Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-16 Thread Reindl Harald



On 16.03.2018 at 20:41, Thomas Reinke wrote:

LOL - you might be saying thank you as you pick up your pink slip/are
escorted out the door for impacting a production system with that
sentiment.


luckily i have the power to control the whole hardware and software 
stack and since i am not an idiot such a test would happen first late at 
night where you can manage such an outage and if it happens the first 
task next day would be to seek a replacement


anyways, no attacker ever will care about this and so the outage is 
better suited at a planned schedule if it happens than at a random point 
in time where nobody expected it and can explain what happened - you get 
escorted out the door if your firewall is randomly and repeatedly down and 
only god knows why because you are nice when testing your things so 
everybody but you triggers issues - worthless tests if it is vulnerable 
and can be knocked out by anybody but you don't try it



The ultimate answer is dependent upon sensitivities around your assets.
The more sensitive you are, the more you work to manage those 
sensitivities.


If nessus didn't present any issues, that's a good sign that your
system is likely robust enough, and I'd frame any plans in that
context (i.e. this is doing exactly what and how the external
contractor did it).

If additional concerns have been raised since then, you simply need
to address those - and they are specific to you (usually not a
technology problem).

In general, concerns are always around the unknowns and 'what if'.
To deal with that:

1) Know when your peak resource load times are (be it CPU, memory,
    bandwidth, whatever).   Avoid them, unless you of course are
    attempting to perform a peak test (but then, that's no longer
    a security issue).
2) Know when your peak sensitivity times are (Christmas shopping
    season? Hmmm...  Time for JD Powers to assess your reliability?
    Again...maybe avoid that.
3) Know what controls are in place to keep your assets secure even
    if you don't run an audit (regular patching?  Keeping abreast
    of advisories?).
4) If you are just starting with in-house scanning, roll out your
    scanning procedures from least important assets first to the
    most important ones last.  That will build confidence in the
    processes.  Include milestones/checks along the way that you can
    report back progress to everyone to keep them happy and confident
    that the scans will provide information without being disruptive.

There is no one-size fits all.  Tailor it to the people that have
a vested interest in what you do and why you do it, and you'll be
in good shape.

Thomas


On 03/14/2018 04:43 PM, Reindl Harald wrote:



On 14.03.2018 at 21:06, Eero Volotinen wrote:
I usually prefer lower scan speed as too intensive can crash firewall 
devices..


if a security scan from a single node crashes your firewall device you 
should say "thank you" for knowing that this crap needs to be replaced 
ASAP


real attackers don't care as you do

14.3.2018 22.01 "TJ" wrote:


    I would exclude networked printers as the scans can cause them to
    produce volumes of printed gibberish (found out the hard way)

    Yes, definitely scan during maintenance windows/non-business hours
    until you see how well it plays in your environment.  Not to mention
    with less network traffic and systems activity, the scans should
    finish a lot sooner


    On 3/14/2018 3:53 PM, Peter Collins wrote:

    (Sorry if this is a repost. I had a technical issue with my first
    attempt)

    I would like to use OSSIM's OpenVAS component to run asset and
    vulnerability scans on both prod and non-prod. Like every place,
    we want to make sure the IT infrastructure is not harmed or
    jeopardized.

    So what is due care when introducing scanning? Should I do the
    asset scans only during maintenance windows to start off, to make
    sure nothing gets broken? Or are the non destructive, non
    authenticated scans considered safe enough to run during
    production hours, on production assets?

    I should add that Nessus has been used by an outside contractor
    without issue, on our network.

    Thanks so much in advance

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-16 Thread Thomas Reinke

LOL - you might be saying thank you as you pick up your pink slip/are
escorted out the door for impacting a production system with that
sentiment.

The ultimate answer is dependent upon sensitivities around your assets.
The more sensitive you are, the more you work to manage those sensitivities.

If nessus didn't present any issues, that's a good sign that your
system is likely robust enough, and I'd frame any plans in that
context (i.e. this is doing exactly what and how the external
contractor did it).

If additional concerns have been raised since then, you simply need
to address those - and they are specific to you (usually not a
technology problem).

In general, concerns are always around the unknowns and 'what if'.
To deal with that:

1) Know when your peak resource load times are (be it CPU, memory,
   bandwidth, whatever).   Avoid them, unless you of course are
   attempting to perform a peak test (but then, that's no longer
   a security issue).
2) Know when your peak sensitivity times are (Christmas shopping
   season? Hmmm...  Time for JD Powers to assess your reliability?
   Again...maybe avoid that.
3) Know what controls are in place to keep your assets secure even
   if you don't run an audit (regular patching?  Keeping abreast
   of advisories?).
4) If you are just starting with in-house scanning, roll out your
   scanning procedures from least important assets first to the
   most important ones last.  That will build confidence in the
   processes.  Include milestones/checks along the way that you can
   report back progress to everyone to keep them happy and confident
   that the scans will provide information without being disruptive.

There is no one-size fits all.  Tailor it to the people that have
a vested interest in what you do and why you do it, and you'll be
in good shape.

Thomas


On 03/14/2018 04:43 PM, Reindl Harald wrote:



On 14.03.2018 at 21:06, Eero Volotinen wrote:
I usually prefer lower scan speed as too intensive can crash firewall 
devices..


if a security scan from a single node crashes your firewall device you 
should say "thank you" for knowing that this crap needs to be replaced ASAP


real attackers don't care as you do

14.3.2018 22.01 "TJ" wrote:


    I would exclude networked printers as the scans can cause them to
    produce volumes of printed gibberish (found out the hard way)

    Yes, definitely scan during maintenance windows/non-business hours
    until you see how well it plays in your environment.  Not to mention
    with less network traffic and systems activity, the scans should
    finish a lot sooner


    On 3/14/2018 3:53 PM, Peter Collins wrote:

    (Sorry if this is a repost. I had a technical issue with my first
    attempt)

    I would like to use OSSIM's OpenVAS component to run asset and
    vulnerability scans on both prod and non-prod. Like every place,
    we want to make sure the IT infrastructure is not harmed or
    jeopardized.

    So what is due care when introducing scanning? Should I do the
    asset scans only during maintenance windows to start off, to make
    sure nothing gets broken? Or are the non destructive, non
    authenticated scans considered safe enough to run during
    production hours, on production assets?

    I should add that Nessus has been used by an outside contractor
    without issue, on our network.

    Thanks so much in advance


Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-15 Thread TJ

Good to know.  I will look into going to a newer version!


On 3/15/2018 1:42 PM, Christian Fischer wrote:

Hi *,

On 14.03.2018 20:59, TJ wrote:

I would exclude networked printers as the scans can cause them to
produce volumes of printed gibberish (found out the hard way)

we have tried to work around this in the last year and implemented a few
additional mitigations which showed quite good results as long as the
printer was detected.

This is handled in the following NVT:

http://plugins.openvas.org/nasl.php?oid=12241

by excluding common ports (namely 9100-9103 and 9112-9116 / tcp) by
default which are known to print gibberish if touched.

There might be still quite a lot printers out there which we don't
detect. If you're still facing issues like this any additional
information about your printer (HTTP, SNMP SysDesc, Telnet, FTP banners
etc.) are welcome.

Regards,





Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-15 Thread Christian Fischer
Hi *,

On 14.03.2018 20:59, TJ wrote:
> I would exclude networked printers as the scans can cause them to
> produce volumes of printed gibberish (found out the hard way)

we have tried to work around this in the last year and implemented a few
additional mitigations which showed quite good results as long as the
printer was detected.

This is handled in the following NVT:

http://plugins.openvas.org/nasl.php?oid=12241

by excluding common ports (namely 9100-9103 and 9112-9116 / tcp) by
default which are known to print gibberish if touched.

There might be still quite a lot printers out there which we don't
detect. If you're still facing issues like this any additional
information about your printer (HTTP, SNMP SysDesc, Telnet, FTP banners
etc.) are welcome.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
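
The exclusion described in the message above, worked through as a range subtraction. This is an added example, not OpenVAS code and not part of the original post; the function names and the plain comma-separated output format are assumptions, so adapt the result to your scanner's port-list syntax.

```python
"""Build a TCP port list that leaves out the raw-print ports named in the
message above (9100-9103 and 9112-9116/tcp). Added example; the helper
names are hypothetical and not part of OpenVAS."""

# Inclusive ranges quoted in the message above.
PRINT_PORT_RANGES = [(9100, 9103), (9112, 9116)]


def parse_ranges(spec):
    """Parse '22,80,9000-9200' into sorted, merged inclusive (lo, hi) tuples."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    ranges.sort()
    merged = []
    for lo, hi in ranges:
        # Merge overlapping or directly adjacent ranges.
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(ranges, excluded):
    """Remove every excluded range from ranges, splitting where needed."""
    result = list(ranges)
    for ex_lo, ex_hi in excluded:
        kept = []
        for lo, hi in result:
            if hi < ex_lo or lo > ex_hi:      # no overlap, keep unchanged
                kept.append((lo, hi))
                continue
            if lo < ex_lo:                    # part below the excluded block
                kept.append((lo, ex_lo - 1))
            if hi > ex_hi:                    # part above the excluded block
                kept.append((ex_hi + 1, hi))
        result = kept
    return result


def format_ranges(ranges):
    """Render (lo, hi) tuples back into a comma-separated port list."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def safe_port_list(spec, excluded=PRINT_PORT_RANGES):
    """Return spec with the print ports removed, as a port-list string."""
    return format_ranges(subtract(parse_ranges(spec), excluded))


if __name__ == "__main__":
    print(safe_port_list("1-65535"))
    print(safe_port_list("80,443,9100,9110-9113"))
```

This only helps when the port list is applied to a target that may contain printers the scanner failed to detect, which is the gap the message describes.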

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-15 Thread Peter Collins
Thanks everyone so far, including the omnipresent Rui. This information is
very helpful.

Peter

On Thu, Mar 15, 2018 at 4:55 AM, tatooin  wrote:

> Hi Peter,
>
> I am using OpenVAS to conduct VA in the environment of a big corporate
> network (up to /21 networks) on a regular basis, and so far I have never
> witnessed any incidents on the IT world. I'm using default OpenVAS profile,
> although I have also tried the most impactful profiles.
> So on IT side; unless you are using very old & unmaintained assets (in
> which case, at least your scans will help identify them) this shouldn't be
> a concern.
>
> However, on OT world this is significantly different. I have witnessed
> several crashes  / reboot of OT devices, including recent ones. So I would
> be much more careful on this part of your environment.
>
> Best,
>
> On Wed, 2018-03-14 at 12:53 -0700, Peter Collins wrote:
>
> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and
> vulnerability scans on both prod and non-prod. Like every place, we want to
> make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans
> only during maintenance windows to start off, to make sure nothing gets
> broken? Or are the non destructive, non authenticated scans considered safe
> enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without
> issue, on our network.
>
> Thanks so much in advance
>
> Peter
>

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-15 Thread tatooin
Hi Peter,

I am using OpenVAS to conduct VA in the environment of a big corporate
network (up to /21 networks) on a regular basis, and so far I have
never witnessed any incidents on the IT world. I'm using default
OpenVAS profile, although I have also tried the most impactful profiles.
So on IT side; unless you are using very old & unmaintained assets (in
which case, at least your scans will help identify them) this shouldn't
be a concern.

However, on OT world this is significantly different. I have witnessed
several crashes  / reboot of OT devices, including recent ones. So I
would be much more careful on this part of your environment.

Best,

On Wed, 2018-03-14 at 12:53 -0700, Peter Collins wrote:
> (Sorry if this is a repost. I had a technical issue with my first
> attempt)
> 
> I would like to use OSSIM's OpenVAS component to run asset and
> vulnerability scans on both prod and non-prod. Like every place, we
> want to make sure the IT infrastructure is not harmed or jeopardized.
> 
> So what is due care when introducing scanning? Should I do the asset
> scans only during maintenance windows to start off, to make sure
> nothing gets broken? Or are the non destructive, non authenticated
> scans considered safe enough to run during production hours, on
> production assets?
> 
> I should add that Nessus has been used by an outside contractor
> without issue, on our network.
> 
> Thanks so much in advance 
> 
> Peter
> 

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-15 Thread Louis Bohm
I have actually hit issues with scanning our hosts and what I have done is try 
to categorize the different types of hosts based on what they run (both OS and 
applications).  Then create Scanning Policies that target the category of host 
being scanned.  Since we also have machines in AWS, our local DC and other 
Cloud providers I have created slave scanners at the individual sites with a 
Central manager scanner.  This moves the scanning out closer to the host to be 
scanned and does not flood our local network where the manager scanner is.

Louis
Louis Bohm - Sr. Systems Engineer
Dell TechDirect Certified

> On Mar 14, 2018, at 4:43 PM, Reindl Harald  wrote:
> 
> 
> 
> On 14.03.2018 at 21:06, Eero Volotinen wrote:
>> I usually prefer lower scan speed as too intensive can crash firewall 
>> devices..
> 
> if a security scan from a single node crashes your firewall device you should 
> say "thank you" for knowing that this crap needs to be replaced ASAP
> 
> real attackers don't care as you do
> 
>> 14.3.2018 22.01 "TJ" wrote:
>>I would exclude networked printers as the scans can cause them to
>>produce volumes of printed gibberish (found out the hard way)
>>Yes, definitely scan during maintenance windows/non-business hours
>>until you see how well it plays in your environment.  Not to mention
>>with less network traffic and systems activity, the scans should
>>finish a lot sooner
>>On 3/14/2018 3:53 PM, Peter Collins wrote:
>>>(Sorry if this is a repost. I had a technical issue with my first
>>>attempt)
>>> 
>>>I would like to use OSSIM's OpenVAS component to run asset and
>>>vulnerability scans on both prod and non-prod. Like every place,
>>>we want to make sure the IT infrastructure is not harmed or
>>>jeopardized.
>>> 
>>>So what is due care when introducing scanning? Should I do the
>>>asset scans only during maintenance windows to start off, to make
>>>sure nothing gets broken? Or are the non destructive, non
>>>authenticated scans considered safe enough to run during
>>>production hours, on production assets?
>>> 
>>>I should add that Nessus has been used by an outside contractor
>>>without issue, on our network.
>>> 
>>>Thanks so much in advance


Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-14 Thread Reindl Harald



On 14.03.2018 at 21:06, Eero Volotinen wrote:
I usually prefer lower scan speed as too intensive can crash firewall 
devices..


if a security scan from a single node crashes your firewall device you 
should say "thank you" for knowing that this crap needs to be replaced ASAP


real attackers don't care as you do

14.3.2018 22.01 "TJ" wrote:


I would exclude networked printers as the scans can cause them to
produce volumes of printed gibberish (found out the hard way)

Yes, definitely scan during maintenance windows/non-business hours
until you see how well it plays in your environment.  Not to mention
with less network traffic and systems activity, the scans should
finish a lot sooner


On 3/14/2018 3:53 PM, Peter Collins wrote:

(Sorry if this is a repost. I had a technical issue with my first
attempt)

I would like to use OSSIM's OpenVAS component to run asset and
vulnerability scans on both prod and non-prod. Like every place,
we want to make sure the IT infrastructure is not harmed or
jeopardized.

So what is due care when introducing scanning? Should I do the
asset scans only during maintenance windows to start off, to make
sure nothing gets broken? Or are the non destructive, non
authenticated scans considered safe enough to run during
production hours, on production assets?

I should add that Nessus has been used by an outside contractor
without issue, on our network.

Thanks so much in advance


Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-14 Thread Christoph Gruber
Hi!

I am performing vulnerability testing in large scale enterprise for a while now 
and I have seen everything.
To start with:
* If a system crashes, it is not caused by the scan, there is a DOS 
vulnerability found by the scanner.
* If a system acts unpredicted, it’s a weakness found by the scanner.
* A robust piece of software MUST be able to survive a network scan, whatever 
the scanner does, but simple flooding the interface.

On the other hand, we see a lot of crap out there that does not act like this.
The printers were already mentioned.
Firewall devices may have performance issues when too many simultaneous 
sessions have to be handled.

My advice:
Be as accurate as possible with the scanning policy by categorising the targets 
as well as possible. Get the data from CMDBs or similar.
Test the policies on non-productive systems ahead.
Give the ops the red button to turn off the scan on emergency instead of having 
them call you in the middle of the night.
Scan in off-peak times, this is not always the night or the weekend.

Happy scanning.

> On 14.03.2018 at 20:53, Peter Collins wrote:
> 
> (Sorry if this is a repost. I had a technical issue with my first attempt)
> 
> I would like to use OSSIM's OpenVAS component to run asset and vulnerability 
> scans on both prod and non-prod. Like every place, we want to make sure the 
> IT infrastructure is not harmed or jeopardized.
> 
> So what is due care when introducing scanning? Should I do the asset scans 
> only during maintenance windows to start off, to make sure nothing gets 
> broken? Or are the non destructive, non authenticated scans considered safe 
> enough to run during production hours, on production assets?
> 
> I should add that Nessus has been used by an outside contractor without 
> issue, on our network.
> 
> Thanks so much in advance 
> 
> Peter
> 

-- 
Christoph Gruber
l...@guru.at
Patience is not the ability to wait, but to have a good attitude while waiting!

PGP-Key-ID: 11C558E8
PGP-Key-Fingerprint: BC67 4E98 9B2E 70F7 C24F  A7B7 3ADD C4B4 11C5 58E8
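
One way to turn the advice in this message and in Thomas Reinke's numbered list (categorise targets, roll out from least to most important, scan off-peak, report milestones, give ops a stop button) into a rollout plan. This is an added example that is not part of any post in the thread; the inventory fields, category names and function names are assumptions, and the inventory itself is constructed sample data.

```python
"""Staged scan rollout planner. Added example: the inventory fields,
category names and function names are assumptions, not OpenVAS features."""
from collections import defaultdict

# Constructed sample inventory, as it might be exported from a CMDB.
# criticality: 1 = least important ... 5 = most important
# peak: hours of the day (0-23) when the asset is under its heaviest load
INVENTORY = [
    {"host": "10.0.9.21", "category": "printer", "criticality": 1, "peak": set(range(8, 18))},
    {"host": "10.0.5.30", "category": "linux-test", "criticality": 1, "peak": set(range(9, 17))},
    {"host": "10.0.5.31", "category": "windows-test", "criticality": 1, "peak": set(range(9, 17))},
    {"host": "10.0.2.15", "category": "batch-db", "criticality": 3,
     "peak": set(range(0, 9)) | set(range(20, 24))},   # nightly batch jobs
    {"host": "10.0.1.10", "category": "linux-web", "criticality": 5, "peak": set(range(8, 22))},
    {"host": "10.0.7.40", "category": "ot", "criticality": 5, "peak": set(range(24))},
]

EXCLUDED = {"printer"}      # reported in the thread to print gibberish when scanned
MANUAL_REVIEW = {"ot"}      # reported in the thread to crash or reboot under scans


def off_peak_hour(assets):
    """Earliest hour of the day that falls in the fewest assets' peak periods."""
    busy = [sum(hour in a["peak"] for a in assets) for hour in range(24)]
    return min(range(24), key=lambda hour: (busy[hour], hour))


def plan_rollout(inventory):
    """Group scannable assets into waves, least important first."""
    plan = {"waves": [], "excluded": [], "manual_review": []}
    by_criticality = defaultdict(list)
    for asset in inventory:
        if asset["category"] in EXCLUDED:
            plan["excluded"].append(asset["host"])
        elif asset["category"] in MANUAL_REVIEW:
            plan["manual_review"].append(asset["host"])
        else:
            by_criticality[asset["criticality"]].append(asset)
    for level in sorted(by_criticality):
        assets = by_criticality[level]
        targets = defaultdict(list)          # one target list per host category,
        for asset in assets:                 # so each can get its own scan policy
            targets[asset["category"]].append(asset["host"])
        plan["waves"].append({
            "criticality": level,
            "start_hour": off_peak_hour(assets),
            "targets": dict(targets),
        })
    return plan


def next_wave(plan, waves_done, open_incidents=0, stop_requested=False):
    """Milestone gate: release the next wave only after a clean previous one,
    and never while operations has asked for scanning to stop."""
    if stop_requested or open_incidents or waves_done >= len(plan["waves"]):
        return None
    return plan["waves"][waves_done]


if __name__ == "__main__":
    plan = plan_rollout(INVENTORY)
    for number, wave in enumerate(plan["waves"], start=1):
        print(f"wave {number}: criticality {wave['criticality']}, "
              f"start {wave['start_hour']:02d}:00, targets {wave['targets']}")
    print("excluded:", plan["excluded"])
    print("manual review:", plan["manual_review"])
```

The batch database wave lands at 09:00 rather than at night, which is the "off-peak is not always the night" case from the message.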


Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-14 Thread Eero Volotinen
I usually prefer lower scan speed as too intensive can crash firewall
devices..

Eero

14.3.2018 22.01 "TJ" wrote:

> I would exclude networked printers as the scans can cause them to produce
> volumes of printed gibberish (found out the hard way)
>
> Yes, definitely scan during maintenance windows/non-business hours until
> you see how well it plays in your environment.  Not to mention with less
> network traffic and systems activity, the scans should finish a lot sooner
>
> On 3/14/2018 3:53 PM, Peter Collins wrote:
>
> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and
> vulnerability scans on both prod and non-prod. Like every place, we want to
> make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans
> only during maintenance windows to start off, to make sure nothing gets
> broken? Or are the non destructive, non authenticated scans considered safe
> enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without
> issue, on our network.
>
> Thanks so much in advance
>
> Peter
>
>
>

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

2018-03-14 Thread Eero Volotinen
well. it depends on scan settings.

on wrong settings it can dos/crash your systems or network devices..

Eero

14.3.2018 21.53 "Peter Collins" wrote:

> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and
> vulnerability scans on both prod and non-prod. Like every place, we want to
> make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans
> only during maintenance windows to start off, to make sure nothing gets
> broken? Or are the non destructive, non authenticated scans considered safe
> enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without
> issue, on our network.
>
> Thanks so much in advance
>
> Peter
>
>