Vulnerability Scanning with Tenable's SecurityCenter at MIT

IS&T licenses Tenable SecurityCenter to perform vulnerability scanning. If a DLCI would like an account on the Tenable platform to scan assets under its control, please contact security@mit.edu. Please specify the Kerberos IDs of those needing to scan and which IP addresses they should have access to scan.

Once you have an account, log in at https://securitycenter.mit.edu; you will need to connect to the MIT VPN first.

The steps below outline how to conduct an Active scan and view scan results using the tool. An Active Scan in SecurityCenter is a scan initiated from a Nessus scanner, not from a Nessus agent running on a host.

Creating and running a scan

  1. Before you can run a scan, you must create one. Navigate to Scans > Active Scans and click on the +Add button or “Add an Active Scan”.
  2. On the General tab, give the scan a Name and a Description, and select a Policy. The Basic Network Scan Policy should already be in your account. You can create new policies under Scans > Policies. If you would like the scan to run on a schedule you can set that here, or leave it “On Demand”.
  3. Under Settings, choose the appropriate Scan Zone and Repository. This is one of the most confusing parts of using SecurityCenter, and if you don’t choose the correct option your scan might not run or you may have trouble understanding your scan results. If you have any questions, please don’t hesitate to contact security@mit.edu.
    1. The Scan Zone determines the universe of IP addresses that you are going to scan and what pool of Nessus scanners will be used. When your account is created, you will supply security@mit.edu with IP addresses that are under your control that you would like to scan. You will only be able to run scans on those IP addresses, and they must be within the scan zone you choose.
      1. MIT Cloud and MIT On Prem are both able to scan MITnet (18.0.0.0/9), but the MIT Cloud Scan Zone uses Nessus Cloud Scanners (external to MITnet), and the MIT On Prem Scan Zone uses Nessus Scanners that we have installed on MITnet (for an “internal” view of the network). The Non MIT Scan Zone contains IP addresses that are not in the 18.0.0.0/9 network range but still controlled by MIT users.
    2. The Repository defines where the scan results will be stored. This is also important later when trying to analyze the results of scans, because it is the only way to know if the scan was launched from the Nessus Cloud, Nessus On Prem, from a Nessus Agent or if the scan used credentials. 
      1. You most likely will not be using a credentialed scan, or scanning for compliance, but if you are interested please contact security@mit.edu. For example, if I wanted to scan the web.mit.edu server (18.9.22.69) and see what vulnerabilities are exposed to an attacker from inside MITnet without access to credentials, I would choose the MIT On Prem Scan Zone and the MITnet On Prem Uncredentialed Repository.
  4. Next define the targets of the scan. You have the choice between Assets, IP/DNS Name or Mixed.
    1. Assets – a predefined list of IP addresses; these can be defined statically (e.g. 18.7.0.0/16) or dynamically based on scan results (e.g. Apple Computers)
    2. IP/DNS Name – an ad-hoc list of targets
    3. Mixed – a combination of Asset lists and IP/DNS names
  5. We can now hit Submit to create the scan template. If you want to supply credentials or set up a report to run after the scan, you can enter those on the Credentials and Post Scan tabs.
  6. After you create an On Demand scan you must actually run it to see results. Click on the play icon on the far right to start the scan.
  7. Navigate to Scan Results, and you will see the progress of your scan.
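Because a scan whose targets fall outside the chosen Scan Zone, or outside the addresses your account was authorized for, will not run (step 3 above), it is worth checking a target list before clicking Submit. The script below is an added example, not IS&T documentation or Tenable code: it applies the rule stated above (MIT Cloud and MIT On Prem both cover MITnet 18.0.0.0/9, everything else belongs in Non MIT) and checks each target against a constructed, hypothetical list of authorized ranges. Targets may be single addresses or static CIDR asset lists.

```python
"""Pre-flight check of an Active Scan target list against scan zones.

Added example (not part of the IS&T guide or of SecurityCenter). The zone rule
comes from the guide; AUTHORIZED_RANGES is a constructed sample of what a
hypothetical account was granted by security@mit.edu.
"""
import ipaddress

# MITnet, as stated in the guide: covered by the MIT Cloud and MIT On Prem zones.
MITNET = ipaddress.ip_network("18.0.0.0/9")

# Constructed sample: ranges this hypothetical account is allowed to scan.
AUTHORIZED_RANGES = [
    ipaddress.ip_network("18.7.0.0/16"),     # on MITnet
    ipaddress.ip_network("203.0.113.0/24"),  # documentation range, stands in for a Non MIT block
]


def eligible_zones(target: str) -> tuple:
    """Return the Scan Zones a target (IP or CIDR) may be scanned from."""
    net = ipaddress.ip_network(target, strict=False)
    if net.version == MITNET.version and net.subnet_of(MITNET):
        return ("MIT Cloud", "MIT On Prem")
    return ("Non MIT",)


def is_authorized(target: str, authorized=AUTHORIZED_RANGES) -> bool:
    """True if the whole target (IP or CIDR) lies inside one authorized range."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in authorized)


def check_targets(targets, authorized=AUTHORIZED_RANGES) -> list:
    """Classify each target; the caller fixes anything flagged before submitting."""
    report = []
    for t in targets:
        report.append({
            "target": t,
            "zones": eligible_zones(t),
            "authorized": is_authorized(t, authorized),
        })
    return report


def unauthorized_targets(targets, authorized=AUTHORIZED_RANGES) -> list:
    """Just the targets that would make the scan fail or be rejected."""
    return [r["target"] for r in check_targets(targets, authorized) if not r["authorized"]]


if __name__ == "__main__":
    # Constructed target list mixing a single host, a static asset range and a Non MIT host.
    sample = ["18.9.22.69", "18.7.0.0/16", "203.0.113.10", "192.0.2.5"]
    for row in check_targets(sample):
        print(f"{row['target']:<16} zones={'/'.join(row['zones']):<24} authorized={row['authorized']}")
```

Note that 18.9.22.69 (the web.mit.edu example from the guide) is correctly placed on MITnet but flagged as unauthorized here, because the constructed account was only granted 18.7.0.0/16; that is exactly the mismatch that produces a scan which silently will not run.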

Vulnerability Analysis (viewing scan results)

  1. When a scan is complete, you can click on the name of the scan to view results under Scans > Scan Results. Another way to access scan results is under Analysis > Vulnerabilities.
  2. To filter (query) results, you have to expand the Filters menu on the left, by clicking on the >>. Click Select Filters to show the list of available fields to filter on, check the box next to the field you are interested in and click Apply. Then in the Filters menu you will see a box for each field and you can specify the search. Then you must click Apply All to filter the results based on your settings. 
    1. You can save a query under the Options drop down in the upper right. At this point, you are only looking at results from the particular scan that you selected. If you would like to view and search on all scan results that you have access to, you can select Switch to Cumulative View under Options.
    2. This is where choosing the right repository comes into play. If you are in the cumulative view and want to see vulnerabilities discovered by just external or just internal scans, you can filter by repository but you can’t filter by scan source IP.
  3. There are many predefined views of the scan results. The Vulnerability Summary is the default, and if you click on that you will see a list of views. We encourage you to explore these to find which might be of value to you.
    1. The Vulnerability Detail List gives you the most verbose view of scan results, and you can export them as a CSV under the Options menu.
    2. The Remediation Summary calculates the percentage risk reduction for each solution within your vulnerability list. For example, it might tell you that 20 of your hosts need the same patch and applying the patch will resolve 50 vulnerabilities associated with 350 CVEs and reduce your risk by 20%.
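To make the Remediation Summary's numbers concrete, the following added example (not IS&T's or Tenable's code) computes the same kind of per-solution roll-up from a Vulnerability Detail List CSV export. The CSV text, its column names, the CVE identifiers (placeholders, not real CVEs) and the per-severity weights are all constructed assumptions for this example; Tenable's own risk scoring is not reproduced here.

```python
"""Roll a Vulnerability Detail List export up into a remediation summary.

Added example, not part of the IS&T guide or of SecurityCenter. Column names,
severity weights, hosts and CVE ids below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Assumed severity weights; a stand-in for the tool's own risk score.
SEVERITY_WEIGHT = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1, "Info": 0}

# Constructed export: one row per (host, plugin) finding. CVE ids are placeholders.
SAMPLE_EXPORT = """IP Address,Plugin ID,Severity,Solution,CVE
18.7.1.10,100001,High,Upgrade the SSH server,"CVE-0000-0001,CVE-0000-0002"
18.7.1.11,100001,High,Upgrade the SSH server,"CVE-0000-0001,CVE-0000-0002"
18.7.1.10,100002,Critical,Apply the vendor web server patch,CVE-0000-0003
18.7.1.12,100003,Low,Disable TLS 1.0,
18.7.1.11,100003,Low,Disable TLS 1.0,
18.7.1.12,100004,Info,n/a,
"""


def remediation_summary(csv_text: str) -> list:
    """Group findings by Solution and compute hosts, vulns, CVEs and % risk reduction."""
    per_solution = defaultdict(lambda: {"hosts": set(), "vulns": 0, "cves": set(), "score": 0})

    for row in csv.DictReader(io.StringIO(csv_text)):
        weight = SEVERITY_WEIGHT.get(row["Severity"], 0)
        if weight == 0:
            continue  # informational findings carry no risk and need no remediation
        entry = per_solution[row["Solution"]]
        entry["hosts"].add(row["IP Address"])
        entry["vulns"] += 1
        entry["cves"].update(c.strip() for c in row["CVE"].split(",") if c.strip())
        entry["score"] += weight

    total = sum(e["score"] for e in per_solution.values())
    rows = []
    for solution, e in per_solution.items():
        rows.append({
            "solution": solution,
            "hosts": len(e["hosts"]),
            "vulns": e["vulns"],
            "cves": len(e["cves"]),
            # share of total weighted risk removed by applying this one fix
            "risk_reduction_pct": round(100 * e["score"] / total, 1) if total else 0.0,
        })
    # highest payoff first, which is how a remediation summary is normally read
    rows.sort(key=lambda r: r["risk_reduction_pct"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in remediation_summary(SAMPLE_EXPORT):
        print(f"{r['solution']:<36} hosts={r['hosts']} vulns={r['vulns']} "
              f"cves={r['cves']} risk_reduction={r['risk_reduction_pct']}%")
```

In the sample, the SSH upgrade fixes two findings on two hosts covering two CVEs and removes the largest share of weighted risk, so it sorts to the top; the Info row is dropped before anything is counted.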

IS&T Contributions

Documentation and information provided by IS&T staff members


Last Modified:

April 30, 2025
