Office of Information Security
System Vulnerability Scanning with SecurityCenter/Nessus
In an effort to expedite the identification and remediation of system vulnerabilities on the Penn State network, the University deployed a vulnerability scan manager/aggregator/analyzer called SecurityCenter.
Console access is given to select IT staff, allowing them to manage and analyze vulnerability scans within their unit’s assigned IP space. This allows them to secure hosts prior to deployment and to secure existing assets against newly identified threats. It also allows units to identify and remediate vulnerabilities prior to submitting requests for compliance scans performed by the Office of Information Security. OIS continues to be the final arbiter for all compliance scans, including AISGI and PCI scans.
SecurityCenter is not a scanner. It manages scans across multiple Nessus vulnerability scanners and then aggregates the data for analysis. Scans are governed by asset lists (which consist of IP ranges) and repositories, which are used to store the vulnerability data collected by the scanners. In our deployment, each unit is assigned a root access list (consisting of all the IP Ranges assigned to the unit by ENCS) and one repository.
My Windows server is fully patched but Security Center is still finding SPECTRE / Meltdown vulnerabilities. How do I address these vulnerabilities?
You may have the patch installed, but Microsoft elected not to enable the SPECTRE / Meltdown mitigation on servers by default (due to the potential performance hit). You must set a registry key to enable it. Once enabled, upon the next scan Security Center will treat the vulnerability as “resolved.” Additional details are available here, and a PowerShell script to confirm the fix was enabled is available from Microsoft as well.
I’m seeing more vulnerabilities listed in the Security Dashboard than I see in Security Center. Why?
There could be many reasons, but the most common reasons are:
- Security Center is unaware that your unit “owns” a particular asset. For example, IP 126.96.36.199 is being associated with your unit in our reporting processes, but Security Center is unaware that 188.8.131.52 is owned by your unit. The process for updating a unit’s asset list is manual right now, so please reach out to us with any discrepancies and we’ll resolve them. Moving forward, we’re investigating methods for dynamically updating the asset lists using data from ENCS’s Proteus and VM Hosting, so please confirm your information is accurate in these systems by requesting a network contact update (see below).
- Vulnerabilities listed in the Security Dashboard are updated every 24 hours. This is a vendor-imposed limitation and we’ve been working with them to modify their software; we will begin beta testing an updated app that greatly reduces this lag.
- Your filters on the Analysis screen within Security Center are too restrictive, and are filtering out some of your results. For example, you may be specifying a specific repository of vulnerability results to look at (e.g. UNIT_REPO), and not seeing Enclave system vulnerabilities stored in a separate repository.
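For the first cause above, a unit can check its own asset list against the IPs reported in the Security Dashboard before contacting OIS. The following is an added example, not OIS or Tenable tooling; it assumes the asset list is available as text with one CIDR block, dash range, or single IP per line, and all addresses shown are constructed documentation addresses.

```python
import ipaddress

def parse_asset_list(text):
    """Turn asset-list entries (CIDR, 'start-end' range, single IP) into networks."""
    networks = []
    for raw in text.replace(",", "\n").splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            # Raises ValueError if the range is reversed, TypeError if versions differ.
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def unowned_findings(asset_list_text, finding_ips):
    """Return reported IPs that fall outside every range in the asset list."""
    networks = parse_asset_list(asset_list_text)
    missing = set()
    for ip_text in finding_ips:
        ip = ipaddress.ip_address(ip_text.strip())
        if not any(ip.version == n.version and ip in n for n in networks):
            missing.add(ip)
    # Sort by version first so mixed IPv4/IPv6 input does not raise on comparison.
    return [str(ip) for ip in sorted(missing, key=lambda a: (a.version, int(a)))]

# Constructed sample: a unit's asset list as it might be exported (assumed format).
ASSET_LIST = """
192.0.2.0/25                    # lab subnet
198.51.100.10-198.51.100.20     # server range
203.0.113.7                     # single host
"""

# Constructed sample: IPs the dashboard attributes to the unit (duplicates allowed).
DASHBOARD_IPS = ["192.0.2.15", "192.0.2.200", "198.51.100.20",
                 "198.51.100.21", "203.0.113.7", "192.0.2.200"]

if __name__ == "__main__":
    for ip in unowned_findings(ASSET_LIST, DASHBOARD_IPS):
        print(f"{ip} is reported for the unit but is not in the asset list")
```

Any address this reports is a candidate discrepancy to send to OIS along with the range it should belong to.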
I patched a vulnerability on my Enclave system and ran a “remediation scan,” but the vulnerability is still showing in Security Center. Why?
Enclave systems run the Nessus Agent, and there is no such concept as a “remediation scan” within the Agent. Instead, remediation scans use the network-based scanner, and many of the patch-level checks simply cannot be checked with this type of scan. Unfortunately, you need to wait until the next Agent scan runs. For Enclave systems the Agent scan runs at 6 p.m., and the results are imported into Security Center at 8 p.m.
How do I request an exception for a vulnerability I simply cannot fix (but I have mitigated as much as possible)?
Please email email@example.com with the specifics (IP address, port number, protocol, plugin ID, and your mitigating factors/rationale for the exception request).
How do I view vulnerabilities found by the Nessus Agent (e.g. within an Enclave)?
Within Security Center, go to the Analysis menu at the top and select Vulnerabilities. Select the filter panel on the left (it looks like >>). Select the Repositories filter. If you don’t see that filter, scroll to the bottom and click Select Filters and from that pop-up window, select Repositories. In the Repositories filter, select Nessus_Agent-ENCLAVES_Repo.
UPDATE NETWORK CONTACTS
The automation that OIS employs around vulnerability data is dependent upon contact information. If you are not receiving the desired communications, please review our page explaining how we determine the owner of a system. OIS uses automation to send notifications on compromised hosts, vulnerabilities, etc.
The contacts for a system are retrieved from official systems:
- If you use VM Hosting, OIS uses VM Hosting’s contact database.
- Otherwise, OIS uses ENCS’s IPAM system (a.k.a. Proteus or BlueCat Networks).
- OIS also leverages the Security Email field as a method for notifying a mailing list rather than specific individuals.
OIS does not maintain these systems, so if modifications are necessary, please contact the appropriate owner using the links below.
When visiting the Proteus Network Contact Update request, you will need to first select “I am requesting or changing IP Address Management (IPAM) which includes DNS and DHCP” and then “Request consultation.”