For the Event data type the source is always Active; the Source option is not shown because only active event data is permitted for event-based components.
Query: Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it may be left unselected. The query may be used as is or as a template on which to base the Filters option.
Filters: Vulnerability, Event, or Ticket filters used to narrow down the series source. For more information on these filters, see the Vulnerability Filters, Mobile Filters, Event Filters, and Ticket Query sections.
Results Displayed: The number of displayed results (default: 10).

Sort Column: Column that the results are sorted by.
Sort Direction: Descending (default) or Ascending
Display Columns: Desired columns shown in the component output.

Table 7 Line/Area Chart Options
Name: Chart name
Description: Chart description
Update Frequency: Frequency with which the component polls the data source to obtain updates. Available frequency options include: 15 minutes, 20 minutes, 30 minutes, hourly, 2 hours, 4 hours, 6 hours, 8 hours, 12 hours, daily (default), weekdays, weekends, once a week, once a month (by day or date), and never. Excessively frequent updates may cause the application to become less responsive due to the added processing load on the host.
Time (x-axis): Relative selects a window relative to the current time. Available options include: Last Minutes: 15, 20, 30; Last Hours: 1, 2, 4, 6, 12, 24 (default), 48, 72; Last Days: 5, 7, 25, 50; Last Months: 3, 6, 12. Absolute allows a from and to date range to be selected.
Add/Edit Series: Each series has the following options:
Label: Series label
Data Type: Vulnerability or Event. For line/area charts, vulnerability data analysis often requires that the underlying repository be a trending repository. If the selected repository is not a trending repository, no historical analysis is available.
Query: Predefined query used to further narrow down the data source options. If a query does not exist or is not desired, it may be left unselected. The query may be used as is or as a template on which to base the Filters option.
Filters: Filters used to narrow down the series source. For more information on these filters, see the Vulnerability Filters and Event Filters sections.

Series Data: Data to display in the chart (Total, Info, Low, Medium, High, Critical).

Table 8 Matrix Options
Name: Matrix component name
Description: Matrix component description
Add Column (max 10): Columns are normally used to define a group of vulnerability, mobile, event, ticket, user, or alert data. For example, five columns could be used in a matrix component, one each for critical, high, medium, low, and informational vulnerabilities. Hovering the cursor over the right-hand side of the top cell of a column enables a drop-down similar to the screen capture below:
Click on Column Settings to set the column name and update frequency. The update frequency determines how often the underlying data set is refreshed. Refreshing the data more often gives a more current view of the data; however, it can have a detrimental effect on system performance.
Matrix columns are updated as clusters, not individually: all columns that share an update frequency are refreshed together. For example, if columns A and C have an update frequency of Daily and column B has an update frequency of Every 12 Hours, columns A and C are updated together and column B is updated by itself. This means that if a query is missing from column A, column C will not update either; if a query is missing from column B, columns A and C still update.
When adding a column, an option called Intersect Settings is available. When chosen, the new column analyzes the existing cells across each row and populates the new cells with the information common to the existing cells. For example, if all of the previous columns have a severity of High but differing asset lists, the newly created column's cells have a condition specifying the High severity level but no asset list designation. This feature speeds up the creation of matrix elements by reusing previously used configuration options and eliminating repetitive manual steps.
Add Row (max 10): Rows are another grouping element, used to define the operations performed against each column element for that row. For example, if each column selects a vulnerability severity (critical, high, medium, low, and informational), a row could be created labelled ratio, and each cell in that row could calculate the ratio of the count for that severity to the total vulnerability count.
Matrix Ratio Display

Hovering the cursor over the right-hand side of the first cell in a row enables a drop-down similar to the screen capture below:
When adding a row, an option called Intersect Settings is available. When chosen, the new row analyzes the existing cells across each column and populates the new cells with the information common to the existing cells. For example, if all of the previous rows have a severity of High but differing asset lists, the newly created row's cells have a condition specifying the High severity level but no asset list designation. This feature speeds up the creation of matrix elements by reusing previously used configuration options and eliminating repetitive manual steps.
Cells: Cells contain the actual data operations. Cells are defined by query and condition options, described below.
Query Options
Data Type: Available data types include vulnerability, mobile, event, ticket, alert, and user. The query value rules displayed in the condition section are defined dynamically by the data type used. For example, if a data type of Event is chosen, the query value rules include Event Count, IP Count, and Port Count.
Query: Choose data based on a predefined query. All cell queries must be active for the matrix component to function. For example, if a component has ten underlying queries and one is deleted, that query must be replaced before the entire component will update.
Filters: Filter the data based on specific parameters.
Conditions
Type: Available types include: Query Value, Static Text, Icon, Bar, and Ratio.
Rule: The available rules depend on the data type (Bar and Ratio types use ratios rather than counts):
Vulnerability: IP Count, Port Count, and Vulnerability Count
Mobile: Vulnerability Count, Device Count
Event: IP Count, Port Count, and Event Count
Ticket: Ticket Count
Alert: Alert Count
User: User Count
Display Options: The display options determine the background and foreground colors along with any custom text, if applicable.

Multiselect
Cells in a matrix component can be edited across rows and columns by selecting a single cell and then dragging the cursor over other cells until the entire range to be edited is highlighted. An Edit Cells dialog is then displayed for the highlighted range. In the example below, the highlighted cells all use the same repository but differing vulnerability severity levels and asset lists. Edit the data type, query, and filters as needed.
Multiselect Options

Conditions
There are two basic types of conditions in a matrix cell definition: the default (or fallback) condition and added conditions. By default, a single editable condition is added to each cell definition. This condition cannot be deleted and describes what is displayed in the cell if no other conditions have been defined or triggered. A default condition looks similar to the following:
Default Query Value
This condition can be edited to display any of the available display options. Added conditions may look similar to the following:

IP Count Query Value
The first two buttons on the left-hand side of the condition are up and down arrows that move the condition up or down in review order. These are followed by an edit button and a delete button. Conditions are reviewed from top to bottom, and the display is triggered by the first condition that matches. Once a condition triggers, none of the subsequent conditions are reviewed. If none of the added conditions match, the default condition is applied. Because of this ordering, place the most specific condition (for example, the higher count threshold) above more general ones; a broad condition at the top masks everything below it.

Creating a Simple Matrix Component
The matrix component has a great deal of power and functionality. This section contains the steps used to create the matrix display shown below:
Matrix Component
This display shows IPs grouped by operating system, with three columns:
Pass/Fail: displays an icon that is red or green depending on whether any IPs in the asset list have High vulnerabilities (at least one in our sample, as configured in step 7).
Failure IP Count: total number of IPs in the dynamic asset list that contain at least one High vulnerability.
Total IP Count: total number of IPs in the dynamic asset list.
Modify and use the steps below based on your dashboard needs.

1. Create a dynamic asset list for each operating system type desired. An example dynamic asset list is displayed below. This asset list captures only those hosts whose operating system is based on the Linux 2.6.x kernel. The asset list is used for the Total IP Count fields and to generate the query created in step 2.
Dynamic Asset OS Condition
2. Create a query based on each asset list that contains only those assets with a High vulnerability. Note that in the query below, we chose only those hosts that reside in the New IPv6 repository. Adjust the query to select hosts from the desired repository.
High Severity Query for the Linux_2_6 Asset

3. Hover over the desired tab and click the arrow to display the drop-down containing the tab options. Select Add Component and choose the Matrix component type.
4. Enter the desired name and description. The name is displayed as the component title, while the description is displayed as a tooltip when hovering the cursor over the component.
5. Click the first row and select Set Row Name to define the first row. Name the row Linux 2.6. This row is copied in later row additions to save time.
6. Click each of the three columns and select Column Settings to define three columns: Pass/Fail, Failure IP Count, and Total IP Count.
Matrix with Blank Cells

7. Hover over the cell below Pass/Fail and click Set Cell. Choose a data type of Vulnerability and then the Linux_2_6 query under the query drop-down. Next, choose Add Condition and select values as shown in the screen capture below:
Matrix High Condition
This condition specifies that if at least one IP in the specified asset list has a vulnerability with a severity of High, the red icon is displayed. Next, set the default condition (the "else" branch) to cover the case where no IP has a High severity vulnerability:
Matrix Low Condition

The complete cell condition statement looks like the screen capture below:
Matrix Sample Conditions
Submit the changes made so far. Click on the cell under Failure IP Count. In this cell we display the count of IPs matching the same query (Linux 2.6 kernel hosts with High vulnerabilities). Select the desired query to populate the filters. Click Add Condition and choose Query Value with a rule of IP Count. Leave the background and foreground options at their default values for this example.
Matrix Display Conditions

The resulting cell values look like the screen capture below:
Matrix Sample Conditions
Submit the changes made so far.
8. Click Set Cell under the Total IP Count column. Under the query options, choose the desired Repository and Asset list. Note: these parameters could also have been configured in an additional query and selected that way:
Matrix Filter Options

Under condition options, choose a type of Query Value and a rule of IP Count. Leave the background and foreground options at their default values for this example. The resulting cell parameters look similar to the screen capture below:
Matrix Cell Conditions
Submit the changes made so far. Add additional conditions as desired. For example, a condition that displays a red icon if the IP count is >= 1 and a second condition that displays a green icon when the IP count is zero is a common configuration.
9. Add new rows for each operating system type. When adding the new rows, choose Intersect Settings to duplicate the previous row's parameters. Adjust the row name based on the asset list, and adjust each column based on the new query and asset list.
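The steps above configure the Pass/Fail, Failure IP Count, and Total IP Count cells through the web interface. The following added example is not part of the guide or of SecurityCenter; it simulates the same matrix in Python over a constructed set of vulnerability records, so that the first-match rule from the Conditions section and the effect of the repository filter chosen in step 8 can be checked without a SecurityCenter instance. The record layout, the asset list names (Linux_2_6, Windows, Solaris), the repository names (New IPv6, Legacy), and the condition encoding are all assumptions made for the example.

```python
import operator

# Constructed vulnerability records (not real scan data):
# (ip, detected operating system, severity, repository)
VULNS = [
    ("10.1.1.10", "Linux Kernel 2.6.32", "High",   "New IPv6"),
    ("10.1.1.10", "Linux Kernel 2.6.32", "Low",    "New IPv6"),
    ("10.1.1.11", "Linux Kernel 2.6.18", "Medium", "New IPv6"),
    ("10.1.1.12", "Linux Kernel 2.6.32", "High",   "Legacy"),   # other repository
    ("10.1.2.20", "Windows Server 2008", "High",   "New IPv6"),
    ("10.1.2.21", "Windows Server 2008", "High",   "New IPv6"),
    ("10.1.2.22", "Windows 7",           "Info",   "New IPv6"),
    ("10.1.3.30", "Solaris 10",          "Medium", "New IPv6"),
]

# Dynamic asset lists (step 1), one per OS family; membership is an OS prefix
# match, standing in for the OS condition of the real dynamic asset list.
ASSET_LISTS = {
    "Linux_2_6": "Linux Kernel 2.6",
    "Windows":   "Windows",
    "Solaris":   "Solaris",
}

def ip_count(asset, repo, severity=None):
    """IP Count for one cell: distinct IPs that are in the asset list and the
    repository, optionally restricted to one severity (the High query of step 2)."""
    prefix = ASSET_LISTS[asset]
    return len({ip for ip, os_name, sev, r in VULNS
                if r == repo and os_name.startswith(prefix)
                and (severity is None or sev == severity)})

OPS = {">=": operator.ge, ">": operator.gt, "==": operator.eq, "<": operator.lt}

def evaluate_cell(value, conditions, default):
    """Added conditions are reviewed top to bottom; the first one that matches
    decides the display and the rest are skipped.  If none match, the default
    (fallback) condition applies."""
    for op, threshold, display in conditions:
        if OPS[op](value, threshold):
            return display
    return default

# Step 7: the row fails (red icon) when the High query returns at least one IP.
PASS_FAIL = [(">=", 1, "red icon")]

def build_matrix(repo="New IPv6"):
    """One row per asset list with the three columns of the walkthrough, plus
    the ratio cell described under Add Row (failing IPs over total IPs)."""
    matrix = {}
    for asset in ASSET_LISTS:
        failing = ip_count(asset, repo, "High")   # Failure IP Count cell
        total = ip_count(asset, repo)             # Total IP Count cell (step 8)
        matrix[asset] = {
            "Pass/Fail": evaluate_cell(failing, PASS_FAIL, "green icon"),
            "Failure IP Count": failing,
            "Total IP Count": total,
            "Failure Ratio": round(failing / total, 2) if total else 0.0,
        }
    return matrix

if __name__ == "__main__":
    for row, cells in build_matrix().items():
        print(f"{row:10} {cells}")
```

Two points the simulation makes visible: 10.1.1.12 carries a High finding but sits in the Legacy repository, so it is excluded from both the failure count and the total, exactly as the repository filter in steps 2 and 8 would exclude it; and `evaluate_cell` shows why condition order matters, since a `>= 1` condition placed above a `>= 5` condition prevents the second from ever triggering.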

10. Once completed, the matrix definitions look similar to the screen capture below:
Matrix Cell Display
Click on the Submit button to submit all changes. In the display above, note that some of the cells have a green background with the label Cell Set, while others have a yellow background with the label Target Set. A third possibility is a yellow background with the words Query Set. Filter types include the following:
Query Filters: plugin, vulnerability, and date
Target Filters: asset list, IP address, and repository
Cell Set indicates that both target and query filters have been configured. Target Set indicates that only target filters (in this case the asset list IPs) have been configured. Query Set means that a query filter has been selected but no target filters. Any one of these three settings is a valid cell configuration. The matrix element displays and refreshes daily as configured. For more information about configuring matrix components, and for downloadable samples, please visit the Tenable SecurityCenter Dashboards blog.

Copy Component Options
In addition to adding and editing components, components can be copied to the current tab or to a new tab on the dashboard. Click on the arrow in the upper right-hand corner of the component and choose Copy Component to bring up an edit component tab similar to the one below:

Copy Table Component
The Copy Component options are the same as those of the Edit Component tab, except that the user is given the option of choosing the destination tab to which the component is copied.

Navigating the Dashboard Components
SecurityCenter users are presented with several icon options in the dashboard component display. The screen capture below shows the icon options in the upper right-hand corner of each component:
The left-hand Browse Component Data icon gives the user the ability to drill into the data set behind the dashboard view and display the data for further analysis. Some dashboard components do not provide this option because their underlying data snapshot source does not support browsing. For example, the screen capture below contains a vulnerability summary view displayed after clicking on the Browse Component Data icon:

Browse Component Data
Notice the white arrow circled in red on the left-hand portion of this screen, next to Load Query. Clicking this arrow, or anywhere along the grey bar, returns the user to the initial dashboard view.
The center Refresh Component Data icon refreshes the component using the most recent underlying data. After first login, it may be necessary to refresh a dashboard component manually to obtain the most current data set. A blue arrow icon indicates that the component is updating, and a red exclamation mark icon indicates that something has gone wrong. Hovering over the icon shows a tooltip with more details on the failure. For example, if the underlying query behind a dashboard component becomes unusable (e.g., asset lists that were shared with the user are no longer shared), the refresh fails and the tooltip explains why.
The right-hand arrow icon gives the user the options described above: Edit Component, Copy Component, Delete Component, and Export PNG. The Export PNG option saves a PNG image of the dashboard element so that its displayed results can be used outside of SecurityCenter.

Vulnerability Analysis
The Vulnerabilities display screen is the focal point for the display and analysis of vulnerabilities from either the cumulative or the mitigated vulnerability database. Vulnerability data is displayed at varying levels and views, ranging from the highest-level summary down to a detailed vulnerability list. Clicking through Analysis and Vulnerabilities displays a screen with information from the cumulative vulnerability database using the selected default filter. The Vulnerability Summary filter is shown here:

Vulnerability Data Screen Default View
This screen displays vulnerabilities in both a table and a graphical view for rapid analysis and mitigation.

Cumulative vs. Mitigated
At the top of the vulnerability display screen are two options: Cumulative and Mitigated. This selection determines which database vulnerability data is pulled from. The Cumulative database contains current vulnerabilities, including those that have been recast or accepted, and those that were previously mitigated but were found vulnerable again on rescan. The Mitigated database contains vulnerabilities that are no longer present based on the latest scan information.

Filter History
Below the Cumulative/Mitigated tabs is a listing of previously loaded filter options. Hover the cursor over a previously selected filter to display a white dot to the right of the analysis tool name for each filter option, along with a pop-up window to the right showing the filter parameters. In the example screen capture above, there are three white dots to the right of the highlighted filter: one for Address, one for Repository, and one for Plugin ID. Click on the desired filter to change the view to use that previously selected filter. Click on Clear to remove all previously loaded filters from the history panel.

Right-Click Functionality
Right-Click Options

Selecting and right-clicking on a particular vulnerability in the Vulnerabilities screen gives the user additional options that are useful in the context of the highlighted vulnerability. Available options include: Copy To Clipboard, Add To Scratch Pad, Recast Risk, Accept Risk, and Launch Remediation Scan. These options are described in the table below.

Table 9 Right-Click Options
Copy To Clipboard: Copies the vulnerability details to your clipboard for reuse elsewhere, for example by pasting them into another document.
Add To Scratch Pad: The Scratch Pad allows users to store the current drilldown value as a filter option. For example, if the current view allows for a plugin drilldown, selecting a vulnerability with a particular plugin, right-clicking, and choosing Add To Scratch Pad adds that plugin ID to the Scratch Pad. This allows the user to switch quickly between scratch pad items for rapid analysis. Scratch Pad filters also persist between different analysis tool views, allowing the same Scratch Pad filter to be applied to more than one view.
Recast Risk: Apply a new risk level to the selected vulnerability. For example, a particular vulnerability may be rated CVSS 7.5 (high) based on the overall scoring but, due to local factors, be recast as a critical risk. This changes the overall vulnerability score of hosts whose vulnerabilities have been recast. There can be a short delay between clicking on Add Rule and vulnerabilities showing the recast risk; navigate away from the page and back to it to view the applied changes. Deletion of recast risk rules is performed only by a SecurityCenter admin user and is described in detail in the SecurityCenter 4.7 Administration Guide available on the Tenable Support Portal.
Accept Risk: Any vulnerabilities that match the chosen criteria are automatically accepted and do not appear in a vulnerability search unless the Accepted Risk filter flag is set. There can be a short delay between clicking on Add Rule and vulnerabilities showing the new risk acceptance; navigate away from the page and back to it to view the applied changes. Deletion of accept risk rules is performed only by a SecurityCenter admin user and is described in detail in the SecurityCenter 4.7 Administration Guide available on the Tenable Support Portal.
Launch Remediation Scan: Launches a new remediation scan based on the selected vulnerability. This option is only available through the Vulnerability List and Vulnerability Summary analysis tools.

Remediation Scan Options
The screen capture above contains the available scan options. Based on the results of this remediation scan, the vulnerability is either kept in the cumulative database or moved to the mitigated database. For more information on the available scan options, please refer to the Scanning section of this document.

Analysis Tools

A wide variety of analysis tools are available for comprehensive vulnerability analysis. Clicking on the analysis tool dropdown displays a list of available tools.

(Screen capture: Vulnerability Analysis Tools)

Vulnerability filters can be reset at any time by clicking on the Clear link. If multiple filters are currently in use, filters can be individually removed without affecting other filters by clicking on the X next to the individual filter under the Active Filters section. The table below contains detailed descriptions of all available analysis tools:

Table 10 Vulnerability Analysis Tools

IP Summary, Class A Summary, Class B Summary, Class C Summary: SecurityCenter has four tools for summarizing information by vulnerable IP addresses: summary by IP, Class A, Class B, and Class C. The IP Summary tool lists the matching addresses, their vulnerability score, the repository the data is stored in, the OS Common Platform Enumeration (CPE) value, vulnerability count, and a breakdown of the individual severity counts. Clicking on an IP address displays a Host Detail window for that IP address. SecurityCenter 4.6 calculates and loads Host Detail assets incrementally to enhance system performance. The System Information box displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerabilities. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address is a publicly registered address, clicking on the ARIN link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by the administrative user (via the Manage IP Address Information Links selection under the Customization tab), they will be displayed here. Starting out with a Class A or Class B summary can identify the more active network ranges in networks with a large number of active IP addresses. The vulnerability score for an address is computed by taking the number of vulnerabilities at each severity level, multiplying each count by the organization's severity score for that level, and adding up the results. The default severity scores at each level are:

Info - 0
Low - 1
Medium - 3
High - 10
Critical - 40

Severity scores for Low, Medium, High, and Critical are configured for each organization by the administrator user. The OS CPE value may be used to determine the operating system reported on the target host. All displayed columns can be sorted for more useful views.

DNS Name Summary: SecurityCenter 4.7 includes the ability to summarize information by vulnerable DNS name. The DNS Name Summary lists the matching hostnames, their vulnerability score, vulnerability count, and a breakdown of the individual severity counts. Clicking on Total for a DNS name will display the complete list of discovered vulnerabilities for that particular host.

Remediation Summary: The Remediation Summary tool provides a list of remediation actions that may be taken, so that the tasks with the greatest effect in reducing vulnerabilities on systems can be prioritized. Each entry provides a solution to resolve a particular CPE on a given OS platform. The data provided includes the risk reduction percentage, how many hosts are affected, and the number of vulnerabilities, CVEs, and MS Bulletins that will be resolved across the hosts, as applicable.

Severity Summary: This tool considers all of the matching vulnerabilities and then charts the total number of Info, Low, Medium, High, and Critical vulnerabilities. A pie chart is produced to represent the data. Clicking on any of the counts or severities in the chart will display the Class C Summary chart filtered with the matched vulnerabilities.

Vulnerability Summary: All matching vulnerabilities are sorted by plugin ID count and listed in a chart. The Plugin ID, Total, and Severity columns can be sorted by clicking on the column header. Clicking on the plugin ID will produce a pop-up window containing a description of the vulnerability check.

CVE Summary: This view groups vulnerabilities based on their CVE ID, Hosts Total, and vulnerability count.

MS Bulletin Summary: This tool filters vulnerabilities based on Microsoft Bulletin ID. Displayed are the IDs, Vulnerability Totals, Host Total, and Severity. This view is particularly useful in cases where Microsoft releases a new bulletin and a quick snapshot of vulnerable hosts is required.

Asset Summary: This tool summarizes the scores and counts of vulnerabilities for all dynamic or static asset lists. A breakdown of each asset's specific vulnerabilities and counts for each severity level is also included. Clicking on any of the counts displays a Vulnerability List screen with the corresponding filter.

CCE Summary: This displays a summary of hosts which have Common Configuration Enumeration (CCE) vulnerabilities.

Clicking on the host or vulnerability count for any CCE ID displays an appropriate summary page, which is used to further examine the data.

Port Summary: A summary of the top ports in use is displayed for all matched vulnerabilities. Each port has its count of vulnerabilities as well as a breakdown for each severity level. Clicking on any count displays the IP Summary screen with the corresponding filter.

Plugin Family Summary: This tool charts each Nessus, PVS, or Event plugin family present, along with its relative counts by severity level for all matching vulnerabilities. Clicking on any of the counts will display a Vulnerability List page filtered by the selected plugin family.

Protocol Summary: This tool summarizes the detected IP protocols such as TCP, UDP, and ICMP. The tool also breaks out the different counts for each protocol's severity levels. Clicking on any of the counts will display the IP Summary screen with the corresponding filter.

Vulnerability List: This tool lists the Plugin ID, Severity, NetBIOS Name, DNS Name, MAC Address, Repository Name, Vulnerability Name, and Family for each matching vulnerability. Clicking on any IP address will open a window that shows the Detailed Vulnerability List for that IP address.

List OS: SecurityCenter understands both actively and passively fingerprinted operating systems. This tool lists what has been discovered. The method (active, passive, or event) of discovery is also indicated. Clicking on the count displays the IP Summary screen with the corresponding filter.

List Software: Nessus scanner plugins attempt to fingerprint any software they encounter. SecurityCenter can process this information and create a summary of unique software packages discovered by Nessus. Clicking on the count displays the IP Summary screen with the corresponding filter.

List Services: The Nessus service fingerprinting plugin attempts to fingerprint any service it encounters. SecurityCenter can process this information and create a summary of unique services discovered by Nessus. Clicking on the count displays the IP Summary screen with the corresponding filter.

List Web Clients: SecurityCenter understands PVS plugin ID 1735, which passively detects the web client in use. This tool lists the unique web clients detected. Clicking on the count displays the IP Summary screen of matching addresses using that web client.

List Web Servers: This tool takes the passive output from PVS plugin ID 1442 and the active output from the corresponding Nessus plugin and creates a unique list of known web servers. The method of discovery (active or passive) is also indicated in the tool. Clicking on the count displays the IP Summary screen of matching addresses using that web server. Not all web servers run on port 80 or 443. Do not be surprised if you encounter web servers running on unexpected ports.

List Mail Clients: If SecurityCenter is using a PVS scanner, this tool uses plugin ID 1100 to determine a unique list of clients. Each of these detections will be labeled as a PASSIVE detection.

List SSH Servers: This tool takes the passive output from PVS plugin ID 1967 and the active output from the corresponding Nessus plugin and creates a unique list of known SSH servers. The method of discovery (active or passive) is also indicated in the tool. Clicking on the count displays the IP Summary screen of matching addresses using that SSH server. Not all SSH servers run on port 22. Do not be surprised if you encounter SSH servers running on unexpected ports.

Detailed Vulnerability List: This view shows the actual results of a vulnerability scan. Nessus, PVS, and LCE will often return very detailed results from their analysis of network systems. Important fields include CVSS score, CVSS temporal score, availability of a public exploit, CVE/BID/other references, synopsis, description, and solution.

Scroll arrows are displayed on the right- and left-hand sides of the screen for ease of browsing between vulnerabilities (similar to the Nessus 4.2.x and higher vulnerability display). In addition, clickable colored rectangles at the bottom of the screen indicate the severity level of the corresponding vulnerabilities. Clicking on an IP address displays a Host Detail window for that IP address, similar to the one described in detail for the IP Summary view above. SecurityCenter 4.6 calculates and loads Host Detail assets incrementally to enhance system performance. If there are any Common Vulnerability Enumeration (CVE) or Bugtraq IDs (BIDs), they will be listed for further research as desired. In addition, hovering the cursor over the severity icon will display CVSS Base Score information relevant to the vulnerability. A pop-up similar to the following is displayed:

(Screen capture: CVSS Scoring)

As indicated by the text, clicking on the severity icon opens a CVSS calculator that links to the NIST web site with a more detailed breakdown of the CVSS scoring metrics. This display has links to accept this risk, open a ticket, recast it to a different severity level (cumulative database vulnerabilities only), and launch a remediation scan. If a particular vulnerability has already been recast, a box with the letter R in it is displayed to the right of the severity. Clicking on the R opens a pop-up that displays all applicable rules applied to the vulnerability.

(Screen capture: Recast Risk Option)

Similarly, if a risk has been accepted, a box with the letter A in it is displayed. Click on the A to display a pop-up with all applicable rules.

Add Risk Recast/Acceptance Rule

Vulnerabilities can be recast or accepted based on situational requirements. To add a Risk Recast Rule, right-click on the vulnerability within the Vulnerability Summary or Vulnerability List screens and choose Recast Risk, or click Recast Risk in the upper right-hand corner of the Detailed Vulnerability List screen. A pop-up similar to the one below is displayed:

(Screen capture: Add Recast Risk Rule)

Choose the new risk to assign to the current vulnerability and the selected filter options (Repository, Targets, Ports, and Protocol). If any of the selected options are modified, they filter which vulnerabilities will inherit the new risk rating. In addition, a comment can be added to describe why the risk is being recast. There can be a short delay between clicking on Add Rule and vulnerabilities showing the new risk. It may be necessary to reload the filters to view the applied changes. Similar to recasting risks, risk acceptance is performed from the same screens and displays a pop-up similar to the one below:

(Screen capture: Add Risk Acceptance Rule)

An expiration date can be added to an Acceptance Rule. This provides a method to accept a risk on a temporary basis. Any vulnerabilities that match the chosen criteria will be automatically accepted and will not show in a vulnerability search unless the Accepted Risk filter flag is set. There can be a short delay between clicking on Add Rule and vulnerabilities showing the new risk acceptance. It may be necessary to reload the filters to view the applied changes. Deletion of both accept and recast risk rules is performed only by a SecurityCenter admin user and is described in detail in the SecurityCenter Administration Guide available on the Tenable Support Portal.
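The host scoring rule from the IP Summary description and the recast and accept rules just described, worked through as an added example that is not SecurityCenter code: constructed findings are scored with the default severity weights, a recast rule turns a High finding into a Critical one, and an accepted finding is hidden unless the Accepted Risk flag is set (the record shape, the rule fields and all sample values are assumptions).

```python
"""Host vulnerability score with recast and accept rules (added example, not SecurityCenter code)."""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional

# Default per-organization severity scores quoted in the guide.
DEFAULT_SEVERITY_SCORES = {"Info": 0, "Low": 1, "Medium": 3, "High": 10, "Critical": 40}


@dataclass(frozen=True)
class Vuln:
    """One cumulative-database finding (constructed shape, not the product's schema)."""
    ip: str
    plugin_id: int
    port: int            # host-based checks are reported on port 0
    protocol: str
    severity: str
    repository: str = "Default"


@dataclass(frozen=True)
class Rule:
    """A recast rule (new_severity set) or an accept rule; None in a filter field means 'any'."""
    plugin_id: int
    new_severity: Optional[str] = None
    repository: Optional[str] = None
    target: Optional[str] = None     # a single IP in this example
    port: Optional[int] = None
    protocol: Optional[str] = None
    expires: Optional[date] = None   # accept rules may carry an expiration date

    def matches(self, v: "Vuln", today: date) -> bool:
        if self.expires is not None and today > self.expires:
            return False             # an expired acceptance no longer applies
        return (self.plugin_id == v.plugin_id
                and self.repository in (None, v.repository)
                and self.target in (None, v.ip)
                and self.port in (None, v.port)
                and self.protocol in (None, v.protocol))


def apply_rules(vulns, recast_rules, accept_rules, today, show_accepted=False):
    """Recast severities first, then drop accepted findings unless the Accepted Risk flag is set."""
    out = []
    for v in vulns:
        for r in recast_rules:
            if r.matches(v, today):
                v = replace(v, severity=r.new_severity)
        if not show_accepted and any(r.matches(v, today) for r in accept_rules):
            continue
        out.append(v)
    return out


def host_score(vulns, scores=DEFAULT_SEVERITY_SCORES):
    """Sum over severities of (count at that severity) x (organization score for it)."""
    counts = Counter(v.severity for v in vulns)
    return sum(n * scores[sev] for sev, n in counts.items())


def ip_summary(vulns, scores=DEFAULT_SEVERITY_SCORES):
    """Per-IP score, total count and severity breakdown, highest score first."""
    by_ip = {}
    for v in vulns:
        by_ip.setdefault(v.ip, []).append(v)
    rows = [{"ip": ip, "score": host_score(vs, scores), "total": len(vs),
             "severity": dict(Counter(v.severity for v in vs))}
            for ip, vs in by_ip.items()]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample findings: one busy host and one quiet one (not real scan data).
SAMPLE_VULNS = [
    Vuln("192.0.2.10", 10001, 445, "TCP", "Critical"),
    Vuln("192.0.2.10", 10002, 445, "TCP", "Critical"),
    Vuln("192.0.2.10", 10003, 3389, "TCP", "High"),
    Vuln("192.0.2.10", 10004, 80, "TCP", "Medium"),
    Vuln("192.0.2.10", 10005, 0, "TCP", "Medium"),
    Vuln("192.0.2.10", 10006, 0, "TCP", "Medium"),
    Vuln("192.0.2.10", 10007, 0, "TCP", "Info"),
    Vuln("192.0.2.20", 10004, 80, "TCP", "Medium"),
]
# Constructed rules: plugin 10003 is Critical on this host; plugin 10004 on port 80 is accepted until year end.
RECAST_RULES = [Rule(10003, new_severity="Critical", target="192.0.2.10")]
ACCEPT_RULES = [Rule(10004, port=80, expires=date(2014, 12, 31))]
TODAY = date(2014, 9, 2)
AFTER_EXPIRY = date(2015, 1, 1)

if __name__ == "__main__":
    for row in ip_summary(apply_rules(SAMPLE_VULNS, RECAST_RULES, ACCEPT_RULES, TODAY)):
        print(row)
```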

Load Query

The Load Query option enables users to load a predefined query and display the current dataset against that query. Click on Load Query to display a box with all available queries. The first line is a text search box that narrows the list of queries to the text entered. The query names are displayed with their associated group (if assigned to one) in blue. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Additional Vulnerability Analysis Options

The following options are available in the upper right-hand corner of the analysis screen:

(Screen capture: Additional Vulnerability Analysis Options)

Save Query

This option, available in the upper right-hand corner of the web interface, saves the current vulnerability view as a query for reuse. If this link is clicked, a dialog similar to the one below is displayed:

(Screen capture: Vulnerability Query Options)

The table below describes the available query options:

Table 11 Query Options

Name: Query name.

Group: This option provides a logical grouping for created query objects. Group names can be reused as desired. This reduces lengthy lists of queries with no logical grouping. Objects shared with new users will retain the group specified by the creator. For example, if the Organization Head creates an organizational query and assigns it to the DMZ group, all users will now have a DMZ group containing that organizational query.

Description: This option enables users to provide a description of the query.

Visibility: Visibility may be specified as User or Organizational. If User is specified, only the current user has access to the saved query; otherwise, all users within the organization have query access.

Save Asset

Vulnerability results can be saved to an asset list for later use by clicking on the Save Asset link in the upper right-hand side of the screen.

(Screen capture: Save as Asset Options)

The table below describes the available asset options:

Table 12 Asset Options

Name: Asset name.

Group: A logical grouping for created asset objects. Group names can be reused as desired. This reduces lengthy lists of assets with no logical grouping. Objects shared with new users will retain the group specified by the creator. For example, if the Organization Head creates an Organizational asset and assigns it to the DMZ group, all users will now have a DMZ group containing that Organizational asset.

Description: Asset description.

Visibility: User or Organizational. If User is specified, only the current user has access to the saved asset; otherwise, all users within the organization have access.

Open Ticket

(Screen capture: Ticket Options)

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security events. Use this option to open a ticket based on the current view. Click on the Open Ticket link and complete the relevant fields as described below:

Table 13 Ticket Options

Name: Ticket name.

Description: Ticket description.

Notes: Notes to be used within the ticket and read by the ticket assignee.

Assign To: Ticket assignee.

Classification: Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk, Recast Risk, Re-scan Request, False Positive, System Probe, External Probe,

Investigation Needed, Compromised System, Virus Incident, Bad Credentials, Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

More Options

Export as CSV

Vulnerability results can be exported to a comma-separated file for detailed analysis by clicking on the More link and then the Export as CSV option. If the record count (rows displayed) of any CSV export is greater than 1,000 records, a pop-up is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results screen.

Create Report

This option is used to create a report based on the existing vulnerability view.

(Screen capture: Report Launch Dialog)

More information about SecurityCenter reports is available in the Reporting section of this document.

Vulnerability Filters

Filters limit the results of the vulnerability display and can be added, modified, or reset as desired. The screen capture below shows a search based on the Cumulative database, filtering on vulnerabilities from the selected repositories with an available exploit and High and Critical severity levels.

(Screen capture: Cumulative Database Filter Options)

The Mitigated database filter does not contain the Accepted Risk or Recast Risk options under the Workflow Filters tab. The screen capture below displays results from the previous Cumulative database search:

(Screen capture: Filtered Vulnerability Results)

The Severity (set to High and Critical in this example) and Exploit Available filters are displayed in the lower left-hand corner of the screen and can be reset by clicking the X icon next to the filter name. In addition, clicking on the view title (Detailed Vulnerability List) in the upper left-hand corner of the screen navigates to the previously used Detailed Vulnerability List view and filters. The table below describes the options available with the Edit Filters command button.

Table 14 Vulnerability Filter Options

Analysis Tool Filter

Analysis Tool: This drop-down is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis -> Vulnerabilities dialog. These tools are described in detail in the Analysis Tools section.

Active Filters: This field displays the existing filters and allows the user to selectively remove filters as needed. In the example below, the Active Filters displayed are Severity and Exploit Available. Clicking the X next to any one of these filters will remove that filter from the displayed vulnerabilities and reset that field to its default options.

(Screen capture: Vulnerability Filter Options)

Target Filters

Address: This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed vulnerabilities. For example, entering /24 and/or 2001:DB8::/32 limits any of the web tools to only show vulnerability data from the selected network(s). Addresses can be comma separated or on separate lines.

DNS Name: This filter specifies a DNS name to limit the viewed vulnerabilities. For example, entering host.example.com limits any of the web tools to only show vulnerability data from that DNS name.

Repository: Display vulnerabilities from the chosen repositories.

Asset: This filter displays systems from the chosen asset list. If more than one asset list contains the systems from the primary asset list (i.e., there is an intersection between the asset lists), those asset lists are displayed as well.

Output Assets (only available in the Asset Summary analysis tool): This filter displays only the desired asset list systems.

Port: This filter is in two parts. First, the equality operator is specified to allow matching vulnerabilities with the same ports, different ports, all ports less than, or all ports greater than the port filter. The port filter allows a comma-separated list of ports. For the greater-than or less-than filters, only one port may be used. All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol: This filter provides check boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Vulnerability Filters

Plugin Family: This filter chooses a Nessus or PVS plugin family. Only vulnerabilities from that family will be shown.

Plugin Name: Enter all or a portion of the actual plugin name. For example, entering MS in the plugin name filter will display vulnerabilities using the plugin named MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check). Similarly, entering the string uncredentialed will display a list of vulnerabilities with that string in the plugin name.

Vulnerability Text: Displays vulnerabilities containing the entered text (e.g., php 5.3).

Scan Policy: This filter chooses a scan policy. Only vulnerabilities from that scan policy will be shown.

Audit File: This filter displays vulnerabilities detected when a scan was performed using the chosen .audit file.

Plugin Type: Select whether to view all plugin types or only passive, active, event, or compliance vulnerabilities.

Severity: Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

CVSS Score: Displays vulnerabilities within the chosen CVSS score range.

Exploit Available: If set to yes, displays only vulnerabilities for which a known public exploit exists.

CPE: Allows a text string search to match against available CPEs. The filter may be set to search based on a "contains" or "is equal to" comparison.

ID Filters

Plugin ID: Enter the desired plugin ID, or a range based on a plugin ID. Available operators are equal to (=), not equal to (!=), greater than or equal to (>=), and less than or equal to (<=).

CVE ID: Displays vulnerabilities based on the chosen single CVE ID (e.g., CVE ) or multiple CVE IDs separated by commas (e.g., CVE ,CVE ,CVE ).

CCE ID: Displays results based on the entered CCE ID.

MS Bulletin ID: Displays vulnerabilities based on the chosen Microsoft Bulletin ID (e.g., MS ) or multiple Microsoft Bulletin IDs separated by commas (e.g., MS10-012,MS10-054,MS ).

IAVM ID: Displays vulnerabilities based on the chosen IAVM ID (e.g., 2011-A-0007) or multiple IAVM IDs (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

Date Filters

Vulnerability Last Observed (Cumulative only): This filter allows the user to see when the vulnerability was last observed by Nessus, LCE, or PVS. The observation date is based on when the vulnerability was most recently imported into SecurityCenter. For PVS, this will not match the exact vulnerability discovery time, as there is normally a lag between the time that PVS discovers a vulnerability and the import occurs.

Vulnerability Mitigated (Mitigated only): This filter allows the user to filter results based on when the vulnerability was mitigated.

Days To Mitigate (Mitigated only): This filter allows the user to track the number of days since a vulnerability was moved to the mitigated database.

Vulnerability Discovered: SecurityCenter tracks when each vulnerability was first discovered. This filter allows the user to see when vulnerabilities were discovered less than, more than, or within a specific count of days. The discovery date is based on when the vulnerability was first imported into SecurityCenter. For PVS, this will not match the exact vulnerability discovery time, as there is normally a lag between the time that PVS discovers a vulnerability and the import occurs. Days are calculated based on 24-hour periods prior to the current time and not calendar days. For example, if the report run time was 1/8/2012 at 1 PM, using a 3-day count would include vulnerabilities starting 1/5/2012 at 1 PM and not from 12:00 AM.

Plugin Published: Tenable plugins contain information about when a plugin was first published. This filter allows users to search based on when a particular plugin was created: less than, more than, or within a specific count of days.

Plugin Modified: Tenable plugins contain information about when a plugin was last modified. This filter allows users to search based on when a particular plugin was modified: less than, more than, or within a specific count of days.

Vulnerability Published: When available, Tenable plugins contain information about when a vulnerability was published. This filter allows users to search based on when a particular vulnerability was published: less than, more than, or within a specific count of days.

Patch Published: When available, Tenable plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a patch became available: less than, more than, or within a specific count of days.

Workflow

Mitigated Status: Display vulnerabilities that were at one time mitigated, but have been discovered again in a subsequent scan. This option is not used in conjunction with other options unless all options within the selected combination are set (e.g., selecting the Was Mitigated checkbox will return no results if both the Was Mitigated and the Accepted Risk flags are set).

Accepted Risk Status (Cumulative Only): Display vulnerabilities based on their Accepted Risk workflow status. Available choices include Accepted Risk or Non-Accepted Risk. Choosing both options displays all vulnerabilities regardless of acceptance status.

Recast Risk Status (Cumulative Only): Display vulnerabilities based on their Recast Risk workflow status. Available choices include Recast Risk or Non-Recast Risk. Choosing both options displays all vulnerabilities regardless of recast risk status.

Mobile Analysis

The Mobile analysis display screen contains a list of vulnerabilities discovered by scanning ActiveSync, Apple Profile Manager, and/or Good MDM servers. The table below indicates the options available for mobile queries:

Table 15 Mobile Filter Options

Analysis Tool Filter

Analysis Tool: This drop-down is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis -> Mobile dialog.

Active Filters: This field displays the existing filters and allows the user to selectively remove filters as needed. In the example below, the Active Filters displayed are MDM Type, Model, Plugin Output, and Days Since Observation. Clicking the X next to any one of these filters will remove that filter from the filter list.
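The Address, Port, and day-count Date filters of Table 14 (the vulnerability filters above), as an added example that is not SecurityCenter code: it parses comma- or newline-separated IPv4/IPv6 addresses, ranges, and CIDR blocks, applies the two-part port filter, and counts days as 24-hour periods before the current time using the guide's 1/8/2012 1 PM case (the operator spellings, the "less than"/"more than" modes, and the sample findings are assumptions).

```python
"""Evaluating Address, Port and day-count Date filters (added example, not SecurityCenter code)."""
import ipaddress
from datetime import datetime, timedelta


def parse_address_filter(text):
    """Addresses, ranges (lo-hi) or CIDR blocks, IPv4 or IPv6, comma- or newline-separated."""
    entries = []
    for tok in text.replace("\n", ",").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "-" in tok:                                  # explicit range "lo-hi"
            lo, hi = (ipaddress.ip_address(p.strip()) for p in tok.split("-", 1))
            entries.append((lo, hi))
        else:                                           # single address or CIDR block
            entries.append(ipaddress.ip_network(tok, strict=False))
    return entries


def address_matches(ip, entries):
    addr = ipaddress.ip_address(ip)
    for e in entries:
        if isinstance(e, tuple):
            if addr.version == e[0].version and e[0] <= addr <= e[1]:
                return True
        elif addr.version == e.version and addr in e:
            return True
    return False


def port_matches(port, operator, ports):
    """Two-part port filter: '=' and '!=' take a list; '<' and '>' take exactly one port."""
    if operator == "=":
        return port in ports
    if operator == "!=":
        return port not in ports
    if len(ports) != 1:
        raise ValueError("greater-than and less-than filters accept a single port")
    return port < ports[0] if operator == "<" else port > ports[0]


def day_cutoff(now, days):
    """Day counts are 24-hour periods before 'now', not calendar days."""
    return now - timedelta(days=days)


def date_matches(observed, now, mode, days):
    """'less than': seen within the last N x 24h; 'more than': seen before that cutoff (assumed spellings)."""
    cutoff = day_cutoff(now, days)
    return observed >= cutoff if mode == "less than" else observed < cutoff


def filter_vulns(vulns, now, address=None, port_op=None, ports=None, days_mode=None, days=None):
    """Apply the combined filters to findings given as dicts with ip, port and last_observed."""
    entries = parse_address_filter(address) if address else None
    keep = []
    for v in vulns:
        if entries is not None and not address_matches(v["ip"], entries):
            continue
        if port_op and not port_matches(v["port"], port_op, ports):
            continue
        if days_mode and not date_matches(v["last_observed"], now, days_mode, days):
            continue
        keep.append(v)
    return keep


# Constructed sample findings around the guide's 1/8/2012 1 PM example (not real scan data).
NOW = datetime(2012, 1, 8, 13, 0)
SAMPLE = [
    {"ip": "192.0.2.5", "port": 445, "last_observed": datetime(2012, 1, 7, 9, 0)},
    # 12:00 on 1/5 is a calendar-day match but falls outside three 24-hour periods.
    {"ip": "192.0.2.6", "port": 0, "last_observed": datetime(2012, 1, 5, 12, 0)},
    {"ip": "2001:db8::10", "port": 22, "last_observed": datetime(2012, 1, 8, 8, 0)},
    {"ip": "198.51.100.9", "port": 8443, "last_observed": datetime(2012, 1, 8, 12, 0)},
]

if __name__ == "__main__":
    for v in filter_vulns(SAMPLE, NOW, address="192.0.2.0/24", days_mode="less than", days=3):
        print(v["ip"], v["port"], v["last_observed"])
```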

(Screen capture: Mobile Filters)

Target Filters

Repository: Display vulnerabilities from the chosen repositories.

Device Filters

Identifier: This is a text-based search filter that looks at the Identifier field in the repository.

Model: This is a text-based search filter that looks at the Model field in the repository.

Operating System CPE: This is a text-based search filter that looks at the Operating System CPE field in the repository.

Version: This is a text-based search filter that looks at the OS Version field in the repository.

Serial Number: This is a text-based search filter that looks at the Serial Number field in the repository.

MDM Type: The MDM Type field is a drop-down menu to select the MDM server type: ActiveSync, Apple Profile Manager, or Good MDM server.

Username: This is a text-based search filter that looks at the User field in the repository.

Vulnerability Filters

Plugin ID: Enter the Plugin ID to filter results on.

Plugin Output: Filter results based on a text search of plugin output.

Severity: Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

Date Filters

Vulnerability Last Observed (Cumulative only): This filter allows the user to see when the vulnerability was last observed.

Event Analysis

The Events display screen contains an aggregation of security events from a variety of sources including LCE, IDS/IPS, and syslog servers. Events can be viewed in a list format with options similar to the Vulnerability interface. Clicking through Analysis and Events displays a high-level view screen similar to the following:

(Screen capture: Event Analysis Type Summary Screen)

Raw Syslog Events

SecurityCenter includes a Search bar above the results of the Events display screen. The Search bar can be used to narrow down the scope of a set of events, and supports the use of keyword searches for active filters. In the example above, a mix of collapsed and expanded events is shown. Selecting the Collapse Logs or Expand Logs option from the top right performs that action for all of the results en masse. Hovering over a particular event displays a + or - icon on the right side of the event to expand or collapse that one event. A search for a specific IP address with the associated text window has been used to narrow down the results of a Raw Syslog Events view. The text used to search is displayed in red within the results. If a specifier such as ip= or type= is not used, the Search bar uses text= as the default search method and displays all results that match the exact string used in the search. If the text to search on contains a space, the text must be enclosed in quotes, such as "PHP Warning". The search criteria may be entered in different ways. Manually typing in the search is the first option. Once entered, clicking the check icon to the right of the search box displays the filtered results.
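The Search bar syntax described above (ip= and type= specifiers, text= as the default, quoted values for text containing spaces), implemented as an added example that is not SecurityCenter code; the event records, the set of specifiers handled, and the exact-match rules for ip and type are assumptions built from the guide's description.

```python
"""Parsing and applying Raw Syslog Events style searches (added example, not SecurityCenter code)."""
import shlex

DEFAULT_SPECIFIER = "text"
KNOWN_SPECIFIERS = {"ip", "type", "text"}   # assumed set; the guide names ip=, type= and text=


def parse_search(query):
    """Return {specifier: [values]}; a term without a known specifier becomes a text= term."""
    criteria = {}
    for term in shlex.split(query):           # honours "PHP Warning" style quoting
        spec, sep, value = term.partition("=")
        if not sep or spec not in KNOWN_SPECIFIERS:
            spec, value = DEFAULT_SPECIFIER, term
        criteria.setdefault(spec, []).append(value)
    return criteria


def event_matches(event, criteria):
    """ip and type must match one of the given values exactly; every text value must appear verbatim."""
    for spec, values in criteria.items():
        if spec == "text":
            if not all(v in event["raw"] for v in values):   # exact (case-sensitive) substring
                return False
        elif event.get(spec) not in values:
            return False
    return True


def search_events(events, query):
    """Filter the currently displayed events down to those matching the search."""
    criteria = parse_search(query)
    return [e for e in events if event_matches(e, criteria)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ip": "192.0.2.15", "type": "login",
     "raw": "sshd[412]: Accepted password for admin from 192.0.2.15 port 51120"},
    {"ip": "192.0.2.15", "type": "error",
     "raw": "PHP Warning:  include(config.php): failed to open stream"},
    {"ip": "192.0.2.16", "type": "login",
     "raw": "sshd[988]: Failed password for root from 192.0.2.16 port 40121"},
    {"ip": "192.0.2.16", "type": "system",
     "raw": "kernel: New window manager session started"},
]

if __name__ == "__main__":
    for e in search_events(SAMPLE_EVENTS, 'ip=192.0.2.16 window'):
        print(e["raw"])
```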

Another option to search the Raw Syslog Events is to highlight a term to search for in a currently displayed and expanded log entry. In the above screen capture, the search has been narrowed down to the text of an IP address that has been selected from within one of the expanded results. When a text string from the results has been highlighted with the mouse, a magnifying glass icon is shown on the information line. When clicked, this provides one or both of the options described in the following table.

Table 16 Search Options

Search Events: Performs a text search against the currently filtered results and returns the more narrowly filtered event results.

View IP Information: When an IP address is highlighted in the results, Host Detail information about the relevant IP address may be viewed by selecting this option.

Filter History

Below the Active/Archived tabs is a listing of previously loaded filter options. Hovering the cursor over a previously selected filter displays a pop-up window to the right that contains the filter parameters. Notice in the example screen capture above that there are three white dots to the right of the highlighted filter: one for Type, one for Normalized Event, and one for Timeframe. Click on the desired filter to change the view to use the previously selected filter. Click on Clear to remove all previously loaded filters from the history panel.

Date Selection

Clicking on the date field directly below the analysis tool (in the example above, List of Events) opens a dialog that allows the user to specify a new timeframe for the event view. When the user selects Explicit, depicted as E on the slider, as shown in the screen capture above, a checkmark and an X icon are displayed to the right of the date selection.

Clicking the checkmark icon applies the specified timeframe. Clicking the X icon abandons the most recent changes that were not applied using the checkmark icon and closes the timeframe window. If the slider is used, the user is presented with incremented date ranges from Last 15 Minutes to All, depicted as A on the slider. In this example, Last 72 Hours is selected. Closing this dialog allows the event view to be navigated and shows all events under the current filter that have been received in the last 72 hours. In addition, an Initial Timeframe checkbox is made available. This checkbox allows users to set a default time range based on the slider selection when navigating to the Raw Syslog page in the future.

Right-Click Functionality

(Screen capture: Right-Click Options)

Selecting and right-clicking on a particular event in the events screen gives the user additional options that are useful in the context of the highlighted event. Available options include: Copy To Clipboard and Add To Scratch Pad. These options are described in more detail in the table below:

Table 17 Right-Click Options

Copy To Clipboard: Use this option to copy the displayed event information to your clipboard for reuse elsewhere. For example, you could copy the event name to the clipboard and then paste it into an e-mail if so desired.

Add To Scratch Pad: The Scratch Pad allows users to store the current drilldown value as a filter option. For example, if the current view allows for an event drilldown, selecting an event with a particular normalized event, right-clicking and choosing Add to Scratch Pad will add that search to the Scratch Pad. This allows the user to quickly switch back and forth between Scratch Pad items for rapid analysis.

Active vs. Archived

At the top of the event display screen are two options: Active and Archived. This selection determines whether the displayed events are pulled from the active or an archived event database. The Active view is the default and displays all currently active events. The Archived view prompts for an Archive Silo from which the event data will be displayed. In the screen capture below, the LCE and Silo date range are displayed to help the user choose the correct archive data for analysis.

The save-database and accompanying location options must be uncommented in the lce.conf file for the LCE to store archive data for future retrieval.

Archive Silo Selection

Analysis Tool

A wide variety of analysis tools are available for comprehensive event analysis. Clicking on the current view (Type Summary by default) displays an analysis tool:

Analysis Tool Options

Loading one of the analysis filters generates an event filter that may be reset at any time by clicking on the Clear link. The table below contains detailed descriptions of all available analysis tools:

Table 18 Event Analysis Tools

Type Summary: The Type Summary tool displays the matching unique event types and the number of corresponding events for each. The unique event types are based on normalized logs or events such as firewall, system, correlated, network and IDS. These types are high-level types used to describe event types (e.g., login or lce). Clicking on any of the event counts displays a list of matching events.

Normalized Event Summary: This tool summarizes a listing of all normalized events and their count for the chosen time period. Normalized events are lower-level events that have been assigned a Tenable name based on LCE scripts parsing of the log records (e.g., Snort-HTTP_Inspect). Clicking on the event name displays the event information, including the script that fired to cause the event. Clicking on the event count displays a Normalized Event view for the selected category.

Detailed Event Summary: The Detailed Event Summary tool displays a summary of the various events based on their full event name and count. Clicking on either the count or timeline displays a Detailed Event view.

List of Events: This tool displays a line of data for each matching event. The line includes many pieces of information such as time, event name, number of correlated vulnerabilities and involved IP addresses and sensor. Two links of great use are available. First, if the IDS event correlates with a particular system's vulnerabilities, clicking on the number of vulnerabilities will switch the user to the cumulative vulnerability display for that host. This is very useful to determine a target system's profile. Second, if an LCE is present, links are generated that can take the user to a log analysis query based on the source or destination addresses of the IDS event. This filter is applied to all searched LCEs. These queries are available for the 30-minute window or 24-hour window surrounding the IDS event. This is a very efficient way to find an IDS event of interest and see if the target or the attacker has generated any other system logs of interest.

Other links of interest in the List of Events view include time, event name, and source/destination IP address. Clicking on the event name adds a filter to only display events matching that event name. Finally, clicking on the source or destination IP address loads a system information summary of data available for the IP address in question.

Sensor Summary: The Sensor Summary displays the unique event counts for any query from unique sensor types. In Log Analysis mode, the LCE attempts to learn any system names of the remote devices through log analysis. Not all remote log sources will have detectable sensor names.

Event Trend: This analysis tool displays an event trend area graph with total events over the last 24 hours. Modify the filters for this graph to display the desired event trend view.

Date Summary: When analyzing large amounts of data, it is often useful to get a quick summary of how the data set manifests itself across several dates. For example, when analyzing a suspected attacker's IP address, creating a filter for that IP and looking at the type of events is simple enough. However, displaying that same data over the last few days or weeks can paint a much more interesting picture of a potential attacker's activity.

Asset Summary: This tool can be used to see how certain types of activity, remote attackers, or non-compliant events have occurred across different asset groups. Clicking on the Total count for the listed asset displays a Type Summary page that shows the event type, total number of each event, and a plot that displays the event occurrences over the queried time period.

User Summary: This tool displays the matching unique event types and the number of corresponding events for each user when user tracking is enabled in LCE. The unique event types are based on normalized logs such as

firewall, system, correlated, network, and IDS. Clicking on any of the event counts under the Total column will display a Type Summary of matching events.

Port Summary: A port summary can be invoked. This tool produces a table of the top used ports and combines counts for source and destination ports into one overall count. Clicking on the event count will display a Type Summary of events filtered for that port. Port 0 events are host-based events that are not specific to any particular TCP/UDP port.

Protocol Summary: This tool summarizes counts of events based on IP protocols. Clicking on the event total displays a Type Summary view of events filtered by the selected protocol.

IP Summary, Class A Summary, Class B Summary, Class C Summary: SecurityCenter provides the ability to quickly summarize matching IP addresses by single IP, Class A, Class B and Class C addresses. The IP Summary tool displays the associated LCE server along with the IP address of the reporting system and the event count for that system. For example, if an LCE system with the IPv4 address of has been named as Tier1LCE and is reporting on events from IPv4 address of , the information in the IP Address field will display Tier1LCE/ for that system. Clicking on an IP address displays a Host Detail window for that IP address. SecurityCenter 4.6 calculates and loads Host Detail assets incrementally to enhance system performance. The System Information box displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerabilities. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the ARIN link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by the administrative user (via the Manage IP Address Information Links selection under the Customization tab), they

will be displayed here. The Sum by Class A, B, and C tools work by displaying matching addresses. Clicking on the number displayed in the Total column will display the Type Summary for that IP range.

Raw Syslog Events: Users can choose to view the original log message or IDS event for full forensic analysis. It is recommended that users attempt some sort of filtering match first before attempting to find their desired event. Users will typically sort their results and drill into the list until they find what they are looking for before attempting to view the raw data.

Load Query

This option loads a predefined query and displays the current dataset against that query. Click on Load Query to display a box with all available queries and their group name (if applicable) next to it. Entering text in the search box will narrow the list to the matching criteria. After clicking on an individual query, the event view is changed to match that query view for the current dataset.

Additional Event Analysis Options

The following options are available in the upper right-hand corner of the event analysis screen:

Additional Event Analysis Options

Save Query

This option, available in the upper right-hand corner of the web interface, saves the current event view as a query for reuse. If this link is clicked, a dialog similar to the one below is displayed:

Event Query Options

The table below describes the available query options:

Table 19 Query Options

Name: Query name.
Group: This option provides a logical grouping for created query objects. Group names can be reused as desired. This reduces lengthy lists of queries with no logical grouping. Objects shared with new users will retain the group specified by the creator. For example, if the organization head creates an organizational query and assigns it to the DMZ group, all users will now have a DMZ group containing that organizational query.
Description: This option enables users to provide a description of the query.
Visibility: Visibility may be specified as User or Organizational. If User is specified, only the current user has access to the saved query, otherwise, all users within the organization have query access.
Save as [Timeframe]: When the query is run subsequently, use the relative event time frame currently in use rather than the explicit time frame in use. For example, the relative time frame is set to the last 72 hours. The explicit time frame is 11/5/2012 at 1pm through 11/8/2012 at 1pm. Checking this box will save the query as the last 72 hours from the time it is selected. Leaving the box unchecked will save the query from 11/5/2012 at 1pm through 11/8/2012 at 1pm.

Save Asset

Event results can be saved to an asset list for later use by clicking on the Save Asset link in the upper right-hand side of the screen.

Save as Asset Options

The table below describes the available asset options:

Table 20 Asset Options

Name: Asset name.
Group: A logical grouping for created asset objects. Group names can be reused as desired. This reduces lengthy lists of assets with no logical grouping. Objects shared with new users will retain the group specified by the creator. For example, if the organization head creates an organizational asset and assigns it to the DMZ group, all users will now have a DMZ group containing that organizational asset.
Description: Asset description.
Visibility: User or Organizational. If User is specified, only the current user has access to the saved query, otherwise, all users within the organization have query access.

Open Ticket

Ticket Options

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security events. Use this option to open a ticket based on the current event view. Click on the Open Ticket link and complete the relevant fields as described below:

Table 21 Ticket Options

Name: Ticket name.
Description: Ticket description.
Notes: Notes to be used within the ticket and read by the ticket assignee.
Assign To: Ticket assignee.
Classification: Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk, Recast Risk, Re-scan Request, False Positive, System Probe, External Probe, Investigation Needed, Compromised System, Virus Incident, Bad Credentials, Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

More Options

Save Watchlist

A watchlist is an asset list that is used to maintain lists of IPs not in the user's managed range of IP addresses. The screen capture below demonstrates a sample watchlist configuration:

Watchlist Options

IPs from a watchlist can be filtered on regardless of your IP range configuration. This proves to be beneficial when analyzing event activity originating outside of the user's managed range. For example, if a block of IP addresses is a known source of malicious activity, it could be added to a watchlist called malicious IPs and added to a custom query. If Exclude Managed Ranges is selected, the watchlist will encompass the IPs within the current view, except those that are part of the organization's managed ranges. Otherwise, the watchlist will encompass all IPs within the current view.

Export as CSV

Event results can be exported to a comma-separated file for detailed analysis by clicking on the More link and then the Export as CSV option.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a pop-up is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results screen. For CSV exports of under 1,000 records, the browser's standard Save As dialog window is displayed.

Save CSV Report

Create Report

This option is used to create a report based on the existing event view.

Report Launch Dialog

Event Filters

Clicking on Edit Filters displays a page similar to one available for searching vulnerability data:

Event Filter Options

See the table below for detailed descriptions of these options. All filter search fields are case-sensitive. For example, to search for the string Open Port, both words must be capitalized in the search string.

Table 22 Event Filter Options

Analysis Tool Filter

Analysis Tool: This drop-down is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis -> Events dialog. These tools are described in detail in the Analysis Tools section.
Active Filters: This field displays the existing filters and allows the user to selectively remove filters as needed. In the example below, the Active Filters displayed are Timeframe, Type, and Targeted IDS Events. Clicking the X next to any one of these filters will remove that filter from the displayed events.

Target Filters

Address: Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering /24 limits any of the web tools to only show event data from that network. Addresses can be entered on separate lines or comma separated.
Port: This filter is in two parts. First the type of filter can be specified to allow matching vulnerabilities with the specified ports (=) or excluding ports (!=). The port filter may specify a single port, comma separated list of ports, or range of ports (e.g., ). All host-based vulnerability checks are reported with a port of 0 (zero).
Protocol: Specify the protocol of the event (Any, TCP, UDP, ICMP, or Unknown).
Direction: Filter by event direction (Any, Inbound, Outbound, and Internal).

Output

Assets (only available in the Asset Summary analysis tool): Filter the event by asset list. Select an asset list from those available. To narrow down the number of displayed asset lists, enter text to filter on in the search box. This filter displays only the desired asset list systems.

Event Filters

Timeframe: A shortcut to this configuration item is available by clicking on the date field directly below the Analysis Tool, as described in the Date Selection section above. An explicit timeframe is displayed by default. Specify either an explicit or relative timeframe for the event filter. Choosing explicit opens up a calendar dialog allowing the user to select the from and to dates and times. Relative timeframes range from the last 15 minutes to the last 12 months and All.

Normalized Event: The Normalized Event is the name given to the event by the LCE after the LCE runs its PRM and TASL scripts against it.
Detailed Event: This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.
Type: Clicking in this box generates a drop-down that allows one to select the event type (e.g., error, lce, login, intrusion, etc.).
Sensor: Filter the events by sensor using the equal (=) or not equal (!=) operators.
User: Specify only events tied to a particular username.
Targeted IDS Events: This filter checkbox selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host's vulnerabilities (CVE, etc.) against those tied to the actual IDS event.
Syslog Text (Raw Syslog Events Analysis Tool): String to search for within the filtered event. When using LCE server version and newer, the text search is case-insensitive and Boolean operators may be used. For example: text="(drive AND serial) OR utilization". This filter is case-sensitive when using LCE version and earlier.

Advanced Filters

LCEs: Specify the LCEs to obtain events from. Use <CTRL> or <Shift> + click to select more than one.
Repositories: Specify the Repositories to obtain events from. Use <CTRL> or <Shift> + click to select more than one.
Source Address: Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering /24 limits any of the web tools to only show event data with source IPs in that block. Addresses can be comma separated.
Destination Address: Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering /24 limits any of the web tools to only show event data with destination IPs in that block. Addresses can be comma separated.
Source Port: This filter is in two parts. First the type of filter can be specified to allow matching events with the same ports (=) or different ports (!=). The port filter may specify a single port, comma separated list of ports or range of ports (e.g., ).
Destination Port: This filter is in two parts. First the type of filter can be specified to allow matching events with the same ports (=) or different ports (!=). The port filter may specify a single port, comma separated list of ports or range of ports (e.g., ).
Source Asset: Events originating from the defined source asset list.

Destination Asset: Events originating from the defined destination asset list.

Clicking on Reset View causes the display to return to the default screen.

Scanning

The Scans function of the SecurityCenter provides the ability to create, view, configure, control, and schedule Nessus scans. Clicking on Scans under the Scanning tab displays a list of all available Nessus scans along with their associated Policy Name/Plugin ID, Start Time, Status, Owner, and Schedule:

SecurityCenter Scan Listing

Scans

Authorized users can create a scan by clicking on Add under the Scans tab or by copying an existing scan template. A menu selection similar to the screen capture below is displayed showing five page tabs: Basic, Policy and Credential, Policy, Plugin Preferences, and Post Scan. While adding a new scan, if a required field is omitted, the user interface will display the omitted field with a red border and not allow the page submission to occur until a valid entry has been added.

Add Scan Dialog Box

Basic Options

The table below describes options available on the Basic tab.

Table 23 Basic Scan Options

Name: The scan name will be associated with the scan's results and may be any name or phrase (e.g., SystemA, DMZ Scan, Daily Scan of the Web Farm, etc.).
Description: Descriptive information related to the scan.
Schedule: The drop down menu provides the ability to schedule a scan for Now, Once, Daily, Weekly, Monthly(Day), Monthly(Date), Template, or Dependent. The Template selection provides the ability to create a scan template that may be launched manually at any time. The Dependent selection enables the scan to be scheduled after the completion of a scan selected from the displayed drop down menu.
Import Repository: Specifies the repository where the scan results will be imported. Select a repository to receive IPv4 or IPv6 results appropriate to the scan being conducted. When scanning one or more asset lists, the asset list must contain IPs in the repository IP ranges or the following error is displayed: Entered IPs and Assets are empty. Log in as the administrator user to view the contents and associated repositories of an asset list.
Scan Targets: The scan can target one or more of a user's Asset Lists or manually entered Targets. IPv4 or IPv6 addresses or hostnames entered into the Targets box must be complete IP addresses, network ranges, CIDR blocks, or DNS hostnames. The addresses or hostnames entered into the Targets box will be merged with any selected asset lists, preventing scanning of unauthorized targets. Scanning both IPv4 and IPv6 addresses in the same scan is not supported due to the ability to only select one Import Repository.
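The Scan Targets and Import Repository rules from Table 23, as an added example that is not SecurityCenter code: it parses the Targets box syntax, merges it with asset-list entries, rejects a mix of IPv4 and IPv6 targets because only one Import Repository can be selected, and reports "Entered IPs and Assets are empty" when nothing falls inside the repository's ranges. The hostname pattern, the rule that a block is kept only when it lies entirely inside a repository range, and the sample addresses are assumptions.

```python
"""Scan-target validation modelled on Table 23 (added example, not SecurityCenter code).

Assumed rules, taken from the table text: targets may be single IPs, ranges
(lo-hi), CIDR blocks or DNS hostnames; manual targets are merged with the
selected asset lists; a scan has one Import Repository, so IPv4 and IPv6
targets cannot be mixed; and if no target falls inside the repository's IP
ranges the scan is rejected with "Entered IPs and Assets are empty".
"""
import ipaddress
import re

# RFC 1123 style hostname check (assumption: the exact SecurityCenter rule is not on the page)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_target(text):
    """Return a list of ip_network objects for one target, or None for a hostname."""
    text = text.strip()
    try:                                   # single IP ("192.0.2.10") or CIDR block
        return [ipaddress.ip_network(text, strict=False)]
    except ValueError:
        pass
    if "-" in text:                        # address range "lo-hi", same family
        lo_s, hi_s = text.split("-", 1)
        try:
            lo, hi = ipaddress.ip_address(lo_s.strip()), ipaddress.ip_address(hi_s.strip())
        except ValueError:
            lo = hi = None                 # not a range; may still be a hostname
        if lo is not None:
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"invalid address range: {text}")
            return list(ipaddress.summarize_address_range(lo, hi))
    if HOSTNAME_RE.match(text):
        return None                        # DNS hostname, resolved by the scanner
    raise ValueError(f"not an IP address, range, CIDR block or hostname: {text}")


def validate_scan_targets(targets, asset_lists, repository_ranges):
    """Merge manual targets with asset-list entries and check them against the repository.

    targets:           comma- or newline-separated string typed into the Targets box
    asset_lists:       iterable of strings in the same syntax (the selected asset lists)
    repository_ranges: CIDR strings of the single Import Repository
    Returns {"ok", "error", "networks", "hostnames"}.
    """
    repo = [ipaddress.ip_network(r) for r in repository_ranges]
    versions = {r.version for r in repo}
    if len(versions) != 1:
        return _result(error="a repository holds IPv4 or IPv6 ranges, not both")
    (repo_version,) = versions

    entries = [t for t in re.split(r"[,\n]", targets) if t.strip()]
    entries += [a for a in asset_lists if a.strip()]
    networks, hostnames = [], []
    for entry in entries:
        nets = parse_target(entry)
        if nets is None:
            hostnames.append(entry.strip())
        else:
            networks.extend(nets)

    if {n.version for n in networks} == {4, 6}:
        return _result(error="IPv4 and IPv6 targets in one scan: only one Import Repository can be selected")

    # Keep only targets fully inside the repository ranges (unauthorized targets are dropped).
    in_scope = [n for n in networks
                if n.version == repo_version and any(n.subnet_of(r) for r in repo)]
    if not in_scope and not hostnames:
        return _result(error="Entered IPs and Assets are empty")
    return _result(networks=[str(n) for n in in_scope], hostnames=hostnames)


def _result(error=None, networks=None, hostnames=None):
    return {"ok": error is None, "error": error,
            "networks": networks or [], "hostnames": hostnames or []}


if __name__ == "__main__":
    # Constructed sample using documentation address blocks, not a real deployment.
    print(validate_scan_targets(
        "192.0.2.10, 192.0.2.20-192.0.2.30\n203.0.113.0/24, db01.example.test",
        ["198.51.100.0/25"],
        ["192.0.2.0/24", "198.51.100.0/24"]))
```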

Policy and Credential Options

From this tab the scan type, scan zone, and authentication settings are configured.

Policy and Credentials Screen

The scan policy contains plugin settings and advanced directives used during the course of the Nessus scan. Within the Scan Type section, two radio buttons are available, Policy and Plugin. If the Policy radio button is selected, the side tabs for Policy and Plugin Preferences are grayed out. If the Plugin radio button is selected, both options are available for further configuration. If Scan Zone is set to Selectable for the user, a drop-down box will be available to allow for the selection of the scan zone to be used for the scan. If default is selected, the Scan Zone that most closely matches the host or range of hosts to be scanned will be selected from the zones available. When Scan Zone is set to forced, the Scan Zone box is greyed out and cannot be modified. The Authentication section allows users to select pre-configured credential sets for authenticated scanning. SecurityCenter supports the use of up to four Windows credential sets, four SNMP credential sets, an SSH credential set, and a Kerberos credential set per scan.

Policy Options

This tab is only available if a single plugin scan was selected in the Policy and Credential tab. Scan policies are modified by navigating to Support -> Scan Policies.

Scan Policy Configuration Page

The table below contains a description of all available options on the Policy configuration page.

Table 24 Scan Options

Safe Checks: Nessus can attempt to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.
Silent Dependencies: If this option is checked, the list of dependencies is not included in the report. To include the list of dependencies in the report, uncheck the box.
Consider Unscanned Ports as Closed: With this setting enabled, ports that are not enumerated by the port scan will not be tested. For example, scanning ports 21, 22, and 23 will only test those ports and not any other port.

The Port Scanners frame controls which methods of port scanning should be enabled for the scan:

Table 25 Port Scanners Options

TCP Scan: Use the Nessus built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features. On some platforms (e.g., Windows and Mac OS X), if the operating system is causing serious performance issues using the TCP scanner, Nessus will launch the SYN scanner.

UDP Scan: This option engages the Nessus built-in UDP scanner to identify open UDP ports on the targets. UDP is a stateless protocol, meaning that communication is not done with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable. Scans using the UDP scanner will take significantly longer to complete.
SYN Scan: Use the Nessus built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and generally considered to be a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply and determines port state based on a reply, or lack of reply.
SNMP Scan: Direct Nessus to scan targets for an SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under Preferences, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.
Netstat SSH Scan: This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.
Netstat WMI Scan: This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials.
Ping Host: This option enables the pinging of remote hosts on multiple ports to determine if they are alive.

The Port Scan Options frame directs the scanner to target a specific range of ports. The following values are allowed for the Port Scan Range option:

Table 26 Values for Port Scan Options

default: Using the keyword default, Nessus will scan approximately 4,789 common ports (found in the nessus-services file).
Custom List: A custom range of ports can be selected by using a comma delimited list of ports or port ranges. For example, 21,23,25,80,110 or ,8080, are allowed. Specifying will scan all ports.

The range specified for a port scan will be applied to both TCP and UDP scans.

The Performance frame provides two options that control how many scans will be launched. These options are perhaps the most important when configuring a scan as they have the biggest impact on scan times and network activity.

Table 27 Performance Options

Max Checks Per Host: This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.
Max Hosts Per Scanner: This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time. If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max Hosts Per Scan option. For example, if the Max Hosts Per Scan is set to 5 and there are five scanners per zone, each scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned between the five scanners.
Max Scan Time (hours): This setting limits the length of time a scan is allowed to run. If a scan reaches this limit, the unscanned targets are captured in a new rollover scan that can be run manually or scheduled at a later time.
Max TCP Connections: This setting limits the maximum number of TCP sessions established by any of the active scanners while scanning a single host.

Plugin Preferences

The Plugin Preferences tab includes means for granular control over scan settings. Selecting an item from the dropdown menu will display further configuration items for the selected category. Note that this is a dynamic list of configuration options that is dependent on the plugin feed, audit policies, and additional functionality to which the connected Nessus scanner has access. This list may also change as plugins are added or modified.

Scan Plugin Preferences

The Cisco IOS Compliance Checks (plugin 46689) options determine the Cisco IOS configuration file to audit. The available options are Saved, Running, or Startup. Only one type of configuration file may be selected.

If a secure method of performing credentialed checks is not available, users can force Nessus to attempt to perform checks over insecure protocols by configuring the Cleartext protocols settings (plugin 21744) drop-down menu item. The cleartext protocols supported for this option are telnet, rsh, and rexec. The unsafe! warning serves as a reminder that the information is being sent across the network in an unencrypted manner.

Plugin 21744: Cleartext protocols settings

The Database settings (plugin 33815) options apply to database compliance audits and are used to specify the type of database to be tested, relevant settings and credentials:

Plugin 33815: Database settings

Table 28 Database Settings

Login: The username for the database.
Password: The password for the supplied username.
DB Type: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, and PostgreSQL are supported.
Database SID: Database system ID to audit (Oracle only).
Database port to use: TCP port the database listens on. If this field is not specified, the default port for the chosen database is used:
Oracle: 1521
MySQL: 3306
SQL Server: 1433
Informix: 1526
DB2:
Oracle auth type: NORMAL, SYSOPER, and SYSDBA are supported. Depending on the privileges required by the .audit commands, enhanced privileges such as SYSOPER or SYSDBA may be required. In most cases, however, the NORMAL auth type will suffice.
SQL Server auth type: Windows or SQL are supported.

Dell Force10 FTOS Compliance Checks (plugin 72461) allows for assigning up to 5 compliance policy files to check the configuration file uploaded after exporting from a Dell Force10 FTOS device.

Do not scan fragile devices (plugin 22481) instructs the Nessus scanner to scan network printers or Novell Netware hosts if unselected. Since both of these technologies are more prone to denial of service conditions, Nessus can skip scanning them once identified. This is particularly recommended if scanning is performed on production networks.

Plugin 22481: Do not scan fragile devices

Global variable settings (plugin 12288) contains a wide variety of configuration options for the Nessus server.

Plugin 12288: Global variable settings

Table 29 Global Variable Settings

Probe services on every port: Attempts to map each open port with the service that is running on that port. Note that in some rare cases, this might disrupt some services and cause unforeseen side effects.
Do not log in with user accounts not specified in the policy: Used to prevent account lockouts if the password policy is set to lock out accounts after several invalid attempts.
Enable CGI scanning: Activates CGI checking. Disabling this option will greatly speed up the audit of a local network.
Network type: Specifies if the network type uses public routable IPs, private non-internet routable IPs or a mix of these. Select Mixed if using RFC 1918 addresses and there are multiple routers within the network.
Enable experimental scripts: Causes plugins that are considered experimental to be used in the scan. Do not enable this setting while scanning a production network. Tenable does not release scripts flagged as experimental in either plugin feed.
Thorough tests (slow): Causes various plugins to work harder. For example, when looking through SMB file shares, a plugin can analyze 3 levels deep instead of 1. This could cause much more network traffic and analysis in some cases. Note that by being more thorough, the scan will be more intrusive and is more likely to disrupt the network, while potentially

having better audit results.
Report verbosity: Some plugins will try to capture output during a scan to prove that a vulnerability exists. The Normal setting (default) uses the plugin settings to determine how much output to capture. The Quiet setting disables capturing of most data. The Verbose setting removes most of the high limits of the data capture settings and reports the entire contents of the file.
Report paranoia: In some cases, Nessus cannot remotely determine whether a flaw is present or not. If the report paranoia is set to Paranoid (more false alarms) then a flaw will be reported every time, even when there is a doubt about the remote host being affected. Conversely, a paranoia setting of Avoid false alarm will cause Nessus to not report any flaw whenever there is a hint of uncertainty about the remote host. The default option (Normal) is a middle ground between these two settings.
HTTP User-Agent: Specifies which type of web browser Nessus will impersonate while scanning.
SSL certificate to use: Allows Nessus to use a client-side SSL certificate for communicating with a remote host.
SSL CA to trust: Specifies a Certificate Authority (CA) that Nessus will trust.
SSL key to use: Specifies a local SSL key to use for communicating with the remote host.
SSL password for SSL key: The password for managing the SSL key specified.

Hosts File Whitelisted Entries (plugin 73980) allows entries in a customized hosts file to be uploaded and whitelisted against plugins that check for abnormalities in the hosts file on scanned systems.

HTTP cookies import (plugin 42893) facilitates web application testing. Nessus can import HTTP cookies from another piece of software (web browser, web proxy, etc.) with these settings. A cookie file can be uploaded so that Nessus uses the cookies when attempting to access a web application. The cookie file must be in Netscape format.

The HTTP login page (plugin 11149) settings provide control over where authenticated testing of a custom web-based application begins. See this whitepaper for more details about configuring web applications that require authentication.

Plugin 11149: HTTP login page

Table 30 HTTP Login Page Settings

Login page: The base URL to the login page of the application.
Login form: The action parameter for the form method. For example, the login form for <form method="post" name="auth_form" action="/login.php"> would be /login.php. This option is not required if the Automated login page search option specified below is used.
Login form fields: Specify the authentication parameters (e.g., login=%user%&password=%pass%). If the keywords %USER% and %PASS% are used, they will be substituted with values supplied on the Login configurations drop-down menu. This option is not required if the Automated login page search option specified below is used.
Login form method: Specify POST or GET based on the login form requirements. This option is not required if the Automated login page search option specified below is used.
Automated login page search: Gives Nessus the option to parse the login page for form options and attempt to log in based on detected fields. This option works in conjunction with the HTTP cookies import (plugin 42893) to simplify form-based authentication. If more than one form is available on a web page (uncommon), use the manual login form parameters specified above instead.
Re-authenticate delay (seconds): The time delay between authentication attempts. This is useful to avoid triggering brute force lockout mechanisms.
Check authentication on page: The URL of a protected web page that requires authentication, to better assist Nessus in determining authentication status.
Follow 30x redirections (# of levels): If a 30x redirect code is received from a web server, this directs Nessus to follow the link provided or not.
Authenticated regex: A regex pattern to look for on the login page. Simply receiving a 200 response code is not always sufficient to determine session state. Nessus can attempt to match a given string such as "Authentication successful!".
Invert test (disconnected if regex matches): A regex pattern to look for on the login page that, if found, tells Nessus authentication was not successful (e.g., "Authentication failed!").
Match regex on HTTP headers: Rather than search the body of a response, Nessus can search the HTTP response headers for a given regex pattern to better determine authentication state.
Case insensitive regex: The regex searches are case sensitive by default. This instructs Nessus to ignore case.
Abort web application tests if login fails: If authentication fails to the web page, further actions by the plugin will be halted.

Huawei VRP Compliance Checks (plugin 73157) allows for assigning up to 5 compliance policy files to check the configuration file uploaded after exporting from a Huawei VRP device.
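To make the Login form fields substitution and the regex-based session checks of Table 30 concrete, here is an added Python model of that logic. It is example code written for this guide, not Nessus' implementation; the LoginPageSettings class and its field names are this example's own, and the form templates and responses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict
from urllib.parse import urlencode


@dataclass
class LoginPageSettings:
    """Subset of the plugin 11149 options modelled here (names are this example's, not Nessus')."""
    login_form_fields: str          # e.g. "login=%USER%&password=%PASS%"
    authenticated_regex: str        # pattern that signals a live session (or a failed one, if inverted)
    invert_test: bool = False       # True: a match means "disconnected"
    match_on_headers: bool = False  # search the HTTP headers instead of the body
    case_insensitive: bool = False  # regex searches are case sensitive by default


def build_form_body(settings: LoginPageSettings, username: str, password: str) -> str:
    """Substitute %USER% and %PASS% into the form field template and URL-encode the result.
    The substitution is assumed case-insensitive because the guide writes both spellings."""
    pairs = []
    for field in settings.login_form_fields.split("&"):
        key, _, value = field.partition("=")
        # Callable replacements keep backslashes in the credential literal.
        value = re.sub(r"%user%", lambda m: username, value, flags=re.IGNORECASE)
        value = re.sub(r"%pass%", lambda m: password, value, flags=re.IGNORECASE)
        pairs.append((key, value))
    return urlencode(pairs)


def is_authenticated(settings: LoginPageSettings, headers: Dict[str, str], body: str) -> bool:
    """Decide session state the way the four regex options describe: a 200 alone is not
    proof, the regex is, searched in the body or (if selected) in the response headers."""
    flags = re.IGNORECASE if settings.case_insensitive else 0
    pattern = re.compile(settings.authenticated_regex, flags)
    if settings.match_on_headers:
        haystack = "\r\n".join(f"{name}: {value}" for name, value in headers.items())
    else:
        haystack = body
    matched = pattern.search(haystack) is not None
    return (not matched) if settings.invert_test else matched


# Constructed settings for three configurations; the responses below are not from a real site.
BODY_CHECK = LoginPageSettings("login=%USER%&password=%PASS%", r"Authentication successful!")
INVERTED_CHECK = LoginPageSettings("login=%user%&password=%pass%", r"Authentication failed!",
                                   invert_test=True)
HEADER_CHECK = LoginPageSettings("user=%USER%&pw=%PASS%", r"Set-Cookie: session=",
                                 match_on_headers=True, case_insensitive=True)


if __name__ == "__main__":
    print(build_form_body(BODY_CHECK, "auditor", "p&ss=w0rd"))
    print(is_authenticated(BODY_CHECK, {}, "<p>Authentication successful!</p>"))
    print(is_authenticated(INVERTED_CHECK, {}, "<p>Authentication failed!</p>"))
    print(is_authenticated(HEADER_CHECK, {"Set-Cookie": "SESSION=abc123; HttpOnly"}, ""))
```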
IBM iSeries Credentials (plugin 57861) are used to specify the credentials for an IBM iSeries system to be tested.

The ICCP/COTP TSAP Addressing (plugin 23812) menu deals specifically with SCADA checks. It determines a Connection Oriented Transport Protocol (COTP) Transport Service Access Point (TSAP) value on an Inter-Control Center Communications Protocol (ICCP) server by trying possible values. The start and stop values are set to 8 by default.

LDAP Domain Admins Group Membership Enumeration (plugin 58038) allows for the entry of an LDAP user and password to be used to attempt to enumerate the members of the Domain Admins group on an LDAP server search base, which is identified using the LDAP Crafted Search Request Server Information Disclosure plugin (25701). The Max Results setting limits the enumeration of users to the number entered (1,000 by default).

Login configurations (plugin 10870) allows the Nessus scanner to use credentials when testing HTTP, NNTP, FTP, POP2, POP3 or IMAP. By supplying credentials, Nessus may have the ability to do more extensive checks to determine vulnerabilities. HTTP credentials supplied here will be used for Basic and Digest authentication only. For configuring credentials for a custom web application, use the HTTP login page pull-down menu. Two checkboxes are available on this page, Never send SMB credentials in clear text and Only use NTLMv2. Both of these settings affect the security of credentials sent out during Nessus scans.

Using cleartext credentials in any fashion is not recommended! If the credentials are sent remotely, via a Nessus scan or emailing a policy to another administrator, the credentials could be intercepted by anyone with access to the network. Use encrypted authentication mechanisms whenever possible.

Plugin 10870: Login configurations

Malicious Process Detection (plugin 59275) allows you to upload a custom list of MD5 hashes to identify running processes on scanned hosts when the plugin is enabled. The format of the file is one MD5 hash per line without any surrounding whitespace. Optionally, a description may be added by putting a comma after the hash followed by the text of the description to be displayed in the scan results. Lines beginning with a # symbol are treated as comments and are ignored. All other items are considered invalid.

    # hashes for the foobar malware
    11b95ccc1427be5f6c7f0e547bde34e6,foobar malware
    f2d53d861ed2819b8b298af,foobar malware 1.1
    f80a405f55c2cd651e58a8fc ,foobar malware 1.2
    # example.exe
    4f8793a9c7560af2cb48f062cd7879af

The Modbus/TCP Coil Access (plugin 23817) drop-down menu item is dynamically generated by the SCADA plugins. Modbus uses a function code of 1 to read coils in a Modbus slave. Coils represent binary output settings and are typically mapped to actuators. The ability to read coils may help an attacker profile a system and identify ranges of registers to alter via a write coil message. The defaults for this are 0 for the Start reg and 16 for the End reg.
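The plugin 59275 list format above is simple but unforgiving, so here is an added Python parser and matcher for it (example code written for this guide, not Tenable's plugin). It keeps the well-formed entries, reports the lines the guide says are invalid, and checks a constructed process table against the list; the sample hash is computed from a throwaway byte string and the treatment of blank lines is this example's assumption.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# One MD5 hash is exactly 32 hex digits with nothing around it (no surrounding whitespace).
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def parse_hash_list(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse a plugin 59275 style hash list.

    Returns (entries, invalid): entries maps lowercase MD5 -> description ("" when none);
    invalid lists (line number, raw line) for every line that is neither a comment nor a
    well-formed hash, which the guide says the plugin treats as invalid.
    Blank lines are skipped here; the guide does not say how the plugin treats them (assumption)."""
    entries: Dict[str, str] = {}
    invalid: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):
            continue                      # comment line, ignored
        if line.strip() == "":
            continue                      # assumption: blank lines are tolerated
        digest, sep, description = line.partition(",")
        if MD5_RE.fullmatch(digest) is None:
            invalid.append((lineno, line))   # leading/trailing spaces or wrong length land here
            continue
        entries[digest.lower()] = description if sep else ""
    return entries, invalid


def match_processes(entries: Dict[str, str], processes: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, name, description) for every running process whose image hash is listed."""
    hits = []
    for proc in processes:
        description = entries.get(proc["md5"].lower())
        if description is not None:
            hits.append((proc["pid"], proc["name"], description))
    return hits


# Constructed sample data: the hash is derived from a harmless byte string, not from malware.
SAMPLE_IMAGE = b"constructed sample process image for the example"
SAMPLE_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()

SAMPLE_LIST = (
    "# constructed example list, not a real indicator set\n"
    f"{SAMPLE_MD5},constructed sample\n"
    "00000000000000000000000000000000\n"            # valid: bare hash, no description
    "   0123456789abcdef0123456789abcdef\n"          # invalid: surrounding whitespace
    "not-a-hash,bad entry\n"                         # invalid: not 32 hex digits
)

SAMPLE_PROCESSES = [
    {"pid": 101, "name": "svc.exe", "md5": SAMPLE_MD5.upper()},   # upper case on purpose
    {"pid": 102, "name": "shell.exe", "md5": hashlib.md5(b"something else").hexdigest()},
]


if __name__ == "__main__":
    entries, invalid = parse_hash_list(SAMPLE_LIST)
    for lineno, line in invalid:
        print(f"line {lineno} rejected: {line!r}")
    for pid, name, description in match_processes(entries, SAMPLE_PROCESSES):
        print(f"pid {pid} ({name}) matches listed hash: {description or '<no description>'}")
```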

Nessus SYN scanner (plugin 11219) and Nessus TCP scanner (plugin 10335) options allow you to better tune the native SYN and TCP scanner to detect the presence of a firewall.

Table 31 Nessus SYN and TCP Scanner Settings

Automatic (normal): This option can help identify if a firewall is located between the scanner and the target (default).
Disabled (softer): Disables the Firewall detection feature.
Do not detect RST rate limitation (soft): Disables the ability to monitor how often resets are sent and to determine if there is a limitation configured by a downstream network device.
Ignore closed ports (aggressive): Will attempt to run plugins even if the port appears to be closed. It is recommended that this option not be used on a production network.

Oracle settings (plugin 22076) allows the user to enter the Oracle database SID to specify which database to test. In addition, Test default accounts (slow) enables the Nessus scan to probe for default accounts within the remote database for vulnerabilities.

Palo Alto Networks PAN-OS Settings (plugin 64286) allows you to set the Username and Password for logging into a Palo Alto device. Additionally, the Port may be customized and the SSL certificate presented may be verified.

Patch Management: IBM Tivoli Endpoint Manager Server Settings (plugin 62558) allows the user to enter credentials for an IBM Tivoli Endpoint Manager Server.

Patch Management: Red Hat Satellite Server Settings (plugin 57063) allows users to enter credentials for Red Hat Satellite servers. When a Red Hat host is scanned without local credentials, the Satellite server will be queried for and report the current patch status for the scanned host.

Patch Management: SCCM Server Settings (plugin 57029) allows users to enter credentials for an SCCM server. When a machine is scanned without local credentials, the SCCM server will be queried for and report the current patch status for the scanned host.

Patch Management: VMware Go Server Settings (plugin 57026) allows users to enter credentials for a VMware Go Server. When a machine is scanned without local credentials, the VMware Go server will be queried for and report the current patch status for the scanned host.

Patch Management: WSUS Server Settings (plugin 57031) allows users to enter credentials for a WSUS server. When a machine is scanned without local credentials, the WSUS server will be queried for and report the current patch status for the scanned host.

Patch Report (plugin 66334) allows the user to display superseded patches in the scan report when available. This setting is turned off by default.

Ping the remote host (plugin 10180) options allow for granular control over Nessus' ability to ping hosts during discovery scanning. This can be done via ARP ping, TCP ping, ICMP ping or applicative UDP ping.

Plugin 10180: Ping the remote host

Table 32 Ping the Remote Host Settings

TCP ping destination port(s): Specifies the list of ports that will be checked via TCP ping. If you are not sure of the ports, leave this setting at the default of built-in.
Do an ARP ping: Utilize the ARP protocol for pings.
Do a TCP ping: Utilize the TCP protocol for pings.
Do an ICMP ping: Utilize the ICMP protocol for pings.
Number of retries (ICMP): Allows you to specify the number of attempts to try to ping the remote host. The default is set to 2.
Do an applicative UDP ping (DNS, RPC...): Perform a UDP ping against specific UDP-based applications including DNS (port 53), RPC (port 111), NTP (port 123) and RIP (port 520).
Make the dead hosts appear in the report: If this option is selected, hosts that did not reply to the ping request will be included in the security report as dead hosts.
Log live hosts in the report: Select this option to specifically report on the ability to successfully ping a remote host.
Test the local Nessus host: This option allows you to include or exclude the local Nessus host from the scan. This is used when the Nessus host falls within the target network range for the scan.
Fast network discovery: By default, when Nessus pings a remote IP and receives a reply, it performs extra checks to make sure that it is not a transparent proxy or a load balancer that would return noise but no result (some devices answer to every port but there is no service behind). Such checks can take some time, especially if the remote host is firewalled. If the fast network discovery option is enabled, Nessus will not perform these checks.
Interpret ICMP unreach from gateway: When a ping is sent to a host that is down, its gateway may return an ICMP unreach message. When enabled, this option will consider this to mean the host is dead. This is to help speed up discovery on some networks. Note that some firewalls and packet filters use this same behavior for hosts that are up but are connecting to a port or protocol that is filtered. With this option enabled, this will lead to the scan considering the host down when it is indeed up.

Port scanner settings (plugin 33812) provide two options for further controlling port scanning activity.

Table 33 Port Scanner Settings

Check open TCP ports found by local port enumerators: If a local port enumerator (e.g., WMI or netstat) finds a port, Nessus will also verify it is open remotely. This helps determine if some form of access control is being used (e.g., TCP wrappers, firewall).
Only run network port scanners if local port enumeration failed: Otherwise, rely on local port enumeration first.

SMB Registry: Start the Registry Service during the scan (plugin 35703) enables the service to facilitate some of the scanning requirements for machines that may not have the Remote Registry service running all the time. The administrative shares may be enabled during the scan if they are not enabled at the beginning of the scan.

Under the SMB Scope (plugin 10917) menu, if the option Request information about the domain is set, then domain users will be queried instead of local users.

SMB Use Domain SID to Enumerate Users (plugin 10399) specifies the SID range to use to perform a reverse lookup on usernames on the domain. The default setting (1000 to 1200) is recommended for most scans.

SMB Use Host SID to Enumerate Local Users (plugin 10860) specifies the SID range to use to perform a reverse lookup on local usernames. The default setting (1000 to 1200) is recommended for most scans.

SMTP settings (plugin 11038) specify options for SMTP (Simple Mail Transport Protocol) tests that run on all devices within the scanned domain that are running SMTP services. Nessus will attempt to relay messages through the device to the specified Third party domain. If the message sent to the Third party domain is rejected by the address specified in the To address field, the spam attempt failed. If the message is accepted, then the SMTP server was successfully used to relay spam.

Plugin SMTP settings

Table 34 SMTP Settings

Third party domain: Nessus will attempt to send spam through each SMTP device to the address listed in this field. This third party domain address must be outside the range of the site being scanned or the site performing the scan. Otherwise, the test might be aborted by the SMTP server.
From address: The test messages sent to the SMTP server(s) will appear as if they originated from the address specified in this field.
To address: Nessus will attempt to send messages addressed to the mail recipient listed in this field. The postmaster address is the default value since it is a valid address on most mail servers.

SNMP settings (plugin 19762) allow you to configure Nessus to connect and authenticate to the SNMP service of the target. During the course of scanning, Nessus will make some attempts to guess the community string and use it for subsequent tests. If Nessus is unable to guess the community string and/or password, it may not perform a full audit against the service.

Plugin SNMP Settings

Table 35 SNMP Settings

UDP port: Direct Nessus to scan a different port should SNMP be running on a port other than 161.
SNMPv3 user name: The username for an SNMPv3 based account.
SNMPv3 authentication password: The password for the username specified.
SNMPv3 authentication algorithm: Select MD5 or SHA1 based on which algorithm the remote service supports.
SNMPv3 privacy password: A password used to protect encrypted SNMP communication.
SNMPv3 privacy algorithm: The encryption algorithm to use for SNMP traffic.

SSH settings (plugin 14273): Users can select SSH settings from the drop-down menu and enter a known_hosts file for scanning Unix systems. There is also a field for entering the Preferred SSH Port. By default, Nessus will use the standard TCP port 22 for credentialed Unix scans; however, this setting enables the user to specify a non-standard port for SSH login attempts.

Service Detection (plugin 22964) controls how Nessus will test SSL based services: known SSL ports (e.g., 443), all ports or none. Testing for SSL capability on all ports may be disruptive for the tested host.

Unix File Contents Compliance Checks (plugin 72095) audits Unix systems for non-compliant content utilizing a compliance check.

VMware SOAP API Settings (plugin 57395) provides Nessus with the credentials required to authenticate to VMware ESX, ESXi, and vSphere Hypervisor management systems via their own SOAP API, as SSH access has been deprecated. This API is intended for auditing vSphere 4.x / 5.x, ESXi, and ESX hosts, not the virtual machines running on the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits.

VMware vCenter SOAP API Settings (plugin 63060) provides Nessus with the credentials required to authenticate to VMware vCenter management systems via their own SOAP API. The API is intended for auditing vCenter, not the virtual machines running on the hosts. This authentication method can be used to perform credentialed scans or perform compliance audits.

Wake-on-LAN (plugin 52616) controls which hosts to send WOL magic packets to before performing a scan and how long to wait (in minutes) for the systems to boot. The list of MAC addresses for WOL is entered using an uploaded text file with one host MAC address per line. For example:

    00:11:22:33:44:55
    aa:bb:cc:dd:ee:ff

Web Application Tests Settings (plugin 39471) tests the arguments of the remote CGIs (Common Gateway Interface) discovered in the web mirroring process by attempting to pass common CGI programming errors such as cross-site scripting, remote file inclusion, command execution, traversal attacks or SQL injection. Enable this option by selecting the Enable web applications tests checkbox. These tests are not intended to target web applications implementing client-side technologies such as AJAX or Flash.

The following web application related plugins depend on plugin 39471:

- CGI Generic SQL Injection Vulnerability (CGI abuses)
- CGI Generic Command Execution Vulnerability (CGI abuses)
- CGI Generic Cross-Site Scripting Vulnerability (quick test) (CGI abuses: XSS)
- CGI Generic Path Traversal Vulnerability (CGI abuses)
- CGI Generic Header Injection Vulnerability (CGI abuses: XSS)
- CGI Generic Remote File Inclusion Vulnerability (CGI abuses)
- CGI Generic Tests HTTP Errors (CGI abuses)
- CGI Generic SSI Injection Vulnerability (CGI abuses)
- CGI Generic Format String Vulnerability (CGI abuses)
- CGI Generic Local File Inclusion Vulnerability (CGI abuses)
- CGI Generic SSI Injection Vulnerability (HTTP headers) (CGI abuses)
- CGI Generic SQL Injection (blind) (CGI abuses)
- CGI Generic Persistent Cross-Site Scripting Vulnerability (CGI abuses: XSS)
- CGI Generic SQL Injection Vulnerability (HTTP Cookies) (CGI abuses)
- CGI Generic SQL Injection Vulnerability (HTTP Headers) (CGI abuses)
- CGI Generic SQL Injection Vulnerability (2nd pass) (CGI abuses)
- CGI Generic Local File Inclusion Vulnerability (2nd pass) (CGI abuses)
- CGI Generic SQL Injection (blind, time based) (CGI abuses)
- CGI Generic Unseen Parameters Discovery (CGI abuses)
- CGI Generic Cookie Injection Scripting (CGI abuses)
- Web Application SQL Backend Identification (CGI abuses)
- CGI Generic Command Execution Vulnerability (time based) (CGI abuses)
- CGI Generic Cross Site Scripting (HTTP Headers) (CGI abuses: XSS)
- CGI Generic Path Traversal Vulnerability (write test) (CGI abuses)
- CGI Generic Path Traversal Vulnerability (extended test) (CGI abuses)
- CGI Generic XML Injection (CGI abuses)
- CGI Generic Injectable Parameter Weakness (CGI abuses)
- CGI Generic Cross-Site Scripting Vulnerability (extended test) (CGI abuses: XSS)
- CGI Generic On Site Request Forgery Vulnerability (CGI abuses)
- CGI Generic Redirection Vulnerability (CGI abuses)
- CGI Generic 2nd Order SQL Injection Detection (potential) (CGI abuses)
- CGI Generic SQL Injection Detection (potential, 2nd order, 2nd pass) (CGI abuses)
- CGI Generic HTML Injections (quick test) (CGI abuses: XSS)
- Web Application Session Cookies Not Marked Secure (Web Servers)
- CGI Generic Fragile Parameters Detection (Potential) (CGI abuses)
- CGI Generic Path Traversal (quick test) (CGI abuses)

The screen capture below is the Web Application Tests Settings input page:

Plugin 39471: Web Application Tests Settings

Table 36 Web Application Tests Settings

Enable web applications tests: This check box enables web application tests and causes the settings below to be evaluated during the test.
Maximum run time (min): This option manages the amount of time in minutes spent per NASL script performing web application tests. These NASL scripts are listed above. At the time of this writing, there are 25 web application test NASLs. The run time of each script varies widely; however, the following generic formula applies to the Maximum_run_time: scan_time = (num_scripts/max_checks)*maximum_run_time. For example: (25/5) * 60 = 300 minutes. This option defaults to 60 minutes and applies to all ports and CGIs for a given web site.
Try all HTTP methods: By default, the Nessus web application tests will only use GET requests, unless this option is enabled. Generally, more complex applications use the POST method when a user submits data to the application. This setting provides more thorough testing, but may considerably increase the time required. When selected, Nessus will test each script/variable with both GET and POST requests.
Combinations of arguments values: This option manages the combination of argument values used in the HTTP requests. This drop-down has five options:
    one value: This tests one parameter at a time with an attack string, without trying non-attack variations for additional parameters. For example, Nessus would attempt /test.php?arg1=xss&b=1&c=1 where b and c allow other values, without testing each combination. This is the quickest method of testing with the smallest result set generated.
    some pairs: Like all pairs testing, this will try to test a representative data set based on the All-pairs method. However, for each parameter discovered, Nessus will only test using a maximum of three valid input variables.
    all pairs (slower but efficient): This form of testing is slightly slower but more efficient than the one value test. While testing multiple parameters, it will test an attack string, variations for a single variable and then use the first value for all other variables. For example, Nessus would attempt /test.php?a=xss&b=1&c=1&d=1 and then cycle through the variables so that one is given the attack string, one is cycled through all possible values (as discovered during the mirror process) and any other variables are given the first value. In this case, Nessus would never test for /test.php?a=xss&b=3&c=3&d=3 when the first value of each variable is 1.
    some combinations: Like all combinations testing, this will perform tests using a combination of attack strings and valid input. However, for each parameter discovered, Nessus will only test using a maximum of three valid input variables.
    all combinations (extremely slow): This method of testing will do a fully exhaustive test of all possible combinations of attack strings with valid input to variables. Where All-pairs testing seeks to create a smaller data set as a tradeoff for speed, all combinations makes no compromise on time and uses a complete data set of tests. This testing method may take a long time to complete.
HTTP Parameter Pollution: When performing web application tests, attempt to bypass any filtering mechanisms by injecting content into a variable while supplying the same variable with valid content as well. For example, a normal SQL injection test may look like /target.cgi?a='&b=2. With HTTP Parameter Pollution (HPP) enabled, the request may look like /target.cgi?a='&a=1&b=2.
Stop at first flaw: This option determines when a new flaw is targeted. The drop-down has four options:
    per CGI (default): As soon as a flaw is found on a CGI by a script, Nessus switches to the next known CGI on the same server, or if there is no other CGI, to the next port/server.
    per port (quicker): As soon as a flaw is found on a web server by a script, Nessus stops and switches to another web server on a different port. This applies at the script level; finding an XSS flaw will not disable searching for SQL injection or header injection, but you will have at most one report for each type on a given port.
    per parameter (slow): As soon as one flaw is found in a parameter of a CGI, Nessus stops and switches to the next parameter of the same script.
    look for all flaws (slower): Perform extensive tests regardless of flaws found. This option can take a long time and is not recommended in most cases.
Test embedded web servers: Embedded web servers are often static and contain no customizable CGI scripts. In addition, embedded web servers may be prone to crash or become non-responsive when scanned. Tenable recommends scanning embedded web servers separately from other web servers using this option.
URL for Remote File Inclusion: During Remote File Inclusion (RFI) testing, this option specifies a file on a remote host to use for tests. By default, Nessus will use a safe file hosted on Tenable's web server for RFI testing. If the scanner cannot reach the Internet, using an internally hosted file is recommended for more accurate RFI testing.

Web mirroring (plugin 10662) sets configuration parameters for Nessus' native web server content mirroring utility. Nessus will mirror web content to better analyze the contents for vulnerabilities and help minimize the impact on the server.

Plugin Web mirroring

Table 37 Web Mirroring Settings

Number of pages to mirror: The maximum number of pages to mirror.
Maximum depth: Limit the number of links Nessus will follow for each start page.
Start page: The URL of the first page that will be tested. If multiple pages are required, use a colon delimiter to separate them (e.g., /:/php4:/base).
Excluded items regex: Enable exclusion of portions of the web site from being crawled. For example, to exclude the /manual directory and all Perl CGI, set this field to: (^/manual) (\.pl(\?.*)?$). Note that in the example above, the period (.) in front of pl is escaped with a backslash so that it is interpreted as a literal period rather than as a regex metacharacter.
Follow dynamic pages: If this checkbox is selected, Nessus will follow dynamic links and may exceed the other Web mirroring parameters.

When all of the options have been configured as desired, click Submit to save the policy and return to the Policies tab. At any time, you can click Edit to make changes to a policy you have already created or click on Delete to remove a policy completely.

Post Scan

These options determine what will occur immediately after the scan has completed. The table below describes the post scan options available to users:

Table 38 - Post Scan Options

Post Scan
Send an email to me when the scan is launched: This option generates an email to the user launching the scan as soon as the scan is launched.
Send an email to me when the scan is finished: This option generates an email to the user launching the scan after the scan has completed.

Post Scan Processing
Remove vulnerabilities from scanned hosts that have been inactive for: This option removes vulnerabilities from the scanned host that have been inactive for the specified period. Use the drop-down to select the time frame ranging from Now to 360 days. This option is useful in cases where hosts may have been removed from the network and should not appear on the vulnerability report.
Track computers which have been re-issued IP addresses: This option uses the DNS name, NetBIOS name, and MAC address (if known), in that order, of the computer to track it when the IP address of the computer may have changed. Once a match has been made, SecurityCenter will not search further for matches. For example, if a DNS name is not matched, but a NetBIOS name is, the MAC address will not be checked. Networks using DHCP require that this option be set to properly track hosts.
Scanning Virtual Hosts: This option treats new DNS entries for an IP address as a virtual host as opposed to a DNS name update. When selected, this option will result in two DNS name/IP address entries in the IP Summary analysis tool if a new DNS name is found for an IP address. If this option is not selected and a new DNS name is found for an IP address, vulnerability data for the two DNS names will be merged into the single IP address entry in the IP Summary analysis tool.

Scan Recovery
Scan Timeout Action: Provides a drop-down selection of three options in the event a scan is not completed. Import Results With Rollover is the default option, and will import the results from the scan into the database and create a rollover scan that may be launched at a later time to complete the scan. Import Current Results will import the results of the current scan and discard the information for the unscanned hosts. Discard will not import any of the results obtained by the scan to the database.
Rollover Option: When the Scan Timeout Action is set to Import Results With Rollover, this option determines through a drop-down menu how to handle the rollover scan. The rollover scan may be created as a template to launch manually or scheduled at a specific time. The second option is to configure the rollover scan to launch the next day at the same start time as the just completed scan.

Auto-Run Reports
Auto-Run Reports: This field provides a list of report templates available to the user. Selecting the checkbox next to one or more reports will launch that report once the scan has completed. Additionally, the report generated may be based on the current scan's results or the results in the Cumulative database. In a case where report results are desired based on both the current scan and the cumulative database, simply make a copy of the report from the reports page, and select both reports and the appropriate desired results.

Scan Progress

On the Scans page, selecting a scan while in progress will allow the Detail button to be selected. The Detailed Scan Progress screen is then displayed, allowing the scan progress to be monitored as it occurs. The available information is the name of the scan, the status, the scan progress bar, and the scanner summary. The completed hosts are colored in green and the hosts currently being scanned are colored in blue. The Scan Progress bar shows the number of hosts completed, in progress, and yet to be scanned in grey. The scanner summary lists the Nessus scanners being used in the scan and the number of completed and in-progress hosts. The boxes are dynamically sized and, when there are too many hosts scanned/being scanned, will display an appropriate message.

Scan Results

Clicking on Scan Results under the Scanning tab displays the status of completed scans. Results are displayed in a list view with the ability to drill down into individual scan details. An example screen capture of this page is shown below:

Scan Results Listing
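The two Post Scan Processing options described above, Track computers which have been re-issued IP addresses and Scanning Virtual Hosts, are easier to reason about as code, so here is an added Python model of the behaviour the table describes. This is example code for this guide, not SecurityCenter's implementation; the host records and the IP Summary structure are this example's own, constructed data.

```python
from typing import Dict, List, Optional, Set, Tuple

HostRecord = Dict[str, Optional[str]]

# Constructed sample of hosts already tracked in the repository (not real data).
KNOWN_HOSTS: List[HostRecord] = [
    {"ip": "10.0.0.5",  "dns": "ws01.corp.example", "netbios": "WS01", "mac": "00:11:22:33:44:55"},
    {"ip": "10.0.0.9",  "dns": None,                "netbios": "WS02", "mac": "00:11:22:33:44:66"},
    {"ip": "10.0.0.12", "dns": "db01.corp.example", "netbios": None,   "mac": "00:11:22:33:44:77"},
]

# Identifiers are compared in the order the guide gives: DNS name, NetBIOS name, MAC address.
TRACK_ORDER = ("dns", "netbios", "mac")


def find_tracked_host(known: List[HostRecord], scanned: HostRecord) -> Tuple[Optional[int], Optional[str]]:
    """Return (index of the matching known host, identifier that matched) or (None, None).

    The search stops at the first identifier that matches, so a NetBIOS match is never
    re-checked against the MAC address even when the MAC differs (as the guide states)."""
    for key in TRACK_ORDER:
        value = scanned.get(key)
        if not value:
            continue  # this identifier is unknown for the scan result, try the next one
        for idx, rec in enumerate(known):
            if rec.get(key) and rec[key].lower() == value.lower():
                return idx, key
    return None, None


def record_scan_result(summary: List[dict], ip: str, dns: str, vulns: Set[str],
                       scanning_virtual_hosts: bool) -> None:
    """Model of the IP Summary update when a DNS name is found for an IP address.

    With Scanning Virtual Hosts on, a new name for a known IP becomes a second entry;
    with it off, the name is treated as an update and the vulnerability data is merged."""
    same_ip = [entry for entry in summary if entry["ip"] == ip]
    for entry in same_ip:
        if entry["dns"] == dns:
            entry["vulns"] |= vulns       # same IP and same name: plain merge
            return
    if same_ip and not scanning_virtual_hosts:
        entry = same_ip[0]
        entry["dns"] = dns                # DNS name update on the single IP entry
        entry["vulns"] |= vulns
        return
    summary.append({"ip": ip, "dns": dns, "vulns": set(vulns)})   # new host or virtual host


if __name__ == "__main__":
    # Constructed scan result: same NetBIOS name as WS02 but a new IP and a different MAC.
    moved = {"ip": "10.0.0.50", "dns": None, "netbios": "ws02", "mac": "aa:aa:aa:aa:aa:aa"}
    print(find_tracked_host(KNOWN_HOSTS, moved))   # (1, 'netbios'): the MAC is never consulted
    ip_summary: List[dict] = []
    record_scan_result(ip_summary, "10.0.0.5", "ws01.corp.example", {"plugin-a"}, scanning_virtual_hosts=True)
    record_scan_result(ip_summary, "10.0.0.5", "www.corp.example", {"plugin-b"}, scanning_virtual_hosts=True)
    print(len(ip_summary), "entries for 10.0.0.5 with virtual hosts enabled")
```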

Filters are available at the top of the screen to allow the user to view only desired scan results. Filter parameters include the Name, Owner, Status, and Finish Time. To return to the original scan result view, click on the Reset button to the right of the filter options.

The results of individual scans are viewable by double-clicking on the desired scan or highlighting the scan and using the Browse button. This option displays a subset of the Analysis vulnerability data covered by the selected scan.

In addition, Nessus scans performed from other systems can be uploaded to SecurityCenter using the Upload Nessus Results command button. The scan results can be either raw .nessus or compressed (.zip) with one .nessus file per archive before uploading. This allows for scan results from scans run in remote locations without network connectivity to be imported into SecurityCenter. If uploads greater than 300MB are required, upload_max_filesize in /opt/sc4/support/etc/php.ini must be modified to accommodate the larger uploads. Nessus v2 scan results with hostnames have the hostname converted during import and display both the IP address and hostname. IPv6 addresses are only contained in Nessus v2 files.

The Download button may be used to download the results of the selected scan. On a standard scan, a Nessus results file may be downloaded. If the scan contains SCAP results, there is an additional option to download the SCAP results.

The Import button is used for manually importing scans that are listed in the scan results screen. This is useful for cases where a scan may not have fully imported after it completed. For example, if a scan was blocked because it would have exceeded the licensed IP count, after increasing the IP count the Import option could be used to import the scan results previously not imported.

Selecting the Report button will allow an on-demand report to be created based on the results of the selected scan. After selecting a scan result from the list and clicking the button, a window opens with a report template selection box and a space for a report name and description. This will launch a report to be run immediately. The report progress may be seen in the Reports screen, and the completed result may be obtained from the Report Results screen when completed.

Scan result details are available using the Detail button or by right-clicking on the scan and selecting Detail Scan Result. For example, if a scan fails and more information is required, click on the details to find a more complete summary of the root cause.

Finally, scans may be removed from SecurityCenter using the Delete button. For more information about navigating this interface, refer to the Analysis Tools section of this document.

Blackout Windows

Currently running scans are stopped at the beginning of the blackout window period. The blackout window in SecurityCenter specifies a timeframe during which new scans are prohibited from launching. This prevents remediation or ad-hoc scans from being performed during timeframes when they are not desired, such as production hours.

(Screen capture: Add Blackout Window)

During a blackout window, the Scans window indicates the active window in red in the upper left-hand corner, and no new scans can be run during this time:

(Screen capture: Active Blackout Window)

To see all available blackout windows and their current status, click the Blackout Window box; a dialog similar to the one below is displayed:

(Screen capture: Blackout Window Schedule)

Alternatively, click Scans and then Blackout Windows to see the current status of, or manage, existing blackout windows. When the system is no longer in a blackout window condition, the box changes back to indicate the inactive state:

(Screen capture: Inactive Blackout Window)

Blackout windows are organizational and affect all scans in the creating user's Organization. Only users with the Manage Blackout Windows permission can add blackout windows. To create a blackout window, click Scanning, then Blackout Windows, and then Add.

(Screen capture: Add Blackout Window)

Next, enter the desired name and description. Make sure Enabled is checked, enter the desired schedule and blackout time range, and then click Submit. The next time that date/time window occurs, no new scans will be permitted.

To disable a blackout window without removing it, click Edit to modify the desired window and deselect Enabled. Click Submit to apply the changes. These blackout windows show a state of Disabled in the blackout window list. Click Detail to see the details of an existing blackout window, and click Delete to remove any blackout windows that are no longer required for the Organization.

Reporting

Tenable provides flexible and simplified reporting through an assortment of report templates and a user-friendly report creation interface. Quick reporting options are also available while browsing data by clicking the More option in the upper right-hand corner of the screen and selecting Create Report. Supported report types include the PDF, RTF, and CSV standards for a high level of compatibility and ease of use. For specialized needs, DISA ASR, DISA ARF, and CyberScope reporting options are also available. These specialized report types are enabled or disabled by an admin user of the SecurityCenter.

Reports can be scheduled and, on completion, automatically emailed, shared with one or more specified SecurityCenter users, and/or published to one or more publishing sites. Reports can be copied and reused as required. When configuring a scan, an existing report template can also be set to run on completion.

Reports

To see a list of available reports, click Reporting and then Reports.

(Screen capture: Reports Listing)

When creating a new report, the first step is to click the Add button. A window opens listing the high-level categories of report templates available from the SecurityCenter feed. Each category is shown with a name and description and the number of templates it contains. From the Add Report screen, the templates may be searched by keyword in the Search Template field across all categories, or browsed by clicking a high-level category name. Selecting a category such as Monitoring displays the report templates in it together with the tags each template belongs to. Selecting a tag narrows the list of templates, and the list of tags, to those applicable to the prior selection; the remaining tags become a lighter shade of blue. At any point in the search, the Search Templates text entry may be used to filter on keywords. Selecting a report template displays information about the report and a selectable list of chapters that may be disabled before adding the template.

Once a report template is added to the list of reports, it may be modified from the Edit Report screen to customize the report. The reports are created as a template report and may be scheduled as desired.

If an existing template does not satisfy the need, a custom report may be created. From the initial Add Report screen, select Create Custom Report at the bottom. The screen captures below show each page of the Create Custom Report dialog:

(Screen capture: Reports General Tab)

(Screen capture: Reports Definition Tab)

(Screen capture: Reports Schedule Tab)

These tabs allow the user to configure, define, and schedule custom vulnerability and event reports. The tables below describe the available reporting options.

Table 39 Report Options

General

Name: Name assigned to the report.
Description: Descriptive text for the report.
Type: PDF, RTF, and CSV are the most commonly used formats. DISA ASR, DISA ARF, and CyberScope are specialized report types that are enabled or disabled by an admin user of the SecurityCenter. The available options depend on the report type chosen; many of the options listed below are available only for PDF reports.
Report Style (PDF, RTF): Report paper type and orientation. The available styles are selected from the drop-down shown in the image below and affect the report's printability.

(Screen capture: Report Styles Drop-down)

If a Classification Type banner has been set by the SecurityCenter administrator, only the Plain report styles are listed.

Report Schedule: Determines how often the report will be run. Options are Template, Now, Once, Daily, Weekly, or Monthly (by Day or by Date). The schedule may be altered by editing the report.

Include Cover Page (PDF and RTF): Include a cover page in the report. A sample cover page is displayed below:

(Screen capture: Sample Vulnerability Report Cover Page)

Cover Logo (PDF only): Choose the logo to display on the cover page (lower right-hand corner).
Include Header (PDF only): Include a predefined header in the report.
Include Footer (PDF only): Include a predefined footer in the report.
Footer Logo (PDF only): Choose the logo to display on the cover page (lower center).
Watermark (PDF only): Add a Confidential or other custom uploaded watermark to each page of the report.

Include Table of Contents (PDF and RTF): Include a table of contents with the report.
Include Index (PDF and RTF): Include an index with the report.
Encrypt PDF (PDF only): Protect the PDF with a password. This password must be used to open the report and view its contents.
Operational Attribute Set (DISA ARF or CyberScope): A drop-down list of the available predefined operational attribute sets for adding required information to DISA ARF or CyberScope report types. Only the attribute sets defined for the chosen report type are displayed in the drop-down.
ASR Content (DISA ASR only): When creating a report, this drop-down offers a selection of Benchmark, IAVM, CVE, or Plugin ID content to be included.
ASR Record Format (DISA ASR only): Determines the format (Summary or Detail) of the DISA ASR report.
Include ARF (DISA ASR only): When enabled, allows a DISA ARF attribute set to be included in the report.
Benchmarks: Benchmarks are generated after a scan using certain audit files that have been successfully run against at least one target system.

Definition

To determine what data will show up in your report, browse to the desired data view using the Analysis Tool and locate the desired data set. Save the data set as a query, then select the query as the data source for your report element (chart, table, etc.). The definition appears differently for different report types. CSV reports offer a drop-down to define a data type of Vulnerability, Event, Alert, Ticket, or User, and the ability to define an appropriate filter set or to use a predefined query; a selection to define the columns and the number of results to appear in the report is then available. DISA ARF, DISA ASR, and CyberScope reports offer a Vulnerability data filter or predefined Query selection from which the report may be defined.
When PDF and RTF reports are selected, this section allows the user to define report elements such as charts, tables, and chapters along with their underlying data sources. Each element described below can be used more than once to create multi-function reports with great flexibility. A sample definition section for PDF and RTF reports is displayed below:

(Screen capture: Sample Report Definition)

Chapter (PDF and RTF): Click the chapter button to add a chapter element to the report. A chapter is used to group elements by arbitrary characteristics such as compliance benchmark, repository, plugin type, etc. The chapter-level filter is only a means of specifying a default query that is used to populate any new elements added to the report when building the report initially. It is not saved and is not intended to be used to make global changes to its sub-elements.

Template (PDF and RTF): Templates provide predefined report configurations based on known standards and are a good way to become familiar with SecurityCenter reporting. Click the template button to add a predefined template to the report. More than one template can be used in each report. The screen capture below shows the initial category view of the available templates.

(Screen capture: Report Template Listing)

The templates provide reports based on SANS CAG, PCI DSS, CIS, FISMA, OWASP, HIPAA, and generic security best practices. A detailed description of the report source and parameters is displayed when a particular template is selected. Once a template has been added to the report, its objects may be edited for the particular data desired by using a variety of filters.

Group (PDF and RTF): Click the group button to add a group element to the report. Grouping attempts to keep associated elements on the same page but does not affect the content of the report.

Section (PDF and RTF): Click to add a section and section title to the report.

Iterator (PDF and RTF): Click to add an iterator to the report. Iterators are grouping elements that determine the field a report is grouped by. For example, if an Iterator Type of Port is chosen for a vulnerability report, the report displays the vulnerability data grouped by detected port. To use an iterator, click the iterator button; when adding elements to the report, the iterator may be selected as the location for the element. An example of medium vulnerabilities using the port iterator is shown below:

(Screen capture: Iterator Example Output)

Notice that the count is of medium vulnerabilities (the filtered field) grouped by TCP port (the iterator). In the example below, the same vulnerability filter is chosen with an iterator of IP Address, using an IPv6 address. This groups vulnerabilities by IP address.

(Screen capture: IP Iterator)

If an iterator is not selected, the hosts and vulnerabilities are listed in the report individually.

Table (PDF and RTF): Click to add a table element to the report (maximum results displayed: 999).

(Screen capture: Report Table Add Dialog)

The underlying data set has a big effect on the report display. The default view for most reports is host-centric, and SecurityCenter also offers a vulnerability-centric report (a listing of vulnerabilities with all associated hosts).

(Screen capture: Sample Vulnerability-Centric Report)

To select this view, perform the following steps:

1. From within the Add Table dialog, choose Edit Filters.
2. Click the Analysis Tool drop-down to view all available analysis tools.
3. Select Vulnerability Summary IP List or Vulnerability Summary IP Detail.

The Vulnerability Summary IP List report provides a listing of all vulnerabilities that meet the filter parameters along with the IP addresses of the hosts affected by each vulnerability. The Vulnerability Summary IP Detail view has the same information along with details about each host, including the MAC address and host DNS name.

Paragraph (PDF and RTF): Click to add a paragraph element to the report. A paragraph is simply descriptive text that can be inserted anywhere in the report. Use this option to describe table elements or report output for the viewer.

Matrix (PDF and RTF): Click to add a matrix chart to the report. Matrix charts offer a variety of useful methods to display data in a chart layout within a report.

Pie Chart (PDF and RTF): Click to add a pie chart element to the report. A sample pie chart is displayed below:

(Screen capture: Sample Report Pie Chart)

Bar Chart (PDF and RTF): Click to add a bar chart element to the report. A sample bar chart is displayed below:

(Screen capture: Sample Report Bar Chart)

Area Chart (PDF and RTF): Click to add an area chart element to the report. A sample area chart is displayed below:

(Screen capture: Sample Report Area Chart)

Area charts are defined by time (x-axis) and series data (y-axis). When selecting the time, the available options are Relative time and Absolute time. One or more series data elements can be chosen and displayed as a stacked view for easy comparison.

Line Chart (PDF and RTF): Click to add a line chart element to the report. A sample line chart is displayed below:

(Screen capture: Sample Report Line Chart)

Line charts are defined by time (x-axis) and series data (y-axis). When selecting the time, the available options are Relative time and Absolute time. One or more series data elements can be chosen and displayed as discrete lines for easy comparison.

Distribution on Completion: When a report has run, an email is sent to the selected users (those with a defined email address) and to any additionally specified email addresses.
Share on Completion: When a report has run, the completed report is shared in SecurityCenter with other users within the Organization. This is useful if emailing potentially sensitive data is prohibited by organizational policy.
Publish on Completion: Upon completion, the report may be uploaded to one or more defined publishing sites selected from the list.

Report Results

Note: Either the Oracle Java JRE or OpenJDK, along with their accompanying dependencies, must be installed on the system hosting SecurityCenter for PDF reporting to function.

Clicking Report Results opens a view of the status of running or completed reports. Results are displayed in a list view with the ability to drill down into individual report details. An example screen capture of this page is shown below:

(Screen capture: Report Results Listing)

Filters are available at the top of the screen to allow the user to view only the desired report results. Filter parameters include Name, User, Status, and Finish Time. The User filter allows you to view reports owned by your user, shared with your user, or owned by any users managed by your user. Status allows you to view any or only completed reports, and Finish Time allows you to filter reports by finish time (today, last seven days, last 30 days, or a specific month). To return to the original report result view, click the Reset button to the right of the filter options.

The results of individual reports are obtained by highlighting the report and clicking the Download button. The report is downloaded as a PDF, RTF, CSV, DISA ARF, DISA ASR, or CyberScope file, as it was originally created. The Share button allows sharing a selected report with other users in the SecurityCenter Organization, or sharing the report via email by entering the individual email address(es). The Send button allows you to send a completed report to a defined publishing site. Basic report parameters are available using the Details button. Finally, reports may be removed from SecurityCenter using the Delete button.

Report Images

(Screen capture: Report Images Listing)

Note: Image files must be of type .png or .jpg. Images used must be consistent in bit depth (8-bit, 16-bit, 24-bit, etc.); otherwise, errors may be encountered when generating reports.

The Report Images interface allows a user with the appropriate permissions to add, edit, or delete PDF report images. Two types of images are managed from this interface: logos and watermarks. Logos are displayed at the bottom of each page, while watermarks are displayed prominently across the center of the page.

Table 40 Report Image Options

Add: Add a new logo or watermark image. Only PNG and JPEG formats are supported. The default image sizes, all at 300 DPI, are: cover page logo 1287x347; footer logo 458x123; watermark 887x610. While there are no set limits on image size or resolution, using images that differ from these specifications can have a negative impact on report appearance.
Edit: Edit any of the selected image's fields, including name, description, type, and file.
Detail: View image details, including name, description, date uploaded, last modified, and type.
Delete: Delete the highlighted image.

Report Import and Export

SecurityCenter supports importing and exporting report definitions via the SecurityCenter web interface. Buttons for both options are found under the Reporting -> Reports tab. Clicking Import Report displays the following dialog box:

(Screen capture: Import Report dialog)

The Import Report button allows users to import a report definition exported from another SecurityCenter. This is useful for Organizations running multiple SecurityCenters, providing consistent reports without duplicating the work needed to create the definitions. Clicking Export brings up the following dialog box:

(Screen capture: Export Report dialog)

The Export button allows users to export a report definition for use by other SecurityCenter users in other Organizations. This allows one user to create a report and other users to import it, for consistency in reporting across their Organization.

Support

SecurityCenter support objects (assets, audit files, credentials, queries, and scan policies) are defined from the Support tab on the dashboard. This section provides details on configuring these objects.

Assets

This option lists the available asset lists along with their defined parameters and attributes. Asset lists are dynamically or statically generated lists of assets within the Organization and can be shared with one or more users based on local security policy requirements. Assets can be defined as a grouping of devices (laptops, servers, tablets, phones, etc.) that are grouped together using common search terms within SecurityCenter. A network that assigns a department's laptops to a defined IP range can create a static asset list from that block of IP addresses. A dynamic asset list can be created based on Plugin ID 21642, Session Initiation Protocol Detection, and Plugin ID 6291, SIP Server Detection; any device with a positive result for these IDs is added to the asset list automatically.

SecurityCenter also uses an asset list type known as a Watchlist. A watchlist is an asset list, intended only for events, that is used to maintain lists of IPs outside the user's managed range of IP addresses. This is beneficial when analyzing event activity originating from outside the user's managed range.
For example, if a block of IP addresses is a known source of malicious activity, it can be added to a watchlist called "malicious IPs" and referenced in a custom query.

Dynamic Asset Discovery

SecurityCenter has the ability to parse the results of Nessus, PVS, or event data to build dynamic lists of assets. For example, a dynamic rule can be created that generates a list of IP addresses that each have ports 25 and 80 open. These rules can be very sophisticated and take into account addressing, open ports, specific vulnerability IDs, and discovered vulnerability content. SecurityCenter ships with a number of example rule templates, and new rules are generated easily with a web-based wizard.

(Screen capture: Example Dynamic Asset Configuration)

Dynamic asset lists take advantage of the flexible grouping of condition statements to obtain lists of systems on the network that meet those conditions. For example, in the asset above we are looking for Linux systems (operating system contains the pattern "inux") listening on TCP port 80 where the number of days since the system was last observed is greater than 7.

Adding Assets

There are two methods for adding asset lists: selecting from Tenable-provided templates or creating a Custom Asset. Tenable assets are updated via the SecurityCenter feed. They can be found using the text search field on the Add Asset page or by selecting a major category and choosing from the list presented. Once a list of asset templates is displayed, it may be narrowed by refining the original text query or by selecting category tags. Clicking the title of an asset list displays the criteria used to build it. Once added to the list of assets, the entry may be edited to refine the criteria for particular requirements.
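To make the semantics of a dynamic rule concrete, here is a small evaluator for rules built from the fields and operators that Table 42 below lists, applied to the example dynamic asset configuration above (Linux systems listening on TCP port 80 not observed for more than 7 days). This is an added example written for this page, not SecurityCenter code: the host records are a constructed, simplified stand-in for the per-host data SecurityCenter assembles from Nessus, PVS and event feeds, the rule encoding (nested "all"/"any" with a "where_plugin_id" qualifier) is an assumption, and TODAY is an assumed "now" so the results are fixed. It goes beyond the single rule in the text by also showing the regex, severity-rank and "where Plugin ID is" operators.

```python
"""Evaluator for dynamic asset rules built from the Table 42 fields and operators.

Added example, not SecurityCenter code. SAMPLE_HOSTS is a constructed,
simplified stand-in for the per-host data SecurityCenter assembles from
Nessus, PVS and event feeds; the field and operator names are those of
Table 42, and LINUX_WEB_STALE is the rule from the Example Dynamic Asset
Configuration above. TODAY is an assumed "now" so the results are fixed.
"""
import re
from datetime import date

SEVERITY = ["info", "low", "medium", "high", "critical"]  # rank order for < and >
TODAY = date(2014, 9, 2)


def _finding(plugin_id, proto, port, severity, text):
    return {"plugin_id": plugin_id, "protocol": proto, "port": port, "severity": severity, "text": text}


SAMPLE_HOSTS = [  # constructed sample data
    {"address": "10.0.1.20", "dns": "web01.example.test", "mac": "00:50:56:aa:01:20",
     "os": "Linux Kernel 2.6 on CentOS 6", "first_seen": date(2014, 1, 15), "last_seen": date(2014, 8, 20),
     "findings": [_finding(10107, "tcp", 80, "info", "Apache/2.2.15"), _finding(22964, "tcp", 22, "info", "ssh")]},
    {"address": "10.0.1.21", "dns": "web02.example.test", "mac": "00:50:56:aa:01:21",
     "os": "Linux Kernel 3.10 on CentOS 7", "first_seen": date(2014, 8, 30), "last_seen": date(2014, 9, 1),
     "findings": [_finding(10107, "tcp", 80, "info", "nginx/1.6.1")]},
    {"address": "10.0.1.30", "dns": "win01.example.test", "mac": "00:50:56:aa:01:30",
     "os": "Microsoft Windows Server 2008 R2", "first_seen": date(2014, 2, 1), "last_seen": date(2014, 8, 1),
     "findings": [_finding(10107, "tcp", 80, "info", "Microsoft-IIS/7.5"),
                  _finding(40001, "tcp", 445, "high", "SMB signing is not required")]},
]

# The rule from the example configuration above, plus three more for the other operators.
LINUX_WEB_STALE = {"all": [
    {"field": "Operating System", "op": "contains the pattern", "value": "inux"},
    {"field": "TCP Port", "op": "is equal to", "value": 80},
    {"field": "Days Since Observation", "op": "is greater than", "value": 7},
]}
OLD_APACHE = {"field": "Plugin Text", "op": "regex", "value": "/^Apache\\/2\\.2\\./", "where_plugin_id": 10107}
HIGH_OR_WORSE = {"field": "Severity", "op": "is greater than", "value": "medium"}
NEW_OR_WINDOWS = {"any": [
    {"field": "Days Since Discovery", "op": "is less than", "value": 7},
    {"field": "Operating System", "op": "regex", "value": "/Windows/"},
]}


def _compare(op, actual, expected):
    """One Table 42 operator; regex values are written /pattern/ exactly as in the UI."""
    if op == "is equal to":
        return actual == expected
    if op == "not equal to":
        return actual != expected
    if op == "is less than":
        return actual < expected
    if op == "is greater than":
        return actual > expected
    if op == "contains the pattern":
        return str(expected) in str(actual)
    if op == "regex":
        m = re.fullmatch(r"/(.*)/", expected)
        if not m:
            raise ValueError("regex value must be written /pattern/")
        return re.search(m.group(1), str(actual)) is not None
    raise ValueError(f"unknown operator {op!r}")


def _values(host, findings, field, today):
    """Values the field takes for this host; per-finding fields may yield several."""
    if field == "Operating System":
        return [host["os"]]
    if field in ("Address", "DNS", "MAC"):
        return [host[field.lower()]]
    if field == "Days Since Observation":
        return [(today - host["last_seen"]).days]
    if field == "Days Since Discovery":
        return [(today - host["first_seen"]).days]
    if field in ("Port", "TCP Port", "UDP Port"):
        proto = {"TCP Port": "tcp", "UDP Port": "udp"}.get(field)
        return [f["port"] for f in findings if proto in (None, f["protocol"])]
    if field == "Plugin ID":
        return [f["plugin_id"] for f in findings]
    if field == "Plugin Text":
        return [f["text"] for f in findings]
    if field == "Severity":
        return [SEVERITY.index(f["severity"]) for f in findings]
    raise ValueError(f"unknown field {field!r}")


def evaluate(rule, host, today=TODAY):
    """'all' is AND, 'any' is OR, a leaf is one condition; a leaf holds if any value matches."""
    if "all" in rule:
        return all(evaluate(r, host, today) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, host, today) for r in rule["any"])
    findings = host["findings"]
    if "where_plugin_id" in rule:  # the "where Plugin ID is" qualifier
        findings = [f for f in findings if f["plugin_id"] == rule["where_plugin_id"]]
    expected = rule["value"]
    if rule["field"] == "Severity":
        expected = SEVERITY.index(expected)  # compare by rank: info < low < ... < critical
    return any(_compare(rule["op"], v, expected) for v in _values(host, findings, rule["field"], today))


def build_asset_list(rule, hosts=SAMPLE_HOSTS, today=TODAY):
    """The addresses a dynamic asset list would contain for this rule."""
    return sorted(h["address"] for h in hosts if evaluate(rule, h, today))


if __name__ == "__main__":
    for name, rule in [("LINUX_WEB_STALE", LINUX_WEB_STALE), ("OLD_APACHE", OLD_APACHE),
                       ("HIGH_OR_WORSE", HIGH_OR_WORSE), ("NEW_OR_WINDOWS", NEW_OR_WINDOWS)]:
        print(name, build_asset_list(rule))
```

Two points carry over to the real wizard: a per-finding condition (port, plugin text, severity) is satisfied if any one finding on the host matches, which is why "where Plugin ID is" exists to pin a text or severity test to one plugin's output; and the Days Since Observation condition depends on when the list is evaluated, so a stale-host rule drifts between evaluations unless a fresh scan refreshes last_seen.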

The table below outlines the available fields for adding a Custom Asset List. The Visibility, Name, Group, and Description fields have the same meaning for every asset list type.

Table 41 Asset List Fields

Static/Watchlist Asset List

Visibility: User or Organizational. If User is specified, only the current user has access to the saved asset list; otherwise, all users within the Organization have access to it.
Name: The asset list name.
Group: A logical grouping for created asset objects. Group names can be reused as desired, which reduces lengthy lists of asset lists with no logical grouping. Objects shared with new users retain the group specified by the creator. For example, if the Organization Head creates an Organizational asset and assigns it to the DMZ group, all users will then have a DMZ group containing that Organizational asset. Asset group names are entered by selecting the text field and typing a new group name, or by selecting from the drop-down menu of previously used group names.
Description: Descriptive text for the asset list.

Addresses: IP addresses to include within the asset list (20K character limit). One address, CIDR block, or range may be entered per line. The Expand link opens a window in which octets in a range can be entered and expanded for use in the Addresses field; the list may then be copied to the clipboard for pasting into the field.
Assets: A listing of the currently configured asset lists, from which a new asset list may be created. One or more asset lists may be selected.
Merging Addresses and Assets: It may be desirable to create an asset list from some combination of an existing asset list and a new selection of addresses. The available options are:
    Union: Combines the Addresses and the selected Asset lists, discarding duplicates.
    Intersection: Removes Addresses that are not present in the selected Asset list(s).
    Difference: Combines the Addresses and the selected Asset lists, then removes the addresses common to both.
    Complement: Removes Addresses that are in the selected Asset list(s).

Static/Watchlist Upload

Visibility, Name, Group, Description: As for Static/Watchlist Asset List above.

File: File that contains the IP address(es) to include within the asset list.
Addresses: IP address(es) that will be used with the asset list (20K character limit).

DNS

Visibility, Name, Group, Description: As for Static/Watchlist Asset List above.
DNS Names: The DNS hostnames the asset list is based upon.

Static Upload Multiple

File: File that contains the IP address(es) to include within the asset lists.
Uploaded Lists: IP address(es) that will be used with the asset lists (20K character limit). Each line of the file defines one asset list, with the fields name, description, group, visibility, and IP address(es):
"Asset1","","group","visibility","IP Address(es)"
For example:
"Internal","Int IPs","ranges","user"," , "
"External","Ext IPs","ranges","user"," "
Double quotes are required around all fields in the uploaded file. The visibility field (user or organizational) must be entered in lower case.

Dynamic

Visibility: As for Static/Watchlist Asset List above.

Name, Group, Description: As for Static/Watchlist Asset List above.

LDAP Query

Visibility, Name, Group, Description: As for Static/Watchlist Asset List above.
Search Base: The LDAP search base used as the starting point of the search for the user information.
Search String: This string may be modified to create a search based on a location or filter other than the default search base or attribute.
Preview Query: The preview query is displayed after selecting the Generate Preview button. The preview lists the LDAP objects that match the defined search string.

Table 42 below describes the logic that can be used when writing a dynamic rule.
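Before moving on to dynamic rules, the merge modes and the Static Upload Multiple file format from Table 41 above, as an added example written for this page (not SecurityCenter code): the four merge modes are implemented as the set operations Table 41 describes, and the writer emits the double-quoted five-field lines the multiple-upload importer expects, forcing visibility to lower case and checking the 20K character limit on the address field. The address ranges are constructed, and the collapsing of individual addresses back into CIDR blocks is an assumption about a convenient encoding, not a documented importer requirement.

```python
"""Address merging and the Static Upload Multiple file format for asset lists.

Added example, not SecurityCenter code. The four merge modes follow the
Table 41 descriptions (Union, Intersection, Difference, Complement); the
writer produces the double-quoted five-field lines the multiple-upload
importer expects, forcing the visibility field to lower case and enforcing
the 20K character limit on the address field. All addresses are constructed.
"""
import csv
import io
import ipaddress

MAX_ADDRESS_CHARS = 20_000


def expand(entries):
    """One entry per line: a single address, a CIDR block, or a 'first-last' range."""
    out = set()
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if lo.version != hi.version or hi < lo:
                raise ValueError(f"bad range {entry!r}")
            out.update(type(lo)(i) for i in range(int(lo), int(hi) + 1))
        elif "/" in entry:
            out.update(ipaddress.ip_network(entry, strict=False))  # every address in the block
        else:
            out.add(ipaddress.ip_address(entry))
    return out


def merge(mode, addresses, asset_lists):
    """Combine the typed Addresses with the selected asset list(s) as Table 41 describes."""
    selected = set().union(*asset_lists)
    if mode == "Union":          # everything, duplicates discarded
        return addresses | selected
    if mode == "Intersection":   # drop Addresses not present in the asset list(s)
        return addresses & selected
    if mode == "Difference":     # combine, then drop what both sides share
        return addresses ^ selected
    if mode == "Complement":     # drop Addresses that are in the asset list(s)
        return addresses - selected
    raise ValueError(f"unknown merge mode {mode!r}")


def to_address_field(ips):
    """Collapse a set of addresses into comma-separated CIDR/host entries (an assumed encoding)."""
    parts = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions
        same = [ip for ip in ips if ip.version == version]
        for net in ipaddress.collapse_addresses(same):
            parts.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return ",".join(parts)


def build_upload_file(rows):
    """rows: (name, description, group, visibility, address_set). Returns the file text."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")  # quotes every field
    for name, description, group, visibility, ips in rows:
        visibility = visibility.lower()  # the importer requires lower case
        if visibility not in ("user", "organizational"):
            raise ValueError(f"visibility must be user or organizational, got {visibility!r}")
        field = to_address_field(ips)
        if len(field) > MAX_ADDRESS_CHARS:
            raise ValueError(f"{name}: address field exceeds {MAX_ADDRESS_CHARS} characters")
        writer.writerow([name, description, group, visibility, field])
    return buf.getvalue()


def demo():
    """Typed addresses split against an existing DMZ list into two uploadable lists."""
    typed = expand(["10.0.1.0/30", "10.0.2.1-10.0.2.3"])   # 7 addresses typed in
    dmz = expand(["10.0.2.2", "10.0.2.3", "10.0.9.9"])     # an existing asset list
    return build_upload_file([
        ("Internal", "Int IPs", "ranges", "User", merge("Complement", typed, [dmz])),
        ("External", "Ext IPs", "ranges", "user", merge("Intersection", typed, [dmz])),
    ])


if __name__ == "__main__":
    print(demo(), end="")
```

Note that Difference here is the symmetric difference (both sides combined, shared addresses removed) while Complement is the plain subtraction of the asset list from the typed addresses; the two are easy to confuse in the UI and produce different lists whenever the typed addresses overlap an existing asset list.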
Table 42 Dynamic Rule Logic

Plugin ID
    is equal to: Field value must be equal to the value specified.
    not equal to: Field value must not be equal to the value specified.
    is less than: Field value must be less than the value specified.

    is greater than: Field value must be greater than the value specified.

Plugin Text
    is equal to: Field value must be equal to the value specified.
    not equal to: Field value must not be equal to the value specified.
    contains the pattern: Field value must contain the text specified (e.g., ABCDEF contains ABC).
    regex: Any valid regex pattern enclosed in / and / (example: /.*ABC.*/).
    where Plugin ID is: Any valid Plugin ID number; the condition is applied to that plugin's output.

Operating System
    is equal to: Field value must be equal to the value specified.
    not equal to: Field value must not be equal to the value specified.
    contains the pattern: Field value must contain the text specified (e.g., ABCDEF contains ABC).
    regex: Any valid regex pattern enclosed in / and / (example: /.*ABC.*/).

Address
    is equal to: Field value must be equal to the value specified.
    not equal to: Field value must not be equal to the value specified.

DNS, NetBIOS Host, NetBIOS Workgroup, MAC, SSH v1 Fingerprint, SSH v2 Fingerprint
    is equal to: Field value must be equal to the value specified.
    not equal to: Field value must not be equal to the value specified.
    contains the pattern: Field value must contain the text specified (e.g., contains 124).
    regex: Any valid regex pattern enclosed in / and / (example: /.*124.*/).

Port, TCP Port, UDP Port
    is equal to: Field value must be equal to the value specified.

    not equal to: Field value must not be equal to the value specified.
    is less than: Field value must be less than the value specified.
    is greater than: Field value must be greater than the value specified.

Days Since Discovery, Days Since Observation
    is equal to, not equal to, is less than, is greater than: Field value must be equal to, not equal to, less than, or greater than the value specified. Scroll arrows are provided for entry selection, or the value can be entered manually. Maximum 365.

Severity
    is equal to: Field value must be equal to the value specified (info, low, medium, high, or critical).
    not equal to: Field value must not be equal to the value specified (info, low, medium, high, or critical).
    is less than: Field value must be less than the value specified (info, low, medium, high, or critical).
    is greater than: Field value must be greater than the value specified (info, low, medium, high, or critical).
    where Plugin ID is: Any valid Plugin ID number; the condition is applied to that plugin's output.

Audit Files

The Nessus vulnerability scanner includes the ability to perform compliance audits of numerous platforms including, but not limited to, databases, Linux, Unix, Cisco IOS, IBM iSeries, and Windows server configurations, as well as sensitive data discovery based on regular expressions contained in audit files. Audit files are text files that contain the specific configuration, file permission, and access control tests to be performed. Additionally, NIST SCAP security checklist files may be uploaded in the same manner as a standard audit file. Tenable provides a wide range of audit files, and new ones are easy to write.
These audit files are maintained on the Tenable Support Portal for users who wish to perform compliance and configuration auditing. NIST SCAP security checklist files may be obtained from the NIST SCAP website under the link for SCAP Content and then Security Checklists; the links under the Resources column for the SCAP content files lead to the page from which the checklist zip file is downloaded. Only Tier IV files are supported by Tenable for this process. The complete .zip file obtained from the NIST site is needed for use with SecurityCenter. The screen capture below shows an audit file listing with PCI- and CIS-based audits.

(Screen capture: Audit Files Listing)

Audit files are added, edited, downloaded, viewed, and deleted from this web interface. Clicking Add opens an Add Audit File dialog similar to the following:

(Screen capture: Audit File Add Dialog)

Available fields include:

Table 43 Audit File Fields

Name: A descriptive name assigned to the audit file (not the actual file name).
Description: Descriptive text about the audit file.
File: An interface that allows you to browse your local system for the audit file itself. When a standard audit file is selected, no further options are available and the audit file may be submitted. If a SCAP file is to be uploaded, the complete .zip file acquired from the NIST SCAP website must be uploaded, and additional options are presented.
Benchmark (SCAP only): When a NIST SCAP file is selected as the audit resource, the Benchmark field is displayed with a drop-down menu of the available benchmarks. Select an appropriate

129 benchmark for the purpose of the audit. SecurityCenter attempts to determine if the file is for SCAP Windows or SCAP Linux. This is not always possible due to different SCAP file versions; a benchmark OS version must be manually selected from the drop-down menu if one is not automatically determined by SecurityCenter. Tailoring (SCAP Only) As of SCAP version 1.2, an XML tailoring file may be selected to customize certain results based on the local environment. If needed, a tailoring file may be uploaded through this option. Once an audit or SCAP file has been uploaded, it may be referenced from within scan policies for enhanced security policy auditing. It may also be downloaded for review or uploaded to another SecurityCenter or Nessus scanner to ensure the same audit file is being used throughout the Organization. SCAP based scans requires sending an executable to the remote host. For systems that run security software (e.g., McAfee Host Intrusion Prevention), they may block or quarantine the executable required for auditing. For those systems, an exception must be made for the either the host or the executable sent. Credentials Credentials are reusable objects that facilitate scan target login. Various types of credentials can be configured for use within scan policies. Additionally, credentials may be shared between users for scanning purposes. When shared, the other users cannot see a cleartext version of the passwords. This enables sensitive credential sets to be shared in a more secure manner. Available credential types include: Windows Nessus has vulnerability checks that can use a Microsoft Windows domain account to find local information from a remote Windows host. For example, using credentials enables Nessus to determine if important security patches have been applied. To use this feature, enter the Username, Password, and Domain in the text boxes. 
SSH (password with optional privilege escalation, and key-based): SSH credentials are used to obtain local information from remote Unix and Cisco IOS systems for patch auditing or compliance checks. There is a field for entering the SSH user name for the account that will perform the checks on the target system, along with either the SSH password or the SSH public key and private key pair. There is also a field for entering the Passphrase for the SSH key, if it is required. In case of invalid or expired SSH keys, use the Clear button to remove the current SSH keys.

The most effective credentialed scans are those with root privileges (enable privileges for Cisco IOS). Since many sites do not permit a remote login as root, a Nessus user account can invoke a variety of privilege escalation options including: su, sudo, su+sudo, DirectAuthorize dzdo, Powerbroker pbrun, and Cisco enable. Scans run using su+sudo allow users to log in to the remote host with a non-privileged account and then scan with sudo privileges on the remote host. This is important for locations where remote privileged login is prohibited. Scans run using sudo vs. the root user do not always return the same results because of the different environment variables applied to the sudo user and other subtle differences. Please refer to the sudo man pages or the following web page for more information:

To direct the Nessus scanner to use privilege escalation, click on the drop-down menu labeled Privilege Escalation and select the appropriate option for your target system. Enter the escalation information in the provided box.

If an SSH known_hosts file is available and provided as part of the scan policy (located within the SSH Settings in the scan policy preferences), Nessus will only attempt to log into hosts in this file. This ensures that the same username and password used to audit your known SSH servers is not used to attempt a login to a system that may not be under your control.

SNMP community string: Enter the appropriate private or public SNMP community string used for authentication.

Kerberos: The Kerberos IP, Port, Protocol, and Realm are available for this type of authentication.

An example Windows credential with options is displayed below:

(Screen capture: Credential Add Dialog)

For more information on Nessus credentialed scanning, please refer to the Nessus Credentialed Checks for Unix and Windows document available from

Queries

Queries provide the ability to save custom views of vulnerability, event, ticket, user, and alert data for repeated access. Common fields for all query types are described in the following table:

Table 44 - Common Query Options
Name: The name used to describe the query.
Group: A logical grouping for created query objects. Group names can be reused as desired. This reduces lengthy lists of asset lists with no logical grouping. Objects shared with new users will retain the group specified by the creator. For example, if the organization head creates an organizational query and assigns it to the DMZ group, all users will now have a DMZ group containing that organizational query.
Description: Descriptive text for the query.
Visibility: User or Organizational. If User is specified, only the current user has access to the saved query; otherwise, all users within the organization have query access.
Type: This option specifies whether the query will use vulnerability, mobile, event, ticket, user, or alert data.

The table below indicates other options available for vulnerability queries:

Table 45 - Vulnerability Query Options
Target Filters:
  Address: This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed vulnerabilities. For example, entering /24 and/or 2001:DB8::/32 limits any of the web tools to only show vulnerability data from the selected network(s). Addresses can be comma separated or on separate lines.
  DNS Name: This filter specifies a DNS name to limit the viewed vulnerabilities. For example, entering host.example.com limits any of the web tools to only show vulnerability data from that DNS name.
  Repository: Display vulnerabilities from the chosen repositories.
  Asset: This filter displays systems from the chosen asset list. If more than one asset list contains the systems from the primary asset list (i.e., there is an intersect between the asset lists), those asset lists are displayed as well.
  Output Assets (only available in the Asset Summary analysis tool): This filter displays only the desired asset list systems.
  Port: The equality operator is specified to allow matching vulnerabilities with the same ports, different ports, all ports less than, or all ports greater than the port filter. The port filter allows a comma separated list of ports. For the greater than or less than filters, only one port may be used. All host-based vulnerability checks are reported with a port of 0 (zero).
  Protocol: This filter provides check boxes to select TCP, UDP, or ICMP-based vulnerabilities.
Vulnerability Filters:
  Plugin Family: This filter allows for the selection of a Nessus or PVS plugin family. Only vulnerabilities from the selected family will be shown.
  Plugin Name: Enter all or a portion of the actual plugin name. For example, entering MS in the plugin name filter will display vulnerabilities using the plugin named: MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check). Similarly, entering the string uncredentialed will display a list of vulnerabilities with that string in their plugin name.
  Vulnerability Text: Displays vulnerabilities containing the entered text (e.g., php 5.3).

  Scan Policy: This filter allows for the selection of a scan policy. Only vulnerabilities from the selected scan policy will be shown.
  Audit File: This filter displays vulnerabilities detected when a scan was performed using the chosen .audit file.
  Plugin Type: Select whether to view passive, active, lce, compliance, or all vulnerabilities.
  Severity: Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).
  CVSS Score: Displays vulnerabilities within the chosen CVSS score range.
  Exploit Available: If set to yes, displays only vulnerabilities for which a known public exploit exists.
ID Filters:
  Plugin ID: Enter the plugin ID desired or a range based on a plugin ID. Available operators are equal to (=), not equal to (!=), greater than or equal to (>=), and less than or equal to (<=).
  CVE ID: Displays vulnerabilities based on the chosen single CVE ID (e.g., CVE ) or multiple CVE IDs separated by commas (e.g., CVE ,CVE ,CVE ).
  MS Bulletin ID: Displays vulnerabilities based on the chosen Microsoft Bulletin ID (e.g., MS ) or multiple Microsoft Bulletin IDs separated by commas (e.g., MS10-012,MS10-054,MS ).
  IAVM ID: Displays vulnerabilities based on the chosen IAVM ID (e.g., 2011-A-0007) or multiple IAVM IDs (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).
Date Filters:
  Vulnerability Last Observed (Cumulative only): This filter allows the user to see when the vulnerability was last observed by Nessus or PVS. The observation date is based on when the vulnerability was most recently imported into SecurityCenter. For PVS, this will not match the exact vulnerability discovery time, as there is normally a lag between the time that PVS discovers a vulnerability and when the import occurs.
  Days Since Mitigation (Mitigated only): This filter allows the user to track the number of days since a vulnerability was moved to the mitigated database.
  Vulnerability Discovered: SecurityCenter tracks when each vulnerability was first discovered. This filter allows the user to see when vulnerabilities were discovered less than, more than, or within a specific count of days. The discovery date is based on when the vulnerability was first imported into SecurityCenter. For PVS, this will not match the exact vulnerability discovery time, as there is normally a lag between the time that PVS discovers a vulnerability and when the import occurs.

  Days are calculated based on 24-hour periods prior to the current time and not calendar days. For example, if the report run time was 11/8/2012 at 1 PM, using a 3-day count would include vulnerabilities starting 11/5/2012 at 1 PM and not from 12:00 AM.
  Plugin Published: Tenable plugins contain information about when a plugin was published. This filter allows the user to search based on when a particular plugin was created: less than, more than, or within a specific count of days.
  Plugin Modified: Tenable plugins contain information about when a plugin was last modified. This filter allows the user to search based on when a particular plugin was modified: less than, more than, or within a specific count of days.
  Vulnerability Published: When available, Tenable plugins contain information about when a vulnerability was published. This filter allows the user to search based on when a particular vulnerability was published: less than, more than, or within a specific count of days.
  Patch Published: When available, Tenable plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a patch became available: less than, more than, or within a specific count of days.
Workflow:
  Mitigated Status: Display vulnerabilities that were at one time mitigated, but have been discovered again in a subsequent scan. This option is not used in conjunction with other options unless all options within the selected combination are set (e.g., selecting the Was Mitigated checkbox will return no results if both the Was Mitigated and the Accepted Risk flags are set).
  Accepted Risk Status (Cumulative Only): Display vulnerabilities based on their Accepted Risk workflow status. Available choices include Accepted Risk or Non-Accepted Risk. Choosing both options displays all vulnerabilities regardless of acceptance status.
  Recast Risk Status (Cumulative Only): Display vulnerabilities based on their Recast Risk workflow status. Available choices include Recast Risk or Non-Recast Risk. Choosing both options displays all vulnerabilities regardless of recast risk status.

The table below indicates the options available for mobile queries:

Table 46 - Mobile Query Options
Analysis Tool Filter:
  Analysis Tool: This drop-down is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis -> Mobile dialog.
  Active Filters: This field displays the existing filters and allows the user to selectively remove filters as needed. In the example below, the Active Filters displayed are MDM Type, Model, Plugin Output, and Days Since Observation. Clicking the X next to any one of these filters will remove that filter from the filter list.
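The Address, Port, Severity, and Vulnerability Discovered filters of Table 45 above, as an added example (not SecurityCenter code): the filter semantics the table describes, evaluated in Python over constructed vulnerability records, including the single-port rule for the less-than and greater-than operators, port 0 for host-based checks, and the 24-hour-period day count from the guide's 11/8/2012 example. The record layout, plugin IDs, and addresses are constructed for the example and are not real findings.

```python
"""Added example (not SecurityCenter code): evaluate the Address, Port,
Severity and Vulnerability Discovered filters of a vulnerability query, as
Table 45 describes them, over constructed records."""
from datetime import datetime, timedelta
import ipaddress

# Severity scale used for the =, !=, < and > comparisons.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_addresses(text):
    """Address filter: IPv4/IPv6 addresses, first-last ranges, or CIDR blocks,
    comma separated or on separate lines. Returns a list of ip_network objects."""
    nets = []
    for token in text.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:  # first-last range, summarised into CIDR blocks
            lo, hi = (ipaddress.ip_address(t.strip()) for t in token.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:             # single address or CIDR block (strict=False keeps host bits)
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def address_matches(ip, nets):
    """True when the address falls inside any of the parsed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_port_filter(op, text):
    """Port filter: = and != accept a comma separated list; < and > accept
    exactly one port, as the guide requires. Returns a predicate on a port."""
    ports = [int(p) for p in text.split(",") if p.strip()]
    if not ports:
        raise ValueError("port filter needs at least one port")
    if op in ("<", ">") and len(ports) != 1:
        raise ValueError("only one port may be used with < or >")
    return {
        "=": lambda p: p in ports,
        "!=": lambda p: p not in ports,
        "<": lambda p: p < ports[0],
        ">": lambda p: p > ports[0],
    }[op]


def severity_matches(severity, op, value):
    """Compare two severities on the ordered info..critical scale."""
    a, b = SEVERITY_RANK[severity], SEVERITY_RANK[value]
    return {"=": a == b, "!=": a != b, "<": a < b, ">": a > b}[op]


def within_days(now, when, count):
    """Date filters count 24-hour periods before now, not calendar days:
    a 3-day window at 11/8/2012 1 PM starts at 11/5/2012 1 PM."""
    return now - when <= timedelta(days=count)


def run_query(vulns, now, address=None, port=None, severity=None, discovered_within=None):
    """Apply the given filters (each optional) and return matching plugin IDs."""
    nets = parse_addresses(address) if address else None
    port_ok = parse_port_filter(*port) if port else None
    keep = []
    for v in vulns:
        if nets is not None and not address_matches(v["ip"], nets):
            continue
        if port_ok is not None and not port_ok(v["port"]):  # host-based checks report port 0
            continue
        if severity is not None and not severity_matches(v["severity"], *severity):
            continue
        if discovered_within is not None and not within_days(now, v["discovered"], discovered_within):
            continue
        keep.append(v["plugin_id"])
    return keep


# The guide's example run time, 11/8/2012 at 1 PM.
NOW = datetime(2012, 11, 8, 13, 0)

# Constructed sample records; plugin IDs and addresses are not real findings.
SAMPLE_VULNS = [
    {"plugin_id": 10001, "ip": "10.0.0.5", "port": 445, "severity": "critical",
     "discovered": datetime(2012, 11, 5, 13, 0)},    # exactly 3 x 24 h ago: inside a 3-day window
    {"plugin_id": 10002, "ip": "10.0.0.9", "port": 80, "severity": "medium",
     "discovered": datetime(2012, 11, 5, 12, 30)},   # 3 days and 30 minutes ago: outside it
    {"plugin_id": 10003, "ip": "10.0.1.7", "port": 0, "severity": "high",
     "discovered": datetime(2012, 11, 7, 9, 0)},     # host-based check, reported on port 0
    {"plugin_id": 10004, "ip": "2001:db8::10", "port": 443, "severity": "low",
     "discovered": datetime(2012, 11, 8, 8, 0)},
]

if __name__ == "__main__":
    print(run_query(SAMPLE_VULNS, NOW, address="10.0.0.0/24, 2001:db8::/32"))
    print(run_query(SAMPLE_VULNS, NOW, port=("<", "1")))           # host-based findings only
    print(run_query(SAMPLE_VULNS, NOW, severity=(">", "medium")))
    print(run_query(SAMPLE_VULNS, NOW, discovered_within=3))
```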

Mobile Filters:
  Target Filters:
    Repository: Display vulnerabilities from the chosen repositories.
  Device Filters:
    Identifier: This is a text-based search filter that looks at the Identifier field in the repository.
    Model: This is a text-based search filter that looks at the Model field in the repository.
    Operating System CPE: This is a text-based search filter that looks at the Operating System CPE field in the repository.
    Version: This is a text-based search filter that looks at the OS Version field in the repository.
    Serial Number: This is a text-based search filter that looks at the Serial Number field in the repository.
    MDM Type: The MDM type field is a drop-down menu to select the MDM server type: ActiveSync, Apple Profile Manager, or Good MDM server.
    Username: This is a text-based search filter that looks at the User field in the repository.
  Vulnerability Filters:
    Plugin ID: Enter the Plugin ID to filter results on.
    Plugin Output: Filter results based on a text search of plugin output.
    Severity: Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

  Date Filters:
    Vulnerability Last Observed (Cumulative only): This filter allows the user to see when the vulnerability was last observed.

The table below indicates the options available for event queries:

Table 47 - Event Query Options
Analysis Tool Filter:
  Analysis Tool: This drop-down is used to choose the analysis tool used by the filter. This is the same as selecting the desired analysis tool from the Analysis -> Events dialog. These tools are described in detail in the Analysis Tools section.
  Active Filters: This field displays the existing filters and allows the user to selectively remove filters as needed. In the example below, the Active Filters displayed are Timeframe, Type, and Targeted IDS Events. Clicking the X next to any one of these filters will remove that filter from the displayed events.
Event Filters:
  Target Filters:
    Address: Specifies an IP address, range, or CIDR block to limit the displayed events. For example, entering /24 limits any of the web tools to only show event data from that network. Addresses can be entered on separate lines or comma separated.
    Port: This type of filter can be specified to allow matching events with the specified ports (=) or excluding ports (!=). The port filter may specify a single port, a comma separated list of ports, or a range of ports (e.g., ). All host-based vulnerability checks are reported with a port of 0 (zero).

    Protocol: Specify the protocol of the event (Any, TCP, UDP, ICMP, or Unknown).
    Direction: Filter by event direction (Any, Inbound, Outbound, or Internal).
    Asset: Filter the event by asset list. Select an asset list from those available. To narrow down the number of displayed asset lists, enter text to filter on in the search box.
    Output Assets (only available in the Asset Summary analysis tool): This filter displays only the desired asset list systems.
  Event Filters:
    Timeframe: A shortcut to this configuration item is available by clicking on the date field directly below the Analysis Tool. An explicit timeframe is displayed by default. Specify either an explicit or relative timeframe for the event filter. Choosing explicit opens a calendar dialog allowing the user to select the from and to dates and times. Relative timeframes range from the last 15 minutes to the last 12 months, and All.
    Normalized Event: The Normalized Event is the name given to the event by the LCE after the LCE runs its PRM and TASL scripts against it.
    Detailed Event: This is the detailed event name given by the IDS vendor. For example, an event received from a Snort sensor can have a detailed event name of DOUBLE DECODING ATTACK, which means that HTTP_INSPECT 119:2:1 fired and was sent to the LCE.
    Type: Clicking in this box generates a drop-down that allows one to select the event type (e.g., error, lce, login, intrusion, etc.).
    Sensor: Filter the events by sensor using the equal (=) or not equal (!=) operators.
    User: Specify only events tied to a particular username.
    Targeted IDS Events: This filter checkbox selects IDS events that have targeted systems and ports with vulnerabilities likely to be exploited by the detected attack. This is determined by comparing the host's vulnerabilities (CVE, etc.) against those tied to the actual IDS event.
    Syslog Text (Raw Syslog Events Analysis Tool): String to search for within the filtered event. When using LCE server version and newer, the text search is case insensitive and Boolean operators may be used. For example: text="(drive AND serial) OR utilization". This filter is case-sensitive when using LCE version and earlier.
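The Boolean syntax the Syslog Text filter accepts on newer LCE versions, as an added example (not LCE or SecurityCenter code): a small parser and evaluator for AND/OR expressions with parentheses, run over constructed syslog lines in both the case-insensitive mode and the older case-sensitive mode. The precedence (AND binds tighter than OR), the uppercase-only operator keywords, and the sample lines are assumptions made for the example; the guide's `text="..."` wrapper is omitted and only the expression inside the quotes is parsed.

```python
"""Added example (not LCE or SecurityCenter code): parse and evaluate the
Boolean Syslog Text syntax, e.g. (drive AND serial) OR utilization.
Assumed grammar: AND binds tighter than OR, parentheses group, and only the
uppercase words AND and OR are operators; any other token is a substring to
look for. The case_sensitive flag models the older LCE behaviour."""
import re

# A token is "(", ")", or a run of non-space, non-parenthesis characters.
_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse(expr):
    """Return a nested tuple: ("term", text) | ("and", l, r) | ("or", l, r)."""
    tokens = _TOKEN.findall(expr)
    pos = [0]  # cursor shared by the nested helpers

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def take():
        tok = peek()
        pos[0] += 1
        return tok

    def parse_or():            # lowest precedence
        node = parse_and()
        while peek() == "OR":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():           # binds tighter than OR
        node = parse_atom()
        while peek() == "AND":
            take()
            node = ("and", node, parse_atom())
        return node

    def parse_atom():          # a parenthesised group or a single search term
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError("expected a search term, got %r" % tok)
        return ("term", tok)

    tree = parse_or()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return tree


def evaluate(tree, text, case_sensitive=False):
    """True when the syslog line satisfies the parsed expression."""
    kind = tree[0]
    if kind == "term":
        needle = tree[1]
        return (needle in text) if case_sensitive else (needle.lower() in text.lower())
    left = evaluate(tree[1], text, case_sensitive)
    right = evaluate(tree[2], text, case_sensitive)
    return (left and right) if kind == "and" else (left or right)


def search(lines, expr, case_sensitive=False):
    """Return the lines matching the Boolean expression, in input order."""
    tree = parse(expr)
    return [line for line in lines if evaluate(tree, line, case_sensitive)]


# Constructed syslog lines, not real LCE data.
SAMPLE_SYSLOG = [
    "Nov  8 13:02:11 db01 kernel: sd 0:0:0:0: [sda] Drive serial ABC123 attached",
    "Nov  8 13:02:15 web02 smartd: Device /dev/sdb drive temperature 41C",
    "Nov  8 13:03:01 app03 collectd: cpu utilization 97 percent",
    "Nov  8 13:03:40 fw01 sshd: Accepted publickey for backup from 10.0.0.5",
]

if __name__ == "__main__":
    for line in search(SAMPLE_SYSLOG, "(drive AND serial) OR utilization"):
        print(line)
```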

  Advanced Filters:
    LCEs: Specify which LCEs to obtain events from. Use <CTRL> or <Shift> + click to select more than one.
    Repositories: Specify which Repositories to obtain events from. Use <CTRL> or <Shift> + click to select more than one.
    Source Address: Specifies an IP address or CIDR block to limit the displayed events based on source. For example, entering /24 limits any of the web tools to only show event data with source IPs in that block. Addresses can be comma separated.
    Destination Address: Specifies an IP address or CIDR block to limit the displayed events based on destination. For example, entering /24 limits any of the web tools to only show event data with destination IPs in that block. Addresses can be comma separated.
    Source Port: This type of filter can be specified to allow matching events with the same ports (=) or different ports (!=). The port filter may specify a single port, a comma separated list of ports, or a range of ports (e.g., ).
    Destination Port: This type of filter can be specified to allow matching events with the same ports (=) or different ports (!=). The port filter may specify a single port, a comma separated list of ports, or a range of ports (e.g., ).
    Source Asset: Events originating from the defined source asset list.
    Destination Asset: Events originating from the defined destination asset list.

Ticket queries are a useful way of determining what tickets to alert against. For example, if you want to be alerted when a user named Joe is assigned a ticket, you could create a query with a ticket filter based on the Assignee value of Joe. You could then create an alert to notify you when Joe was assigned a ticket. The table below contains a list of the ticket query options.

Table 48 - Ticket Query Options
Analysis Tool Filter:
  Analysis Tool: Chooses the analysis tool used by the query.
Ticket Filters:
  Name: Ticket name to filter against.
  Status: Ticket status to filter against.
  Classification: The ticket classification to filter against.
  Owner: The manager (owner) of the ticket assignee.

  Assignee: The ticket assignee to filter against.
  Created Timeframe: Ticket creation date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Assigned Timeframe: Ticket assigned date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Modified Timeframe: Ticket modified date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Resolved Timeframe: Ticket resolution date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Closed Timeframe: Ticket closed date/time to filter against. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

User queries are useful for reporting, dashboards, and alerts based on user actions. For example, they can be used for tracking and alerting on user logins and locked accounts. They could also be used to track user logins from accounts not authorized on the monitored systems.

Table 49 - User Query Options
Analysis Tool Filter:
  Analysis Tool: Chooses the analysis tool used by the query.
User Filters:
  First Name: User first name to filter against.
  Last Name: User last name to filter against.
  Username: Actual username to filter against.
  Manager: Filters against users who have the specified manager.
  Role: Filters against users who have the specified role.
  Email: Filters against users based on their email address.
  Last Login Timeframe: Filters against users whose last login was within the timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Account State: Filters against the user account state (locked vs. unlocked).

The Alert query is useful for reporting, dashboards, and alerting when an alert has triggered. This is useful for situations where a report, dashboard element, or conditional alert is required after the specified alert filter conditions have been met. For example, a daily report could be scheduled containing a query of all active alerts and their details.

Table 50 - Alert Query Options
Analysis Tool Filter:
  Analysis Tool: Chooses the analysis tool used by the filter.
Alert Filters:
  Name: Filter against alerts with the specified name.
  Description: Filter against alerts with the specified description.
  State: Choose from All, Triggered, or Not Triggered.
  Created Timeframe: Filters against the alert creation timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Modified Timeframe: Filters against the most recent alert modification timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Last Triggered Timeframe: Filters against the most recent alert trigger timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).
  Last Evaluated Timeframe: Filters against the most recent alert evaluation timeframe specified. Either specify an explicit timeframe, including the start and end time, or choose one of the predefined periods (e.g., last 15 minutes, last hour, etc.).

Scan Policies

The scan policy contains plugin settings and advanced directives used during the course of the Nessus scan. Click on Support and then Scan Policies to display a listing of all currently available policies.
Tabs at the upper-right hand portion of this page give the user the ability to Add, Copy, Edit, Share, Download, Detail (view details of), and Delete existing policies.

(Screen capture: Scan Policies Listing)

Add a Scan Policy

Clicking on Add opens the following screen, which is used to configure the new scan policy. Four tabs are displayed:

Basic
Audit Files
Plugins
Preferences

(Screen capture: Basic Scan Policy Settings)

Basic

The Basic tab contains basic scan policy settings and allows the user to load a predefined scan policy template if desired. The Load Policy Template option is a command button located in the upper right-hand corner of the Basic tab page and allows the user to load scan policy options based on a variety of predefined scan policy templates. Available templates include: Web Safe Scan, FTP Safe Scan, SMTP Safe Scan, Cisco Safe Scan, Full Safe Scan All Ports, Full Safe Scan Common Ports, Microsoft Scan, PCI DSS Scan, Topology Scan, Peer-To-Peer Scan, Virus Check Scan, Operating System Identification, Patch Audit and Local Security Checks, and Netstat Port Scan. These templates use optimized plugin and configuration settings for their specified scan type. The tables below contain detailed descriptions of options available on each of the five frames displayed under the Basic tab:

Table 51 - Basic Options
Name: Unique policy name.
Visibility: User or Organizational.
Description: Policy description (optional).
Group: Policy group name (optional).
Type: Family or Plugin. If Family is chosen, then when plugin updates occur, new plugins will automatically be enabled for plugin families that are enabled. If Plugin is chosen, only the currently enabled plugins are enabled; new plugins must be manually enabled by the user. This is beneficial where strict control over new plugins is required. Changing from Family to Plugin, or vice-versa, clears all currently enabled plugins. Please make a note of all enabled plugins before changing this option so that they can be enabled afterwards.

The Scan frame controls basic scan options for the scan:

Table 52 - Scan Options
Safe Checks: Nessus can attempt to identify remote vulnerabilities by interpreting banner information and attempting to exercise a vulnerability. This is not as reliable as a full probe, but is less likely to negatively impact a targeted system.
Silent Dependencies: If this option is checked, the list of dependencies is not included in the report. If you want to include the list of dependencies in the report, uncheck this box.
Consider Unscanned Ports as Closed: With this setting enabled, ports that are not enumerated by the port scan will not be tested. For example, scanning ports 21, 22, and 23 will only test those ports and not any other port.

The Port Scanners frame controls which methods of port scanning should be enabled for the scan:

Table 53 - Port Scanner Options
TCP Scan: Use Nessus' built-in TCP scanner to identify open TCP ports on the targets. This scanner is optimized and has some self-tuning features. On some platforms (e.g., Windows and Mac OS X), if the operating system is causing serious performance issues using the TCP scanner, Nessus will launch the SYN scanner.
UDP Scan: This option engages Nessus' built-in UDP scanner to identify open UDP ports on the targets. UDP is a stateless protocol, meaning that communication is not done with handshake dialogues. UDP-based communication is not always reliable, and because of the nature of UDP services and screening devices, they are not always remotely detectable.
SYN Scan: Use Nessus' built-in SYN scanner to identify open TCP ports on the targets. SYN scans are a popular method for conducting port scans and are generally considered to be a bit less intrusive than TCP scans. The scanner sends a SYN packet to the port, waits for a SYN-ACK reply, and determines port state based on the reply, or lack of reply.
SNMP Scan: Direct Nessus to scan targets for an SNMP service. Nessus will guess relevant SNMP settings during a scan. If the settings are provided by the user under Preferences, this will allow Nessus to better test the remote host and produce more detailed audit results. For example, there are many Cisco router checks that determine the vulnerabilities present by examining the version of the returned SNMP string. This information is necessary for these audits.
Netstat SSH Scan: This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via an SSH connection to the target. This scan is intended for Unix-based systems and requires authentication credentials.
Netstat WMI Scan: This option uses netstat to check for open ports from the local machine. It relies on the netstat command being available via a WMI connection to the target. This scan is intended for Windows-based systems and requires authentication credentials.
Ping Host: This option enables the pinging of remote hosts on multiple ports to determine if they are alive.

The Port Scan Options frame directs the scanner to target a specific range of ports. The following values are allowed for the Port Scan Range option:

Table 54 - Values for Port Scan Options
default: Using the keyword default, Nessus will scan approximately 4,605 common ports.
Custom List: A custom range of ports can be selected by using a comma-delimited list of ports or port ranges. For example, 21,23,25,80,110 or ,8080, are allowed. Specifying will scan all ports. The range specified for a port scan will be applied to both TCP and UDP scans.

The Performance frame provides two options that control how many scans will be launched. These options are perhaps the most important when configuring a scan, as they have the biggest impact on scan times and network activity.

Table 55 - Performance Options
Max Checks Per Host: This setting limits the maximum number of checks a Nessus scanner will perform against a single host at one time.
Max Hosts Per Scan: This setting limits the maximum number of hosts that a Nessus scanner will scan at the same time. If the scan is using a zone with multiple scanners, each scanner will accept up to the amount specified in the Max Hosts Per Scan option. For example, if Max Hosts Per Scan is set to 5 and there are five scanners in the zone, each scanner will accept five hosts to scan, allowing a total of 25 hosts to be scanned between the five scanners.
Max Scan Time in hours: This setting limits the length of time a scan is allowed to run. If a scan reaches this limit, the unscanned targets are captured in a new rollover scan that can be run manually or scheduled at a later time.
Max TCP Connections: This setting limits the maximum number of TCP sessions established by any of the active scanners while scanning a single host.

Audit Files

The Audit Files tab contains two options related to Nessus compliance scans. Note that you must at least name the scan from the Basic frame to be able to open the Audit Files tab.

Table 56 - Audit File Options
Select Audit File: Tenable provides a variety of audit files that provide a template check for compliance audits against various established standards, such as the Center for Internet Security (CIS) benchmarks, healthcare industry standards (HIPAA), Payment Card Industry (PCI) requirements, and many more. To perform a compliance check, you must have the ability to perform authenticated Unix and/or Windows local checks.
Perform PCI DSS Analysis: The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security standards established by the founding members of the PCI Security Standards Council, including Visa, American Express, Discover Financial Services, and MasterCard. The PCI DSS is intended to provide a common baseline to safeguard sensitive cardholder data for all bankcard brands and is in use by many e-commerce vendors who accept and store credit card data. Tenable provides three plugins to all SecurityCenter users that automate the process of performing a PCI DSS audit. These plugins are:
    PCI DSS compliance: tests requirements
    PCI DSS compliance: passed
    PCI DSS compliance
  These plugins evaluate the results of your scan and the actual configuration of your scan to determine if the target server is PCI compliant. The plugins do not perform actual scanning; they just look at the results from other plugins. To activate the PCI DSS plugins, simply check the box labeled Perform PCI DSS Analysis from the Compliance screen. It is important to note that a secure infrastructure is achieved through a fusion of people, processes, and technology.
Tenable s solutions provide the technology to aid in compliance requirements and are intended to be used in conjunction with a comprehensive security strategy. Please consult with your organization s Audit and Compliance group for guidance and directives specific to your organization. Generate XCCDF Results When performing a compliance scan with a qualifying SCAP audit file, the Generate XCCDF Results option is enabled by default. When the scan completes, it will generate an XCCDF result file, which may be downloaded from the scan result page when the scan is selected. Plugins The Plugins tab gives the user the option to customize which plugins will be utilized during the policy s Nessus scan. 144

Scan Policy Plugins Settings

Clicking on the circle next to a plugin family allows you to enable or disable the entire family. When the circle next to a family is green, that family is enabled and all plugins within that family are enabled. Selecting a family will display the list of its plugins in the upper right pane. Individual plugins can be enabled or disabled to create very specific scan policies. As adjustments are made, the total number of families and plugins selected is displayed at the bottom.

The circle next to the family name shows green when some or all of the plugins for that family are enabled. The green fill is full when all the plugins are selected, or ¼, ½, or ¾ full when only some plugins in the family are selected; the circle's green fill approximates the percentage of plugins selected.

Plugin Selection Dialog

Selecting a specific plugin will display the plugin output as it will be displayed in a report. The synopsis and description provide more details of the vulnerability being examined. Scrolling down in the Plugin pane will also show solution information, additional references, the CVSSv2 score that provides a basic risk rating, and/or any other information that is available in the plugin.

When a policy is created and saved, it records all of the plugins that are initially selected. When new plugins are received via a plugin feed update, they will automatically be enabled if the family they are associated with is enabled. If the family has been disabled or partially enabled, new plugins in that family will automatically be disabled as well.

The Denial of Service family contains some plugins that could cause outages on a corporate network if the Safe Checks option is not enabled, but it also contains some useful checks that will not cause any harm. The Denial of Service family can be used in conjunction with Safe Checks to ensure that any potentially dangerous plugins are not run. However, it is recommended that the Denial of Service family not be used on a production network.

The following table describes options that will assist you in selecting plugins.

Table 57 Plugin Options

Plugin Filters
Display plugins based on selected parameters (Name, ID and Family). Select the parameter you wish to search, type in the text to look for, and press Enter.

Show Only Enabled
Select this checkbox to only show currently enabled plugins.

Enable All Plugins
Enable all available plugins.

Disable All Plugins
Disable all available plugins.

Preferences

Scan Policy preferences are discussed in detail in the Plugin Preferences section of this document.

Additional Scan Policy Options

Other options are available to the user who wishes to work with scan policies. These include Copy, Edit, Share, Download, Detail, and Delete. Clicking on Copy makes a copy of the highlighted policy so that the existing policy does not need to be modified. This copy is created with a visibility of User. Clicking on Share allows you to share a policy with one or more users who may not currently have access to your policy. Download provides the option to download an XML version of the policy to share with other SecurityCenter users outside of the Organization or with a separate SecurityCenter. The other options, Edit, Details and Delete, allow the user to modify, view an overview of, and remove existing scan policies.

Users

The Users tab is used to define Users and Roles.

Users

Organizational users can be added, edited, viewed and deleted by selecting Users from the drop-down menu in the Users tab. The last login of the user is displayed as shown by the screen capture below:

Organizational User Listing

Add User

Clicking on Add displays a three-tab configuration dialog with the following options:

Table 58 User Basic Options

Authentication Information

Type: TNS

Username
This is the name the user will use to log in to SecurityCenter. When selecting this account name, it is sometimes easier to focus on the person's real name as a convention (e.g., Bob Smirth would become bsmirth). However, it may also be useful to assign names based on role, such as auditny.

Password
Login password. It is recommended to use passwords that are at least eight characters in length and include a combination of lower and upper-case letters along with non-alphabetic characters.

Type: LDAP

Search String
This is the LDAP search string to use to narrow down user searches. The proper format is attribute=<filter text>. Wildcards are permitted and the field accepts up to 1024 characters. For example:
    samaccountname=*
    mail=a*
    displayname=c*

Users
List of available LDAP user accounts.

Username
User that is selected from the list of users above.

Notification

Email user their account information
When the user is created, you can choose to have them notified via email of their account by selecting this check box. If the following error message is received when attempting to add a user:

    Error creating notifying user 'test'. Invalid address: noreply@localhost

log in as the administrator user and check the System -> Configuration -> Mail -> Return Address setting. The address defaults to noreply@localhost if left blank, and many mail servers will disallow emails from this address.

Email user their password (TNS Authentication Only)
There is an option to include the user's password within the email if desired. If this is not included, the contact information of the security manager will be included.

User must change their password on login (TNS Authentication Only)
Require password change on next login.

Basic/Contact Information

Name, Title, Address Information, Email, Phone
Contact information for the user can be entered here.

Table 59 User Access Options

Manager
Designated manager for the user. This can be specified as any existing non-admin user with the Manage Users permission. The Orghead or Manager user creating the new user is set as the Manager by default.

Role
The role assigned to the user. The default roles that may be used during user creation include:
    End User
    Manager
    No Role
A user may only create new users with permissions that the creating user currently has. For example, if a user has the Manager role, they can only create new users with the Manager or a lesser role.

Available Repositories
Repositories that the user will have access to. The user creating the account may only assign repositories that they have access to. If repository access is revoked, then in any queries or other objects that the user has access to and that reference the repository, the repository is automatically replaced by the text Unknown Object in the box where the repository originally was:

Unknown Object Error

A message similar to the one below is sent to the user to notify the user of repository access removal.

Object Removal Notification

LCEs
Assigns the LCE(s) that the user will be able to access data from.

Defining Assets
Assigns asset lists that the user will be able to access. The assets selected here determine the user's managed ranges.

Table 60 User Resource Options

Filterable Assets
Asset lists that will show up within their filter criteria.

Credentials
Assigns credentials that the user may leverage during their scans.

Queries
Assigns query resources that the user may access.

Policies
Determines what scan policies the user will see when they access their account.

Dashboard Template
This option allows you to browse for an exported dashboard tab XML or archive file containing one or more tab XML files and assign the dashboard tab(s) to the new user. These tabs will be displayed to the user after SecurityCenter login. Dashboard tabs are exported as XML files and can be combined post-export as either a .zip or .tar.gz package for multi-tab import. Tenable and community developed dashboards are available for download at:

This option is only available through the user Add process. Subsequent edits do not display this dialog. This option is also not currently available through the dashboard Import function.

Edit

Clicking on the Edit button allows editing of any information described in the previous section after the user has been created. Additionally, the user's account may be locked or unlocked from the edit screen's Basic tab.

Detail

Clicking on the Detail button displays a summary of the user's information, such as name, role, last login, repositories and defined assets.

Delete

Clicking on the Delete button displays a window asking to confirm the deletion of the user. Organization objects assigned to the user will be moved to the Organization Head.

Roles

The default roles of Administrator, No Role, and Organization Head cannot be edited. Custom roles can be edited by the administrator and Organization Head users.

Roles determine what a user can or cannot do when they access their account and are configurable to a great degree. SecurityCenter comes with five pre-defined roles; however, custom roles may be created by the Organization Head user to facilitate organizations with complex security policy needs. In keeping with the SecurityCenter convention, role assignments are hierarchical. Users may only create new users with roles that have the same permissions or a subset of the permissions of their current Role. For example, if a user has a custom role with View Vulnerability Data enabled and Update Plugins disabled, they can only create users with View Vulnerability Data enabled. Available pre-defined roles include:
    Administrator
    End User
    Manager
    No Role
    Organization Head

Most of these roles are static and cannot be modified.

An administrator is an account that has management responsibility over the console. The primary task of the administrator is to correctly install and configure each organization. In addition, the administrator adds components to SecurityCenter such as PVS, LCE, and Nessus to extend its capability. The administrator is automatically assigned the Manage Application permission.

An Organization Head is the account within an organization that has a broad range of security roles. This is the initial user that is created when a new organization is created. They have the ability to launch scans, configure users (except for administrator user roles), vulnerability policies, and other objects belonging to their organization. Each organization has an Organization Head account that cannot be deleted without deleting the entire Organization.

Additional users may be created and assigned one of three possible default roles or a subsidiary thereof. These roles are Manager, End User, and No Role. The Manager role is intended for security team managers who have the need to manage other users along with vulnerabilities, events, and scans. An end user is a system administrator, network engineer, or auditor. They use their account to review their security data, create and view reports, enter their remediation actions to close tickets, and, if given proper credentials, launch scans. No Role is the default catch-all role for users or objects for which no role has been assigned or explicit roles have been removed.

Add Role

Only the administrator and Organization Head users can add new roles. Other user roles do not have this privilege.

A powerful feature of SecurityCenter is the ability to add new roles. These custom roles can be configured and fine-tuned to match the duties to be performed by users who are assigned them. Clicking on Add Role displays a screen similar to the one below:

Add Role Dialog

Please reference the table below for detailed descriptions of each role item:

Table 61 Add User Role

Basic

Name
Custom role name.

Description
Custom role description.

Scan Permissions

Scan Privileges
Allows a user with this role to perform Nessus scans. Available options include:
    No Scan: cannot perform scans.
    Policy Scanning: unable to perform plugin scans. Used without the Create Policies permission, this role can limit a user to a select number of policies for scanning.
    Full Scanning: may create policy and plugin based scans.

Upload Nessus Scan Results
Allows a user with this role to upload Nessus scan results to SecurityCenter.

Manage Blackout Windows
Allows a user with this role to add, remove, or edit blackout windows.

Vulnerability Permissions

View Vulnerability Data
Allows a user with this role to view vulnerability data.

Accept Risks
Allows a user with this role to accept risks for vulnerabilities.

Recast Risks
Allows a user with this role to recast risks for vulnerabilities.

Event Permissions

View Event Data
Allows a user with this role to view event data.

Organizational Attribute Permissions

Manage Attribute Sets
Create and manage CyberScope and ARF attribute sets for reports.

Dashboard Permissions

Share Dashboard Tabs
Allows a user with this role to share dashboard tabs with other SecurityCenter users.

Report Permissions

Manage Report Images
Allows a user with this role to add or remove images used in SecurityCenter reports.

Plugin Permissions

Update Plugins
Allows a user with this role to update Nessus and PVS plugins.

User Permissions

Manage Users
Allows a user with this role to manage non-admin SecurityCenter users.

User Log Permissions

View Organization Logs
Allows a user with this role to view logs for all organizational users.

Support

Asset Permissions

Share Assets
Allows users with this role to share assets with other users.

Create Organization Assets
Allows users with this role to create organizational assets.

Edit/Delete Organization Assets
Allows users with this role to edit organizational assets.

Audit File Permissions

Create Audit Files
Allows users with this role to upload audit files.

Credential Permissions

Share Credentials
Allows users with this role to share credentials with other users.

Create Organization Credentials
Allows users with this role to create organizational credentials.

Edit/Delete Organization Credentials
Allows users with this role to edit organizational credentials.

Policy Permissions

Create Policies
Allows users with this role to create scan policies.

Share Policies
Allows users with this role to share scan policies.

Create Organization Policies
Allows users with this role to create organizational policies.

Edit/Delete Organization Policies
Allows users with this role to edit organizational policies.

Query Permissions

Share Queries
Allows users with this role to share custom queries.

Create Organizational Queries
Allows users with this role to create organizational queries.

Edit/Delete Organization Queries
Allows users with this role to edit organizational queries.

Workflow Permissions

Create Alerts
Allows users with this role to create custom alerts.

Create Tickets
Allows users with this role to create tickets.

Purge Tickets
Allows users with this role to purge tickets.

Edit

Clicking on the Edit button allows you to change any of the information for any custom role that has been created.

Detail

Clicking on the Detail button displays a summary of the role, such as name, description, number of users and permissions.

Delete

Clicking on the Delete button displays a window asking if you really want to delete the role and then deletes it after confirmation. Deleting a role will cause all users with that role to lose all assigned permissions.

Workflow

The Workflow tab contains options for alerting and ticketing. These functions allow the user to be notified of and properly handle vulnerabilities and events as they come in.

Alerts

SecurityCenter can be configured to perform actions, such as email alerts, for select vulnerability or alert occurrences to various users regardless of whether the events correlate to a local vulnerability or not. Other alert actions include UI notification, ticket creation/assignment, remediation scans, launching a report, and syslog alerting. Many actions can be assigned per ticket.

Triggered Alert Listing

The user is presented with the ability to Add, Edit, Evaluate, Detail (view details of) and Delete alerts. The Evaluate option allows an alert to be tested whether it has met the configured time criteria or not. The screen capture below shows a sample alert configuration page:

Add Alert Dialog

Table 62 Alert Options

Name
Alert name.

Description
Descriptive text for the alert.

Data Type
Vulnerability, Event, or Ticket.

Query
The dataset to which the trigger condition will be compared.

Filters
Apply advanced filters to the vulnerability or event data. The complete filter set may be created here, or if a Query was selected those parameters may be edited. See tables 8 and 10 for filter options.

Trigger
    IP Count: Trigger on vulnerabilities or events whose IP count matches the given parameters.
    Unique Vulnerability/Event Count: Trigger an alert when the vulnerability/event count matches the given parameters. This option is set to Unique Vulnerability Count for vulnerability alerts and Event Count for event alerts.
    Port Count: Trigger an alert when the events/vulnerabilities using a certain port number match the given parameters.

Frequency
How often the alert will check the trigger condition.

Behavior
If set to alert on the first occurrence, the alert will only trigger when the condition initially changes from false to true.

Clicking on Add New Action will present you with the following options:

Use alerts to interface with third-party ticketing systems by adding variables in the email message field.

Table 63 Alert Action Definition Options

Email

Subject
Subject line of the alert email.

Message
Message of the alert email. Within the message body, the following variables can be defined for message customization:
    Alert ID: designated with the variable %alertid%, this specifies the unique identification number assigned to the alert by SecurityCenter.
    Alert name: designated with the variable %alertname%, this specifies the name assigned to the alert (e.g., Test alert).
    Trigger Name: designated with the variable %triggername%, this specifies whether the trigger is IP count, Vulnerability count or Port count.
    Trigger Operator: designated with the variable %triggeroperator%, this specifies which operator was used for the count: >=, =, >= or !=.
    Trigger value: designated with the variable %triggervalue%, this specifies the threshold value set that will trigger the alert.
    Calculated value: designated with the variable %calculatedvalue%, this specifies the actual value that triggered the alert.
    Alert Name: designated with the variable %alertname%, this specifies the name given to the alert within SecurityCenter.
    Alert owner: designated with the variable %owner%, this specifies the user that created the alert.
    SC4 URL: designated with the variable %url%, this specifies the URL that the SecurityCenter can be accessed with. This is useful where the URL that users can access SecurityCenter with differs from the URL known by SecurityCenter.

The sample alert below contains some of these keywords embedded into an HTML email:

    Alert <strong>%alertname%</strong> (id #%alertid%) has triggered.
    <strong>Alert Definition:</strong> %triggername% %triggeroperator% %triggervalue%
    <strong>Calculated Value:</strong> %calculatedvalue%
    Please visit your SecurityCenter (<a href="%url%">%url%</a>) for more information.
    This email was automatically generated by SecurityCenter as a result of alert <strong>%alertname%</strong> owned by <strong>%owner%</strong>. If you do not wish to receive this email, contact the alert owner.

Include Results
If this check box is checked, the query results (maximum of 500) that triggered the alert are included in the email.

Users
Users who will be emailed. The user's email address is used with this function. If a user is configured within the action and that user is deleted, the action field within the alert turns red. In addition, a notification is displayed for the new alert owner with the new alert status. To resolve this, edit the alert action definitions and choose Edit Action to apply the correct user(s).

Email Addresses
Additional email addresses to send the alert to. For multiple recipients, add one address per line or use a comma-separated list.

Notify

Notification Message
Custom notification message to generate when the alert triggers.

Assignees
Users who will receive the notification message.

Syslog

Host
Host that will receive the syslog alert.

Port
UDP port used by the remote syslog server.

Severity
Severity level of the syslog messages (Critical, Warning, or Notice).

Message
Message to include within the syslog alert.

Assign Ticket

Name
Name assigned to the ticket.

Description
Ticket description.

Assignee
User who will receive the ticket.

Scan

Scan Template
Scan template to be used for the alert scan. Allows the user to select from a list of available scan templates to launch a scan against a triggered host. The scanned host will be the host that triggered the scan and not the host within the scan template itself. IPs used for the scan targets are limited to the top 100 results of the alert query.

Report

Report Template
Allows the user to select an existing report template and generate the report based on triggered alert data.

Tickets

Tickets can be created both manually and automatically by a predefined set of conditions through the alerting functionality described above. Tickets are created from the Workflow -> Tickets view or when viewing vulnerabilities or events through the analysis tools. Tickets contain the following fields:

Table 64 Ticket Options

Name
Name assigned to the ticket.

Description
Descriptive text for the ticket.

Notes
Notes for the ticket assignee.

Status (Available during edit)
The following ticket statuses become available after a ticket has been created and are available from the Edit screen:
    Assigned
    More Information
    Not Applicable
    Duplicate
    Resolved
    Closed

Assignee
User that the ticket is assigned to. If the ticket assignee is deleted, the ticket is automatically reassigned to the assignee's owner along with a notification message indicating that the ticket has been reassigned.

Classification
Ticket classification can be selected from a drop-down list containing such items as Information, Configuration, Patch, Disable, False Positive, and many others.

Data Type
Vulnerability or Event.

Take Snapshot
Allows a snapshot of query results to be saved for the ticket assignee.

Queries
List of queries generated from the Take Snapshot option for the ticket assignee to assist with resolution.

In addition to adding and editing tickets, a Browse command button is available. This option enables the user to view the vulnerability snapshot added during ticket creation. The displayed view matches the query that was used by the ticket. To return to the ticket view, click on the white arrow displayed on the left-hand side of the screen.

To view details about an existing ticket, either use the Edit button to view options that were set during the Add Ticket process or use the Details button to view a Ticket Detail summary with the name, status, creator, assignee, history, queries, description, and ticket notes. Once a ticket has been mitigated, click on Update to provide ticket resolution.
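The alert trigger evaluation of Table 62, including the alert-on-first-occurrence behavior, together with the %variable% substitution of Table 63, as an added Python example that is not SecurityCenter code; the record layout, the operator set and the HTML escaping of the user-entered alert name and owner are assumptions made here.

```python
"""Evaluate an alert over vulnerability records and render its e-mail message.
Added example, not SecurityCenter code: the record layout, the operator set and
the HTML escaping of user-supplied fields are assumptions for illustration."""
import html
import operator

# Constructed sample vulnerability records (IP, plugin ID, port); not real scan data.
SAMPLE_VULNS = [
    {"ip": "10.0.0.1", "plugin_id": 11111, "port": 22},
    {"ip": "10.0.0.1", "plugin_id": 22222, "port": 443},
    {"ip": "10.0.0.2", "plugin_id": 11111, "port": 22},
    {"ip": "10.0.0.3", "plugin_id": 33333, "port": 80},
]

# Trigger names from Table 62 and how each count is derived from the query results.
TRIGGERS = {
    "IP Count": lambda rows: len({r["ip"] for r in rows}),
    "Unique Vulnerability Count": lambda rows: len({r["plugin_id"] for r in rows}),
    "Port Count": lambda rows: len({r["port"] for r in rows}),
}

# Operators as they would appear in %triggeroperator% (assumed subset).
OPERATORS = {">=": operator.ge, "=": operator.eq, "!=": operator.ne}


class Alert:
    """One alert definition plus the state needed for 'alert on first occurrence'."""

    def __init__(self, alert_id, name, owner, trigger, op, value, first_only=False):
        self.alert_id, self.name, self.owner = alert_id, name, owner
        self.trigger, self.op, self.value = trigger, op, value
        self.first_only = first_only
        self._last_state = False  # result of the previous scheduled check

    def evaluate(self, rows):
        """Run one scheduled check; return (fired, calculated_value)."""
        calculated = TRIGGERS[self.trigger](rows)
        condition = OPERATORS[self.op](calculated, self.value)
        # With first-occurrence behaviour the alert fires only on a false -> true edge.
        fired = condition and not self._last_state if self.first_only else condition
        self._last_state = condition
        return fired, calculated


# The HTML sample from the guide, shortened to the lines that use variables.
SAMPLE_TEMPLATE = """Alert <strong>%alertname%</strong> (id #%alertid%) has triggered.
<strong>Alert Definition:</strong> %triggername% %triggeroperator% %triggervalue%
<strong>Calculated Value:</strong> %calculatedvalue%
Please visit your SecurityCenter (<a href="%url%">%url%</a>) for more information.
Alert owned by <strong>%owner%</strong>."""


def render_message(template, alert, calculated, url):
    """Substitute the %variable% keywords of Table 63 into the message body.
    Alert name and owner are entered by users, so they are HTML-escaped here
    before landing in an HTML e-mail (an assumption of this example)."""
    values = {
        "%alertid%": str(alert.alert_id),
        "%alertname%": html.escape(alert.name),
        "%owner%": html.escape(alert.owner),
        "%triggername%": alert.trigger,
        "%triggeroperator%": alert.op,
        "%triggervalue%": str(alert.value),
        "%calculatedvalue%": str(calculated),
        "%url%": html.escape(url, quote=True),
    }
    out = template
    for key, val in values.items():
        out = out.replace(key, val)
    return out


def run_alert(alert, rows, url="https://securitycenter.example/"):
    """One scheduled evaluation: return the rendered e-mail body, or None if not fired."""
    fired, calculated = alert.evaluate(rows)
    return render_message(SAMPLE_TEMPLATE, alert, calculated, url) if fired else None


if __name__ == "__main__":
    alert = Alert(7, "Test alert", "bsmirth", "IP Count", ">=", 3, first_only=True)
    print(run_alert(alert, SAMPLE_VULNS))  # fires: three distinct IPs
    print(run_alert(alert, SAMPLE_VULNS))  # None: condition did not change
```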

Ticket Resolution

Within the Status drop-down, the user can select from one of the following status options: Resolved, More Information, Duplicate, or Not Applicable. Choose the correct status and add notes relevant to the ticket resolution. Resolved tickets still show up in the user's ticket queue with an Active status. Closing a ticket removes the ticket from the Active status filter view, but does not provide the ability to add notes similar to the Update Ticket function. Tickets in the Resolved or Closed state can always be reopened as needed.

The final option is Purge Tickets. Purged tickets are removed completely from SecurityCenter. Do not perform this option unless you are certain that the tickets are no longer needed. This option is available, by default, only to the Organization Head user and is used to remove tickets based on date criteria. Clicking on the Purge Tickets command button displays the following dialog:

Ticket Purge Dialog

Only closed tickets can be purged, and purged tickets are removed permanently from the system.

Accept Risk Rules

The Accept Risk Rules section lists the currently created rules of accepted risks. This enables users to obtain information on what particular vulnerabilities or hosts have been declared to be accepted and, if noted in the comments, the reason. Rules may be searched by Plugin ID or Repository. If a vulnerability is determined to be unaccepted, the rule may be selected and deleted.

Recast Risk Rules

The Recast Risk Rules section lists the currently created rules of recast risks. This enables users to obtain information on what particular vulnerabilities or hosts have had risk levels recast, their new severity level and, if noted in the comments, the reason for the severity change. Rules may be searched by Plugin ID or Repository. If a vulnerability is to be reset to its original severity level, the rule may be deleted.

Plugins

Plugins are scripts used by the Nessus, PVS, and LCE servers to interpret vulnerability data. For ease of operation, Nessus and PVS plugins are managed centrally by SecurityCenter and pushed out to their respective scanners. LCE servers download their own event plugins and SecurityCenter downloads event plugins for its local reference. SecurityCenter does not currently push event plugins to LCE servers.

Within the Plugins interface, the user has the ability to perform a wide variety of plugin-related functions, including updating active, passive and event plugins, uploading custom plugins, viewing plugin details/source, and searching for specific plugins. Clicking on the Plugins tab displays a page similar to the one below:

Plugin Listing

Update Plugins

Immediately after installing SecurityCenter, plugins are automatically updated and then updated on a regularly scheduled basis. Manually updating plugins simply involves clicking on the command button and waiting for the process to complete. Due to the large quantity of plugins and the inconsistency of network speeds, this process can take a long time to complete. The date and time of the last successful plugin update is displayed for each type at the top of the page to the right of the Upload Plugins command button. After a successful download, the plugins are displayed in the plugin table with the date or number of hours or days since the last successful download in the Date Downloaded field.

Upload Plugins

Clicking on Upload Plugins opens a dialog box that allows the user to upload one or more active, passive, event, or custom plugins. Choose Custom for any active, passive, or event plugins that you have created. All custom plugins must have unique Plugin ID numbers and have family associations based on existing SecurityCenter families. Choose Active, Passive, or Event for the appropriate type of Tenable provided signed plugins.

Custom plugin uploads must now be a complete feed. In order to upload custom plugins, the provided tar.gz file must include the relevant NASLs and a custom_feed_info.inc file comprised of the following two lines:

    PLUGIN_SET = " ";
    PLUGIN_FEED = "Custom";

The administrator must manage this file and update the PLUGIN_SET option for each upload. The PLUGIN_SET format is YYYYMMDDHHMM.
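An added Python example (not Tenable or SecurityCenter code) that packages a custom feed in the layout just described and checks the two stated rules, unique plugin IDs and existing family names, before anything is uploaded; the family list, the sample NASL sources and the file names are constructed assumptions.

```python
"""Assemble and sanity-check a custom plugin feed in the layout described above:
the NASL files plus a custom_feed_info.inc carrying PLUGIN_SET (YYYYMMDDHHMM)
and PLUGIN_FEED = "Custom". Added example, not Tenable code; the family list
and the sample NASL sources are constructed for illustration."""
import io
import re
import tarfile
from datetime import datetime, timezone

# Assumed subset of existing SecurityCenter plugin families (placeholder list).
KNOWN_FAMILIES = {"General", "Web Servers", "Misc."}

SCRIPT_ID_RE = re.compile(r"script_id\s*\(\s*(\d+)\s*\)")
SCRIPT_FAMILY_RE = re.compile(r'script_family\s*\(\s*english\s*:\s*"([^"]+)"\s*\)')

# Constructed sample NASL sources (file name -> content); not real plugins.
SAMPLE_PLUGINS = {
    "custom_banner_check.nasl": 'script_id(910001);\nscript_family(english:"General");\n',
    "custom_header_check.nasl": 'script_id(910002);\nscript_family(english:"Web Servers");\n',
}


def parse_plugin(source):
    """Return (plugin_id, family) declared by a NASL source, or raise ValueError."""
    m_id = SCRIPT_ID_RE.search(source)
    m_fam = SCRIPT_FAMILY_RE.search(source)
    if not m_id or not m_fam:
        raise ValueError("NASL must declare script_id() and script_family()")
    return int(m_id.group(1)), m_fam.group(1)


def validate_feed(plugins, known_families=KNOWN_FAMILIES):
    """Check the two rules stated in the guide: unique plugin IDs and families that
    already exist in SecurityCenter. Returns a list of problems (empty if clean)."""
    problems, seen = [], {}
    for name, source in plugins.items():
        try:
            plugin_id, family = parse_plugin(source)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if plugin_id in seen:
            problems.append(f"{name}: plugin ID {plugin_id} duplicates {seen[plugin_id]}")
        seen.setdefault(plugin_id, name)
        if family not in known_families:
            problems.append(f"{name}: unknown family {family!r}")
    return problems


def plugin_set(now=None):
    """PLUGIN_SET value in the documented YYYYMMDDHHMM format (UTC by default)."""
    return (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M")


def feed_info(now=None):
    """Contents of custom_feed_info.inc, the two lines shown in the guide."""
    return f'PLUGIN_SET = "{plugin_set(now)}";\nPLUGIN_FEED = "Custom";\n'


def build_feed(plugins, now=None):
    """Return the tar.gz bytes (NASLs plus custom_feed_info.inc); refuse a feed that
    fails validation so a bad upload is caught before it reaches SecurityCenter."""
    problems = validate_feed(plugins)
    if problems:
        raise ValueError("; ".join(problems))
    members = list(plugins.items()) + [("custom_feed_info.inc", feed_info(now))]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in members:
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_feed(blob):
    """Sorted member names of a feed tarball, for checking what was packed."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    with open("custom_feed.tar.gz", "wb") as fh:
        fh.write(build_feed(SAMPLE_PLUGINS))
    print(list_feed(build_feed(SAMPLE_PLUGINS)))
```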


More information

Business Insight Report Authoring Getting Started Guide

Business Insight Report Authoring Getting Started Guide Business Insight Report Authoring Getting Started Guide Version: 6.6 Written by: Product Documentation, R&D Date: February 2011 ImageNow and CaptureNow are registered trademarks of Perceptive Software,

More information

User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011

User's Guide. Product Version: 2.5.0 Publication Date: 7/25/2011 User's Guide Product Version: 2.5.0 Publication Date: 7/25/2011 Copyright 2009-2011, LINOMA SOFTWARE LINOMA SOFTWARE is a division of LINOMA GROUP, Inc. Contents GoAnywhere Services Welcome 6 Getting Started

More information

3D Tool 2.0 Quick Start Guide

3D Tool 2.0 Quick Start Guide www.tenable.com sales@tenable.com 3D Tool 2.0 Quick Start Guide ABOUT THE 3D TOOL Tenable s 3D Tool is a Windows application that is used to query data from a SecurityCenter 4 server and present it in

More information

SecurityCenter 5.1 with Nessus Agent Support. October 22, 2015

SecurityCenter 5.1 with Nessus Agent Support. October 22, 2015 SecurityCenter 5.1 with Nessus Agent Support October 22, 2015 Table of Contents Introduction... 3 Adding an Agent Repository... 6 Add Agent Scans and Import Agent Scan Results... 7 Tips and Tricks... 8

More information

BIG LOTS VENDOR COMPLIANCE WEB PORTAL USER GUIDE - VENDOR 300 PHILLIPI RD. COLUMBUS, OH 43228

BIG LOTS VENDOR COMPLIANCE WEB PORTAL USER GUIDE - VENDOR 300 PHILLIPI RD. COLUMBUS, OH 43228 BIG LOTS VENDOR COMPLIANCE WEB PORTAL USER GUIDE - VENDOR 300 PHILLIPI RD. COLUMBUS, OH 43228 Contents Getting Started...4 Tips for Using Actionable Intelligence... 4 Logging into Actionable Intelligence...

More information

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do?

McAfee SIEM Alarms. Setting up and Managing Alarms. Introduction. What does it do? What doesn t it do? McAfee SIEM Alarms Setting up and Managing Alarms Introduction McAfee SIEM provides the ability to send alarms on a multitude of conditions. These alarms allow for users to be notified in near real time

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Application Performance Monitoring for WhatsUp Gold v16.1 User Guide

Application Performance Monitoring for WhatsUp Gold v16.1 User Guide Application Performance Monitoring for WhatsUp Gold v16.1 User Guide Contents Table of Contents Introduction APM Overview... 1 Learning about APM terminology... 2 Getting Started with APM... 3 Application

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Table of Contents INTRODUCTION...2 HOME PAGE...3. Announcements... 6 Personalize... 7 Reminders... 9 Recent Items... 11 SERVICE CATALOG...

Table of Contents INTRODUCTION...2 HOME PAGE...3. Announcements... 6 Personalize... 7 Reminders... 9 Recent Items... 11 SERVICE CATALOG... Table of Contents INTRODUCTION...2 HOME PAGE...3 Announcements... 6 Personalize... 7 Reminders... 9 Recent Items... 11 SERVICE CATALOG...12 REQUEST...14 Request List View... 15 Creating a New Incident...

More information

Eucalyptus 3.4.2 User Console Guide

Eucalyptus 3.4.2 User Console Guide Eucalyptus 3.4.2 User Console Guide 2014-02-23 Eucalyptus Systems Eucalyptus Contents 2 Contents User Console Overview...4 Install the Eucalyptus User Console...5 Install on Centos / RHEL 6.3...5 Configure

More information

REUTERS/TIM WIMBORNE SCHOLARONE MANUSCRIPTS COGNOS REPORTS

REUTERS/TIM WIMBORNE SCHOLARONE MANUSCRIPTS COGNOS REPORTS REUTERS/TIM WIMBORNE SCHOLARONE MANUSCRIPTS COGNOS REPORTS 28-APRIL-2015 TABLE OF CONTENTS Select an item in the table of contents to go to that topic in the document. USE GET HELP NOW & FAQS... 1 SYSTEM

More information

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide USM 5.2 Vulnerability Assessment Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Application Performance Monitoring for WhatsUp Gold v16.2 User Guide

Application Performance Monitoring for WhatsUp Gold v16.2 User Guide Application Performance Monitoring for WhatsUp Gold v16.2 User Guide C o n t e n t s CHAPTER 1 Introduction APM Overview... 1 Learning about APM terminology... 2 Getting Started with APM... 3 Application

More information

Audit Management Reference

Audit Management Reference www.novell.com/documentation Audit Management Reference ZENworks 11 Support Pack 3 February 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of

More information

Customer admin guide. UC Management Centre

Customer admin guide. UC Management Centre Customer admin guide UC Management Centre June 2013 Contents 1. Introduction 1.1 Logging into the UC Management Centre 1.2 Language Options 1.3 Navigating Around the UC Management Centre 4 4 5 5 2. Customers

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

Tenable Enterprise Product Training

Tenable Enterprise Product Training Tenable Enterprise Product Training Tenable Unified Security Monitoring for Analysts (5MD) This hands-on instructor led course provides security analysts with the skills and knowledge necessary to discover

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

NETWORK PRINT MONITOR User Guide

NETWORK PRINT MONITOR User Guide NETWORK PRINT MONITOR User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Passive Vulnerability Scanner 4.2 User Guide. June 8, 2015 (Revision 12)

Passive Vulnerability Scanner 4.2 User Guide. June 8, 2015 (Revision 12) Passive Vulnerability Scanner 4.2 User Guide June 8, 2015 (Revision 12) Table of Contents Introduction... 7 Standards and Conventions... 7 Passive Vulnerability Scanner Background and Theory... 7 System

More information

Kaseya 2. Quick Start Guide. for VSA 6.1

Kaseya 2. Quick Start Guide. for VSA 6.1 Kaseya 2 Monitoring Configuration Quick Start Guide for VSA 6.1 January 17, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector

More information

rating of 5 out 5 stars

rating of 5 out 5 stars SPM User Guide Contents Aegify comprehensive benefits... 2 Security Posture Assessment workflow... 3 Scanner Management... 3 Upload external scan output... 6 Reports - Views... 6 View Individual Security

More information

Table of Contents INTRODUCTION... 2 HOME PAGE... 3. Announcements... 7 Personalize & Change Password... 8 Reminders... 9 SERVICE CATALOG...

Table of Contents INTRODUCTION... 2 HOME PAGE... 3. Announcements... 7 Personalize & Change Password... 8 Reminders... 9 SERVICE CATALOG... Table of Contents INTRODUCTION... 2 HOME PAGE... 3 Announcements... 7 Personalize & Change Password... 8 Reminders... 9 SERVICE CATALOG... 11 Raising a Service Request... 12 Edit the Service Request...

More information

MANAGER SELF SERVICE USER GUIDE

MANAGER SELF SERVICE USER GUIDE MANAGER SELF SERVICE USER GUIDE FEBRUARY 2016 Contents Note: If using this guide electronically the contents are hyperlinked to each section. Introduction... 2 Using This Manual... 2 Signing in to Workday...

More information

Tenable Network Security Support Portal. January 12, 2015 (Revision 14)

Tenable Network Security Support Portal. January 12, 2015 (Revision 14) Tenable Network Security Support Portal January 12, 2015 (Revision 14) Table of Contents Introduction... 3 Activate Tenable Support Portal... 3 Locate Your Customer ID... 6 Manage Your Activation Codes...

More information

Log Correlation Engine Backup Strategy

Log Correlation Engine Backup Strategy Log Correlation Engine Backup Strategy August 10, 2012 (Revision 1) Copyright 2002-2012 Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of

More information

TSM Studio Server User Guide 2.9.0.0

TSM Studio Server User Guide 2.9.0.0 TSM Studio Server User Guide 2.9.0.0 1 Table of Contents Disclaimer... 4 What is TSM Studio Server?... 5 System Requirements... 6 Database Requirements... 6 Installing TSM Studio Server... 7 TSM Studio

More information

Kaseya 2. User Guide. Version 1.1

Kaseya 2. User Guide. Version 1.1 Kaseya 2 Directory Services User Guide Version 1.1 September 10, 2011 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3

Wavelink Avalanche Mobility Center Java Console User Guide. Version 5.3 Wavelink Avalanche Mobility Center Java Console User Guide Version 5.3 Revised 17/04/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

Business Portal for Microsoft Dynamics GP 2010. User s Guide Release 5.1

Business Portal for Microsoft Dynamics GP 2010. User s Guide Release 5.1 Business Portal for Microsoft Dynamics GP 2010 User s Guide Release 5.1 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is. Information and

More information

Asset Track Getting Started Guide. An Introduction to Asset Track

Asset Track Getting Started Guide. An Introduction to Asset Track Asset Track Getting Started Guide An Introduction to Asset Track Contents Introducing Asset Track... 3 Overview... 3 A Quick Start... 6 Quick Start Option 1... 6 Getting to Configuration... 7 Changing

More information

GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008

GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3. May 1, 2008 GETTING STARTED WITH THE PCI COMPLIANCE SERVICE VERSION 2.3 May 1, 2008 Copyright 2006-2008 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys,

More information

Document OwnCloud Collaboration Server (DOCS) User Manual. How to Access Document Storage

Document OwnCloud Collaboration Server (DOCS) User Manual. How to Access Document Storage Document OwnCloud Collaboration Server (DOCS) User Manual How to Access Document Storage You can connect to your Document OwnCloud Collaboration Server (DOCS) using any web browser. Server can be accessed

More information

Version 10.3. End User Help Files. GroupLink Corporation 2014 GroupLink Corporation. All rights reserved

Version 10.3. End User Help Files. GroupLink Corporation 2014 GroupLink Corporation. All rights reserved Version 10.3 End User Help Files GroupLink Corporation 2014 GroupLink Corporation. All rights reserved GroupLink and everything HelpDesk are registered trademarks of GroupLink Corporation. The information

More information

Version 11.0.1. End User Help Files. GroupLink Corporation 2015 GroupLink Corporation. All rights reserved

Version 11.0.1. End User Help Files. GroupLink Corporation 2015 GroupLink Corporation. All rights reserved Version 11.0.1 End User Help Files GroupLink Corporation 2015 GroupLink Corporation. All rights reserved GroupLink and everything HelpDesk are registered trademarks of GroupLink Corporation. The information

More information

Dashboard Admin Guide

Dashboard Admin Guide MadCap Software Dashboard Admin Guide Pulse Copyright 2014 MadCap Software. All rights reserved. Information in this document is subject to change without notice. The software described in this document

More information

isupport 15 Release Notes

isupport 15 Release Notes isupport 15 Release Notes This document includes new features, changes, and fixes in isupport v15. The Readme.txt file included with the download includes a list of known issues. New Features in isupport

More information

Understanding BeyondTrust Patch Management

Understanding BeyondTrust Patch Management Best Practices WHITE PAPER Understanding BeyondTrust Patch Management February 2014 Contents Overview... 3 1 - Configure Retina CS... 4 2 - Enable Patch Management for Smart Groups... 6 3 Identify and

More information

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

VMware vcenter Log Insight Getting Started Guide

VMware vcenter Log Insight Getting Started Guide VMware vcenter Log Insight Getting Started Guide vcenter Log Insight 1.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

Using SQL Reporting Services with Amicus

Using SQL Reporting Services with Amicus Using SQL Reporting Services with Amicus Applies to: Amicus Attorney Premium Edition 2011 SP1 Amicus Premium Billing 2011 Contents About SQL Server Reporting Services...2 What you need 2 Setting up SQL

More information

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide

IBM Security QRadar SIEM Version 7.1.0 MR1. Vulnerability Assessment Configuration Guide IBM Security QRadar SIEM Version 7.1.0 MR1 Vulnerability Assessment Configuration Guide Note: Before using this information and the product that it supports, read the information in Notices and Trademarks

More information

Copyright EPiServer AB

Copyright EPiServer AB Table of Contents 3 Table of Contents ABOUT THIS DOCUMENTATION 4 HOW TO ACCESS EPISERVER HELP SYSTEM 4 EXPECTED KNOWLEDGE 4 ONLINE COMMUNITY ON EPISERVER WORLD 4 COPYRIGHT NOTICE 4 EPISERVER ONLINECENTER

More information

Ross Video Limited. DashBoard Server and User Rights Management User Manual

Ross Video Limited. DashBoard Server and User Rights Management User Manual Ross Video Limited DashBoard Server and User Rights Management User Manual DashBoard Server and User Rights Management User Manual Ross Part Number: 8351DR-004A-01 Release Date: March 22, 2011. Printed

More information

Installing and Administering VMware vsphere Update Manager

Installing and Administering VMware vsphere Update Manager Installing and Administering VMware vsphere Update Manager Update 1 vsphere Update Manager 5.1 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Tunnels and Redirectors

Tunnels and Redirectors Tunnels and Redirectors TUNNELS AND REDIRECTORS...1 Overview... 1 Security Details... 2 Permissions... 2 Starting a Tunnel... 3 Starting a Redirector... 5 HTTP Connect... 8 HTTPS Connect... 10 LabVNC...

More information

Microsoft Office Live Meeting Events User s Guide

Microsoft Office Live Meeting Events User s Guide Microsoft Office Live Meeting Events User s Guide Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies,

More information

DIIMS Records Classifier Guide

DIIMS Records Classifier Guide DIIMS Records Classifier Guide Featuring Content Server 10 Second Edition, November 2012 Table of Contents Contents 1. DIIMS Overview... 3 1.1 An Overview of DIIMS within the GNWT... 3 1.1.1 Purpose of

More information

Introduction to dobe Acrobat XI Pro

Introduction to dobe Acrobat XI Pro Introduction to dobe Acrobat XI Pro Introduction to Adobe Acrobat XI Pro is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this

More information

Best Practices. Understanding BeyondTrust Patch Management

Best Practices. Understanding BeyondTrust Patch Management Best Practices Understanding BeyondTrust Patch Management February 2014 Contents Overview... 3 1 - Configure Retina CS... 4 2 - Enable Patch Management for Smart Groups... 6 3 Identify and Approve Patches...

More information

Nessus and Antivirus. January 31, 2014 (Revision 4)

Nessus and Antivirus. January 31, 2014 (Revision 4) Nessus and Antivirus January 31, 2014 (Revision 4) Table of Contents Introduction... 3 Standards and Conventions... 3 Overview... 3 A Note on SCAP Audits... 4 Microsoft Windows Defender... 4 Kaspersky

More information

Table of Contents. Manual for Core Staff - Equipment/Scheduling Core Facilities

Table of Contents. Manual for Core Staff - Equipment/Scheduling Core Facilities Table of Contents 1. Overview 2. How do I manage my account? 3. Equipment Scheduling Workflow Overview 4. Equipment Scheduling Walk Through a. How do I access the list of calendars available for scheduling?

More information

Administering Cisco ISE

Administering Cisco ISE CHAPTER 8 This chapter describes the administrative activities for the Cisco Identity Services Engine (ISE) and how to perform them. The following topics are covered: Logging In, page 8-1 System Time and

More information

SAS Task Manager 2.2. User s Guide. SAS Documentation

SAS Task Manager 2.2. User s Guide. SAS Documentation SAS Task Manager 2.2 User s Guide SAS Documentation The correct bibliographic citation for this manual is as follows: SAS Institute Inc. 2015. SAS Task Manager 2.2: User's Guide. Cary, NC: SAS Institute

More information

User Documentation. Administrator Manual. www.proposalsoftware.com

User Documentation. Administrator Manual. www.proposalsoftware.com User Documentation Administrator Manual Proposal Software 1140 US Highway 287, Suite 400-102 Broomfield, CO 80020 USA Tel: 203.604.6597 www.proposalsoftware.com Table of Contents Open the WebPro Viewer...

More information

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide

IBM Security QRadar Vulnerability Manager Version 7.2.1. User Guide IBM Security QRadar Vulnerability Manager Version 7.2.1 User Guide Note Before using this information and the product that it supports, read the information in Notices on page 61. Copyright IBM Corporation

More information

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D

Network Detective. Network Detective Inspector. 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Network Detective 2015 RapidFire Tools, Inc. All rights reserved 20151013 Ver 3D Contents Overview... 3 Components of the Inspector... 3 Inspector Appliance... 3 Inspector Diagnostic Tool... 3 Network

More information

Passive Vulnerability Scanner 4.0 User Guide. September 18, 2014 (Revision 12)

Passive Vulnerability Scanner 4.0 User Guide. September 18, 2014 (Revision 12) Passive Vulnerability Scanner 4.0 User Guide September 18, 2014 (Revision 12) Table of Contents Introduction... 5 Standards and Conventions... 5 Passive Vulnerability Scanner Background and Theory... 5

More information

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.

GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd. GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: info@gfi.com Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

January 4, 2011. (Revision 1) The newest version of this document is available at the following URL: http://cgi.tenable.com/lce_3.6_stats.

January 4, 2011. (Revision 1) The newest version of this document is available at the following URL: http://cgi.tenable.com/lce_3.6_stats. Log Correlation Engine 3.6 Statistics Daemon Guide January 4, 2011 (Revision 1) The newest version of this document is available at the following URL: http://cgi.tenable.com/lce_3.6_stats.pdf Copyright

More information

User Guide. Trade Finance Global. Reports Centre. October 2015. nordea.com/cm OR tradefinance Name of document 8/8 2015/V1

User Guide. Trade Finance Global. Reports Centre. October 2015. nordea.com/cm OR tradefinance Name of document 8/8 2015/V1 User Guide Trade Finance Global Reports Centre October 2015 nordea.com/cm OR tradefinance Name of document 2015/V1 8/8 Table of Contents 1 Trade Finance Global (TFG) Reports Centre Overview... 4 1.1 Key

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Secure Bytes, October 2011 This document is confidential and for the use of a Secure Bytes client only. The information contained herein is the property of Secure Bytes and may

More information

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2

Information Server Documentation SIMATIC. Information Server V8.0 Update 1 Information Server Documentation. Introduction 1. Web application basics 2 Introduction 1 Web application basics 2 SIMATIC Information Server V8.0 Update 1 System Manual Office add-ins basics 3 Time specifications 4 Report templates 5 Working with the Web application 6 Working

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Custom Reporting System User Guide

Custom Reporting System User Guide Citibank Custom Reporting System User Guide April 2012 Version 8.1.1 Transaction Services Citibank Custom Reporting System User Guide Table of Contents Table of Contents User Guide Overview...2 Subscribe

More information

Tracking Network Changes Using Change Audit

Tracking Network Changes Using Change Audit CHAPTER 14 Change Audit tracks and reports changes made in the network. Change Audit allows other RME applications to log change information to a central repository. Device Configuration, Inventory, and

More information

Online Help StruxureWare Data Center Expert

Online Help StruxureWare Data Center Expert Online Help StruxureWare Data Center Expert Version 7.2.1 What's New in StruxureWare Data Center Expert 7.2.x Learn more about the new features available in the StruxureWare Data Center Expert 7.2.x release.

More information

Using the Cisco OnPlus Scanner to Discover Your Network

Using the Cisco OnPlus Scanner to Discover Your Network Using the Cisco OnPlus Scanner to Discover Your Network Last Revised: October 22, 2012 This Application Note explains how to use the Cisco OnPlus Scanner with the Cisco OnPlus Portal to discover and manage

More information

Kaseya 2. User Guide. Version 7.0. English

Kaseya 2. User Guide. Version 7.0. English Kaseya 2 Monitoring Configuration User Guide Version 7.0 English September 3, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept

More information

NetApp SANtricity Management Pack for Microsoft System Center Operations Manager 3.0

NetApp SANtricity Management Pack for Microsoft System Center Operations Manager 3.0 NetApp SANtricity Management Pack for Microsoft System Center Operations Manager 3.0 User Guide NetApp, Inc. Telephone: +1 (408) 822-6000 Part number: 215-10033_A0 495 East Java Drive Fax: +1 (408) 822-4501

More information

IBM Security QRadar Vulnerability Manager Version 7.2.6. User Guide IBM

IBM Security QRadar Vulnerability Manager Version 7.2.6. User Guide IBM IBM Security QRadar Vulnerability Manager Version 7.2.6 User Guide IBM Note Before using this information and the product that it supports, read the information in Notices on page 91. Product information

More information

McAfee Endpoint Encryption Reporting Tool

McAfee Endpoint Encryption Reporting Tool McAfee Endpoint Encryption Reporting Tool User Guide Version 5.2.13 McAfee, Inc. McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054, USA Tel: (+1) 888.847.8766 For more information regarding local

More information

SAP BusinessObjects Business Intelligence Platform Document Version: 4.1 Support Package 5-2014-11-06. Business Intelligence Launch Pad User Guide

SAP BusinessObjects Business Intelligence Platform Document Version: 4.1 Support Package 5-2014-11-06. Business Intelligence Launch Pad User Guide SAP BusinessObjects Business Intelligence Platform Document Version: 4.1 Support Package 5-2014-11-06 Business Intelligence Launch Pad User Guide Table of Contents 1 Document history....7 2 Getting started

More information

Discovery Guide. Secret Server. Table of Contents

Discovery Guide. Secret Server. Table of Contents Secret Server Discovery Guide Table of Contents Introduction... 3 How Discovery Works... 3 Active Directory / Local Windows Accounts... 3 Unix accounts... 3 VMware ESX accounts... 3 Why use Discovery?...

More information

NetIQ. How to guides: AppManager v7.04 Initial Setup for a trial. Haf Saba Attachmate NetIQ. Prepared by. Haf Saba. Senior Technical Consultant

NetIQ. How to guides: AppManager v7.04 Initial Setup for a trial. Haf Saba Attachmate NetIQ. Prepared by. Haf Saba. Senior Technical Consultant How to guides: AppManager v7.04 Initial Setup for a trial By NetIQ Prepared by Haf Saba Senior Technical Consultant Asia Pacific 1 Executive Summary This document will walk you through an initial setup

More information

FileMaker Server 13. FileMaker Server Help

FileMaker Server 13. FileMaker Server Help FileMaker Server 13 FileMaker Server Help 2010-2013 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker and Bento are trademarks of FileMaker,

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

TRIPWIRE PURECLOUD. TRIPWIRE PureCloud USER GUIDE

TRIPWIRE PURECLOUD. TRIPWIRE PureCloud USER GUIDE TRIPWIRE PURECLOUD TRIPWIRE PureCloud USER GUIDE 2001-2015 Tripwire, Inc. All rights reserved. Tripwire and ncircle are registered trademarks of Tripwire, Inc. Other brand or product names may be trademarks

More information

CHAPTER. Monitoring and Diagnosing

CHAPTER. Monitoring and Diagnosing CHAPTER 20. This chapter provides details about using the Diagnostics & Monitoring system available through ShoreTel Director. It contains the following information: Overview... 661 Architecture... 661

More information