I've been working on developing a custom cybersecurity home lab to practice implementing and utilizing defensive measures against cybersecurity risks.
(Please check out parts 1 & 2 for the full story.)
Security professionals must determine the best scanning approach to ensure comprehensive visibility into potential weaknesses within their environment. Credentialed scans provide the most accurate insight, while non-credentialed scans are useful for simulating external attacker perspectives.
Before initiating scans on systems, it’s important to consider bandwidth usage and the potential impact on other system operations.
For example, scanning a router during critical hours could disrupt network connectivity.
I will begin with a host discovery scan on Nessus to identify active devices on the network.
Here, I can see a list of hosts that Nessus was able to identify.
Next, using those hosts, I will conduct a credentialed scan. Scans will be segmented according to their respective network segments to reduce load and improve efficiency.
Here are the results of the scans. It is critical to note that scan findings may include false positives, which require validation to confirm.
The info section does not contain vulnerability information. It only details system configurations and attributes for reference. Low-severity vulnerabilities are not much of a concern, but it is recommended not to overlook them completely. Balancing prioritization and time management is key.
Wow! That is a lot of high-severity vulnerabilities. Where should I start?
When looking at vulnerabilities, urgency and priority depend on the context, including factors such as asset value, exploitability, and potential business impact. A good starting point is to focus on the critical and high-severity vulnerabilities. Here, I will prioritize vulnerabilities that are both risky and quick to remediate.
For example, if I take 192.168.3.3, I can see that the majority of the critical and high vulnerabilities are due to an old Firefox version. In fact, Firefox accounts for most of the high-risk findings on this system.
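One way to find such quick wins across a whole scan, as an added example that is not part of the original post: group the Critical and High rows of a Nessus CSV export by host and by the text in the Solution column, then rank each fix by how many findings it closes. The sample rows, plugin IDs and solution strings are constructed, and grouping on the exact Solution text is an assumption; real exports often word the solution differently per plugin and need normalizing first.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows using Nessus CSV export column names; the plugin IDs,
# finding names and solution strings are made up for illustration.
SAMPLE_CSV = """Plugin ID,Risk,Host,Name,Solution
900001,Critical,192.168.3.3,Firefox outdated (finding A),Upgrade Mozilla Firefox
900002,High,192.168.3.3,Firefox outdated (finding B),Upgrade Mozilla Firefox
900003,High,192.168.3.3,Firefox outdated (finding C),Upgrade Mozilla Firefox
900004,High,192.168.3.3,Weak service setting,Reconfigure the service
900005,None,192.168.3.3,OS identification,n/a
900006,Critical,192.168.3.2,Missing Windows update (A),Apply Windows Server updates
900007,High,192.168.3.2,Missing Windows update (B),Apply Windows Server updates
900008,High,192.168.3.2,.NET Framework update missing,Apply .NET Framework updates
900009,Medium,192.168.3.2,Certificate cannot be trusted,Replace the certificate
"""

URGENT = {"Critical", "High"}


def quick_wins(csv_text):
    """Return [(host, solution, count, share)], most findings closed per fix first."""
    per_host = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] in URGENT:  # skips Info (exported as "None"), Low, Medium
            per_host[row["Host"]][row["Solution"].strip()] += 1
    ranked = []
    for host, fixes in per_host.items():
        total = sum(fixes.values())  # urgent findings on this host
        for solution, count in fixes.items():
            ranked.append((host, solution, count, round(count / total, 2)))
    # Highest count first; host and solution text break ties deterministically.
    ranked.sort(key=lambda r: (-r[2], r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for host, solution, count, share in quick_wins(SAMPLE_CSV):
        print(f"{host:<13} {count:>2} findings ({share:.0%} of host)  {solution}")
```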
If I click on one of the vulnerabilities, I can get more information, including a description as to why it was triggered, what attacks can occur, and the solution.
It also provides the plugin details such as CVSS readings, vulnerability information, and CVE records.
I should immediately update Firefox on that machine.
Let's take the next set of vulnerabilities from 192.168.3.2.
The threat above allows a threat actor to compromise confidentiality by accessing sensitive data stored in the TPM.
I see that the majority of these vulnerabilities can easily be fixed by simply updating Windows Server, which will apply the necessary security patches.
In the same host, there is another set of vulnerabilities.
It seems that Microsoft's .NET Framework is missing some updates, so I will update those as well.
Next, if I take a look at Security Onion (192.168.2.2), it contains vulnerabilities that can be remediated by updating its packages.

pfSense and Ubuntu are also missing some updates.
After updating those, they meet the required versions.
Now that I have remediated the vulnerabilities, I should run the scans again to confirm. Taking a look at the results, more than 95% of the critical and high vulnerabilities have been remediated.
Additionally, I will configure schedules for the scans to automate the process.
When creating scheduled scans, it's important to ensure that other business and user operations are not affected. The best time to run them is during low business hours.
After addressing the highest-risk vulnerabilities that were the quickest to remediate, the next step would be to prioritize the remaining high and medium-severity issues.
I can also generate detailed reports of the vulnerability scans. These reports are useful for communicating the results, tracking remediation progress and supporting audit requirements.
Thank you for reading!