Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

IT Discussion
IRJ:

Nessus works off CVEs not patches. Read the CVE and you will see patching is only part of the solution.
IRJ @Dashrender:

    @dashrender said:
        @stacksofplates said:
            @momurda said:
                @stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isn't mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.
            I'd have to dig through their logs. That's why they were so surprised. It's not listed anywhere but these reg entries needed added or modified.
        OR Nessus needs to find another way to verify that the patch is installed.

It looks at the attack surface of the CVE itself. Auditing patches can be done easily through PowerShell; Nessus looks specifically for vulnerabilities.
scottalanmiller @IRJ:

    @irj said:
        It looks at the attack surface of the CVE itself. Auditing patches can be done easily through PowerShell; Nessus looks specifically for vulnerabilities.

Then it should list vulnerabilities, not missing patches. That just makes it wrong.
scottalanmiller @IRJ:

    @irj said:
        Nessus works off CVEs not patches. Read the CVE and you will see patching is only part of the solution.

The question here is about patching, not securing.
IRJ @scottalanmiller:

    @scottalanmiller said:
        Then it should list vulnerabilities, not missing patches. That just makes it wrong.

Not sure what you mean here. Nessus is a vulnerability scanner.

The OP is confused because Tenable uses the name MS1503 for the vulnerability as it is related to patch MS1503. The CVE is named something different. Would you rather have a list of friendly names or CVEs that mean nothing to you?
IRJ @scottalanmiller:

    @scottalanmiller said:
        Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool

Here is how it works. Every CVE is given a specific plugin from Nessus or any other vulnerability scanner. You can easily read the script yourself if you're worried it's inaccurate. What's proprietary is the delivery and the scanning itself.

OpenVAS performance-wise is terrible compared to Nessus, although the scan results are similar. OpenVAS does not scale well.
IRJ @scottalanmiller:

    @scottalanmiller said:
        The question here is about patching, not securing.

Then Nessus is the wrong tool, as it is a vulnerability scanner, not a patch auditor. If you want to audit patches, use PowerShell.
Obsolesce:

You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...
IRJ @Obsolesce:

    @tim_g said:
        You'd think they would be running OpenVAS or SCAP or something similar instead of just scanning for patches that may or may not apply to the server...

What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.
stacksofplates @IRJ:

    @irj said:
        What are you talking about? It only runs applicable scripts. Nessus is much better than either of those solutions.

I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP; it's just a different tool.
Obsolesce @stacksofplates:

    @stacksofplates said:
        I don't think it compares to SCAP. That's just hardening rules. I really like OpenSCAP; it's just a different tool.

OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.
stacksofplates @Obsolesce:

    @tim_g said:
        OpenSCAP is what I meant... I didn't know there was a difference between OpenSCAP and SCAP.

SCAP is the NIST stuff. OpenSCAP is the tool.
IRJ @stacksofplates:

    @stacksofplates said:
        SCAP is the NIST stuff. OpenSCAP is the tool.

You can also run NIST-specific audits with Nessus.
Obsolesce @stacksofplates:

    @stacksofplates said:
        SCAP is the NIST stuff. OpenSCAP is the tool.

Ah, gotcha.
stacksofplates @IRJ:

    @irj said:
        You can also run NIST-specific audits with Nessus.

Well, it does some things I "think" Nessus doesn't. It will scan VMs from the hypervisor without an agent or logging in. OpenSCAP also has all of RHEL's gardening rules baked in, like sysctl configs and things like AIDE.
stacksofplates:

Haha, it's only somewhat decent with gardening rules. It has many better hardening rules.
IRJ:

Here is an example of patching not being good enough. This needs an additional reg key.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529
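The two practical points in this thread, that patch presence can be audited from PowerShell (IRJ's reply to Dashrender) and that some advisories need a registry change on top of the patch (the CVE-2017-8529 link above), as one added example; this is not code from the thread or from Tenable. The KB numbers and the registry path and value are placeholders, since the thread names no specific ones; Get-HotFix, Test-Path and Get-ItemProperty are the stock cmdlets.

```powershell
# Added example, not from the thread. Audits a Windows host for a list of
# required updates and for the registry values some advisories require in
# addition to the patch. KB numbers and the registry path/value below are
# PLACEHOLDERS: substitute the ones named in the advisory you are checking.
$RequiredFixes = @(
    @{ Finding = 'Placeholder-CVE-A'; KB = 'KB0000001'; Registry = $null },
    @{ Finding = 'Placeholder-CVE-B'; KB = 'KB0000002';
       Registry = @{ Path  = 'HKLM:\SOFTWARE\Placeholder\FeatureControl'
                     Name  = 'PlaceholderFix'
                     Value = 1 } }
)

# True only if the registry value exists and holds the expected data.
function Test-RegistryValue {
    param([string]$Path, [string]$Name, $Expected)
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -eq $Expected)
}

# One row per finding. A scanner keyed on the CVE rather than on the KB keeps
# reporting the host as vulnerable until BOTH PatchInstalled and RegistryOk
# are true, which is why a "patched" host can still show up in the results.
function Get-PatchAuditReport {
    param([array]$Fixes, [string[]]$InstalledHotFixIds)
    foreach ($fix in $Fixes) {
        $patched = $InstalledHotFixIds -contains $fix.KB
        $regOk = $true
        if ($null -ne $fix.Registry) {
            $regOk = Test-RegistryValue -Path $fix.Registry.Path `
                                        -Name $fix.Registry.Name `
                                        -Expected $fix.Registry.Value
        }
        [pscustomobject]@{
            Finding        = $fix.Finding
            KB             = $fix.KB
            PatchInstalled = $patched
            RegistryOk     = $regOk
            Remediated     = ($patched -and $regOk)
        }
    }
}

# Get-HotFix reads the installed-update list Windows itself keeps
# (Win32_QuickFixEngineering); add -ComputerName to audit a remote host.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
Get-PatchAuditReport -Fixes $RequiredFixes -InstalledHotFixIds $installed |
    Format-Table -AutoSize
```

Get-HotFix does not list every update type, so a KB reported as absent here should be cross-checked against the Windows Update history before it is treated as missing.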