Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool
Here is how it works. Every CVE is given a specific plugin from Nessus of any other vulnerability scanner. You can easily read the script yourself if you're worried its inaccurate. Whats proprietary is the delivery and the scanning itself.
Openvas performance wise is terrible compared to nessus. Although the scan results are similar. Openvas does not scale well
-
@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
Nessus works off CVEs not patches. Read the CVE and you will see patching is only part of the solution.
The question here is about patching, not securing.
Then nessus is the wrong tool as it is a vulnerability scanner not patch auditor. If you want to audit patches use powershell
-
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
-
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
-
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
You can also run NIST specific audits with nessus.
-
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
Ah, gotcha
-
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:
You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP it's just a different tool.
OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
SCAP is the NIST stuff. OpenSCAP is the tool.
You can also run NIST specific audits with nessus.
Well it does some things I “think” Nessus doesn’t. It will scan VMs without an agent or logging in from the hypervisor. OpenSCAP also has all of RHELs gardening rules baked in like sysctl configs and things like AIDE.
-
Haha it’s only somewhat decent with gardening rules. It has many better hardening rules.
-
Here is an example of patching not being good enough. This needs an additional reg key.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529
