Nessus Professional is a widely used vulnerability assessment scanner. As a general-purpose scanner, it can perform a variety of tasks, including vulnerability detection, configuration auditing and patch status reporting. After a scan, a detailed report can be generated for further analysis and remediation. A department's CSC can contact ITSC to request an account on the scanner if the department's system administrators want to scan their own servers.
Users log in to the Nessus scanner via a web browser to manage their scan items, including policies, history and reports. In general, each scan requires one policy, which the user should create in advance. Nessus ships with many built-in templates, and we have also created some for different scanning purposes. In most cases, the user only needs to adjust part of a template to create their own policy.
Depending on the depth of the scan, login credentials for the target server may need to be provided within the scan policy. For tasks that involve in-depth checking, such as patch and configuration checking, credentials are a must for complete and accurate results. Users are advised to create a dedicated user account on the target server that is used only for Nessus scanning, and to restrict where it may log in from. In this way, login activity from Nessus scanning can be monitored (any login by that account from an unexpected source or at an unexpected time is a warning sign), and the account can be disabled whenever a scan is not running.
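The monitoring recommended above can be automated. The following Python script is an added example, not code from the ITSC page or from Tenable: it reads sshd "Accepted" lines in the Debian/Ubuntu auth.log format and flags any login by the dedicated scan account that comes from an address other than the scanner, falls outside the scheduled scan window, or uses password instead of public-key authentication (a local policy choice assumed here). The account name `nessus-scan`, the scanner address `10.0.0.5`, the 02:00 to 04:00 window and the sample log lines are all constructed assumptions.

```python
"""Audit SSH logins by a dedicated Nessus scan account.

Added example. The account name, scanner address, scan window and the
sample auth.log lines are constructed assumptions, not taken from the ITSC page.
"""
import re
from datetime import datetime, time

# Assumed values: the account used only by the scanner, the scanner's source
# address, and the nightly window in which scans are scheduled (same-day window).
SCAN_USER = "nessus-scan"
SCANNER_IP = "10.0.0.5"
SCAN_WINDOW = (time(2, 0), time(4, 0))

# Matches the sshd "Accepted" line as written to /var/log/auth.log on Debian/Ubuntu.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (syslog format has no year, so one is assumed below).
SAMPLE_AUTH_LOG = [
    "Mar  3 02:10:15 web01 sshd[1201]: Accepted publickey for nessus-scan from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc",
    "Mar  3 02:12:40 web01 sshd[1208]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2: RSA SHA256:def",
    "Mar  3 14:22:01 web01 sshd[2300]: Accepted password for nessus-scan from 192.0.2.77 port 50111 ssh2",
    "Mar  3 03:05:09 web01 sshd[1300]: Failed password for nessus-scan from 198.51.100.9 port 50222 ssh2",
]


def parse_accepted(line, year=2024):
    """Parse one successful sshd login line; return None for anything else."""
    m = SSHD_ACCEPTED.match(line)
    if not m:
        return None
    # strptime treats whitespace in the format as "one or more", so "Mar  3" parses.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "method": m["method"], "user": m["user"], "ip": m["ip"]}


def audit_scan_logins(lines, user=SCAN_USER, scanner_ip=SCANNER_IP, window=SCAN_WINDOW):
    """Return (login, reason) pairs for logins by the scan account that violate policy."""
    findings = []
    start, end = window
    for line in lines:
        login = parse_accepted(line)
        if login is None or login["user"] != user:
            continue
        reasons = []
        if login["ip"] != scanner_ip:
            reasons.append(f"source {login['ip']} is not the scanner")
        if not (start <= login["time"].time() < end):
            reasons.append("login outside the scheduled scan window")
        if login["method"] != "publickey":
            reasons.append(f"{login['method']} authentication instead of publickey")
        for reason in reasons:
            findings.append((login, reason))
    return findings


if __name__ == "__main__":
    # With the sample lines, only the 14:22 password login from 192.0.2.77 is flagged.
    for login, reason in audit_scan_logins(SAMPLE_AUTH_LOG):
        print(f"{login['time']:%b %d %H:%M:%S} {login['user']} from {login['ip']}: {reason}")
```

In production the script would read `/var/log/auth.log` (or journald output) instead of the embedded list, and the scan window would be taken from the schedule configured on the scanner. Failed logins are deliberately ignored here; they belong to a separate brute-force check.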
For all servers,
- Critical vulnerabilities must be fixed within 14 days.
- High vulnerabilities must be fixed within 28 days.
- Medium vulnerabilities must be reviewed. The system administrator should evaluate whether a fix needs to be applied, taking the associated risk into account.
- If a security fix cannot be applied, compensating controls (e.g. disconnecting the server from the network, strengthening firewall protection) must be put in place to mitigate the risk.
For more details about Nessus Professional, please check the following links:
- Nessus Professional Scanner User Manual (requires HKUST login)