
I am wondering what others do in regards to setting up their enterprise scheduled vulnerability scan policies. For example do you prefer to create a single scan policy and scan all networks regardless of the hosts platforms (windows, linux, SQL Server, Oracle, Apache, IIS, etc.) or do you end up creating multiple scan policies with just the checks enabled for that OS, database, web server, etc? The latter seems like it would be a better choice for performance and for customizing the settings for the target platform however I think it would be difficult to ensure scan coverage and to maintain the policies as hosts are added, changed, or removed. It also adds a step at the end of merging the scan results back together from multiple policies for reporting.

I am using Nessus and currently I have a single policy that is configured to scan multiple /24's with most plugins enabled and credentials for the Windows and Linux hosts to perform authenticated scans. These scans are configured to run monthly and I generally create one off scan policies for ad-hoc requests. This works okay but I am wondering what tips & opinions others may have.

Thanks!

m3ta
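The question mentions the extra step of merging results from several policies back together for reporting. The following is an added example, not code from the question or from Tenable: it merges findings from multiple Nessus exports into one per-host view, deduplicating a finding that two policies both reported. It assumes the `.nessus` v2 XML layout (ReportHost / ReportItem elements with pluginID, port, protocol and severity attributes); both reports below are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample exports: a Windows-focused and a web-focused policy both
# scanned 10.0.0.5 (plugin 10000 shows up in both); only the second saw 10.0.0.9.
SCAN_A = """<NessusClientData_v2><Report name="windows-policy">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="10000" pluginName="SMB issue"/>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="19506" pluginName="Scan Info"/>
</ReportHost></Report></NessusClientData_v2>"""
SCAN_B = """<NessusClientData_v2><Report name="web-policy">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" protocol="tcp" severity="3" pluginID="10000" pluginName="SMB issue"/>
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="11000" pluginName="Web issue"/>
</ReportHost>
<ReportHost name="10.0.0.9">
 <ReportItem port="443" protocol="tcp" severity="1" pluginID="11001" pluginName="TLS issue"/>
</ReportHost></Report></NessusClientData_v2>"""

def parse_findings(xml_text):
    """Yield (host, key, finding) for every ReportItem in a .nessus v2 document.
    key = (pluginID, port, protocol) identifies the same finding across policies."""
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (item.get("pluginID"), item.get("port"), item.get("protocol"))
            finding = {"plugin": item.get("pluginName"),
                       "severity": int(item.get("severity", "0"))}
            yield host.get("name"), key, finding

def merge_reports(xml_docs, min_severity=0):
    """Merge several exports into {host: {key: finding}}; return (merged, duplicates_dropped).
    When two policies report the same key, the higher severity wins."""
    merged = defaultdict(dict)
    dropped = 0
    for doc in xml_docs:
        for host, key, finding in parse_findings(doc):
            if finding["severity"] < min_severity:
                continue
            existing = merged[host].get(key)
            if existing is None:
                merged[host][key] = finding
            else:
                dropped += 1
                if finding["severity"] > existing["severity"]:
                    merged[host][key] = finding
    return dict(merged), dropped

def severity_summary(merged):
    """Count unique findings per Nessus severity level (0=info .. 4=critical)."""
    counts = defaultdict(int)
    for findings in merged.values():
        for finding in findings.values():
            counts[finding["severity"]] += 1
    return dict(counts)
```

Pointing the same functions at real exports means reading each file's text and passing the list to `merge_reports`; `min_severity=1` drops the informational plugins before reporting.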

2 Answers


Nessus and other vulnerability scanners will only scan using applicable packages, dependent on what ports and applications are found per host during discovery. Nessus isn't going to run a web vulnerability scan against a DB process, nor will it run a Windows scan against a Linux server, so tailoring your scans to specific DBs and software packages is a waste of your time.

Also, one of the benefits of running vulnerability scanners on your systems is to discover things that you don't know are there. If you limit a scan to what should be there, as opposed to what could be there, you may miss all sorts of important things. If you scan a DB server with only DB-related packages, you could miss the gaming server that has been installed on it against policy, for example.

So your best policy would be to scan everything, using every non-disruptive test. Limiting your scans wastes your time, and may make you miss something important.

GdD

In addition to GdD's answer, I would also advise timing your scans so that you:

  • Don't scan critical systems when nobody is available to restore them should you knock them over
  • Scan at night or during the weekend (generally the hours when the servers are under the least load)
k1DBLITZ