
How to Protect Scanning Credentials: Overview

Running remote vulnerability scans of your network? This three-part blog series will equip you with tips on how to keep your scanning credentials safe.

Assessing systems remotely on a network has been a tried-and-true method of open-source and commercial vulnerability scanning since its inception over 20 years ago. External assessments like this are excellent for automatically testing visible network services and finding vulnerabilities or misconfigurations that may expose sensitive information.

A default scan is a remote, unauthenticated test. Unless you’re missing a patch to an exposed network service (e.g., EternalDarkness), this type of scanning won’t provide much detail on missing OS or third-party patches or compliance-related benchmarks (e.g., CIS Benchmarks or DISA STIGs), because it cannot look inside the system being scanned and run the proper tests.

Actual results will vary, but it’s not uncommon to see a 10x increase in the number of vulnerabilities reported between an authenticated and unauthenticated scan (Tenable.io and Tenable.sc customers can use Predictive Prioritization and VPR to help manage this vulnerability overload). These vulnerabilities always existed; authenticated assessments provide visibility that an unauthenticated one cannot.

Thus, a question we often get is: “How do I ensure credentials used for vulnerability scanning are protected?” This is a great thought process for analysts to work through, and there are several things that organizations can do across the board to ensure credentials are secure.

5 ways to protect scanning credentials

  1. Use a unique account for vulnerability assessments.
    There is no reason to share the account used for vulnerability assessments. Create a new one dedicated to this purpose, or have multiple accounts, depending on the complexity of your organization. Accounts should only exist on the systems they apply to (with applicable permissions). Tenable allows you to specify as many accounts as needed to run assessments.
  2. Store credentials in encrypted data stores and/or with appropriate user access (i.e., use privileged access management).
    Storing network passwords in a text file or spreadsheet is definitely a bad idea. Instead, use a system built and designed to store this data securely. Tenable integrates with a variety of solutions to enable customers to use these types of tools.
  3. Only use secure protocols to authenticate to systems on your network.
    There are lots of ways to authenticate to a system in today's networks. Some protocols are clear-text or have known vulnerabilities that make them trivial to compromise. Don’t use these protocols to authenticate to your systems. Though it can use plain-text protocols, the Nessus scanner defaults to only using secure protocols to authenticate to target systems.
  4. Restrict when and how accounts are allowed to be used.
    If you’re scanning your network every Sunday morning, then there should never be a reason your scanning account is used on a Tuesday from the intern’s laptop. Some platforms also allow accounts to be restricted to only use certain (e.g., secure) protocols. If you can restrict usage of your scanning account(s) to when they’re actually expected, how they authenticate to the targets, and from what systems, then definitely do so.
  5. Monitor accounts used for anomalies.
    If you’re using a dedicated account for scanning or only scanning at certain times, then the usage of that account should be predictable, be it the source of the login attempts (Nessus) or the times of authentication attempts. Don’t overlook the verification component of control implementation.
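Items 4 and 5 above come down to a policy you can check mechanically: the scanning account should only authenticate from the scanner, and only during the scan window. The script below is an added example, not code from the original post or from Tenable; the log line format, the account name `svc-nessus-scan`, the scanner address `10.0.5.20`, the Sunday 02:00-06:00 window and the sample log lines are all constructed assumptions. It parses authentication events and reports any use of the scanning account that falls outside that policy.

```python
"""Flag uses of a dedicated scanning account outside its expected source or window.

Added example, not from the original post. Log format, account name, scanner
address and scan window are constructed assumptions; adapt them to your own
policy and log source.
"""
from dataclasses import dataclass
from datetime import datetime, time
import re

# Policy for the dedicated scanning account (assumed values).
SCAN_ACCOUNT = "svc-nessus-scan"
ALLOWED_SOURCES = {"10.0.5.20"}            # the Nessus scanner's address
ALLOWED_WEEKDAY = 6                        # Sunday (Monday == 0)
WINDOW_START, WINDOW_END = time(2, 0), time(6, 0)

# Constructed log format: ISO timestamp, account, source address, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Finding:
    timestamp: datetime
    source: str
    reason: str


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def check_event(event):
    """Return the list of policy violations for one parsed auth event.

    Events for accounts other than the scanning account are ignored; an
    event can violate both the source rule and the time-window rule.
    """
    reasons = []
    if event["user"] != SCAN_ACCOUNT:
        return reasons
    ts = event["ts"]
    if event["src"] not in ALLOWED_SOURCES:
        reasons.append(f"unexpected source {event['src']}")
    in_window = (ts.weekday() == ALLOWED_WEEKDAY
                 and WINDOW_START <= ts.time() < WINDOW_END)
    if not in_window:
        reasons.append("outside scan window")
    return reasons


def audit(lines):
    """Run every line through the policy check and collect findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                       # unparseable line, skip it
        for reason in check_event(ev):
            findings.append(Finding(ev["ts"], ev["src"], reason))
    return findings


# Constructed sample log: 2020-03-15 is a Sunday, 2020-03-17 a Tuesday.
SAMPLE_LOG = [
    "2020-03-15T03:10:00 auth user=svc-nessus-scan src=10.0.5.20 result=success",  # expected
    "2020-03-15T03:11:00 auth user=alice src=10.0.8.44 result=success",            # not our account
    "2020-03-17T14:22:00 auth user=svc-nessus-scan src=10.0.8.91 result=success",  # wrong day, wrong host
    "2020-03-15T07:30:00 auth user=svc-nessus-scan src=10.0.5.20 result=failure",  # right host, after window
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} from {f.source}: {f.reason}")
```

Run against the sample log it reports three findings: the Tuesday login from the laptop trips both rules, and the late Sunday attempt from the scanner trips only the time-window rule. In practice the same check runs over your directory or endpoint authentication logs, and the scanner-address and window values come from the schedule you actually configured.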

3 things to avoid

  1. Do not reuse accounts between scanning and users or other IT operations.
    There is no reason to reuse accounts for vulnerability assessments. Each account should serve a single purpose.
  2. Do not use memorable or recycled passwords.
    Because these passwords won’t ever be typed in manually by a human, they don’t need to be memorable or reused. They should be complex, long and unique.
  3. Don’t change passwords too frequently.
    Unless automated, changing scanning passwords too frequently can lead to scan errors and frustration. Where possible, only manually change passwords due to organizational policy or incident.

Next time, we’ll discuss Windows credentialed assessments and how you can secure them.

Note: There are alternatives to credentialed network scanning, such as agents and passive assessments.
