Key Asset Attributes
There are a number of methods that can be used to collect key information to identify and categorize assets. Active scanning can perform high speed asset discovery, and Nessus can be installed on a variety of platforms, including Raspberry Pi. Nessus Agents can help organizations meet the challenges of obtaining vulnerability data from cloud environments, and Nessus Network Monitor (NNM) continuously monitors network traffic to detect new assets in on-premise environments. Most importantly, these sensors collect attributes that allow organizations to easily identify asset types for classification and categorization. The most important collected inventory attributes include:
-
BIOS and Device Type
-
Active and Passive OS Detection
-
Active and Passive Asset Attributes:
-
Ethernet (MAC/Vendor) Data
-
FQDN
-
Processor/System Information
Nessus is used to actively scan assets with a wide range of detection methods, such as banner grabbing, protocol detections, and advanced fingerprinting. Other items, such as hardware attributes that are collected passively, are also often part of hardware identification. Operating system detections are collected both passively and actively. Plugin outputs for the following plugins contain information that organizations may find useful in the classification and categorization process.
Useful plugins used for asset identification:
-
11936 - OS Identification
-
764487 - CDP Message Detection
-
50350 - OS Identification Failed
-
97993 - OS Identification and Installed Software Enumeration over SSH v2
-
34097 - BIOS Info (SMB)
-
34098 - BIOS Info (SSH)
-
34096 - BIOS Info (WMI)
-
55472 - Device Hostname
-
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
-
54615 - Device Type
-
33276 - Enumerate MAC Addresses via SSH
-
35716 - Ethernet Card Manufacturer Detection
-
86420 - Ethernet MAC Addresses
-
12053 - Host Fully Qualified Domain Name (FQDN) Resolution
-
48942 - Microsoft Windows SMB Registry : OS Version and Processor Architecture
-
19506 - Nessus Scan Information
-
43815 - NetBIOS Multiple IP Address Enumeration
-
92372 - Microsoft Windows NetBIOS over TCP/IP Info
-
118730 - Windows NetBIOS / SMB Remote Host Report Tag
-
10180 - Ping the remote host
-
45432 - Processor Information (via DMI)
-
35351 - System Information Enumeration (via DMI)
-
48337 - Windows ComputerSystemProduct Enumeration (WMI)
-
42409 - Windows NetBIOS Remote Host Information Disclosure
-
1 - Passive OS Detection
-
7186 - DHCP Client Detection
-
7185 - DHCP Server / Client Detection
-
6640 - DHCPv6 client detection
-
6641 - DHCPv6 server detection
-
2313 - Host DHCP Address Release
-
7254 - Hostname Detection via DHCP
NNM Version 6 DHCP
NNM 6 provides security teams with the ability to poll events every five to ten minutes to identify assets from DHCP logs. NNM 6 queries DHCP logs from SIEM providers to record address assignment. In the DHCP exchange, many attributes of the asset are discovered and recorded to provide a choice of targets that may be added to a vulnerability scan. Organizations are often required to maintain an asset inventory to adhere to compliance standards, such as the CIS Critical Control 1. Security teams must have an accurate count of the assets on the network, including assets not owned by the organization to meet compliance requirements. Since many assets are not static, the likelihood of having full asset coverage in an active scan is slim. The data provided by NNM 6 can be leveraged to support compliance-based use cases, perform risk analysis, and establish new scan activities.