The Risk of Default Configuration
A robust cyber security programme includes a variety of technical controls, training, and programmes to respond to any identified gaps. Consider patch and vulnerability management programmes; these are closely linked.
Patch management: updates need to be validated and researched to ensure they are not introducing new risks.
Vulnerability management: requires analysing the existing environment to identify risks, testing, and alignment with the patch management cycle.
One tool that you may have used is Tenable’s Nessus scanner; it’s one of the more common solutions you will see. Because it is so common, many organisations base their mitigation and remediation actions on the security findings identified by Tenable Nessus scans.
This seems efficient: scan your network from both internal and external points, identify potential risks, validate which ones are of concern, and remediate. Align this cycle with patch management and you are covering any possible risks each time the network changes. Or are you? What happens if you realised that more than 3,000 findings are not reported?
Whilst many organisations struggle to clarify and understand their network, there are a few whose infrastructure/operations teams know each granular piece of their environment – and embed a further programme into the mix: a cyber security intelligence programme. Through this intelligence programme and the holistic understanding of their infrastructure, some organisations have identified these small gaps during the scans. What ended up being the issue?
Increasing the granularity of the Nessus scan
As with all solutions, there is a default configuration that works for most situations; however, that doesn’t always mean it’s the right option for you. Identifying the different settings in a solution, comparing the levels, and documenting which configuration is chosen to best suit your environment is a must for any organisation. This includes possible false positives, or potential gaps, in order to ensure they are appropriately validated and/or covered elsewhere.
In our example, findings were missed because of a default setting: paranoia. The paranoia reporting level in a Nessus scan defaults to 1. A few findings that do not appear when scanning with paranoia level 1:
F5 Networks BIG-IP : BIG-IP TMUI XSS vulnerability (K43638305)
Palo Alto Networks PAN-OS 8.0.x < 8.1.15 / 8.1.x < 8.1.15 / 9.0.x < 9.0.9 / 9.1.x < 9.1.3 Authentication Bypass in SAML
Intel Converged Security Management Engine (CSME) Active Management Technology (AMT) Multiple Vulnerabilities
Exim < 4.93 Privilege Escalation vulnerability
For our example, the fix is easy: enable paranoia reporting level 2. This can be achieved either globally, by editing the Tenable.sc scan policy, or on a per-scan basis. I highly recommend you identify the impact to your organisation of potentially missing these findings. Of those who have made this change and reported back, it doesn’t appear to have impacted the scan times or produced false findings. However, do not be alarmed if a high number of new – previously missed – findings now appear. It is better to know and be aware than to go through the motions believing you are compliant.
Tenable’s Nessus scan paranoia level is simply one example of where an organisation can continue to improve and tailor their controls to fit their environment. This is by no means the only example: consider the Office 365 default of auto-forwarding being globally allowed, or SIEMs that ingest many logs but haven’t been designed to monitor the right ones.
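Because the setting can be changed per scan as well as in the global policy, a scan can quietly drift back to the default. The following is an added example (not the author’s code, and not a Tenable tool) that audits exported .nessus v2 files for the “Report paranoia” policy preference and flags any scan still running below level 2. It assumes the preference is recorded under Policy/Preferences/PluginsPreferences with the preference name “Report paranoia” and the radio values “Avoid false alarms”, “Normal” and “Paranoid”, mapped here to the levels 0, 1 and 2 used in the text; the sample XML is constructed for the example.

```python
"""Audit exported Nessus (.nessus v2) scan files for the 'Report paranoia'
policy preference, so scans still running at the default level are found
before their results are treated as a complete picture of the network."""
from typing import Dict, Optional
import xml.etree.ElementTree as ET

# Assumption: these are the three radio values Nessus exposes for the
# setting, mapped to the numeric levels the text refers to (default is 1).
PARANOIA_LEVELS = {
    "Avoid false alarms": 0,
    "Normal": 1,
    "Paranoid": 2,
}
REQUIRED_LEVEL = 2  # the level the text recommends enabling


def paranoia_level(nessus_xml: str) -> Optional[int]:
    """Return the paranoia level recorded in a .nessus export, or None if the
    policy carries no such preference. A missing preference is reported as
    'unknown' rather than assumed safe."""
    root = ET.fromstring(nessus_xml)
    for item in root.iterfind("./Policy/Preferences/PluginsPreferences/item"):
        if item.findtext("preferenceName", default="").strip() == "Report paranoia":
            value = item.findtext("selectedValue", default="").strip()
            return PARANOIA_LEVELS.get(value)
    return None


def audit(nessus_xml: str) -> Dict[str, object]:
    """Summarise one export: the level it ran at, whether it meets the
    required level, and how many findings it holds (for context only)."""
    level = paranoia_level(nessus_xml)
    root = ET.fromstring(nessus_xml)
    findings = sum(1 for _ in root.iterfind("./Report/ReportHost/ReportItem"))
    compliant = level is not None and level >= REQUIRED_LEVEL
    if level is None:
        note = "no 'Report paranoia' preference found; check the policy manually"
    elif compliant:
        note = "paranoia level meets the required level"
    else:
        note = (f"paranoia level {level} < {REQUIRED_LEVEL}; "
                "findings that require level 2 will be absent from this report")
    return {"level": level, "compliant": compliant,
            "findings": findings, "note": note}


def _sample(selected: Optional[str]) -> str:
    """Build a constructed .nessus v2 fragment with the given paranoia value
    (None omits the preference entirely) and one placeholder finding."""
    pref = "" if selected is None else f"""
      <item>
        <pluginName>Global variable settings</pluginName>
        <preferenceName>Report paranoia</preferenceName>
        <preferenceType>radio</preferenceType>
        <preferenceValues>Normal;Avoid false alarms;Paranoid</preferenceValues>
        <selectedValue>{selected}</selectedValue>
      </item>"""
    return f"""<NessusClientData_v2>
  <Policy>
    <policyName>example-policy</policyName>
    <Preferences><PluginsPreferences>{pref}
    </PluginsPreferences></Preferences>
  </Policy>
  <Report name="example-scan">
    <ReportHost name="192.0.2.10">
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="2"
                  pluginID="0" pluginName="placeholder finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


# Constructed inputs: a default-level scan, a level-2 scan, and one with the
# preference missing from the policy.
SAMPLE_DEFAULT = _sample("Normal")
SAMPLE_PARANOID = _sample("Paranoid")
SAMPLE_MISSING = _sample(None)

if __name__ == "__main__":
    for label, doc in (("default", SAMPLE_DEFAULT), ("paranoid", SAMPLE_PARANOID),
                       ("missing", SAMPLE_MISSING)):
        print(label, audit(doc))
```

Pointing the same functions at real exports (one file per scan) turns this into a routine control: any scan whose export does not come back `compliant` is re-run at level 2 before its results feed the remediation cycle.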
For organisations looking to enhance their cyber security programme, they can start by assessing the maturity of their people, processes, and technology – that is:
Identify gaps in knowledge and experience and fill them with training.
Audit processes and documentation to ensure they exist and are relevant.
Run risk assessments, security testing, and tabletop exercises to validate that the controls align with expected threats/scenarios and do not leave gaps that can be exploited.
Looking to learn more? Read about configuring Tenable’s Nessus scanner paranoia levels here, and see here for the list of plugins that require level 2 to appear in scan findings.