Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?

dave247

@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dave247 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

Additionally, we used to have Kaspersky 8 AV installed which was so unbelievably fucked up... I think it was even managing our Windows updates at one time. Then when I ripped it out of our environment, I had to use their special uninstall tool in safe mode.. so God knows how that messed things up. Some of my servers and computers that used to have Kav can't even run Windows update themselves.

In a situation like that, did you look at creating a clean image and rolling that out instead? That would get you to a known good state and clear out any old crap. Sure, it's a hassle too - making sure people don't have stuff saved local, but it's also a good time to make sure people are saving their stuff to the network/cloud shares.

Yeah I've considered it, but I honestly don't know how that would work here since we have a large mix of Dell desktop models as well as custom computer builds (previous sysadmins liked to order parts from NewEgg and build user's expensive computers). I can't just make a single image... I would have to make about 20 different images, and some of them I would only use once...

When I redo computers, I usually just put a new SSD in (if needed) and then manually install Windows and all the applications we need. I've done it enough times now that it only takes me like 20 minutes, minus the wait for Windows to get updated.

IRJ

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

scottalanmiller

Nessus is proprietary, something that doesn't fit with a security audit very well. I'd question the veracity of an auditing tool that we can't audit.

scottalanmiller

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

They just click buttons in the order they are told.

This too is true.

Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.

Not really, put it on them. Ask them to show which things are missing since all patches are applied.

DustinB3403

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

They just click buttons in the order they are told.

This too is true.

Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.

Not really, put it on them. Ask them to show which things are missing since all patches are applied.

These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"

Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.

"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8

scottalanmiller

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

They just click buttons in the order they are told.

This too is true.

Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.

Not really, put it on them. Ask them to show which things are missing since all patches are applied.

These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"

Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.

"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8

There is nothing to prove, then. Just say "audit is wrong." You can't prove the negative. It's not possible. Just point out that htere is nothing to prove and it's done.

momurda

You could sort of double check the results yourself by installing the free openvas vm appliance and scanning a few systems to see if the results are similar to Nessus' results. It only takes a few minutes to setup a basic scan

stacksofplates

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

scottalanmiller

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

Sounds like Nessus is a known broken tool.

stacksofplates

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

Sounds like Nessus is a known broken tool.

?? The patches need manual intervention in the registry. Nessus brought that to light.

scottalanmiller

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

Sounds like Nessus is a known broken tool.

?? The patches need manual intervention in the registry. Nessus brought that to light.

It brought what to light? That the patches are failing?

momurda

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

stacksofplates

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

Sounds like Nessus is a known broken tool.

?? The patches need manual intervention in the registry. Nessus brought that to light.

It brought what to light? That the patches are failing?

The patches install correctly so it looks like everything is fine, but admins still have to go in and set registry entries. No one realized this because the patches install fine.

stacksofplates

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their reports. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

scottalanmiller

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@irj said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

So, I'm guessing you aren't actually missing updates . nessus is probably looking at a reg key entries in addition to windows updates. Quite a few MS updates do requite additional configuration such as reg key changes.

You need to review "plugin output" for each vulnerabilities. This section of the report tells you exactly why you failed the particular check.

You can also view source code of each plugin. The plugins are usually VB or power shell scripts for windows machines.

I remember our Windows guys complaining about this.

Sounds like Nessus is a known broken tool.

?? The patches need manual intervention in the registry. Nessus brought that to light.

It brought what to light? That the patches are failing?

The patches install correctly so it looks like everything is fine, but admins still have to go in and set registry entries. No one realized this because the patches install fine.

Wow, I had no idea that Windows needed that level of manual intervention to get patches working correctly. What a steaming pile it is.

Dashrender

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

OR Nessus needs to find another way to verify that the patch is installed.

stacksofplates

@dashrender said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@stacksofplates Is there a list somewhere of what registry changes need to be made on each computer after installing these patches from MS? It certainly isnt mentioned in WSUS or Windows Update. I thought that was the point of the constant rebooting.

I’d have to dig through their logs. That’s why they were so surprised. It’s not listed anywhere but these reg entries needed added or modified.

OR Nessus needs to find another way to verify that the patch is installed.

That’s not how it verifies. There were strings in keys that needed modified. Like one string had a space that needed quoted because it created some vulnerability without quotes. I’ll have to talk with some of those guys and get some examples since I don’t do anything with Windows.

dave247

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@scottalanmiller said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dustinb3403 said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@jaredbusch said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

And remember auditors are not IT. Most of them don't know their ass from a hole in the ground.

They just click buttons in the order they are told.

This too is true.

Unfortunately it's now on you to prove that the auditors assessment is flawed, by proving you're systems are secured from the oldest threats.

Not really, put it on them. Ask them to show which things are missing since all patches are applied.

These audits always read as "it's on the customer to prove compliance, not the auditor to prove non-compliance"

Have you ever read one of these contracts from these auditors? They're as bad as the ToC from most big ISPs.

"You have to be available between 3AM and 9PM all of December so we can troubleshoot any cablebox issues"
http://4.images.southparkstudios.com/images/shows/south-park/clip-thumbnails/season-17/1702/south-park-s17e02c05-the-cable-company-runaround-16x9.jpg?quality=0.8

aaaaahahahahahahhahaa... omfg this gave me a good laugh. THANK YOU

momurda

@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.

scottalanmiller

@momurda said in Had a vulnerability assessment with Nessus and it found hundreds of missing critical Windows OS updates from as far back as 2016 - is this even right?:

@dashrender
stackofplates is saying that even after windows says it is up to date, admins need to go into the registry and make changes to registry keys for the update to be fully installed and enabled.

Right... basically Windows isn't production ready is what I'm hearing. This feels insane.