From the course: Vulnerability Management with Nessus
Scan configuration - Nessus Tutorial
Scan configuration
- [Instructor] Now we've already run a couple of simple vulnerability scans in this course, but now let's explore the process of setting up a vulnerability scan in more detail. I'm back in Nessus and I'm going to set up a new scan from scratch. When I go ahead and click the new scan button, I'm presented with a series of templates to choose from. These are pre-configured scan settings that I can choose if I don't want to set everything myself. I'd like to look at all of the options, so I'm going to go ahead and click advanced scan, which allows me to choose my own settings.

The initial screen that I see lets me enter some basic information about the scan. I can give it a name; I'm going to go ahead and call this Mike's scan. I could fill in a description if I want to, but I'm going to leave that blank for now. The most important part of this page of settings is the targets box. That's where I configure the scope of the scan. In this box, I can enter system names, IP addresses, or network ranges that contain the systems that I'd like to scan. I'm going to set my scan to run on a local network here. I'd like to scan all the systems in the 172.30/24 network. So let me go ahead and enter that address range, and now that's 255 IP addresses represented by this range. Nessus is going to scan all of those to see if systems are active and then perform vulnerability scans on those systems that respond.

Now, notice down here that there's a link to upload a target file. This is useful if your organization has a separate asset management tool. You can export a list of systems from that tool and import it here so that you don't have to retype or cut and paste everything. When I'm creating a scan program, I generally want to organize it into a series of scans that each include systems that will be scanned at the same time.
For example, if I decided that I want to set the scanning frequency based upon the types of data that a system processes, I might create different scans for systems that process confidential, sensitive and highly sensitive information. This allows me to set different schedules for each of these system groups. We've already looked at the schedule tab. I'm going to enable this scan to run on a schedule, and I'm going to ask that it run every day. I'm going to go to the notification tab and say that I would like the scanner to send me a report by email every time the scan finishes. Let's go ahead and save this.

Now let's take a look at the discovery options. This is where I can provide Nessus with instructions about how to decide if a system is alive on the network. I can configure the types of network pings and how Nessus should handle devices like printers and NetWare systems that might react negatively to a scan. On the port scanning tab, I can set the specific ports that I'd like Nessus to scan and also tell it which protocols to use when scanning for open ports. The default settings include all commonly used ports, so I'm going to leave that setting alone, but if your network uses custom ports, you can configure those here.

In the assessment section of the scan configuration, I can set the scan sensitivity level. This is an important setting. When you're performing any type of scan, you run the risk of false alarms. These can waste the time of cybersecurity analysts, and by default, Nessus uses what it calls normal accuracy. Think of this as a medium setting that seeks to balance the risk of a false alarm with the risk of missing a real vulnerability. If you'd like, you can change the setting to err on the side of reporting a vulnerability, which will give you more false alarms, by checking the override normal accuracy box and then choosing show potential false alarms.
Or you can make Nessus try to avoid false alarms more than the default by choosing avoid potential false alarms.

The last settings page we'll look at is the advanced page. This has a few important settings. First, notice the first box that's checked here, enable safe checks. This setting tells Nessus to avoid performing scans that might disrupt a system. It's probably best to leave this box checked when you're working in a production environment. You may wish to uncheck it if you're scanning systems prior to their deployment in production to get the most thorough scan results possible. There are also some settings on this page that allow you to alter the performance of the scan. You can choose to stop scanning hosts that become unresponsive during the scan, scan IP addresses in a random order, automatically accept detected SSH disclaimer prompts, scan targets with multiple domain names in parallel, and create a unique identifier on hosts scanned using credentials. There are lots of other options here as well that you can go through and configure as appropriate for your environment.

Nessus uses plugins to perform vulnerability checks. Each plugin is designed to check for one specific vulnerability, and plugins are organized by the types of systems that they affect. You'll see the settings for plugins in the plugins tab here. If I'd like, I could go through and configure these settings to only include the plugins for applications and services that I know exist in my environment. This will make scans complete faster. Vulnerability scanners offer a wide variety of configuration options that allow you to customize the scanner's performance. If you find yourself tweaking these settings, be sure to create your own custom templates so that you can easily reuse your settings across many scans.
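The targets box and the target-file upload described in this lesson are where scope mistakes happen: a mistyped range means the scanner probes addresses nobody authorized. The script below is an added example (not code from the course or from Tenable) that parses a target list the way an operator would type it into that box, counts what the scope actually covers, flags anything outside an authorized address block, and assembles the body of the Nessus REST API call that creates the scan. The target-file format (one entry per line, commas allowed, `#` comments), the sample export file, and the API key names (`POST /scans` with a template `uuid` and a `settings` object holding `name`, `text_targets`, `enabled`, `launch` and `emails`) are assumptions for this example; check the key names against the API reference served at `/api` on your own scanner before relying on them.

```python
"""Added example: expand, sanity-check and package a Nessus scan scope.

Not code from the course. REST key names are an assumption taken from the
Nessus API reference and must be verified against your scanner's /api page.
"""
import ipaddress
import json

# Constructed sample of an asset-inventory export for the "upload targets"
# link. Format (one entry per line, commas allowed, '#' comments) is an
# assumption for this example.
SAMPLE_TARGET_FILE = """# exported from asset inventory
172.30.0.0/24
web-01.example.com, 10.0.0.7
"""


def parse_target_file(text):
    """Split a target file into individual target entries, dropping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(e.strip() for e in line.split(",") if e.strip())
    return entries


def expand_target(spec):
    """Expand one target entry into a list of address strings.

    Accepts a single IP, a CIDR block (172.30.0.0/24, which yields all 256
    addresses including network and broadcast), a dash range
    (10.0.0.1-10.0.0.5), or a host name, which is returned as-is because it
    cannot be counted without DNS.
    """
    spec = spec.strip()
    try:
        return [str(ipaddress.ip_address(spec))]
    except ValueError:
        pass
    if "/" in spec:
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:
        lo_s, hi_s = spec.split("-", 1)
        try:
            lo = ipaddress.ip_address(lo_s.strip())
            hi = ipaddress.ip_address(hi_s.strip())
        except ValueError:
            return [spec]  # hyphenated host name such as web-01.example.com
        if hi < lo:
            raise ValueError(f"range {spec} runs backwards")
        return [str(ipaddress.ip_address(int(lo) + i))
                for i in range(int(hi) - int(lo) + 1)]
    return [spec]  # plain host name


def scope_summary(entries):
    """Return (number of distinct addresses, list of host names) in the scope."""
    addresses, hosts = set(), []
    for e in entries:
        for item in expand_target(e):
            try:
                addresses.add(ipaddress.ip_address(item))
            except ValueError:
                hosts.append(item)
    return len(addresses), hosts


def out_of_scope(entries, authorized_cidrs):
    """Return (addresses outside every authorized block, host names that
    could not be checked). Run this before saving the scan: the authorized
    blocks are whatever your scanning authorization actually covers."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in authorized_cidrs]
    bad, unchecked = [], []
    for e in entries:
        for item in expand_target(e):
            try:
                addr = ipaddress.ip_address(item)
            except ValueError:
                unchecked.append(item)
                continue
            if not any(addr in net for net in allowed):
                bad.append(item)
    return bad, unchecked


def build_scan_request(name, entries, template_uuid, launch="DAILY", emails=None):
    """Body for POST /scans. Key names are an assumption from the Nessus API
    reference (template uuid comes from GET /editor/scan/templates)."""
    settings = {
        "name": name,
        "text_targets": ",".join(entries),
        "enabled": True,        # run on the schedule given by "launch"
        "launch": launch,       # e.g. ONETIME, DAILY, WEEKLY, MONTHLY
    }
    if emails:
        settings["emails"] = ",".join(emails)   # notification recipients
    return {"uuid": template_uuid, "settings": settings}


if __name__ == "__main__":
    entries = parse_target_file(SAMPLE_TARGET_FILE)
    count, hosts = scope_summary(entries)
    print(f"{count} addresses plus {len(hosts)} host name(s) in scope")
    bad, unchecked = out_of_scope(entries, ["172.30.0.0/24"])
    if bad:
        print("NOT AUTHORIZED, fix before saving:", bad)
    print(json.dumps(build_scan_request("Mike's scan", entries,
                                        "template-uuid-placeholder",
                                        emails=["mike@example.com"]), indent=2))
```

Run as a script it reports 257 addresses plus one host name, flags `10.0.0.7` as outside the authorized `172.30.0.0/24` block, and prints the request body; the host name is listed as unchecked rather than silently passed, since a name can resolve to an address you are not authorized to scan.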