Nessus Enterprise Cloud User Guide. October 2, 2014 (Revision 9)

Table of Contents

Introduction
Nessus Enterprise Cloud
Subscription and Activation
Multi Scanner Support
Customer Scanning Interface
User Profile
Create and Manage Nessus Enterprise Cloud Users
Create and Manage Nessus User Groups
Creating a New Policy
Using the Policy Wizard
Advanced Policy Creation
Creating and Launching a Scan
Scheduling a Scan
Managing Scans
Viewing Scan Results
Reviewing Scan Results
PCI ASV Validation
Submitting Scan Results for PCI Customer Review
Customer Review Interface
Reviewing Scan Results
Disputing Scan Results
Submitting Attachments as Evidence for a Dispute
Submitting a Scan Report for Tenable Review
PCI ASV Report Formats
Manage a Nessus Enterprise Cloud Scanner to a Local Nessus Scanner
Support
Changing Your Password
For More Information
About Tenable Network Security

Introduction

This document describes Tenable Network Security's Nessus Enterprise Cloud. Please email any comments and suggestions to support@tenable.com.

This document covers the Nessus Enterprise Cloud as used for vulnerability scanning, assessment, and reporting. The contents of this document include the processes of Enterprise Cloud subscription and activation, customer scan initiation, vulnerability and compliance reporting, PCI ASV validation, and Enterprise Cloud support. A basic understanding of Tenable's Nessus vulnerability scanner, network protocols, vulnerability analysis and remediation, and cloud-based services is assumed.

Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples, and best practices are highlighted with this symbol and white on blue text.

Nessus Enterprise Cloud

The Nessus Enterprise Cloud is an enterprise-class remote vulnerability scanning service that may be used to audit Internet-facing IP addresses for both network and web application vulnerabilities from the cloud. Subscribers who log in to Nessus scanners hosted in Tenable's secure data center may employ the Nessus Enterprise Cloud to scan any number of Internet-facing sites. This includes a wide variety of devices (enterprise servers, desktop computers, mobile laptops, iPhones) wherever is convenient and as often as needed, all for one flat fee.

The Nessus Enterprise Cloud portal provides secure access to detailed vulnerability audits and remediation information hosted on Tenable's infrastructure. The Nessus Enterprise Cloud can be accessed from any computer with Internet access and a standard web browser, as well as from mobile devices including Android and iPhone/iPad, providing fixed or mobile scanner command and control, plus access to vulnerability and compliance reports from anywhere, anytime.

The Nessus Enterprise Cloud is supported by a world-renowned research team and has the industry's largest vulnerability knowledge base, making it suitable for even the most complex audits.

Subscription and Activation

Tenable's Nessus Enterprise Cloud is available as an annual subscription. Subscriptions are available through the Tenable Store. For pricing, please visit the Tenable Store or inquire at subscriptions@tenable.com for more information.

A Nessus Enterprise Cloud subscription package includes:

- Unlimited scanning of your perimeter systems
- Web application audits
- Ability to prepare for security assessments against current PCI standards
- Up to 2 quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.
- 24/7 access to the Tenable Support Portal for Nessus knowledgebase and support ticket creation
- One user account per subscription

Upon purchase of a Nessus Enterprise Cloud subscription, Tenable Product Delivery will notify the customer of product availability via email. The notification email will also include the customer's order number, product expiration date, and a product activation link. An activation help document is available online at: http://static.tenable.com/documentation/nec_activation_help.pdf

If you experience any problems with the activation process, please contact licenses@tenable.com. You must include your Customer ID with any inquiry. If you do not have a Customer ID, please include your order number to receive the proper assistance.

Multi Scanner Support

The Multi Scanner functionality gives your Nessus scanner the ability to delegate vulnerability scanning to multiple secondary servers, or be delegated to perform scans for another. You can use your own Nessus server to act as the primary, or you can configure your Nessus Enterprise Cloud scanner in the cloud to be the primary. This allows for consolidated reporting in a single Nessus user interface with scheduled scanning and emailing of results.

The use of this functionality positions companies to create an extended network of Nessus scanners that give added value. Through strategic positioning of the scanners, you are able to not only test for vulnerabilities and misconfigurations, but also examine the system from different viewpoints on the network. This can greatly assist you in ensuring that network screening devices (e.g., firewalls, routers) are properly restricting access to a given system.

It is important to note that primary scanners do not reach out to the secondary scanners. Instead, secondary scanners periodically poll the primary scanner they are registered with to receive new instructions. When deploying a network of Nessus scanners using this functionality, this must be kept in mind to ensure that nothing will hinder the secondary scanner in connecting to its primary.

Note that an Enterprise Cloud deployment can only be configured as a primary scanner. It cannot be configured as a secondary to another scanner.

User roles are not enabled when Nessus is in multi-scanner mode.

Customer Scanning Interface

Customers who subscribe to the Nessus Enterprise Cloud interact with a secure web-based portal. To access the service, all customers require credentials to the portal, which are provided by Tenable Network Security upon purchase of the service. The following screen capture displays the portal login page, which offers the Nessus HTML5 user interface by default.

[Figure: Initial Nessus Enterprise Cloud Login Screen]

If you forget your password, click on the "Forgot your password?" link. This will take you to the password reset page, where you will need to provide your registered email address to receive a temporary password.

User Profile

The user profile options allow you to manipulate options related to your account. Click on the user account to change the options related to the account.

The Account Settings field shows the current authenticated user as well as the user role: Read Only, Standard, or Administrator. The default admin account has the user role Administrator.

Read Only: Users with the Read Only user role can only read scan results.
Standard: Users with the Standard user role can create scans, policies, schedules, and reports. They cannot change any user, user group, scanner, or system configurations.
Administrator: Users with the Administrator role have the same privileges as the Standard user but can also manage users, user groups, and scanners.

The Change Password option allows you to change the password, which should be done in accordance with your organization's security policy.

The Plugin Rules option provides a facility to create a set of rules that dictate the behavior of certain plugins related to any scan performed. A rule can be based on the Host (or all hosts), Plugin ID, an optional Expiration Date, and manipulation of Severity. The same rules can be set from the scan results page. This allows you to reprioritize the severity of plugin results to better account for your organization's security posture and response plan.
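The plugin rule model described above (host or all hosts, plugin ID, optional expiration date, severity override) can be reproduced offline to preview how a rule set would re-prioritize a result set before the rules are entered in the portal. This is an added example, not code from the guide or from Tenable; the precedence of a host-specific rule over an all-hosts rule for the same plugin is an assumption, and the findings, hosts and plugin IDs are constructed placeholders.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

# Severity labels in ascending order, as shown in the Nessus interface.
SEVERITY_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


@dataclass(frozen=True)
class PluginRule:
    """One plugin rule: which plugin it targets, the severity to report it at,
    an optional host (None means all hosts) and an optional expiration date."""
    plugin_id: int
    severity: str
    host: Optional[str] = None
    expires: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    """A single plugin result from a scan, with the severity it was reported at."""
    host: str
    plugin_id: int
    severity: str
    original_severity: Optional[str] = None  # filled in when a rule changed it


def validate_rule(rule: PluginRule) -> None:
    """Reject rules that name a severity the interface does not offer."""
    if rule.severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {rule.severity!r} for plugin {rule.plugin_id}")


def rule_is_active(rule: PluginRule, today: date) -> bool:
    """A rule with an expiration date stops applying the day after that date."""
    return rule.expires is None or today <= rule.expires


def rule_matches(rule: PluginRule, finding: Finding, today: date) -> bool:
    """Plugin ID must match; host must match unless the rule is for all hosts;
    and the rule must not have expired."""
    if rule.plugin_id != finding.plugin_id:
        return False
    if rule.host is not None and rule.host != finding.host:
        return False
    return rule_is_active(rule, today)


def apply_plugin_rules(findings: List[Finding], rules: List[PluginRule], today: date) -> List[Finding]:
    """Return findings with severities overridden by the matching rules.
    Assumption (not stated in the guide): when both a host-specific rule and an
    all-hosts rule match the same finding, the host-specific rule wins."""
    for rule in rules:
        validate_rule(rule)
    adjusted = []
    for finding in findings:
        matching = [r for r in rules if rule_matches(r, finding, today)]
        if not matching:
            adjusted.append(finding)
            continue
        matching.sort(key=lambda r: r.host is None)  # host-specific rules sort first
        winner = matching[0]
        if winner.severity == finding.severity:
            adjusted.append(finding)
        else:
            adjusted.append(replace(finding, severity=winner.severity,
                                    original_severity=finding.severity))
    return adjusted


def expired_rules(rules: List[PluginRule], today: date) -> List[PluginRule]:
    """Rules that no longer apply and should be reviewed or removed."""
    return [r for r in rules if not rule_is_active(r, today)]


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, listing every level even when it is zero."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample data (not from a real scan); hosts and plugin IDs are placeholders.
SAMPLE_TODAY = date(2014, 10, 2)

SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 100001, "High"),
    Finding("203.0.113.11", 100001, "High"),
    Finding("203.0.113.10", 100002, "Medium"),
]

SAMPLE_RULES = [
    # All hosts: plugin 100001 is covered by a compensating control until year end.
    PluginRule(100001, "Low", expires=date(2014, 12, 31)),
    # One host is still being worked on, so keep the item visible at Medium there.
    PluginRule(100001, "Medium", host="203.0.113.10"),
    # An exception that has already lapsed and must no longer downgrade anything.
    PluginRule(100002, "Info", expires=date(2014, 9, 30)),
]

if __name__ == "__main__":
    for f in apply_plugin_rules(SAMPLE_FINDINGS, SAMPLE_RULES, SAMPLE_TODAY):
        note = f" (was {f.original_severity})" if f.original_severity else ""
        print(f.host, f.plugin_id, f.severity + note)
    print("expired rules:", [r.plugin_id for r in expired_rules(SAMPLE_RULES, SAMPLE_TODAY)])
```

Rules downgrade what the portal shows you; they do not change what a PCI ASV reviewer sees, so a rule is for internal prioritization, not a substitute for remediating or disputing an item.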

Create and Manage Nessus Enterprise Cloud Users

When you are assigned your Nessus Enterprise Cloud account, your account has administrator privileges. With this account, you can create and manage additional users. Using the credentials specified during the setup, log in to the Nessus GUI. Once authenticated, click on the Users heading at the top.

To create a new user, click New User on the upper left. This will open a dialogue box prompting for the required details.

Input the username (which must be an email address) and password, verify the password, and determine if the user will be a read only user, a standard user, or an administrator. Use the Email field to verify the address added as the username. If a user account needs to be modified, click on the user name.

You cannot rename a user. If you want to change the name of a user, delete the user and create a new user with the appropriate login name.

The user account must be assigned an email address (myaccount@example.com). That email address must use the same domain as the original account. You cannot use a different domain in the email field for additional accounts.

To remove a user, either select the check box to the right of the account name on the list and then Delete at the top, or click the X to the right of the account name.

Create and Manage Nessus User Groups

Nessus Enterprise has an extensive set of user and group roles that allow for granular sharing of policies, schedules, and scan results. For more information on creating and managing groups, please consult the Nessus 5.2 Enterprise User Guide. Users can be placed into groups, depending on their function or classification (e.g., Windows Administrators, Auditors, Firewall Administrators, or Security Analysts).

Creating a New Policy

Once you have connected to a Nessus Enterprise Cloud, you can create a custom policy by clicking on the Policies option on the bar at the top and then the "+ New Policy" button toward the left. The policy addition screen will then be displayed.

Using the Policy Wizard

The first option is whether to use the Policy Wizard to help you form a policy with a specific purpose. The included wizard templates may change from time to time. Some included templates are:

PCI Quarterly External Scan: An approved policy for quarterly external scanning required by PCI.
Host Discovery: Identifies live hosts and open ports.
Basic Network Scan: For users scanning internal or external hosts.
Credentialed Patch Audit: Log in to systems and enumerate missing software updates.
Web Application Tests: For users performing generic web application scans.
Windows Malware Scan: For users searching for malware on Windows systems.
Mobile Device Scan: For users of Apple Profile Manager, ADSI, MobileIron, or Good MDM.
Offline Config Auditing: Upload and audit the config file of a network device.
Amazon AWS Audit: For users who want to audit managed AWS infrastructure systems.
Advanced Policy: For users who want total control of their policy configuration; this creates a default scan.

Over time, the policy wizard will receive additional wizards to help customers, and existing wizards may be further enhanced. The following provides a general idea of using one of the wizards. Note that each wizard is different, so this is just one example.

The first step for each wizard asks you to set the policy name, policy visibility (private or shared), and a description. By default, wizard policies will allow you to edit the report after a scan. Click Next to continue to the next step.

This policy will ask you to select whether it is to be used for internal or external hosts, as the options will vary based on the answer. Click Next to go to the final step.

The final step gives you the option to add credentials to enhance scanning. As noted, some steps of a policy wizard may be optional. Once created, the policy will be saved with recommended settings. You can edit the wizard options or any other aspect of the policy at any time.

Advanced Policy Creation

If a policy wizard is not desired, the Advanced option allows you to create a policy the traditional way, with full control over all options from the beginning. Note that there are four configuration tabs: General Settings, Credentials, Plugins, and Preferences. For most environments, the default settings do not need to be modified, but they provide more granular control over the Nessus scanner operation. Detailed information on Nessus policies, scanning, and reporting can be found in the Nessus User Guide available here: http://www.tenable.com/products/nessus/documentation

Clicking on Share will open the share settings for the selected policy. The available selections for default permissions are No access, Can use, and Can edit. Default permissions for other users are set to No access. Additional users or groups can be added for more refined access control to the policy.

Policies are listed by Advanced or Wizard, depending on how they are created.

Preset policies in Nessus Enterprise Cloud are regularly reviewed and updated by Tenable staff to ensure that they include updates to plugin families and other enhancements to settings. Customers do not have the ability to view or alter any of the preset parameters of the PCI DSS policy.

Instead of directly editing preset scan policies, it is highly recommended to make a copy of a preset scan policy and edit the copy. If a preset scan policy has been directly edited, ownership of the policy will change from admin to the Nessus Enterprise Cloud user and the original settings cannot be automatically restored.

The Upload button will allow you to upload previously created policies to the Enterprise Cloud scanner. Using the Browse dialog box, select the policy from your local system, and click Submit.

Creating and Launching a Scan

To create a scan, a Nessus Enterprise Cloud customer enters the Scans section of the service and selects New Scan. The customer then enters a unique name for the scan and the type of scan, selects the policy, and enters the IP address(es), IP range(s), or hostnames of their externally-facing servers that will be the target of the scan. Click Launch to initiate the new scan immediately.

Note that the Scanner option will only appear if secondary scanners have been configured. To set up secondary scanners that can be used to conduct scans on behalf of the perimeter scanner, please consult the Nessus 5.2 HTML5 User Guide. More information on the use of additional scanners and the network flow can be found in the section titled Multi Scanner Support.

Scheduling a Scan

To initiate a scan as a template, start by creating a new scan via the Scans menu or the Schedules menu. After filling out the basic settings, select Schedule Settings and select the frequency.

Once saved, the scheduled scans can be accessed through the Schedules menu at the top.

Managing Scans

Once started, scans can be paused or stopped during the scan process by using the pause or stop icon to the right of the scan.

Viewing Scan Results

Results obtained from a scan that is currently in progress can be viewed by selecting the Scans menu and clicking on the scan that is running or completed.

Reviewing Scan Results

Once a scan has completed, the status will appear under the Scans section along with the date and time that the scan was either last updated or completed. The customer has the option to browse the scan or download the report in a variety of formats, including the .nessus, CSV, PDF, HTML, and Nessus DB file formats.

[Figure: Completed Scan in Vulnerabilities View]

[Figure: Export Option to Download Current Scan]

Clicking on Share will open the share settings for the selected scan. The available selections for default permissions are No access, Can use, and Can edit. Default permissions for other users are set to No access. Additional users or groups can be added for more refined access control to the scan.

The HTML report download format allows for the selection of chapter types within the report. Select HTML as the export format, and then click on the chapters to include in the report output.

[Figure: HTML Report Output for Hosts Summary (Executive)]

Customers are not limited in the number of scans they can perform and reports they can generate during an active subscription to the Nessus Enterprise Cloud. Detailed information on Nessus policies, scanning, and reporting can be found in the Nessus User Guide available here: http://www.tenable.com/products/nessus/documentation

PCI ASV Validation

Tenable Network Security, Inc. is a PCI Approved Scanning Vendor (ASV), and is certified to validate vulnerability scans of Internet-facing systems for adherence to certain aspects of the PCI Data Security Standards (PCI DSS). The Nessus Enterprise Cloud includes a pre-built static PCI DSS policy that adheres to the quarterly scanning requirements of the PCI DSS v2.0. This policy may be used by merchants and providers to initially assess their environments based on PCI DSS requirements, and also to perform external vulnerability scans and generate reports that can be validated by qualified Tenable Network Security staff members for the PCI DSS ASV validation requirement.

It is important to note that, while customers can use the PCI DSS scan policy to test their externally-facing systems as often as they wish, a scan must be submitted to Tenable for validation before it can be considered to qualify as a valid PCI ASV scan. Customers are allowed up to two quarterly report submissions for PCI ASV validation through Tenable Network Security, Inc.

Once logged into the service, customers have the option to select a policy titled PCI Quarterly External Scan that adheres to the requirements of the PCI ASV Program Guide v2.0 section titled ASV Scan Solution Required Components. To qualify as a PCI DSS ASV scan for validation through the Nessus Enterprise Cloud, the PCI Quarterly External Scan policy must be selected.

To create a PCI DSS ASV scan policy, go to Policies and click New Policy. Click on PCI Quarterly External Scan. In step 1, enter a name and description for your PCI scan. In step 2, define your scan settings. This allows scan customization without taking away the stricter PCI settings. For more details on the scan settings, see the Nessus 5.2 HTML5 User Guide.

Any policies created with the PCI Quarterly External Scan policy template cannot be copied and edited.

Submitting Scan Results for PCI Customer Review

Customers have the option to submit their scan results to Tenable Network Security for PCI ASV validation. By clicking Submit for PCI, the scan results will be uploaded to an administrative section of the Nessus Enterprise Cloud for customer review, and the customer will be prompted to log in to the user section of the service to review the findings of the scan results from a PCI DSS perspective.

[Figure: Link to Submit for PCI (highlighted in red)]

PCI DSS ASV scans older than three months cannot be submitted for review. No Submit for PCI button will appear for those scans.

[Figure: Report Upload and PCI Validation Link Dialog Box]

Customers are strongly urged to thoroughly review their PCI scan results before submitting their report(s) to Tenable Network Security through the Nessus Enterprise Cloud. Reports with failed results are required to undergo a full PCI review cycle, of which Nessus Enterprise Cloud customers are limited to two (2) per quarterly period.

Customer Review Interface

[Figure: Nessus Enterprise Cloud Customer Login Screen]

Once a customer logs into the PCI Validation user section, they are presented with a list of reports that have been submitted by their unique Nessus Enterprise Cloud login. The Report Filter allows reports to be filtered by Owner, Name, and Status.

Reviewing Scan Results

To pass a PCI DSS ASV assessment, all items (except for denial of service (DoS) vulnerabilities) listed as Critical, High, or Medium (or with a CVSS score of 4.0 or higher) must either be remediated or disputed by the customer, and all disputed items must either be resolved, accepted as exceptions, accepted as false positives, or mitigated through the use of compensating controls. All items listed as Critical, High, or Medium in the Nessus Enterprise Cloud can be viewed in detail, and all items carry an option to dispute the item in question.

Clicking the name of the scan in the List of Reports allows the user to view a list of hosts and the number of vulnerabilities found on each host, sorted by severity. Clicking the number of Failed Items in the List of Reports will display a list of items that will need to be addressed in order to qualify for a compliant ASV report through Tenable's Nessus Enterprise Cloud.
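Because each report with failed results consumes one of the two review cycles per quarter, it is worth applying the pass criteria above to a downloaded .nessus export before pressing Submit for PCI. The following is an added example, not code from the guide or from Tenable: it reads the ReportHost/ReportItem structure of a .nessus export, keeps the items that must be remediated or disputed (Medium or above, or CVSS 4.0 or higher, excluding DoS and the administrative plugin 33929 the guide describes later), and reports what is still outstanding given your ticket states. The sample export, hosts, plugin IDs and ticket states are constructed; treating the plugin family named "Denial of Service" as the DoS marker is an assumption.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Dispute outcomes that clear an item, as listed in the review criteria.
ACCEPTED_DISPUTE_STATES = {"resolved", "exception", "false_positive", "compensating_control"}

# Plugin 33929 (PCI DSS Compliance) is administrative: the guide says it links to
# the other plugins' results and clears once they are all resolved or excepted.
ADMIN_PLUGIN_ID = "33929"

# Assumption: a DoS-only finding is recognised by this plugin family name.
DOS_FAMILY = "Denial of Service"

# Constructed sample in the .nessus (NessusClientData_v2) export layout, trimmed
# to the elements this check reads; hosts, plugin IDs and names are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="perimeter-q4">
    <ReportHost name="203.0.113.10">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Constructed TLS weakness" pluginFamily="General">
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1"
                  pluginID="100002" pluginName="Constructed banner disclosure" pluginFamily="Web Servers">
        <cvss_base_score>2.6</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="100003" pluginName="Constructed DoS condition" pluginFamily="Denial of Service">
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="3"
                  pluginID="33929" pluginName="PCI DSS Compliance" pluginFamily="Policy Compliance">
      </ReportItem>
    </ReportHost>
    <ReportHost name="203.0.113.11">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="100004" pluginName="Constructed SSH finding" pluginFamily="Misc.">
        <cvss_base_score>4.0</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def load_items(nessus_xml: str) -> List[dict]:
    """Flatten ReportHost/ReportItem elements into dicts with the fields the check needs."""
    root = ET.fromstring(nessus_xml)
    items = []
    for host in root.iter("ReportHost"):
        for ri in host.iter("ReportItem"):
            score = ri.findtext("cvss_base_score")  # None when the plugin has no score
            items.append({
                "host": host.get("name"),
                "port": ri.get("port"),
                "plugin_id": ri.get("pluginID"),
                "plugin_name": ri.get("pluginName", ""),
                "family": ri.get("pluginFamily", ""),
                "severity": int(ri.get("severity", "0")),  # 0 info .. 4 critical
                "cvss": float(score) if score else None,
            })
    return items


def must_be_addressed(item: dict) -> bool:
    """Pass criteria: Medium or above (severity 2+) or CVSS >= 4.0, excluding
    DoS findings and the administrative summary plugin."""
    if item["plugin_id"] == ADMIN_PLUGIN_ID or item["family"] == DOS_FAMILY:
        return False
    if item["severity"] >= 2:
        return True
    return item["cvss"] is not None and item["cvss"] >= 4.0


def pci_review(nessus_xml: str, tickets: Dict[Tuple[str, str], str]) -> dict:
    """Split the items that matter into addressed and outstanding, given the
    dispute ticket state per (host, plugin ID). Ready to submit only when nothing
    is outstanding; any other ticket state (e.g. 'pending') keeps the item open."""
    outstanding, addressed = [], []
    for item in load_items(nessus_xml):
        if not must_be_addressed(item):
            continue
        state = tickets.get((item["host"], item["plugin_id"]))
        (addressed if state in ACCEPTED_DISPUTE_STATES else outstanding).append(item)

    def sort_key(i: dict) -> Tuple[str, str]:
        return (i["host"], i["plugin_id"])

    return {
        "outstanding": sorted(outstanding, key=sort_key),
        "addressed": sorted(addressed, key=sort_key),
        "ready_to_submit": not outstanding,
    }


if __name__ == "__main__":
    # Constructed ticket states: one item resolved, the other still being disputed.
    tickets = {("203.0.113.10", "100001"): "resolved", ("203.0.113.11", "100004"): "pending"}
    result = pci_review(SAMPLE_NESSUS, tickets)
    for item in result["outstanding"]:
        print("OUTSTANDING", item["host"], item["port"], item["plugin_id"], item["plugin_name"])
    print("ready to submit:", result["ready_to_submit"])
```

The check is a pre-submission aid only; Tenable's reviewers decide whether a dispute is accepted.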

Nessus Enterprise Cloud customers are responsible for reviewing all of their Failed Items before submitting a scan report to Tenable Network Security. Selecting the Failed Items in the List of Reports allows you to jump directly to the items that may affect your PCI ASV Validation compliance status. Use the green + button under the far left column to expand an individual entry for additional vulnerability details. Scan Report Item Description with Dispute Functionality As shown above, a Dispute button is displayed for each individual item, which allows the customer to enter additional details about vulnerability remediation, or dispute what they believe may be a false positive generated by the initial scan. 24

Disputing Scan Results When an item is disputed, a ticket is created that allows for the selection of an amendment type, the addition of text to the amendment, and any other notes that the customer may want to add prior to submission for review by Tenable Network Security. Once a ticket for a particular item has been created, the customer can view it by selecting the item in question and then selecting View Ticket. 25

Scan Report Item Description with View Ticket Functionality 26

Additional comments can be added by clicking the Edit button, then Add Note, and saving the note into the ticket by clicking Update. Plugin 33929, PCI DSS Compliance, is an administrative plugin that links to the results of other plugins. If a report shows that a host is not PCI DSS compliant, resolving all failed items will then allow plugin 33929 to resolve and be replaced with plugin 33930, PCI DSS Compliance: Passed. In cases of disputes or exceptions, if all failed report items are successfully disputed or given exceptions, an exception can then be given for plugin 33929 based on the remediation of all other report issues. Submitting Attachments as Evidence for a Dispute Once a ticket is created, it is possible to submit supporting evidence as an attachment. After creating a ticket, click the number listed under Open Tickets to display all open tickets: 27

In the List of Tickets screen, click View : When the screen for the open ticket is displayed, options for Upload File and Attach are displayed: Click Browse to navigate to and select the evidence file (screenshot, Word document, PDF, etc.) to be uploaded: Sample Evidence File (no_shiro.png) 28

Next, click Attach to attach the file to the ticket. When completed, the screen will display a message that the file was uploaded successfully: Clicking the Download link next to Attachments will show the names of all files attached to the ticket: Submitting a Scan Report for Tenable Review When tickets have been created for all outstanding report items under user review, the report can then be sent to Tenable Network Security for ASV review. Before a report can be submitted for review, the customer must fill in contact information and agree to an attestation that includes mandatory text as described in the ASV Program Guide. 29

Report Submission Attestation Text If a customer neglects to address any outstanding item for a particular scan before the report is submitted for ASV review, they will be prompted to make sure that a ticket has been created for each item. Any report with outstanding items that have not been addressed by the customer cannot be submitted to Tenable Network Security for review. 30

When a report is finally submitted to Tenable Network Security for review, the status of the report changes from Under User Review to Under Admin Review and the Submit option is removed (greyed out) to prevent the submission of duplicate items or reports. Submitted Report Under Admin Review The Withdraw function within an open ticket is only available once a report has been submitted for review by Tenable s Nessus Enterprise Cloud. Be careful when using the Withdraw function; withdrawing a ticket will cause the item in question to be flagged as unresolved due to having inconclusive evidence, and the report as a whole will be deemed as non-compliant. If a Tenable Network Security staff member requests more information or if any other user action is required by the customer for a ticket, an indicator will appear in the customer s List of Reports as shown below: User Action Required Notification 31

The ticket can then be amended by the user and resubmitted to Tenable Network Security for further review. PCI ASV Report Formats Once a scan report has earned compliance status by Tenable s Nessus Enterprise Cloud, customers have the option of viewing reports in Attestation Report, Executive Report, or Detailed Report formats. An ASV Feedback Form is also provided to the Nessus Enterprise Cloud customer. These options are available through the Download icon listed next to each report. The Attestation Report, Executive Report, and Details Report are only available to the customer in PDF format and cannot be edited. 32

Sample Attestation Report 33

Sample Executive Report When a report name and then host name is selected within the web-based interface, a list of items pertaining to the selected report is displayed. List of Items Displayed in the Web Interface 34

Manage a Nessus Enterprise Cloud Scanner to a Local Nessus scanner The Multi Scanner functionality gives your Nessus scanner the ability to delegate vulnerability scanning to multiple secondary servers, including Nessus Enterprise Cloud scanners, or be delegated to perform scans for another. You can configure your Nessus Enterprise Cloud scanner in the cloud to be the primary. This allows for consolidated reporting in a single Nessus user interface with scheduled scanning and emailing results. The use of this functionality positions companies to create an extended network of Nessus scanners that give added value. Through strategic positioning of the scanners, you are able to not only test for vulnerabilities and misconfigurations, but also examine the system from different viewpoints on the network. This can greatly assist you in ensuring that network screening devices (e.g., firewalls, routers) are properly restricting access to a given system. It is important to note that primary scanners do not reach out to the secondary scanners. Instead, secondary scanners periodically poll the primary scanner they are registered with to receive new instructions. When deploying a network of Nessus scanners using this functionality, this must be kept in mind to ensure that nothing will hinder the secondary scanner in connecting to its primary. 35

By default, a Nessus scanner has this feature disabled. Selecting a different role activates it. As a primary scanner, your installation gains the ability to assign scans to additional scanners that have been configured as secondary scanners.

After selecting Secondary Scanner on the local Nessus scanner, assign the scanner a unique name for easy identification, along with the user credentials and server address of the Nessus Enterprise Cloud scanner. You will be required to provide your Nessus Enterprise Cloud credentials to connect the local Nessus scanner. The Nessus Enterprise Cloud can be configured as the primary scanner only. When configuring the primary Nessus Enterprise Cloud scanner on your local scanner, the server address must use the format hostname:443.

After clicking Save, you will see a confirmation screen showing the secondary scanner name, the UUID of the secondary scanner, the primary scanner information, and whether you need to use a proxy to access the primary scanner. If communication must be directed through a proxy, select this option. Once selected, the scanner will use the proxy configured under Settings > Proxy. Click Save to convert your local Nessus scanner to a secondary scanner for your Nessus Enterprise Cloud scanner.

Log in to your Nessus Enterprise Cloud account, and you can see your local Nessus scanner listed as a secondary scanner. The Scanners setting displays the other Nessus scanners linked to the current one. You have the ability to unlink scanners from this screen. As a Primary Scanner on Nessus Enterprise Cloud, you can unlink a secondary scanner via the icon on the left. Unlinking the scanner will make it unavailable for scheduled scans until it is re-linked. To completely remove a scanner, click the X. To retrieve information about the secondary scanner, click on the scanner name.

At any time, you can disable the secondary scanner setup via the button on the upper right of the local Nessus scanner. Scanners that are managed by SecurityCenter cannot use the Multi Scanner functionality.

Support

When a Tenable Nessus Enterprise Cloud subscription is purchased, the name(s) and email address(es) of your Technical Contact Person(s) are provided to Tenable. A separate Tenable Support Portal account is automatically created for each Technical Contact Person. Support requests are accepted via the Tenable Support Portal, or an email may be sent to support@tenable.com. Note that email requests must be sent from one of the email addresses provided to Tenable as a support contact.

Changing Your Password

If you need to change your Nessus Enterprise Cloud password, click on your email address in the upper right-hand side of the scanner screen and choose the User Profile option in the drop-down list. Then select Change Password. After changing your password, a dialog confirms the change.

For More Information

Nessus documentation can be found here:
http://www.tenable.com/products/nessus/documentation

More information about the Tenable Support Portal features can be found here:
http://www.tenable.com/whitepapers/tenable-network-security-support-portal

Subscription agreement:
http://static.tenable.com/prod_docs/subscription_agreement.pdf

If you experience any problems with the registration process, please contact licenses@tenable.com.

The Nessus Enterprise Cloud is supported by email only. Please direct all support-related questions to support@tenable.com and provide your Customer ID with a detailed description of the issue you are having. You may also log in to the Tenable Support Portal to generate a support ticket.

About Tenable Network Security

Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance. Our family of products includes SecurityCenter Continuous View, which provides the most comprehensive and integrated view of network health, and Nessus, the global standard in detecting and assessing network data. Tenable is relied upon by more than 24,000 organizations, including the entire U.S. Department of Defense and many of the world's largest companies and governments. For more information, please visit www.tenable.com.

GLOBAL HEADQUARTERS
Tenable Network Security
7021 Columbia Gateway Drive
Suite 500
Columbia, MD 21046
410.872.0555
www.tenable.com

Copyright 2014. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable Network Security, Inc.