Threat
- Recency — How recently have there been attacks utilizing this vulnerability?
- Intensity — Number and frequency of recent events (very low to very high)
- Sources — What data was used?
Exploit Code Maturity
- Parallels CVSS: Unproven → High
Product Coverage
- Number of unique products: Low → Very High
Impact Analysis
- Availability
- Integrity
- Confidentiality
Dashboard
✔ Dashboards provide access to key cyber risk data in an easy to understand format.
✔ Each dashboard consists of a series of widgets.
✔ Widgets can be created from existing templates or customized.
✔ A user can create multiple dashboards.
✔ Each Tenable Vulnerability Management user has their own set of dashboards that can be shared with other users or user groups.
Summary
● Tenable Vulnerability Management provides pre-built dashboards to display cyber risk data.
● Assets can be filtered for an entire dashboard, and for individual widgets.
● Dashboards are shareable with other users or user groups.
● Dashboards can be exported once or on a schedule, and delivered as an encrypted attachment via email to appropriate personnel.
You can create custom dashboards to display cyber risk data in a useful format. You can also set a default dashboard view to see when you sign in.
Reports
Similar to Dashboards, Tenable Vulnerability Management has pre-designed report templates that update automatically.
Report Features
● PDF format
● Share with users/groups
● Filter on tags, or custom
● Add/remove chapters
● Add a logo
Summary
● Tenable Vulnerability Management provides pre-built report templates to display cyber risk data.
● Customize reports for specific assets, as well as upload an organization’s logo.
● Reports can be exported on a one-time or scheduled basis, shared with other users, and delivered via email to appropriate personnel.
Report Components
● Name
● Description
● Executive Summary
● Additional Chapters
Exports
● Maintain export schedules in Tenable Vulnerability Management
● Demonstrate where to locate exported data, dashboards and reports
● Exported data can be found in different places depending on the type of data.
● The Exports page is for grid page exports.
● Many grid pages such as Assets, Findings, Users, Tags and more can be exported.
Tenable Core + Tenable NNM (Nessus Network Monitor)
Tenable Nessus Network Monitor (NNM) – Schedule: Automatic
- Operates 24×7
- Requires access to a SPAN/mirror port for data
- Scans network traffic for cyber risk data
- Two operational modes: Host Discovery or Full
Host Discovery
● Assets discovered while in this mode do not count against your license
● Safest option to start with to ensure sensor setup is correct
Full
● In this mode, NNM will report on vulnerabilities it sees via the network
● This is a good option for vulnerability assessment of fragile devices that cannot be scanned
Identifying Unscanned Assets
● Source is equal to (Cloud Discovery Connector, NNM, ServiceNow, etc.) AND Source is not (Nessus Scan, Nessus Agent)
● Assessed vs. Discovered Only
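The "Source" filter above can also be applied to an exported asset list to find hosts a sensor has seen but that have never been assessed. This is an added example, not Tenable's own code; the asset records are constructed, and the "sources" field is assumed to carry the list of sources that reported each asset.

```python
"""Separate assessed assets from discovered-only ones using the filter
described above: an asset reported only by discovery sources (Cloud
Discovery Connector, NNM, ServiceNow, ...) and never by Nessus Scan or
Nessus Agent has been discovered but not assessed."""

# Sources that only discover an asset (page's list; extend as needed)
DISCOVERY_SOURCES = {"Cloud Discovery Connector", "NNM", "ServiceNow"}
# Sources that actively assess an asset
ASSESSMENT_SOURCES = {"Nessus Scan", "Nessus Agent"}

# Constructed sample records, not a real Tenable export
SAMPLE_ASSETS = [
    {"id": "a1", "hostname": "web01", "sources": ["Nessus Scan"]},
    {"id": "a2", "hostname": "printer07", "sources": ["NNM"]},
    {"id": "a3", "hostname": "laptop-22", "sources": ["NNM", "Nessus Agent"]},
    {"id": "a4", "hostname": "vm-cloud-9",
     "sources": ["Cloud Discovery Connector", "ServiceNow"]},
    {"id": "a5", "hostname": "stale-host", "sources": []},
]


def is_assessed(asset):
    """True when any assessment source (scan or agent) has seen the asset."""
    return bool(set(asset.get("sources", [])) & ASSESSMENT_SOURCES)


def is_discovered_only(asset):
    """Source is a discovery source AND Source is not Nessus Scan/Agent."""
    sources = set(asset.get("sources", []))
    return bool(sources & DISCOVERY_SOURCES) and not (sources & ASSESSMENT_SOURCES)


def classify(assets):
    """Bucket asset ids into assessed, discovered-only, and no known source."""
    result = {"assessed": [], "discovered_only": [], "no_source": []}
    for asset in assets:
        if is_assessed(asset):
            result["assessed"].append(asset["id"])
        elif is_discovered_only(asset):
            result["discovered_only"].append(asset["id"])
        else:
            result["no_source"].append(asset["id"])
    return result


def discovered_only_by_source(assets):
    """Which sensor found each unassessed asset (useful for scan planning)."""
    by_source = {}
    for asset in assets:
        if is_discovered_only(asset):
            for source in asset["sources"]:
                by_source.setdefault(source, []).append(asset["id"])
    return by_source


def assessment_coverage(assets):
    """Fraction of sensor-known assets that have actually been assessed."""
    buckets = classify(assets)
    known = len(buckets["assessed"]) + len(buckets["discovered_only"])
    return len(buckets["assessed"]) / known if known else 0.0


if __name__ == "__main__":
    print(classify(SAMPLE_ASSETS))
    print(discovered_only_by_source(SAMPLE_ASSETS))
    print(f"coverage: {assessment_coverage(SAMPLE_ASSETS):.0%}")
```

With the constructed records, the two assets seen only by NNM or a connector are the candidates for a scan or agent rollout, and the coverage figure is the "Assessed vs. Discovered Only" ratio the slide refers to.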
Tenable Nessus Network Monitor Installation
What is Tenable Nessus Network Monitor?
● Monitors network traffic for cyber risk data
● NNM identifies:
○ Assets
○ Services
○ Vulnerabilities in services and applications that generate network traffic
○ Traffic between hosts
● Supports IPv4 and IPv6
● Tenable Nessus Network Monitor is limited to monitoring 1 Gbps
● Can be licensed at an additional cost for 10 Gbps operations (high performance)
Summary
● Tenable Nessus Network Monitor identifies assets, services, vulnerabilities and traffic between hosts.
● NNM requires two network interfaces, one of which is a SPAN port set in promiscuous mode.
● NNM instances can run in two modes: Discovery mode and Full mode.
● NNM offers two performance levels: 1 Gbps for monitoring small networks and network segments; and 10 Gbps, for high-performance data centers and internet ingress/egress points.
NNM Installation
- RHEL, Windows and other operating systems
- Install using the appropriate package manager.
- Tenable Core + NNM is also available
- Install on virtual platforms.
NNM Configuration:
- Connect to NNM using a web browser on port 8835 (https)
- Sign in with username “admin” and password “admin”
- Reset password
- Use “Cloud” as activation code
- Provide linking key
- Give scanner a name
- Select Network Interface
- Provide managed range
- Set exclusion range(s) – optional
Certificates for NNM
Place the SSL certificates in appropriate location. Refer to:
https://docs.tenable.com/nessus-network-monitor/Content/ConfigureNNMForCertificates.htm
Troubleshooting NNM Installation
● Sufficient hardware (RAM, core, HD)
● Connectivity
● Local firewall rules
● Local malware/antivirus application
● Can NNM connect to cloud.tenable.com on port 443?
● Is the SPAN port configured properly?
Summary
● NNM sensors can run on a variety of platforms.
● Use the package manager for the operating system to install NNM, or use Tenable Core.
● Connect with a web browser and complete the configuration.
● Custom SSL certificates can be uploaded, if required.
● Additional CAs can also be created.
Tenable Core
You can use the Tenable Core operating system to run an instance of Tenable Nessus in your environment. After you deploy Tenable Core + Tenable Nessus, you can monitor and manage your Tenable Nessus processes through the secure Tenable Core platform.
Core Considerations
Deployment Process
1. Download image
2. Install (ISO or virtual image)
3. Connect to core using web browser on port 8000
4. Initial username and password: wizard/admin
5. Create admin account
6. Continue with sensor configuration
To deploy Tenable Core + Tenable Nessus as a VMware virtual machine:
- Download the Tenable Core Nessus VMware Image file from the Tenable Downloads page.
- Open your VMware virtual machine in the hypervisor.
- Import the Tenable Core + Tenable Nessus VMware .ova file from your computer to your virtual machine. For information about how to import a .ova file to your virtual machine, see the VMware documentation.
- In the setup prompt, configure the virtual machine to meet your organization’s storage needs and requirements, and those described in System and License Requirements.
- Launch your Tenable Core + Tenable Nessus instance. The virtual machine boot process appears in a terminal window.
Core Interface
- Operating System (OS) level configuration: networking, storage, and updates
- Start and stop sensor
- Command line access
- Resource utilization
Certificates can be installed using the Management interface.
Remote Storage
Remote storage can be enabled:
● Uses Secure File Transfer Protocol (SFTP)
● Username + private key
● Allows for automated backups
Updates can be scheduled to run at boot time, on a schedule, or both.
SNMP v2 and v3 can be enabled.
Tenable Nessus
Traditional Tenable Nessus application installed on an OS that you manage: for scanning private IPs
Tenable Cloud Scanner, managed by Tenable: for scanning public-facing IPs
Tenable Core + Tenable Nessus is a pre-built virtual image for:
● VMware
● Hyper-V
● Dedicated hardware
Tenable Nessus is also available for a variety of platforms including:
● Windows
● RHEL/CentOS
● OS X and others
Nessus Installation
- Connect to Nessus scanner using a web browser on port 8834 (https).
- On the Welcome screen, select “Managed by.”
- Select “Tenable.io” and provide the linking key.
- Create a username and password.
- Sign into Tenable Nessus to confirm username and password work.
Certificates for Nessus
Place SSL certificates in the appropriate location. Refer to:
https://docs.tenable.com/nessus/Content/CustomSSLCertificates.htm
Agent Considerations
● Scan using lightweight, low-footprint programs installed locally on hosts
● Collect vulnerability, compliance and system data, and report back to Tenable Vulnerability Management
● Minimal impact on system and network
○ Direct access to all hosts
○ Minimal disruption to end users
Agent Considerations — Benefits
● Extended scan coverage and continuous security
● Deploy where impractical or unable to run network-based scans
● Assess off-network assets and endpoints with intermittent internet access (e.g., laptops)
Agent Considerations — Efficiency
● Reduces overall network scanning overhead
● Relies on local host resources with minimal performance overhead
● Reduces network bandwidth need; important for slow networks
● Removes challenge of scanning systems over segmented or complex networks
● Updates automatically without reboot or end-user interaction
Agent Considerations — Limitations
Network checks
● Agents are not designed to perform network checks, so certain plugin items cannot be checked or obtained.
○ Combining traditional scans with agent-based scanning eliminates this gap.
Remote connectivity
● Agents may miss items performed through remote connectivity
○ Logging into a database (DB) server
○ Trying default credentials (brute force)
○ Traffic-related enumeration
How an Agent Works
The Agent periodically connects to cloud.tenable.com (Tenable Vulnerability Management) via port 443 and queries for work to be completed.
If there is work, the Agent completes the work and returns the results.
Types of Work
● Software updates
● Plugin updates
● Scans (Vulnerability, Compliance)
Leading Practices — Golden Image
● Include the Tenable Nessus Agent in your gold images
● Configure connections to Tenable Vulnerability Management/Tenable Nessus Manager instance
● Consider a smaller agent group size to reduce the volume of data imported into Tenable Vulnerability Management
○ Limit agent groups to 1,000
Scanning
1. Create agent scan.
2. Select group(s).
3. Select scan window/trigger.
4. Set scan schedule.
Deployment Process
1. Download agent.
2. Retrieve linking key.
3. Install agent (manual, or with software management).
4. Configure with linking key.
5. Create groups and assign agents.
Summary
● A linking key is needed to install the agent and connect it to Tenable Vulnerability Management.
● After installation, agents need to be placed into an Agent Group prior to assessment.
Possible Scanning Challenges
- Lack of reliability in network infrastructure
- Large number of assets in a network partition
- Active assessment is mission critical
- Scanners difficult to identify when configuring scans
Solution — Scanner Groups
● Easy to understand name for scanner(s)
○ Less difficult to locate the appropriate scanner
● Multiple scanners allowed in group
○ Creates high availability/speeds up scans
● Load balancing between scanners
○ Good for large network partitions
○ Good for demand for fast assessment
When to Use Scanner Groups
● Large network partitions
● Hard-to-identify scanners
● High availability scanning requirements
● Network reliability issues
Summary
● Scanner groups can be used for large network partitions to:
○ Provide for high availability of scanners and make it easier to identify the appropriate scanner
○ Speed up scans
The Challenge of Crossover IP
Question: What should the response be when there are two assets that are in different NAT’d subnets, but have the same IP address?
Answer: Define Networks + Scanners and Groups in Tenable Vulnerability Management
Age Out Option
Activating the “age out” option will prompt for a number of days.
Any assets in this network that have not been seen within X days will automatically be deleted.
When To Use Networks
Networks can make it complicated to scan properly.
Do not use networks unless you are in an environment that contains assets with the same IP address.
Summary
● Networks should be used in environments where there are two assets with the same IP address, due to Network Address Translation (NAT).
● Networks can complicate the scanning process, so they should be avoided unless necessary.
Access Control Components
The Importance of Access Control
● Improve overall security posture
● Simplify use of Tenable Vulnerability Management
● Improve reporting
● Reduce overall risk of internal threat
Permissions
● Rule-based criteria, based on tags
● What assets can be viewed?
● Scanning of existing, or new, assets
● User groups and/or individual users are assigned permissions
Plan Your Tags
Every tag you create automatically creates a new corresponding Permission!
User Groups
● Individually assigned
● Common permission
● Users can be in multiple groups
Roles vs. Permissions
● Roles control what a user can DO.
● Permissions control what a user can SEE.
Summary
● Access control components are Users, User Groups, Permissions, and Roles.
● Permissions define which assets can be viewed, and scanned.
● User groups and roles can give users common capabilities within Tenable Vulnerability Management.
Setting Up Permissions with Tags
Tags
● Create groups of assets that have common criteria for permissions, reporting, etc.
● Manual or rules-based criteria are available.
Default Permissions
● Administrators: All admin users can see all assets and perform all functions. This cannot be changed.
● Access All Assets: By default, all users can see all assets! This should be changed.
Summary
● Permissions define which assets can be viewed, and whether those assets can be scanned. They also allow users to use the associated tags for analysis and reporting.
● For every tag, a new corresponding permission is added.
● Be very aware of the default “Access All Assets” permission. Best practice is to either delete or edit it, to limit your cyber risk.
User Group
● Best practice for assigning permissions
● Common permissions
Single User
● Need to re-assign every permission if user leaves, or another user needs to be added
Summary
● When assigning permissions, it is best practice to assign to a user group instead of an individual user.
● Roles can be used to give users common capabilities within Tenable Vulnerability Management. Check online documentation for the latest role descriptions.
● To reduce cyber risk, plan out requirements first by ensuring that a user is assigned a role and permissions with the least privilege.
Object User Permissions
- Access to functions
- Access to assets
- Access to objects
What is an Object?
- Scanner Group
- Agent Group
- Managed Credential
- Scan
Permissions Vary by Object
Scan:
● No access*
● Can view
● Can execute
● Can edit
Linked Scanner and Scanner Group:
● Can use*
● No access
● Can manage
Role Access always overrides user permissions:
● Regardless of assigned user permissions, all users with an Administrator role have the highest permissions for an object by default.
● Other roles limit access (e.g., if you assign ‘Can View’ permissions for a scan to a user with a Basic role, the user will still not be able to view that scan).
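The interplay of rules-based tags, tag-bound permissions, the default “Access All Assets” permission, and role override (the “Setting Up Permissions with Tags” and “Permissions Vary by Object” sections above) can be checked with a small model. This is an added example, not Tenable's own code: the tag rules are written as Python predicates, the inventory and group names are constructed, and treating “Administrator” as always the highest scan permission and “Basic” as always “No access” (with other roles keeping the granted level) is a simplified assumption drawn from the two bullets above.

```python
"""Model of tag-based asset permissions and role override as described above.
Assumptions: tag rules are predicates over an Asset; every user belongs to
the implicit 'All Users' group; only Administrator and Basic override the
granted scan permission."""

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    id: str
    ipv4: str
    os: str


@dataclass(frozen=True)
class Permission:
    tag: str            # tag name, or "*" for the default "Access All Assets"
    groups: frozenset   # user groups the permission is granted to
    can_view: bool = True
    can_scan: bool = False


# Constructed sample inventory (not real data)
ASSETS = [
    Asset("a1", "10.1.0.5", "Windows Server 2019"),
    Asset("a2", "10.1.0.9", "Linux"),
    Asset("a3", "10.2.0.7", "Windows 11"),
]

# Rules-based tags: one predicate per tag (assumed encoding of a tag rule)
TAG_RULES: Dict[str, Callable[[Asset], bool]] = {
    "Env:Production": lambda a: a.ipv4.startswith("10.1."),
    "OS:Windows": lambda a: a.os.lower().startswith("windows"),
}

# The default permission every tenant starts with: everyone sees everything
DEFAULT_ACCESS_ALL = Permission("*", frozenset({"All Users"}), True, True)

# Scan object permission levels from the slide, lowest to highest
SCAN_LEVELS = ["No access", "Can view", "Can execute", "Can edit"]


def tag_assets(assets: Iterable[Asset], rules) -> Dict[str, Set[str]]:
    """Evaluate each rule against each asset; returns tag -> asset ids."""
    tagged = {tag: set() for tag in rules}
    for asset in assets:
        for tag, rule in rules.items():
            if rule(asset):
                tagged[tag].add(asset.id)
    return tagged


def visible_assets(user_groups, role, permissions: List[Permission],
                   tagged, all_ids) -> Set[str]:
    """Assets a user can SEE: Administrators see all; otherwise the union of
    tags from view permissions granted to any of the user's groups."""
    if role == "Administrator":
        return set(all_ids)
    groups = set(user_groups) | {"All Users"}
    visible: Set[str] = set()
    for perm in permissions:
        if not perm.can_view or not (perm.groups & groups):
            continue
        if perm.tag == "*":          # "Access All Assets" still present
            return set(all_ids)
        visible |= tagged.get(perm.tag, set())
    return visible


def effective_scan_access(role: str, granted: str) -> str:
    """What the user can DO with a scan: the role overrides the granted level."""
    if granted not in SCAN_LEVELS:
        raise ValueError(f"unknown scan permission: {granted}")
    if role == "Administrator":
        return SCAN_LEVELS[-1]       # highest permission regardless of grant
    if role == "Basic":
        return SCAN_LEVELS[0]        # cannot view even if 'Can view' is granted
    return granted                   # assumption: other roles keep the grant


if __name__ == "__main__":
    tagged = tag_assets(ASSETS, TAG_RULES)
    ids = [a.id for a in ASSETS]
    win_admins = Permission("OS:Windows", frozenset({"Windows Admins"}), True, True)
    print("default:", visible_assets({"Windows Admins"}, "Standard",
                                     [DEFAULT_ACCESS_ALL, win_admins], tagged, ids))
    print("hardened:", visible_assets({"Windows Admins"}, "Standard",
                                      [win_admins], tagged, ids))
    print("basic + Can view ->", effective_scan_access("Basic", "Can view"))
```

Running the script shows why the slides insist on editing the default permission: with “Access All Assets” left in place the tag-scoped grant makes no difference, and only after it is removed does the Windows Admins group see just the Windows-tagged assets.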
Summary
● Many objects such as scans, credentials, agent groups and scanner groups allow you to assign specific permissions to users and user groups.
● The functions of an assigned role will always override user permissions.
● Administrators can use the User Assist function to ensure permissions are set correctly.
- www.tenable.com/webinars
- youtube.com/TenableProductEducation
- community.tenable.com
- university.tenable.com
- docs.tenable.com