Vulnerability Analysis

The Vulnerabilities display screen is the focal point for the display and analysis of vulnerabilities from either the cumulative or the mitigated vulnerability database. Vulnerability data is displayed at varying levels and views, ranging from the highest-level summary down to detailed vulnerability list data. Clicking through Analysis and Vulnerabilities displays a screen with information from the cumulative vulnerability database using the selected default filter. The Vulnerability Summary is shown here:

Cumulative vs. Mitigated

At the top of the default vulnerability display screen under the Options drop-down menu is a selection to Switch to Mitigated. This indicates that the displayed list of vulnerabilities is from the cumulative database of vulnerabilities. This selection reads Switch to Cumulative when the mitigated database of vulnerabilities is being displayed. The Cumulative database contains current vulnerabilities, including those that have been recast, accepted, or mitigated and found vulnerable on rescan. The Mitigated database contains vulnerabilities that are no longer vulnerable based on current scan result information.

Mitigation Logic

SecurityCenter uses the scan definition, the results of the scan, the current state of the cumulative view, and authentication information to determine whether a vulnerability is mitigated. To start, the vulnerability must be present in the cumulative view to be considered for mitigation. The import process then examines each vulnerability in the import repository, and the vulnerability is mitigated if:

  • The IP of the vulnerability was in the target list of the scan.
  • The plugin ID of the vulnerability was in the list of scanned plugins.
  • The port of the vulnerability was in the list of scanned ports.
  • The vulnerability with that IP/port/pluginID combination was not in the scan result.

The import process will also verify that authentication was successful before mitigating any local check vulnerabilities that meet the above criteria.

Note: Mitigation Logic works with scans using policies defined by templates, advanced policies, and remediation scans. These policies will be set up to take advantage of this new mitigation logic.
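The four rules above plus the authentication check, modelled as an added example (this is not SecurityCenter's own code; the class names, field names, plugin IDs and addresses are constructed for illustration):

```python
"""Added example, not SecurityCenter's own code: a model of the mitigation
rules described above.  Class names, field names and all sample records are
constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    """A cumulative-view finding, keyed the way the rules key it: IP/port/plugin ID."""
    ip: str
    port: int
    plugin_id: int
    local_check: bool = False   # host-based check that only runs with credentials

    @property
    def key(self) -> tuple[str, int, int]:
        return (self.ip, self.port, self.plugin_id)


@dataclass
class ScanImport:
    """What the import process knows about one completed scan (assumed shape)."""
    targets: set[str]                   # IPs in the scan's target list
    plugins: set[int]                   # plugin IDs enabled by the policy
    ports: set[int]                     # ports the policy scanned
    results: set[tuple[str, int, int]]  # (ip, port, plugin_id) actually reported
    authenticated: dict[str, bool] = field(default_factory=dict)  # credentialed login OK per host


def is_mitigated(v: Vuln, scan: ScanImport) -> bool:
    """Apply the four rules, plus the authentication check for local checks.

    The first three rules establish that the scan was in a position to observe
    the finding; only then does its absence from the results mean anything.
    Without the authentication check, a scan whose credentials failed would
    silently 'mitigate' every credentialed finding on that host.
    """
    in_scope = (v.ip in scan.targets
                and v.plugin_id in scan.plugins
                and v.port in scan.ports)
    if not in_scope:
        return False
    if v.key in scan.results:
        return False                    # found vulnerable again on rescan
    if v.local_check and not scan.authenticated.get(v.ip, False):
        return False                    # absence is not evidence without a login
    return True


def partition(cumulative: list[Vuln], scan: ScanImport) -> tuple[list[Vuln], list[Vuln]]:
    """Split the cumulative view into (still cumulative, moved to mitigated)."""
    mitigated = [v for v in cumulative if is_mitigated(v, scan)]
    remaining = [v for v in cumulative if not is_mitigated(v, scan)]
    return remaining, mitigated


# Constructed sample: plugin IDs 9001-9005 and the addresses are placeholders.
CUMULATIVE = [
    Vuln("10.0.0.5", 445, 9001),                    # in scope, gone from results
    Vuln("10.0.0.5", 0, 9002, local_check=True),    # local check, login failed on .5
    Vuln("10.0.0.6", 0, 9002, local_check=True),    # local check, login succeeded on .6
    Vuln("10.0.0.7", 80, 9003),                     # host was not a target
    Vuln("10.0.0.5", 8080, 9004),                   # port was not scanned
    Vuln("10.0.0.5", 22, 9005),                     # reported again by the scan
]
SCAN = ScanImport(
    targets={"10.0.0.5", "10.0.0.6"},
    plugins={9001, 9002, 9003, 9004, 9005},
    ports={0, 22, 445},
    results={("10.0.0.5", 22, 9005)},
    authenticated={"10.0.0.5": False, "10.0.0.6": True},
)

if __name__ == "__main__":
    remaining, mitigated = partition(CUMULATIVE, SCAN)
    print("mitigated:", [v.key for v in mitigated])
    print("remaining:", [v.key for v in remaining])
```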

Analysis Tools

A wide variety of analysis tools are available for comprehensive vulnerability analysis. Clicking on the analysis tool drop-down box displays a list of available tools with a scroll bar on the right to view the complete list.

When viewing the analysis tool results, clicking on a result will generally take you to the next level of detail for the analysis. For instance, from the IP Summary page clicking on a host will display the Vulnerability List. Clicking on a vulnerability in that list will display the Vulnerability Detail page featuring that vulnerability. At each step a new drop-down menu appears that allows you either to pivot to another analysis tool based on the current view or to return to the previous view.

Additionally, most results will have a gear icon next to them. This icon provides summaries, normally based on time restrictions, around that item's result.

The table below contains detailed descriptions of all available analysis tools.

Vulnerability Analysis Tools

Analysis Tool Description

IP Summary

Class A Summary

Class B Summary

Class C Summary

SecurityCenter has four tools for summarizing information by vulnerable IP addresses. These include summary by IP, Class A, Class B, and Class C.

The IP Summary tool lists the matching addresses, their vulnerability score, the repository the data is stored in, the OS Common Platform Enumeration (CPE) value, vulnerability count, and a breakdown of the individual severity counts.

The IP Summary tool displays a list of IP addresses along with summary information. Clicking on any of the column items for an IP address displays the Vulnerability List for that host.

The information icon next to the IP address displays the Host Detail information about the IP address. The System Information box displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerabilities. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address. Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the “ARIN” link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by the administrative user (via the “Manage IP Address Information Links” selection under the “Customization” tab), they will be displayed here.

Starting out with a Class A or Class B summary can identify more active network ranges for networks with a large number of active IP addresses. Clicking on a Class A or Class B summary will display a summary of the next class size down. Clicking on a Class C summary will display an IP summary.

The vulnerability score for an address is computed by counting the vulnerabilities at each severity level, multiplying each count by the organization's severity score for that level, and adding up the results.

The default severity scores at each level are:

  • Info – 0
  • Low – 1
  • Medium – 3
  • High – 10
  • Critical – 40

Severity scores for Low, Medium, High, and Critical are configured for each organization by the administrator user.

The OS CPE value may be used to determine the operating system reported on the target host.

All displayed columns can be sorted for more useful views.

Asset Summary

This tool summarizes the scores and counts of vulnerabilities for all dynamic or static asset lists.

A breakdown of each asset’s specific vulnerabilities and counts for each severity level is also included.

Clicking on any of the counts displays a Vulnerability List page with the corresponding filter.

CCE Summary

This displays a summary of hosts which have Common Configuration Enumeration (CCE) vulnerabilities.

Clicking on the host count or vulnerability count for any CCE ID displays an appropriate summary page for further examination of the data.

CVE Summary

This view groups vulnerabilities based on their CVE ID, Hosts Total, and vulnerability count.

DNS Name Summary

SecurityCenter includes the ability to summarize information by vulnerable DNS name. The DNS Name Summary lists the matching hostnames, the repository, vulnerability count, and a breakdown of the individual severity counts.

Clicking on a DNS name will display the vulnerability list of that particular host.

List Mail Clients

SecurityCenter uses NNM to determine a unique list of email clients. The list contains the email client name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of the matching addresses using that email client.

List OS

SecurityCenter understands both actively and passively fingerprinted operating systems. This tool lists what has been discovered.

The method (active, passive, or event) of discovery is also indicated.

Clicking on the count displays the IP Summary page with the corresponding filter.

List Services

SecurityCenter processes information from scans and creates a summary of unique services discovered. The service discovered, count of hosts, and detection method are listed.

Clicking on the service displays the IP Summary page with the corresponding filter.

List SSH Servers

This tool utilizes active and passive scan results to create a unique list of known SSH servers. The list contains the SSH server name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that SSH server.

Tip: Not all SSH servers run on port 22. Do not be surprised if you encounter SSH servers running on unexpected ports.

List Software

SecurityCenter processes information from scans and creates a summary of unique software packages discovered. The software name, count of hosts, and detection method are listed.

Clicking on a software name displays the IP Summary page with the corresponding filter.

List Web Clients

SecurityCenter understands NNM plugin ID 1735, which passively detects the web client in use. This tool lists the unique web clients detected. The list contains the user-agents, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that web client.

List Web Servers

This tool uses the output from passive and active scans to create a unique list of known web servers. The list contains the web server name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that web server.

Tip: Not all web servers run on port 80 or 443. Do not be surprised if you encounter web servers running on unexpected ports.

MS Bulletin Summary

This tool filters vulnerabilities based on Microsoft Bulletin ID. Displayed are the IDs, Vulnerability Totals, Host Total, and Severity. This view is particularly useful in cases where Microsoft releases a new bulletin and a quick snapshot of vulnerable hosts is required.

Plugin Family Summary

This tool charts each Nessus, NNM, or Event plugin family present, as well as its relative counts by severity level for all matching vulnerabilities.

Clicking on any of the counts will display a Vulnerability List page filtered by the selected plugin family.

Port Summary

A summary of the ports in use is displayed for all matched vulnerabilities. Each port has its count of vulnerabilities as well as a breakdown for each severity level. Clicking on any port count displays the IP Summary screen with the corresponding filter.

Protocol Summary

This tool summarizes the detected IP protocols such as TCP, UDP, and ICMP. The tool also breaks out the counts for each protocol’s severity levels.

Clicking on any of the counts will display the IP Summary page with the corresponding filter.

Remediation Summary

The Remediation Summary tool provides a list of remediation actions that may be taken to prioritize the tasks that will have the greatest effect in reducing vulnerabilities in systems. Each entry provides a solution to resolve a particular CPE on a given OS platform. The data provided includes:

Risk Reduction - The score of the vulnerabilities that would be remediated by performing the remediation action over the total score of all vulnerabilities returned by the query as a percentage.

Hosts Affected - The number of unique hosts that would be affected by performing the remediation action.

Vulnerabilities - The count of vulnerabilities (Nessus plugins) that would be remediated by performing the remediation action.

Score - This is calculated by adding up the score for each vulnerability that would be remediated by performing the remediation action.

CVE - The number of distinct CVEs that would be remediated by performing the remediation action.

MS Bulletin - The number of unique MS Bulletins that would be remediated by performing the remediation action.

Vulnerability % - The count of vulnerabilities (Nessus plugins) that would be remediated by performing the remediation action over the total vulnerability count returned by the query, as a percentage.
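The IP Summary score (default severity scores above) and the Remediation Summary columns, computed over a constructed set of findings as an added example (not SecurityCenter's own code). Grouping findings by their solution text as the "remediation action", and counting each reported plugin instance as one vulnerability, are assumptions; the CVE and bulletin identifiers are placeholders.

```python
"""Added example, not SecurityCenter's own code: host score and Remediation
Summary columns over constructed findings.  Grouping key and identifiers
are assumptions/placeholders."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Default per-severity scores from the IP Summary section; an administrator
# sets the Low..Critical values per organization.
DEFAULT_SEVERITY_SCORES = {"Info": 0, "Low": 1, "Medium": 3, "High": 10, "Critical": 40}


@dataclass(frozen=True)
class Finding:
    ip: str
    plugin_id: int
    severity: str
    solution: str                                  # assumed remediation-action key
    cves: frozenset[str] = frozenset()
    ms_bulletins: frozenset[str] = frozenset()


def host_scores(findings: list[Finding], weights=DEFAULT_SEVERITY_SCORES) -> dict[str, int]:
    """IP Summary score: per-host count at each severity times the org's weight, summed."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f.ip][f.severity] += 1
    return {ip: sum(n * weights[sev] for sev, n in per.items()) for ip, per in counts.items()}


def remediation_summary(findings: list[Finding], weights=DEFAULT_SEVERITY_SCORES) -> list[dict]:
    """One row per remediation action, with the columns described above.

    Risk Reduction and Vulnerability % are relative to everything the query
    returned, so the same action scores differently under different filters.
    """
    total_score = sum(weights[f.severity] for f in findings)
    total_count = len(findings)
    by_action: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_action[f.solution].append(f)
    rows = []
    for action, group in by_action.items():
        score = sum(weights[f.severity] for f in group)   # Score column
        rows.append({
            "action": action,
            "hosts_affected": len({f.ip for f in group}),
            "vulnerabilities": len(group),                 # plugin instances (assumption)
            "score": score,
            "cve": len(set().union(*(f.cves for f in group))),
            "ms_bulletin": len(set().union(*(f.ms_bulletins for f in group))),
            "risk_reduction_pct": round(100 * score / total_score, 1) if total_score else 0.0,
            "vulnerability_pct": round(100 * len(group) / total_count, 1),
        })
    rows.sort(key=lambda r: r["score"], reverse=True)      # biggest reduction first
    return rows


# Constructed sample; CVE-0000-000x and MS00-001 are placeholders, not real identifiers.
SAMPLE = [
    Finding("10.0.0.5", 9001, "Critical", "Apply vendor patch X", frozenset({"CVE-0000-0001"}), frozenset({"MS00-001"})),
    Finding("10.0.0.6", 9001, "Critical", "Apply vendor patch X", frozenset({"CVE-0000-0001"}), frozenset({"MS00-001"})),
    Finding("10.0.0.5", 9002, "High", "Apply vendor patch X", frozenset({"CVE-0000-0002"})),
    Finding("10.0.0.7", 9003, "Medium", "Upgrade Y", frozenset({"CVE-0000-0003"})),
    Finding("10.0.0.7", 9004, "Low", "Upgrade Y"),
    Finding("10.0.0.5", 9005, "Info", "n/a"),
]

if __name__ == "__main__":
    print(host_scores(SAMPLE))
    for row in remediation_summary(SAMPLE):
        print(row)
```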

Severity Summary

This tool considers all of the matching vulnerabilities and then charts the total number of info, low, medium, high, and critical vulnerabilities.

Clicking on any of the counts or severities in the chart will display the Vulnerability Summary chart filtered with the matched vulnerabilities.

User Responsibility Summary

This displays a list of the users who are assigned responsibility for the vulnerability based on the user’s assigned asset list. Multiple users with the same responsibility are displayed on the same line. Users without any assigned responsibilities are not displayed in the list. This list is populated when assets are assigned to users in the Users section.

Vulnerability Summary

All matching vulnerabilities are sorted by plugin ID count and listed in a chart. Columns of plugin ID, Total, and Severity can be sorted by clicking on the column header.

Clicking on the information icon next to the plugin ID will produce a window containing a description of the vulnerability check.

Vulnerability List


This tool lists the Plugin ID, Name, Family, Severity, NetBIOS Name, DNS Name, MAC Address, and Repository Name for each matching vulnerability.

Clicking on any item will open a window that shows the Detailed Vulnerability List for that IP address.

Clicking on the information icon next to the plugin ID will produce a window containing the plugin details.

Vulnerability Detail List

This view shows the actual results of a vulnerability scan. Nessus, NNM, and LCE will return very detailed results from their analysis of network systems.

Important options include CVSS score, CVSS temporal score, availability of public exploit, CVE/BID/other references, synopsis, description, and solution.

Scroll arrows are displayed to the right of the vulnerability name for ease of browsing between vulnerabilities.

The host information is displayed in the window for that IP address similar to that described in detail for the IP Summary view above.

If there are any Common Vulnerabilities and Exposures (CVE) or Bugtraq IDs (BIDs), they will be listed for further research as desired.

This display has links to accept this risk or recast it to a different severity level (cumulative database vulnerabilities only).

A ticket may be opened against the vulnerability being viewed from the Options drop-down menu in the top right of the screen.

Add Risk Recast/Acceptance Rule

Vulnerabilities can be recast or accepted based on situational requirements.

To add a Risk Recast Rule, click the vulnerability within the Vulnerability Detail List page and click Recast Risk in the top right corner of the Vulnerability Detail List page. A pop-up similar to the one below is displayed:

Choose the new severity risk level to assign to the current vulnerability and the selected filter options (Repository, Targets, Ports, and Protocol). If any of the selected options are modified, they filter which vulnerabilities inherit the new risk rating. In addition, a comment can be added to describe why the risk is being recast.

Note: There can be a short delay between clicking on Submit and vulnerabilities showing the new risk. It may be necessary to reload the filters to view the applied changes.

Risk acceptance is performed from a similar screen and displays a pop-up similar to the one below:

An expiration date can be added to an Acceptance Rule, which allows a risk to be accepted on a temporary basis. Any vulnerabilities that match the chosen criteria will be automatically accepted and will not show in a vulnerability search unless the Accepted Risk filter flag is set.

Note: There can be a short delay between clicking on Submit and vulnerabilities showing the new risk acceptance. It may be necessary to reload the filters to view the applied changes.

Viewing and deleting of current accept and recast risk rules is performed from the Workflow section of SecurityCenter.

Launch Remediation Scan

This option provides the user with the ability to launch a new remediation scan based on the selected vulnerability. This option is only available through the Vulnerability Detail List analysis tool. For more information about the configuration of the scan to launch, see Scans.

Load Query

The Load Query option enables users to load a predefined query and display the current dataset against that query. Click on Load Query in the filters list to display a box with all available queries. The query names are displayed in alphabetical order. After clicking on an individual query, the vulnerability view is changed to match the query view for the current dataset.

Vulnerability Filters

Filters limit the results of the vulnerability display and can be added, modified, or reset as desired. The filter selection is accessed by the double arrow link in the top left of the Vulnerability Analysis screen. Additional filters may be added using the Select Filter link. Filters may be loaded from previously saved queries or customized based on a current need. The filter restraints may all be reset using the Clear Filters option or individually using the X button next to the filter.

The screen capture below shows a search based on a filtering of vulnerabilities with http in the name, a patch that was published more than 7 days ago, and a Medium severity level.

Note: The Mitigated database filter does not contain the Accepted Risk or Recast Risk options under the Workflow Filters tab.

The screen capture below displays results from the previous search:

The results are displayed with the filter options collapsed. The number under the double arrows indicates the number of filters currently in use. Selecting the arrows to expand the filter screen will show the filters in use and provide the ability to redefine them as desired.

Vulnerability Filter Options

Filters Description

Analysis Tool Filter

Filters

The active filters are listed when the Filters slide-out is displayed. A filter may be removed using the X in the top right of the filter. Filters may be added using the Select Filters option and checking the filter(s) to be added. Once configured, click the Apply All button to display results based on the newly selected options.

Target Filters

Accept Risk

(Cumulative Only)

Display vulnerabilities based on their Accepted Risk workflow status. Available choices include Accepted Risk or Non-Accepted Risk. Choosing both options displays all vulnerabilities regardless of acceptance status.

Address

This filter specifies an IPv4 or IPv6 address, range, or CIDR block to limit the viewed vulnerabilities. For example, entering 192.168.10.0/24 and/or 2001:DB8::/32 limits any of the web tools to only show vulnerability data from the selected network(s). Addresses can be comma separated or entered on separate lines.

Application CPE

Allows a text string search to match against available CPEs. The filter may be set to Contains, Exact Match, or Regex Filter. The Regex Filter is based on PCRE.

Asset

This filter displays systems from the chosen asset list. If more than one asset list contains the systems from the primary asset list (i.e., there is an intersect between the asset lists), those asset lists are displayed as well. The operators NOT, OR, and AND may be used to exclude unwanted asset lists from the view.

Audit File

This filter displays vulnerabilities detected when a scan was performed using the chosen .audit file.

CCE ID

Displays results based on the entered CCE ID.

CVE ID

Displays vulnerabilities based on the chosen single CVE ID (e.g., CVE-2010-1128) or multiple CVE IDs separated by commas (e.g., CVE-2011-3348,CVE-2011-3268,CVE-2011-3267).

CVSS Score

Displays vulnerabilities within the chosen CVSS score range.

CVSS Vector

Filters results based on a search against the CVSS Vector information.

Cross Reference

Filters results based on a search against the cross reference information in a vulnerability.

DNS Name

This filter specifies a DNS name to limit the viewed vulnerabilities. For example, entering host.example.com limits any of the web tools to only show vulnerability data from that DNS name.

Exploit Available

If set to yes, displays only vulnerabilities for which a known public exploit exists.

Exploit Frameworks

When set, the text option can be equal to or contain the text entered in the option.

IAVM ID

Displays vulnerabilities based on the chosen IAVM ID (e.g., 2011-A-0007) or multiple IAVM IDs (e.g., 2011-A-0005,2011-A-0007,2012-A-0004).

MS Bulletin ID

Displays vulnerabilities based on the chosen Microsoft Bulletin ID (e.g., MS09-001) or multiple Microsoft Bulletin IDs separated by commas (e.g., MS10-012,MS10-054,MS11-020).

Mitigated

Display vulnerabilities that were at one time mitigated, but have been discovered again in a subsequent scan. This option is not used in conjunction with other options unless all options within the selected combination are set (e.g., selecting the Was Mitigated box will return no results if both the Was Mitigated and the Accepted Risk flags are set).

Output Assets (only available in the “Asset Summary” analysis tool)

This filter displays only the desired asset list systems.

Patch Published

When available, Tenable plugins contain information about when a patch was published for a vulnerability. This filter allows the user to search based on when a patch became available; less than, more than, or within a specific count of days.

Plugin Family

This filter chooses a Nessus or NNM plugin family. Only vulnerabilities from that family will be shown.

Plugin ID

Type the desired plugin ID, or a range based on a plugin ID. Available operators are equal to (=), not equal to (!=), greater than or equal to (>=), and less than or equal to (<=).

Plugin Modified

Tenable plugins contain information about when a plugin was last modified. This filter allows users to search based on when a particular plugin was modified: less than, more than, or within a specific count of days.

Plugin Name

Using the Contains option, type all or a portion of the actual plugin name. For example, entering MS08-067 in the plugin name filter will display vulnerabilities using the plugin named MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check). Similarly, entering the string uncredentialed will display a list of vulnerabilities with that string in the plugin name.

Using the Regex Match option, a regular expression may be used to filter on the Plugin Name.

Plugin Published

Tenable plugins contain information about when a plugin was first published. This filter allows users to search based on when a particular plugin was created: less than, more than, or within a specific count of days.

Plugin Type

Select whether to view all plugin types or passive, active, event, or compliance vulnerabilities.

Port

This filter is in two parts. First, the equality operator is specified to match vulnerabilities with the same ports, different ports, all ports less than, or all ports greater than the port filter. The port filter allows a comma separated list of ports. For the greater than or less than filters, only one port may be used.

Note: All host-based vulnerability checks are reported with a port of 0 (zero).

Protocol

This filter provides boxes to select TCP, UDP, or ICMP-based vulnerabilities.

Recast Risk

(Cumulative Only)

Display vulnerabilities based on their Recast Risk workflow status. Available choices include Recast Risk or Non-Recast Risk. Choosing both options displays all vulnerabilities regardless of recast risk status.

Repositories

Display vulnerabilities from the chosen repositories.

STIG Severity

This filter maps to the stigseverity column in the plugins database.

Scan Policy

This filter chooses a scan policy. Only vulnerabilities from that scan policy will be shown.

Severity

Displays vulnerabilities with the selected severity (Info, Low, Medium, High, Critical).

Users

Allows selection of one or more users who are responsible for the vulnerabilities.

Vulnerability Discovered

SecurityCenter tracks when each vulnerability was first discovered. This filter allows the user to see which vulnerabilities were discovered less than, more than, or within a specific count of days.

Note: The discovery date is based on when the vulnerability was first imported into SecurityCenter. For NNM, this will not match the exact vulnerability discovery time as there is normally a lag between the time that NNM discovers a vulnerability and the import occurs.

Note: Days are calculated based on 24-hour periods prior to the current time and not calendar days. For example, if the report run time was 1/8/2012 at 1 PM, using a 3-day count would include vulnerabilities starting 1/5/2012 at 1 PM and not from 12:00 AM.
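The 24-hour-period rule from the note above, applied to the day-count filters as an added example (not SecurityCenter's own code). The window start is reproduced from the note's 1/8/2012 example; treating "within" as inclusive of the window start and "less than" as strictly inside it are assumptions, and the calendar-day variant is included only to show what the note says the filter does not do.

```python
"""Added example, not SecurityCenter's own code: day-count filter windows
measured in 24-hour periods, contrasted with calendar days."""
from datetime import datetime, timedelta


def window_start(now: datetime, days: int) -> datetime:
    """N-day window start per the note: N whole 24-hour periods before 'now'."""
    return now - timedelta(hours=24 * days)


def calendar_window_start(now: datetime, days: int) -> datetime:
    """What a calendar-day interpretation would use (midnight); NOT what the note describes."""
    return (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)


def matches_day_filter(timestamp: datetime, now: datetime, op: str, days: int) -> bool:
    """Evaluate 'within' / 'less than' / 'more than' N days against a timestamp.

    Boundary handling is an assumption: 'within' includes the window start
    (the note says a 3-day count 'would include vulnerabilities starting'
    at that instant), 'less than' is strictly inside, 'more than' is before it.
    """
    start = window_start(now, days)
    if op == "within":
        return timestamp >= start
    if op == "less than":
        return timestamp > start
    if op == "more than":
        return timestamp < start
    raise ValueError(f"unknown operator: {op!r}")


if __name__ == "__main__":
    run_time = datetime(2012, 1, 8, 13, 0)             # the note's example: 1/8/2012 at 1 PM
    print("3-day window starts:", window_start(run_time, 3))          # 2012-01-05 13:00
    print("calendar-day start: ", calendar_window_start(run_time, 3))  # 2012-01-05 00:00
```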

Vulnerability Last Observed (Cumulative only)

This filter allows the user to see when the vulnerability was last observed by Nessus, LCE, or NNM.

Note: The observation date is based on when the vulnerability was most recently imported into SecurityCenter. For NNM, this will not match the exact vulnerability discovery time, as there is normally a lag between the time that NNM discovers a vulnerability and the import occurs.

Vulnerability Mitigated (Mitigated only)

This filter allows the user to filter results based on when the vulnerability was mitigated.

Vulnerability Published

When available, Tenable plugins contain information about when a vulnerability was published. This filter allows users to search based on when a particular vulnerability was published: less than, more than, or within a specific count of days.

Vulnerability Text

Displays vulnerabilities containing the entered text (e.g., “php 5.3”) or regex search term.

Options Drop-Down Menu

The following options are available under the Options drop-down menu in the top right corner of the Event Analysis screen:

Save Query

This option, available in the top right corner of the web interface under the Options drop-down menu, saves the current vulnerability view as a query for reuse. If this link is clicked, a dialog similar to the one below is displayed:

The table below describes the available query options:

Query Options

Option Description

Name

A name for the query (required)

Description

This option enables users to provide a description of the query.

Save Asset

Vulnerability results can be saved to an asset list for later use by clicking on the Save Asset link in the top right side of the screen under the Options drop-down menu.

The table below describes the available asset options:

Asset Options

Option Description

Name

A name for the asset (required)

Description

This option enables users to provide a description of the asset.

Open Ticket

Tickets are used within SecurityCenter to assist with the assessment and remediation of vulnerabilities and security events. Use this option to open a ticket based on the current event view. Click on the Open Ticket link under the Options drop-down menu and complete the relevant options as described below:

Ticket Options

Option Description

Name

Ticket name (required)

Description

Ticket description

Notes

Notes to be used within the ticket and read by the ticket assignee.

Assignee

The user to assign the ticket to (required)

Classification

Information, Configuration, Patch, Disable, Firewall, Schedule, IDS, Accept Risk, Recast Risk, Re-scan Request, False Positive, System Probe, External Probe, Investigation Needed, Compromised System, Virus Incident, Bad Credentials, Unauthorized Software, Unauthorized System, Unauthorized User, or Other.

Export as CSV

Vulnerability results can be exported to a comma-separated file for detailed analysis outside of SecurityCenter by clicking on the Options drop-down menu and then the Export as CSV option.

If the record count (rows displayed) of any CSV export is greater than 1,000 records, a pop-up is displayed that prompts for the name of the CSV report to be generated. When complete, the report can be downloaded from the Report Results page.

View Settings

When available, this setting controls the columns that are displayed for the selected analysis tool.

Switch to Mitigated/Switch to Cumulative

The final option on the menu is Switch to Mitigated or Switch to Cumulative. The option shown is always the opposite of the database currently being viewed.

Copyright 2017 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.  Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc.  All other products or services are trademarks of their respective owners.