Know the importance of protecting your remote scanning credentials

Security in the field of remote access has been the most discussed topic of the last 3 months. Protecting your data during the COVID-19 contingency is crucial, especially when it comes to vulnerabilities. Protecting your scanning credentials is key to achieving this.

Many companies use default scans for their unauthenticated remote testing. These are remote non-authenticated scans.

These types of external evaluations are good to test your network services, but they are not infallible.

Although they can detect vulnerabilities or incorrect settings that can expose confidential information, you must be careful.

In some cases, these scans may not provide much detail about critical conditions on your systems.

What are the most common problems with unauthenticated scans?

In the case of unauthenticated scans, we are talking about flaws that can destabilize entire systems. These scans may not detect missing operating system or third-party patches. They may even skip compliance-related benchmarks like CIS or DISA STIGs.

Why? Because they cannot examine the system, and run the appropriate tests at the same time.

Authenticated scans

Authenticated scans use scanning credentials to log in to devices and examine them from the inside out.

Because authenticated scans review devices thoroughly, they collect more information about software and vulnerabilities.

Advantages of authenticated scans

When you analyze and compare results, the vulnerability response in authenticated scans is superior. There’s a 10-fold increase in the number of vulnerabilities detected after using authenticated scans.

These vulnerabilities always existed; yet only authenticated evaluations provide the visibility that default evaluations cannot.

Although being able to detect more vulnerabilities is good, you should also design a strategy to encompass all the results.

Tenable.io customers, for example, can use Predictive and VPR prioritization. These tools help you manage any vulnerability overload.

How can I protect the scanning credentials used for vulnerability analysis?

Protecting your scanning credentials is an important process your analysts must take seriously. However, as an organization, there are things you can do to ensure credentials are secure across the board.

Tips to strengthen the protection of your scanning credentials

Use a single account for your vulnerability assessments

Sharing the account used for vulnerability assessments is unnecessary. With each new evaluation carried out, create a new account for this purpose.

If you don’t want to create an account for each scan, create many accounts depending on your organization’s size. These accounts should only exist in the systems to which they apply, and with the corresponding permissions.

Tenable.io allows you to specify as many accounts as necessary to run evaluations.

Protect your settings

Storing network passwords in a text file or spreadsheet is a bad idea, to say the least. It is best to use a system created and designed to store this data securely.

Store scanning credentials in encrypted data stores and/or with privileged user access.

Use secure protocols for authentication on your network systems

Currently, there are many ways to authenticate within a network system. However, some protocols are clear-text or have known and exploitable vulnerabilities. This makes them easy for attackers to compromise.

Not using these protocols to authenticate your systems is the first step. The next is to define how to do it safely. You can use plain text protocols, although we recommend the Nessus scanner security protocols.

Control the use of your scanning credentials: when and how?

Let’s say, for example, you schedule your vulnerability scanning account to run every Saturday morning. In this case, there is no reason for the account to be active on a Tuesday from someone else’s laptop.

Some platforms allow you to restrict accounts to use only certain protocols. If you can restrict the use of scan accounts to specific dates, do it. This way, you ensure that nothing out of place happens with these accounts.

Track accounts that present anomalies

If you are using a dedicated account to scan at certain times, then its usage should be predictable. This means knowing both where and when logins to these accounts are attempted.

Do not overlook any anomaly in any of these cases. We recommend that you install a verification component to strengthen your security controls.
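The check described in the last two sections can be run over authentication logs. The following is an added example, not code from this article or from Tenable: it flags any login attempt by the scan account that falls outside the scheduled window or comes from a host other than the scanner. The account name, scanner address, window hours and log layout are assumptions made for the example.

```python
from datetime import datetime, time

# Assumptions for this example (not from the article): account name,
# scanner address, scan window and the log line layout.
SCAN_ACCOUNT = "svc-vulnscan"
SCANNER_HOSTS = {"10.0.5.20"}
SCAN_DAY = 5                      # Monday=0, so 5 is Saturday
SCAN_START, SCAN_END = time(5, 0), time(9, 0)

# Constructed sample auth log: timestamp, account, source IP, result
SAMPLE_LOG = """\
2020-05-16T06:12:03 svc-vulnscan 10.0.5.20 success
2020-05-16T06:40:51 svc-vulnscan 10.0.5.20 success
2020-05-19T14:03:27 svc-vulnscan 10.0.8.77 success
2020-05-23T06:05:10 svc-vulnscan 10.0.8.77 failure
2020-05-19T09:00:00 jdoe 10.0.8.77 success
not a log line
"""

def find_anomalies(log_text):
    """Return (timestamp, source, reasons) for each suspicious scan-account login."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        stamp, account, source, _result = parts
        if account != SCAN_ACCOUNT:
            continue              # only the dedicated scan account is checked
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue              # unparseable timestamp
        reasons = []
        in_window = (when.weekday() == SCAN_DAY
                     and SCAN_START <= when.time() <= SCAN_END)
        if not in_window:
            reasons.append("outside scan window")
        if source not in SCANNER_HOSTS:
            reasons.append("unexpected source host")
        if reasons:               # failed attempts are reported too
            findings.append((stamp, source, reasons))
    return findings

if __name__ == "__main__":
    for stamp, source, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{stamp} {source}: {', '.join(reasons)}")
```

On the sample log, the Tuesday login from another host is reported for both reasons, and the Saturday attempt from the same host is reported for its source alone.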

3 things to avoid

Some strategies or ideas can put your remote operations at risk. Here are some things to avoid if you want to better protect the integrity of your assets:

  • Do not reuse accounts between vulnerability scans. It is also recommended to change users, not only for scans but for other IT operations.
  • Do not use repetitive, weak, or recycled passwords. In this case, the best thing you can do is put in place a system that allows you to check the strength of your passwords.
  • Because humans will never use these passwords manually, they don’t need to be easy. Be sure to use complex, long and unique passwords.

A great tip: Don’t change the passwords of your scanning credentials too often

Changing passwords often can lead to scan errors and frustration on your IT teams. Whenever possible, only change passwords in the event of an incident or irregularity.

A complete tool

Tenable.io is a complete tool that offers, with a single license, access to a huge variety of functionalities like:

  • Vulnerability management
  • Container security
  • Web application scanning

If you want to know more about this tool and how to protect your scanning credentials, contact us. Even in the face of the current pandemic, GB Advisors works 24/7 to provide you with the best tools and strategies to perfect your digital security.
