Vulnerability Analysis Tools

On the Vulnerability Analysis page, you can use the analysis tool drop-down box to select the vulnerability analysis tool you want to view.

Analysis Tool Description

IP Summary

Class A Summary

Class B Summary

Class C Summary

SecurityCenter has four tools for summarizing information by vulnerable IP addresses: IP Summary, Class A Summary, Class B Summary, and Class C Summary.

The vulnerability score for an address is computed by multiplying the number of vulnerabilities at each severity level by the organization’s severity score for that level and adding up the results.

The default severity scores at each level are:

  • Info – 0
  • Low – 1
  • Medium – 3
  • High – 10
  • Critical – 40

Severity scores for Low, Medium, High, and Critical are configured for each organization by the administrator user.

The OS CPE value may be used to determine the operating system reported on the target host.

IP Summary

The IP Summary tool lists the matching IP addresses, their vulnerability score, the repository the data is stored in, the OS Common Platform Enumeration (CPE) value, vulnerability count, and a breakdown of the individual severity counts.

The IP Summary tool displays a list of IP addresses along with summary information. Clicking on any of the column items for an IP address displays the Vulnerability List for that host.

The information icon next to the IP address displays the Host Detail information about the IP address. The System Information box displays information about the NetBIOS Name (if known), DNS Name (if known), MAC address (if known), OS (if known), Score, Repository, Last Scan, Passive Data, Compliance Data, and Vulnerabilities. The Assets box displays which asset lists the IP address belongs to. The Useful Links box contains a list of resources that can be queried by IP address.

Clicking on one of the Resource links causes the resource to be queried with the current IP address. For example, if the current IP address was a publicly registered address, clicking on the “ARIN” link causes the ARIN database to be queried for the registration information for that address. If custom resources have been added by the administrator user (via the “Manage IP Address Information Links” selection under the “Customization” tab), they are displayed here.

Class A Summary/Class B Summary/Class C Summary

Starting out with a Class A or Class B summary can identify more active network ranges for networks with a large number of active IP addresses. Clicking on a Class A or Class B summary displays a summary of the next class size down. Clicking on a Class C summary displays an IP summary.

Asset Summary

This tool summarizes the scores and counts of vulnerabilities for all dynamic or static asset lists.

A breakdown of each asset’s specific vulnerabilities and counts for each severity level is also included.

Clicking on any of the counts displays a Vulnerability List page with the corresponding filter.

CCE Summary

This displays a summary of hosts which have Common Configuration Enumeration (CCE) vulnerabilities.

Clicking on the host count or vulnerability count for any CCE ID displays an appropriate summary page, which is used to further examine the data.

CVE Summary

This view groups vulnerabilities based on their CVE ID, Hosts Total, and vulnerability count.

DNS Name Summary

SecurityCenter includes the ability to summarize information by vulnerable DNS name. The DNS Name Summary lists the matching hostnames, the repository, vulnerability count, and a breakdown of the individual severity counts.

Clicking on a DNS name displays the vulnerability list of that particular host.

List Mail Clients

SecurityCenter uses NNM to determine a unique list of email clients. The list contains the email client name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of the matching addresses using that email client.

List OS

SecurityCenter understands both actively and passively fingerprinted operating systems. This tool lists what has been discovered.

The method (active, passive, or event) of discovery is also indicated.

Clicking on the count displays the IP Summary page with the corresponding filter.

List Services

SecurityCenter processes information from scans and creates a summary of unique services discovered. The service discovered, count of hosts, and detection method are listed.

Clicking on the service displays the IP Summary page with the corresponding filter.

List SSH Servers

This tool uses active and passive scan results to create a unique list of known SSH servers. The list contains the SSH server name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that SSH server.

Tip: Not all SSH servers run on port 22. Do not be surprised if you encounter SSH servers running on unexpected ports.

List Software

SecurityCenter processes information from scans and creates a summary of unique software packages discovered. The software name, count of hosts, and detection method are listed.

Clicking on a software name displays the IP Summary page with the corresponding filter.

List Web Clients

SecurityCenter understands NNM plugin ID 1735, which passively detects the web client in use. This tool lists the unique web clients detected. The list contains the user-agents, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that web client.

List Web Servers

This tool uses the output from passive and active scans to create a unique list of known web servers. The list contains the web server name, count of detections, and the detection method.

Clicking on the count displays the IP Summary page of matching addresses using that web server.

Tip: Not all web servers run on port 80 or 443. Do not be surprised if you encounter web servers running on unexpected ports.

MS Bulletin Summary

This tool filters vulnerabilities based on Microsoft Bulletin ID. Displayed are the IDs, Vulnerability Totals, Host Total, and Severity. This view is particularly useful in cases where Microsoft releases a new bulletin and a quick snapshot of vulnerable hosts is required.

Plugin Family Summary

This tool charts each Nessus, NNM, or Event plugin family that is present, as well as their relative counts based on severity level for all matching vulnerabilities.

Clicking on any of the counts displays a Vulnerability List page filtered by the selected plugin family.

Port Summary

A summary of the ports in use is displayed for all matched vulnerabilities. Each port has its count of vulnerabilities as well as a breakdown for each severity level. Clicking on any port count displays the IP Summary page with the corresponding filter.

Protocol Summary

This tool summarizes the detected IP protocols such as TCP, UDP, and ICMP. The tool also breaks out the counts for each protocol’s severity levels.

Clicking on any of the counts displays the IP Summary page with the corresponding filter.

Remediation Summary

The Remediation Summary tool provides a list of remediation actions that may be taken to prioritize tasks that have the greatest effect to reduce vulnerabilities in systems. This list provides a solution to resolve a particular CPE on a given OS platform. The data provided includes:

Risk Reduction - The score of the vulnerabilities that would be remediated by performing the remediation action, expressed as a percentage of the total score of all vulnerabilities returned by the query.

Hosts Affected - The number of unique hosts that would be affected by performing the remediation action.

Vulnerabilities - The count of vulnerabilities (Nessus plugins) that would be remediated by performing the remediation action.

Score - This is calculated by adding up the score for each vulnerability that would be remediated by performing the remediation action.

CVE - The number of distinct CVEs that would be remediated by performing the remediation action.

MS Bulletin - The number of unique MS Bulletins that would be remediated by performing the remediation action.

Vulnerability % - The count of vulnerabilities (Nessus plugins) that would be remediated by performing the remediation action, expressed as a percentage of the total vulnerability count returned by the query.
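Added example (not Tenable's code): the scoring arithmetic described for the IP and Class A/B/C summaries and for the Remediation Summary fields, using the default severity scores listed above. The findings, plugin IDs and remediation action names are constructed, and treating each host/plugin pair as one vulnerability is an assumption.

```python
from collections import defaultdict
import ipaddress

# Default severity scores from this page; Low..Critical are configurable per organization.
DEFAULT_WEIGHTS = {"info": 0, "low": 1, "medium": 3, "high": 10, "critical": 40}

# Constructed sample findings: (ip, plugin_id, severity, remediation action or None).
FINDINGS = [
    ("10.1.1.5", 90001, "critical", "Upgrade ExampleHTTPd"),
    ("10.1.1.5", 90002, "high", "Upgrade ExampleHTTPd"),
    ("10.1.1.5", 90003, "info", None),
    ("10.1.1.9", 90001, "critical", "Upgrade ExampleHTTPd"),
    ("10.1.2.7", 90004, "medium", "Apply ExampleOS patch"),
    ("10.1.2.7", 90005, "low", "Apply ExampleOS patch"),
    ("10.1.2.7", 90006, "high", None),
]

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when the denominator is zero."""
    return round(100 * part / whole, 1) if whole else 0.0

def ip_scores(findings, weights=DEFAULT_WEIGHTS):
    """Per-address score: each finding contributes its severity's score."""
    scores = defaultdict(int)
    for ip, _plugin, sev, _action in findings:
        scores[ip] += weights[sev]
    return dict(scores)

def class_summary(scores, prefix_len):
    """Roll per-IP scores up to /8 (Class A), /16 (Class B) or /24 (Class C)."""
    rollup = defaultdict(int)
    for ip, score in scores.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        rollup[str(net)] += score
    return dict(rollup)

def remediation_summary(findings, weights=DEFAULT_WEIGHTS):
    """Per action: Score, Hosts Affected, Vulnerabilities, Risk Reduction, Vulnerability %."""
    total_score = sum(weights[sev] for _, _, sev, _ in findings)
    rows = {}
    for action in {a for *_, a in findings if a}:
        hits = [f for f in findings if f[3] == action]
        score = sum(weights[f[2]] for f in hits)
        rows[action] = {
            "score": score,
            "hosts_affected": len({f[0] for f in hits}),
            "vulnerabilities": len(hits),
            "risk_reduction_pct": pct(score, total_score),
            "vulnerability_pct": pct(len(hits), len(findings)),
        }
    return rows
```

With these sample findings, the action that fixes fewer than half of the vulnerabilities removes most of the score, which is why Risk Reduction rather than Vulnerability % is the column to sort on when prioritizing.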

Severity Summary

This tool considers all of the matching vulnerabilities and then charts the total number of info, low, medium, high, and critical vulnerabilities.

Clicking on any of the counts or severities in the chart displays the Vulnerability Summary chart filtered with the matched vulnerabilities.

User Responsibility Summary

This displays a list of the users who are assigned responsibility for the vulnerability based on the user’s assigned asset list. Multiple users with the same responsibility are displayed on the same line. Users without any assigned responsibilities are not displayed in the list. This list is populated when assets are assigned to users in the Users section.

Vulnerability Summary

All matching vulnerabilities are sorted by plugin ID count and listed in a chart. Columns of plugin ID, Total, and Severity can be sorted by clicking on the column header.

Clicking on the information icon next to the plugin ID displays a window containing a description of the vulnerability check.

Vulnerability List

This tool lists out the Plugin ID, Name, Family, Severity, NetBIOS Name, DNS Name, MAC Address, and Repository Name for each matching vulnerability.

Clicking on any item displays a window that shows the Detailed Vulnerability List for that IP address.

Clicking on the information icon next to the plugin ID displays a window containing the plugin details.

Vulnerability Detail List

This view shows the actual results of a vulnerability scan. Nessus, NNM, and LCE return very detailed results from their analysis of network systems.

Important options include CVSS score, CVSS temporal score, availability of public exploit, CVE/BID/other references, synopsis, description, and solution.

Scroll arrows are displayed to the right of the vulnerability name for ease of browsing between vulnerabilities.

The host information is displayed in the window for that IP address similar to that described in detail for the IP Summary view above.

If there are any Common Vulnerabilities and Exposures (CVE) IDs or Bugtraq IDs (BIDs), they are listed for further research as desired.

This display has links to accept this risk or recast it to a different severity level (cumulative database vulnerabilities only).

A ticket may be opened against the vulnerability being viewed from the Options drop-down menu in the top right of the page.

Copyright 2017-2018 Tenable, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Tenable, Tenable.io, Assure, and The Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.