Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
On 16.03.2018 at 20:41, Thomas Reinke wrote:
> LOL - you might be saying thank you as you pick up your pink slip/are escorted out the door for impacting a production system with that sentiment.

luckily I have the power to control the whole hardware and software stack, and since I am not an idiot such a test would happen first late at night, where you can manage such an outage, and if it happens the first task the next day would be to seek a replacement anyway

no attacker will ever care about this, and so the outage is better suited to a planned schedule, if it happens, than to a random point in time where nobody expected it and can explain what happened - you get escorted out the door if your firewall is randomly and repeatedly down and only god knows why, because you are nice when testing your things, so everybody but you triggers issues - worthless tests if it is vulnerable and can be knocked out by anybody but you don't try it

> The ultimate answer is dependent upon sensitivities around your assets. The more sensitive you are, the more you work to manage those sensitivities. If nessus didn't present any issues, that's a good sign that your system is likely robust enough, and I'd frame any plans in that context (i.e. this is doing exactly what and how the external contractor did it). If additional concerns have been raised since then, you simply need to address those - and they are specific to you (usually not a technology problem).
>
> In general, concerns are always around the unknowns and 'what if'. To deal with that:
>
> 1) Know when your peak resource load times are (be it CPU, memory, bandwidth, whatever). Avoid them, unless of course you are attempting to perform a peak test (but then, that's no longer a security issue).
> 2) Know when your peak sensitivity times are (Christmas shopping season? Hmmm... Time for JD Powers to assess your reliability? Again... maybe avoid that).
> 3) Know what controls are in place to keep your assets secure even if you don't run an audit (regular patching? Keeping abreast of advisories?).
> 4) If you are just starting with in-house scanning, roll out your scanning procedures from the least important assets first to the most important ones last. That will build confidence in the processes. Include milestones/checks along the way so that you can report progress back to everyone and keep them happy and confident that the scans will provide information without being disruptive.
>
> There is no one-size-fits-all. Tailor it to the people that have a vested interest in what you do and why you do it, and you'll be in good shape.
>
> Thomas
>
> On 03/14/2018 04:43 PM, Reindl Harald wrote:
>> On 14.03.2018 at 21:06, Eero Volotinen wrote:
>>> I usually prefer lower scan speed as too intensive can crash firewall devices..
>>
>> if a security scan from a single node crashes your firewall device you should say "thank you" for knowing that this crap needs to be replaced ASAP
>>
>> real attackers don't care as you do
>>
>>> On 14.3.2018 22.01, "TJ" wrote:
>>>> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>>>>
>>>> Yes, definitely scan during maintenance windows/non-business hours until you see how well it plays in your environment. Not to mention with less network traffic and systems activity, the scans should finish a lot sooner
>>>>
>>>> On 3/14/2018 3:53 PM, Peter Collins wrote:
>>>>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>>>>
>>>>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>>>>
>>>>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>>>>
>>>>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>>>>
>>>>> Thanks so much in advance

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
LOL - you might be saying thank you as you pick up your pink slip/are escorted out the door for impacting a production system with that sentiment.

The ultimate answer is dependent upon sensitivities around your assets. The more sensitive you are, the more you work to manage those sensitivities. If nessus didn't present any issues, that's a good sign that your system is likely robust enough, and I'd frame any plans in that context (i.e. this is doing exactly what and how the external contractor did it). If additional concerns have been raised since then, you simply need to address those - and they are specific to you (usually not a technology problem).

In general, concerns are always around the unknowns and 'what if'. To deal with that:

1) Know when your peak resource load times are (be it CPU, memory, bandwidth, whatever). Avoid them, unless of course you are attempting to perform a peak test (but then, that's no longer a security issue).
2) Know when your peak sensitivity times are (Christmas shopping season? Hmmm... Time for JD Powers to assess your reliability? Again... maybe avoid that).
3) Know what controls are in place to keep your assets secure even if you don't run an audit (regular patching? Keeping abreast of advisories?).
4) If you are just starting with in-house scanning, roll out your scanning procedures from the least important assets first to the most important ones last. That will build confidence in the processes. Include milestones/checks along the way so that you can report progress back to everyone and keep them happy and confident that the scans will provide information without being disruptive.

There is no one-size-fits-all. Tailor it to the people that have a vested interest in what you do and why you do it, and you'll be in good shape.

Thomas

On 03/14/2018 04:43 PM, Reindl Harald wrote:
> On 14.03.2018 at 21:06, Eero Volotinen wrote:
>> I usually prefer lower scan speed as too intensive can crash firewall devices..
>
> if a security scan from a single node crashes your firewall device you should say "thank you" for knowing that this crap needs to be replaced ASAP
>
> real attackers don't care as you do
>
>> On 14.3.2018 22.01, "TJ" wrote:
>>> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>>>
>>> Yes, definitely scan during maintenance windows/non-business hours until you see how well it plays in your environment. Not to mention with less network traffic and systems activity, the scans should finish a lot sooner
>>>
>>> On 3/14/2018 3:53 PM, Peter Collins wrote:
>>>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>>>
>>>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>>>
>>>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>>>
>>>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>>>
>>>> Thanks so much in advance
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Good to know. I will look into going to a newer version!

On 3/15/2018 1:42 PM, Christian Fischer wrote:
> Hi *,
>
> On 14.03.2018 20:59, TJ wrote:
>> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>
> we have tried to work around this in the last year and implemented a few additional mitigations which showed quite good results as long as the printer was detected. This is handled in the following NVT:
>
> http://plugins.openvas.org/nasl.php?oid=12241
>
> by excluding common ports (namely 9100-9103 and 9112-9116 / tcp) by default which are known to print gibberish if touched. There might still be quite a lot of printers out there which we don't detect. If you're still facing issues like this, any additional information about your printer (HTTP, SNMP SysDesc, Telnet, FTP banners etc.) is welcome.
>
> Regards,
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Hi *,

On 14.03.2018 20:59, TJ wrote:
> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)

we have tried to work around this in the last year and implemented a few additional mitigations which showed quite good results as long as the printer was detected. This is handled in the following NVT:

http://plugins.openvas.org/nasl.php?oid=12241

by excluding common ports (namely 9100-9103 and 9112-9116 / tcp) by default which are known to print gibberish if touched. There might still be quite a lot of printers out there which we don't detect. If you're still facing issues like this, any additional information about your printer (HTTP, SNMP SysDesc, Telnet, FTP banners etc.) is welcome.

Regards,

--
Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Thanks everyone so far, including the omnipresent Rui. This information is very helpful.

Peter

On Thu, Mar 15, 2018 at 4:55 AM, tatooin wrote:
> Hi Peter,
>
> I am using OpenVAS to conduct VA in the environment of a big corporate network (up to /21 networks) on a regular basis, and so far I have never witnessed any incidents on the IT world. I'm using the default OpenVAS profile, although I have also tried the most impactful profiles.
>
> So on the IT side; unless you are using very old & unmaintained assets (in which case, at least your scans will help identify them) this shouldn't be a concern.
>
> However, on the OT world this is significantly different. I have witnessed several crashes / reboots of OT devices, including recent ones. So I would be much more careful on this part of your environment.
>
> Best,
>
> On Wed, 2018-03-14 at 12:53 -0700, Peter Collins wrote:
>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>
>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>
>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>
>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>
>> Thanks so much in advance
>>
>> Peter
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Hi Peter,

I am using OpenVAS to conduct VA in the environment of a big corporate network (up to /21 networks) on a regular basis, and so far I have never witnessed any incidents on the IT world. I'm using the default OpenVAS profile, although I have also tried the most impactful profiles.

So on the IT side; unless you are using very old & unmaintained assets (in which case, at least your scans will help identify them) this shouldn't be a concern.

However, on the OT world this is significantly different. I have witnessed several crashes / reboots of OT devices, including recent ones. So I would be much more careful on this part of your environment.

Best,

On Wed, 2018-03-14 at 12:53 -0700, Peter Collins wrote:
> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without issue, on our network.
>
> Thanks so much in advance
>
> Peter
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
I have actually hit issues with scanning our hosts, and what I have done is try to categorize the different types of hosts based on what they run (both OS and applications). Then create Scanning Policies that target the category of host being scanned.

Since we also have machines in AWS, our local DC and other Cloud providers, I have created slave scanners at the individual sites with a Central manager scanner. This moves the scanning out closer to the host to be scanned and does not flood our local network where the manager scanner is.

Louis

:
Louis Bohm - Sr. Systems Engineer
Dell TechDirect Certified

> On Mar 14, 2018, at 4:43 PM, Reindl Harald wrote:
>
> On 14.03.2018 at 21:06, Eero Volotinen wrote:
>> I usually prefer lower scan speed as too intensive can crash firewall devices..
>
> if a security scan from a single node crashes your firewall device you should say "thank you" for knowing that this crap needs to be replaced ASAP
>
> real attackers don't care as you do
>
>> On 14.3.2018 22.01, "TJ" wrote:
>>> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>>>
>>> Yes, definitely scan during maintenance windows/non-business hours until you see how well it plays in your environment. Not to mention with less network traffic and systems activity, the scans should finish a lot sooner
>>>
>>> On 3/14/2018 3:53 PM, Peter Collins wrote:
>>>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>>>
>>>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>>>
>>>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>>>
>>>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>>>
>>>> Thanks so much in advance
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
On 14.03.2018 at 21:06, Eero Volotinen wrote:
> I usually prefer lower scan speed as too intensive can crash firewall devices..

if a security scan from a single node crashes your firewall device you should say "thank you" for knowing that this crap needs to be replaced ASAP

real attackers don't care as you do

> On 14.3.2018 22.01, "TJ" wrote:
>> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>>
>> Yes, definitely scan during maintenance windows/non-business hours until you see how well it plays in your environment. Not to mention with less network traffic and systems activity, the scans should finish a lot sooner
>>
>> On 3/14/2018 3:53 PM, Peter Collins wrote:
>>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>>
>>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>>
>>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>>
>>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>>
>>> Thanks so much in advance
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Hi!

I have been performing vulnerability testing in a large-scale enterprise for a while now and I have seen everything. To start with:

* If a system crashes, it is not caused by the scan; there is a DOS vulnerability found by the scanner.
* If a system acts unpredictably, it's a weakness found by the scanner.
* A robust piece of software MUST be able to survive a network scan, whatever the scanner does, but simply flooding the interface.

On the other hand, we see a lot of crap out there that does not act like this. The printers were already mentioned. Firewall devices may have performance issues when too many simultaneous sessions have to be handled.

My advice: Be as accurate as possible with the scanning policy by categorising the targets as well as possible. Get the data from CMDBs or similar. Test the policies on non-productive systems ahead. Give the ops the red button to turn off the scan in an emergency instead of having them call you in the middle of the night. Scan in off-peak times; this is not always the night or the weekend.

Happy scanning.

> On 14.03.2018 at 20:53, Peter Collins wrote:
>
> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without issue, on our network.
>
> Thanks so much in advance
>
> Peter

--
Christoph Gruber
l...@guru.at
Patience is not the ability to wait, but to have a good attitude while waiting!
PGP-Key-ID: 11C558E8
PGP-Key-Fingerprint: BC67 4E98 9B2E 70F7 C24F A7B7 3ADD C4B4 11C5 58E8
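Several posts in this thread converge on the same defensive recipe: Christian Fischer's note that the printer-detection NVT leaves TCP 9100-9103 and 9112-9116 alone, Louis Bohm's per-category scan policies, Thomas Reinke's least-important-first rollout, and Christoph Gruber's advice to categorise targets from a CMDB, test on non-production first and scan off-peak. The script below is an added example from the editor, not code posted by anyone in the thread or shipped by the OpenVAS project. It classifies assets from a constructed CMDB export, assigns each category a conservative scan profile (printers get the port exclusions named above, OT and firewalls get the gentlest concurrency), and orders the rollout by business criticality. `max_hosts` and `max_checks` are OpenVAS scanner preference names; the values chosen for them, the criticality scale, the maintenance window and the classifier regexes are all assumptions to be tuned per environment.

```python
"""Stage a first in-house scan rollout from a CMDB export.

Added example (not from the mailing-list thread or the OpenVAS project).
It turns the thread's advice into a plan: classify each asset, pick a
per-category profile, and roll out least-important-first.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import time

# Constructed CMDB export (assumption): hostname, ip, description, criticality 1-5.
CMDB_CSV = """hostname,ip,description,criticality
print-01,10.0.5.20,HP JetDirect printer,1
plc-07,10.0.9.12,Siemens S7-300 PLC,5
fw-edge,10.0.0.1,pfSense 2.4 firewall,4
web-stage,10.0.3.40,Ubuntu 16.04 nginx,2
db-prod,10.0.2.10,CentOS 7 PostgreSQL,5
"""

# TCP ports the OpenVAS printer-detection NVT excludes by default (from the thread).
PRINTER_PORTS = list(range(9100, 9104)) + list(range(9112, 9117))

# Category heuristics over the CMDB description / banner (constructed, extend as needed).
CLASSIFIERS = [
    ("printer", re.compile(r"printer|jetdirect", re.I)),
    ("ot", re.compile(r"\bplc\b|scada|modbus|s7-", re.I)),
    ("firewall", re.compile(r"firewall|pfsense|fortigate", re.I)),
]


@dataclass(frozen=True)
class Profile:
    name: str
    max_hosts: int           # OpenVAS scanner preference: hosts scanned in parallel
    max_checks: int          # OpenVAS scanner preference: checks per host in parallel
    exclude_tcp: tuple       # ports the scanner must never touch
    maintenance_window_only: bool


# Deliberately conservative knobs; the numbers are assumptions, not project defaults.
PROFILES = {
    "printer": Profile("printer-safe", 2, 1, tuple(PRINTER_PORTS), True),
    "ot": Profile("ot-gentle", 1, 1, (), True),
    "firewall": Profile("fw-lowrate", 1, 2, (), True),
    "it": Profile("it-default", 10, 4, (), False),
}


def classify(description):
    """First matching heuristic wins; anything unrecognised is ordinary IT."""
    for category, pattern in CLASSIFIERS:
        if pattern.search(description):
            return category
    return "it"


def load_assets(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["criticality"] = int(row["criticality"])
        row["category"] = classify(row["description"])
    return rows


def rollout_waves(assets):
    """Least important first: one wave per criticality level, ascending."""
    waves = {}
    for asset in assets:
        waves.setdefault(asset["criticality"], []).append(asset["hostname"])
    return [sorted(waves[level]) for level in sorted(waves)]


def parse_hhmm(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


def in_window(now, start=time(22, 0), end=time(5, 0)):
    """Maintenance window that crosses midnight (constructed default 22:00-05:00)."""
    return now >= start or now < end


def plan_scan(asset, now):
    """Scanner settings for one asset, plus whether it may run at this time of day."""
    profile = PROFILES[asset["category"]]
    allowed = in_window(now) or not profile.maintenance_window_only
    return {"target": asset["ip"], "profile": profile.name,
            "max_hosts": profile.max_hosts, "max_checks": profile.max_checks,
            "exclude_tcp": profile.exclude_tcp, "run_now": allowed}


if __name__ == "__main__":
    inventory = load_assets(CMDB_CSV)
    print("rollout waves:", rollout_waves(inventory))
    for item in inventory:
        print(plan_scan(item, parse_hhmm("12:00")))
```

Run at midday the plan refuses to start the printer, PLC and firewall scans and only releases the IT hosts; at 23:00 everything is allowed, but the OT and firewall profiles still serialise to one host at a time. The emergency "red button" Christoph mentions is outside this script: it is whatever stops the scanner task itself, and ops should have it before wave one starts.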
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
I usually prefer lower scan speed as too intensive can crash firewall devices..

Eero

On 14.3.2018 22.01, "TJ" wrote:
> I would exclude networked printers as the scans can cause them to produce volumes of printed gibberish (found out the hard way)
>
> Yes, definitely scan during maintenance windows/non-business hours until you see how well it plays in your environment. Not to mention with less network traffic and systems activity, the scans should finish a lot sooner
>
> On 3/14/2018 3:53 PM, Peter Collins wrote:
>> (Sorry if this is a repost. I had a technical issue with my first attempt)
>>
>> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>>
>> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>>
>> I should add that Nessus has been used by an outside contractor without issue, on our network.
>>
>> Thanks so much in advance
>>
>> Peter
Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network
Well, it depends on scan settings. With wrong settings it can DoS/crash your systems or network devices..

Eero

On 14.3.2018 21.53, "Peter Collins" wrote:
> (Sorry if this is a repost. I had a technical issue with my first attempt)
>
> I would like to use OSSIM's OpenVAS component to run asset and vulnerability scans on both prod and non-prod. Like every place, we want to make sure the IT infrastructure is not harmed or jeopardized.
>
> So what is due care when introducing scanning? Should I do the asset scans only during maintenance windows to start off, to make sure nothing gets broken? Or are the non-destructive, non-authenticated scans considered safe enough to run during production hours, on production assets?
>
> I should add that Nessus has been used by an outside contractor without issue, on our network.
>
> Thanks so much in advance
>
> Peter