Nexpose Certified Administrator

Copyright Rapid7 2020 v20.06.01


Introductions
• About your instructor
• About you
• Who are you?
• What is your experience level with Nexpose?
• What are your responsibilities/expectations?
Agenda
Day 1
• Introduction to Nexpose
• Nexpose Architecture
• Navigating the User Interface
• Scan Process/Templates
• Organizing Your Data
• Remediation
• Security Analytics
Day 2
• Planning Your Deployment
• Create and Pair Scan Engines
• Credentials and Scanning
• Exception Workflow
• Troubleshooting
• Risk Strategies and Scoring
• Reporting
• Practice Exam
Introduction to Nexpose
Objectives:
• Understand the vulnerability management lifecycle
• Understand the challenges of vulnerability management and how to address them
Vulnerability Management Lifecycle
(Diagram: a cycle centred on Assets, with the stages Discover, Prioritize, Verify, Remediate, Assess and Report.)
Nexpose Vulnerability Management
Know Your Network
• Security assessment for the modern network
• Identify what’s important to your business
• Use attacker mindset to find weaknesses
Manage Risk Effectively
• Use critical threat awareness from Metasploit
• Prioritize business risks that matter
• Create concise actionable remediation plans
Simplify Your Compliance
• Perform fast, unified security & compliance assessment
• Automate workflows
• Leverage built-in Audit & PCI report templates
Efficient Security Assessment
• Nexpose provides a holistic view of your network-connected devices
• Unified scanning
• OS
• Applications
• Web
• Database
• Configuration/Policy
• Consolidated reporting
Understand Business Context
• Automatic classification
• Identify important systems and assign remediation owners
Nexpose Architecture
Objectives:
• Understand the components of the Nexpose architecture
Nexpose Components

Nexpose Security Console (nsc)

Nexpose Scan Engine (nse)

Nexpose Database (postgresql)

Nexpose API (versions 1.1, 1.2 and RESTful v3)


Nexpose Security Console (NSC)
• Centralized Administration
• Configuration, Presentation
• Accessible by port 3780 by default, but changeable
• https://[Server IP]:3780
• Contains scan sites, assets, scan templates, reports, policies, asset groups,
administration, user management
• Communication needs
• To updates.rapid7.com (80)
• To support.rapid7.com (443)
InsightVM Scan Engine (NSE)
• Types:
• Local – Integrated with the Console
• Distributed – Deployed across network
• Hosted – Offered by Rapid7 to scan externally facing assets
• System requirements different for Engines vs. Consoles
• No asset information is stored on the engines
• Holds the vulnerability checks and engine specific logs
• Software and vulnerability check updates are pushed from the console
• Primary means of communication
• From NSC to NSE (40814)
• From NSE to NSC (40815)
Nexpose Database
• PostgreSQL 9.4.x
• Integrated into the console
• Can be tuned for optimal performance
• No direct database access, however…
• The database contains a Reporting Data Model for ease of custom reporting
• You can run SQL queries against it through the Reporting GUI
• Ability to export to external MS-SQL, Oracle and MySQL databases
• Data warehouse/replication to another PostgreSQL server
Nexpose API
(Application Programming Interface)
• Methods
• API 1.1/1.2 - XML over HTTPS
• RESTful APIv3 – JSON over HTTPS
• Ruby Gem (Library) - Leverages the API and AJAX
• Common Uses
• Third-party Integrations
• Workflow Automation
• Simple Utilities
• Dive Deeper in Advanced Vulnerability Manager Course
Nexpose Architecture (diagram)
• Console / local scan engine (NSC): Console/API at https://x.x.x.x:3780; local PostgreSQL on TCP 5432
• Console to distributed (internal) scan engines (NSE): TCP 40814; engines to console: TCP 40815
• Console to hosted scan engines: TCP 40814
• Scan engines (local and distributed) to scan targets: all TCP/UDP ports
• Console to http://updates.rapid7.com:80 and https://support.rapid7.com:443
Nexpose VS InsightVM
• InsightVM includes all features found in Nexpose Enterprise, including our traditional on premise scan engines.
• As part of the Rapid7 Insight Platform
• Exposure Analytics
• Live dashboards
• Unified agent across all Insight products
• Remediation workflow and goal planning
• In-product integrations
Navigating the UI
Objectives:
• Understand components of the Nexpose Console
Accessing the Console
• https://[Console_IP]:3780
• Supported Browsers:
• Chrome (recommended)
• Firefox/Firefox ESR
• IE 11/Microsoft Edge
• Others work, but are not supported (e.g. Safari, IceWeasel)
• Login with the credential defined during the console installation
Top Menu Items
• Create – Shortcut to create sites, groups, tags, reports
• Search – use keyword or filtered asset searches
• Calendar – feature showing scans and reports in a timeline
• Help – Access online help and news
• Notifications – alerts when new updates are available, or content is added
• User – view/update user preferences, change color scheme, or logout
• Items – Add previously removed home page items
Left Side Navigation Menu
• Home – holistic view of assets, sites, groups
• Assets – detailed data on discovered assets
• Vulnerabilities – comprehensive vulnerability information
• Automated Actions – dynamic discovery automation
• Policies – policies to fit requirements of your environment
• Reports – create, edit, and view reports
• Tickets – basic internal ticketing system
• Administration – perform a variety of administrative tasks

Home Page
(Screenshot callouts: Hamburger to Print; Click and Drag to Zoom; Risk and Assets Over Time; Asset Overview; Site Overview, with Scan Now, Edit or Delete a Site; Click to sort columns; Current Scan Statistics; Asset Group Overview; Asset Tags Overview.)
DEMO - NAVIGATING THE USER INTERFACE
The Scan Process
Objectives:
• Understand the Scanning Process
• The Importance of the Scan Template
Scan Process Overview
(Diagram: Discovery → Port Scan → Service Fingerprinting → OS Fingerprinting → Unconfirmed Vulnerability Checks → Confirmed Vulnerability Checks → Policy Checks)
NSC > NSE: Go and find all ‘alive’ devices
Using ICMP Ping, ARP Ping, TCP and/or UDP Port Scanning
NSC > NSE: What services are running on the open ports?
Use NMAP Helper Libraries

NSC > NSE: What services are we dealing with?
• Service Fingerprinting
• Nexpose will try to determine which services/processes are running on the open ports detected in the previous step.
• Methods:
• Banner-grabbing
• IP Stack Analysis
• Service fingerprinting for custom configurations
• Map a custom port to a service name
• default-services.properties
NSC > NSE: What OS are we dealing with?
• OS Fingerprinting: using information collected from the previous scan stages, the scan attempts to guess which operating system is running on the asset.
• Recog is a framework for identifying products, services, operating systems, and hardware
• Matching fingerprints against data returned from various network probes
• Consists of both XML fingerprint files and an assortment of code, mostly in Ruby, that makes it easy to develop, test, and use the contained fingerprints.
• A score indicating how certain the scan is about its guess is kept, and the highest ranked guess is used for other stages of the scan.
NSC > NSE: What OS are we dealing with?
• OS Fingerprinting
• Credentialed vs. non-credentialed scans.
• Only scans using administrator/root will provide a Certainty of 1.
• Credentials with less than administrator/root privileges may show a Certainty of 0.85
• Credentialed scans are necessary for policy scans, client-side and some system configuration related vulnerability detection.
• Unconfirmed Vulnerability Checks
• Primarily include checks based on patch and version information. These checks determine that a version of software is known to have an issue but do not confirm that the specific issue exists. An example may be that a version of software ships with a default password. The check would determine that that version of software is present and may have default credentials, even if the credentials have already been changed.
• Confirmed Vulnerability Checks
• A confirmed check may go a step further than an Unconfirmed Vulnerability check by specifying that a specific OS, application, and specific version of each must be present before it tries to take an action to verify whether a vulnerability exists. For the example where a vulnerable version of software is present that is known to ship with a known default password, the check may attempt to log in with those known credentials to verify whether the credentials have been changed.
• Policy Checks
• During this stage, checks focus on determining asset configurations and their alignment with predefined baselines defined in policy files.
• USGCB policies
• United States Government Configuration Baseline
• FDCC policies
• Federal Desktop Core Configuration
• DISA STIGs
• Defense Information Systems Agency Security Technical Implementation Guides
• CIS Benchmarks
• Center for Internet Security
SCAN TEMPLATES
Objectives:
• Understand the role of Scan Templates in Nexpose
• Learn the steps to create a Scan Template
Scan Templates
A scan template is a predefined set of scan attributes that you can select quickly rather than manually defining properties, including:
• Target assets
• Services
• Vulnerabilities

Nexpose includes a variety of preconfigured scan templates to help you assess your vulnerabilities according to the best practices for a given need.
Scan Template Configuration
• Defines ‘how’ to discover/scan assets
• Discovery
• Vulnerabilities
• Policy Checks
• Web Spidering
• Each Scan Template can be cloned for ease of customization
• The type of checks you opt for determines which variables you can customize
Demo & Lab 1:
Creating Custom Templates
Organizing Your Data
Objectives:
• Understand the role of sites and developing a site strategy
• Learn to leverage asset groups for analysis and reporting
• Learn to leverage asset tags for providing context
Site Overview
(Diagram: a Nexpose Site is made up of Scan Targets, a Scan Template and a Scan Engine, plus an optional Scan Schedule, Alerts and Credentials.)
Site Strategy
• Break up your environment in a way that:
• Is easy to manage
• Makes sense to your organization
• Achieves your scanning goal/objectives
• Aligns with change control requirements
• Aligns with technical and business owners
Site Strategy – By Location
• Geographical or Logical
• Los Angeles, Boston, New York, London
• 10.1.1.x/24, 10.1.2.x/24, VLAN10, VLAN20
• Internal, External
• Benefits
• Smaller number of sites/scans = ease of management
• Concerns
• Large number of assets per site = longer scan times
Site Strategy – Hybrid
• By location and specific function
• HQ – Desktops
• Remote Office – Laptops
• Datacenter – Servers
• Pros
• Efficient chunks = more regular scans
• Focused scans for specific requirements
• Flexible scheduling
• Cons
• Possibility of a large number of sites
Site Configuration
Demo & Lab 2:
Creating Sites
Asset Groups
Objectives:
• Understand the difference between Dynamic and Static Asset Groups
Asset Group Overview
• Provide the ability to perform targeted asset reporting
• Provide the ability to grant or limit user access to scan data
• Aggregates assets from one or more sites for vulnerability analysis

Dynamic vs. Static asset groups:
• Dynamic – Subject to change; automatically cleans/updates; “real time” perspective
• Static – Constant data set; comparative reporting; “frozen time” perspective
Group Strategy
• Asset Function
• Desktops
• Mobile
• Servers
• Printers
• Database
• Web

• Platform/Product
• Windows
• Linux
• Networking Devices
Demo & Lab 3:
Create Asset Groups
RealContext (aka Asset Tagging)
• Provides business context around your assets by applying tags
• Built-in Tags
• Criticality
• Location
• Owner
• Custom Tags
• Examples: PCI, DMZ, SOC, XYZ Network, DEV, XYZ Application, etc.
RealContext - Adjust Risk By Criticality
• Apply risk multipliers to assets
• Adjust the configurable risk score multiplier based on criticality
• Disabled by default
RealContext Best Practices
• Apply risk multipliers to Dynamic Asset Groups
• Examples:
• Public-facing/DMZ assets = Higher Risk
• Assets with sensitive data = Higher Risk
• Infrastructure service assets = Lower Risk
• Use Sites and Asset Groups to bulk tag assets
• Use filtered asset search to bulk tag assets
Demo & Lab 4:
RealContext
InsightVM Remediation
Objectives:
• Understand and prioritize vulnerabilities
Strategic Remediation
• Threat – A threat is any potential danger to information or systems.
• Vulnerability – Vulnerability describes the circumstances of a system that make it susceptible to damage.
• Risk – A risk is the likelihood of a threat taking advantage of a validated vulnerability.
Remediation of Vulnerabilities

Analyzing the vulnerabilities discovered in scans is a critical step in improving your security
posture. Examining these will help prioritize remediation:
• Frequency
• Affected assets
• Risk level
• Exploitability
Demo & Lab 5:
Remediation and Scanning
Security Analytics
Objectives:
• Learn about Nexpose Security Analytics
• Learn the types of automated actions
• Learn how to create and use automated actions
Security Analytics – Automated Actions
• Certain “Trigger” events initiate automated actions
• Automatically discover and assess new assets as they join the network
• Track your risk as assets come and go from the network
• No more waiting for scans to run
(Diagram: Full Attack Visibility and Assessment, with discovery sources DHCP, VMware, Mobile and AWS.)
Automated Actions
• Automated action can be turned on/off
• You can have as many automated actions as necessary
• Best Practice: avoid conflict (adding asset to two sites, for example)
New Vulnerability Released
• Make instant decisions to scan based on
new vulnerabilities that have been
released.
• Only scans for the vulnerabilities that
meet the threshold.
• Can set threshold by Risk or CVSS Score
New Asset Discovered
• Allows you to make decisions on
scanning assets when they are first
discovered
• Filter based on asset criteria
• Actions include
• Add to a Site,
• Add to a Site and Scan Immediately
Known Asset Discovered
• You can make instant decisions for assets that are known to exist
• Filter based on asset criteria
• Actions include:
• Tag the Asset
• Add the Asset to another Site
• Scan the Asset Now
TIE File Reputation Event
• Integration with DXL and TIE from McAfee (formerly Intel Security) allows your security team to gain insight into your assets and automatically prioritize assets when compromises are detected
• Automatically report vulnerabilities (including title, Nexpose vulnerability ID, CVSS score, detection time, and ePO agent ID) as they are found, enabling other solutions like firewalls and monitoring tools to take actions dependent on those discoveries.
Demo & Lab 6:
Automated Actions

End Day One


Planning your Deployment
Objectives:
• Understand various vulnerability scanning perspectives
• Make the best use of your available resources to gain the scanning
coverage needed to meet your objectives
Deployment Architecture
• Scan Engines – Highly Scalable
• Unified Platform & Management – Console
• Flexible Deployment
• Standards-based API – Open API and Pre-Built Connectors
(Diagram: a Management Console and a Backup Console, with Engines distributed across the network, including one behind a Firewall.)
System Requirements
• Factors that feed into determining the deployment architecture and resource requirements are:
• Total # of IPs scanned
• Scan frequency
• Scan data retention
• # and frequency of reports
• Report retention
• Deployment architecture
• Network architecture
System Requirements
• Processor – Minimum: 2 GHz+ processor or higher; Recommended: 2 x 2 GHz QC processor or higher
• Memory – Minimum: 8 GB RAM (64 bit); Recommended: 16-96 GB (64 bit)*
• Storage (Console) – Minimum: 80 GB; Recommended: 80 GB – 1 TB+*
• Storage (Engine) – Minimum: 10 GB; Recommended: 40-80 GB*
• Network – Minimum: 100 Mbps; Recommended: 1000 Mbps
• Browser – Firefox, Firefox ESR, Chrome, Microsoft Edge, IE 11

* Dependent on many factors, including number of IPs, scan frequency, data retention policies, report quantity, and report complexity
System Scaling Best Practices

While a single scan engine is capable of scanning in excess of 20,000 assets per day, it is recommended
to distribute scans across multiple scan engines for optimal performance.
Currently Supported Operating Systems
64-bit versions of the following platforms are supported.
• Ubuntu Linux 14.04 LTS
• Ubuntu Linux 16.04 LTS
• Ubuntu Linux 18.04 LTS
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
• Microsoft Windows 8.1
• Microsoft Windows 7 SP1
• Red Hat Enterprise Linux Server 7
• Red Hat Enterprise Linux Server 6
• CentOS 7
• Oracle Linux 7
Scan Perspectives
• Deployment architecture
• Scan Engine placement, in-line networking devices, types of devices
• Objectives for scanning
• Compliance, vulnerability management, validation
• Streamlining running and scheduling scans
• Asset availability, scan windows, data for reporting
• Software Coverage
• https://kb.help.rapid7.com/docs/nexpose-vulnerability-coverage
• The software list encompasses those products and services for which we are specifically committed to providing ongoing, automated coverage.
Scan Perspective - Internal
• Scan traffic from engines located behind your perimeter firewall
• Targets devices located on the company intranet
• Provides the ‘inside looking in’ perspective
• Addresses risk due to:
• Trusted insiders
• Curious/Rogue employees
(Diagram: your internal network with an NSC/NSE at Headquarters (2000 assets), an NSE in the DMZ (50 assets), an NSE at a Satellite Office (1000 assets) reached over VPN, and an NSE at a Remote Sales Office (250 assets) reached over a WAN link.)
Scan Perspective - External
• Scan traffic originates from an NSE located outside your perimeter firewall
• Targets devices located on the company extranet
• Provides the ‘outside looking in’ perspective
• True attacker perspective of your network
• Rapid7 offers these ‘Hosted Services’ and SONAR
(Diagram: a hosted NSE in the Rapid7 Datacenter scans the DMZ (50 assets) on open ports only; the Headquarters NSC/NSE (2000 assets) reaches the hosted engine on TCP 40814.)
Scan Perspective - Hybrid
• Scans utilize multiple strategically located NSEs
• Can be both internally and externally located
• Use Cases for a Distributed Scanning Strategy
• Large number of target IP addresses
• Highly segmented network
• Bandwidth restrictions
(Diagram: a hosted NSE in the Rapid7 Datacenter scans the DMZ (50 assets), while the Headquarters NSC/NSE (2000 assets) and an NSE at the Remote Sales Office (250 assets, over a WAN link) cover the internal network.)
Installing Nexpose
Objectives:
• Install Nexpose on a Windows/Linux Server
Windows Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• Console + Scan Engine or Scan Engine Only
• Services
• Nexpose Security Console - Automatic
• Download the appropriate md5sum file to ensure that the installer was not corrupted during download.
Linux Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• chmod +x Rapid7Setup-Linux64.bin
• Console + Scan Engine or Scan Engine Only
• Text-based Installer
• ./Rapid7Setup-Linux64.bin
• Disable SELinux
• Download the appropriate md5sum file to ensure that the installer was not corrupted during download.
Installation Process
• Default Install Directory
• C:\Program Files\rapid7\nexpose
• /opt/rapid7/nexpose
• Verify you meet the minimum requirements
• Default PostgreSQL Listener Port: 5432
• Company Info
• Used to create SSL certificates and included in requests to technical support
• Create an initial Admin user with a strong password
Manage Scan Engines
Objectives:
• Learn How To Create A Scan Engine
• Learn How To Manually Pair An Engine
• Learn About Engine Pooling
Scan Engine Quantity
• Not an exact science…
• How many assets do you want to scan?
• How fast do you want to scan them?
• How many resources are you allocating to your engines?
Scan Engine Placement
• For the most efficient performance and comprehensive scan results, scan engines should:
• Be located as close as possible to the assets being scanned
• Be placed inside demilitarized zones and secure network environments
• Be distributed to geographical regions/locations, depending on the number of assets to be scanned and the bandwidth between the engine and the target assets
• Be placed behind, or at the very least whitelisted through, firewalls and other security controls
Scan Engine Performance
• Scan times vary
• Non-credentialed scans on a single asset can take an average of 5 minutes, depending on the device type, with no web spidering.
• Credentialed scans on a single asset can take an average of 7-10 minutes, depending on device type, with no web spidering.
• Web spider non-credentialed scans on a single asset can be around 15 minutes.
• Web spider credentialed scans on a single asset can be around 20 minutes.

Adjust the simultaneous assets per engine count in the scan template to fully utilize the scan engine.

Scan Engine Management
(Screenshot callouts: Force Update the Engine; Engines’ Current Status; Currently Running Version; Refresh the Status.)
Pairing a Distributed Scan Engine
• Console-to-engine configuration communicates on port 40814
• Engine-to-console configuration communicates on port 40815
• Two-step pairing process:
• Generate key in Console
• Install and authorize the console on the engine
Scan Engine Management
• Updates
• Console updates the distributed engines
• Product and Content
• Scan Engine Pools
• Combine two or more engines into a logical engine
• Distributes the load of assets in a scan
• Ideal for a large number of assets in a single site
• Overlapping scans may queue, causing delays; start times should be staggered.
Demo & Lab 7:
Pair a Scan Engine
Credentialed Scanning
Objectives:
• Learn The Importance Of Using Credentials
• Learn The Different Types Of Credentials
• Learn How To Add Shared And Site Credentials
Credentialed Scans
• Allows target assets to be scanned with authentication
• 100% OS/Service Fingerprint
• Identify local/client-side patch and configuration vulnerabilities
• Reduces false-positives
• Allow for policy/configuration benchmark scans
Credential Management
Two types of scan credentials available:
• Shared
• Shared scan credentials allow a user to use the same credentials across multiple sites
• Can select which sites to apply
• Site-specific
• Site-specific credentials limit the credentials scope to just the assets defined in the site
Encryption Types
To ensure the security of the application, Nexpose uses the following types of encryption
algorithm keys in these areas:
• Identification/authentication: RSA
• Credential password storage: RSA
• Connection to the Web interface: RSA and HTTP over SSL
• Credential encryption: 3DES encrypted with RSA
• Zip files generated for diagnostic information to be uploaded to support.rapid7.com: PGP KeyID: 959D3EDA
• Upload diagnostic information to a server at support.rapid7.com: TLSv1.2
• Security Console to Scan Engine communication: TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for backwards compatibility, and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
Demo & Lab 8:
Manage Credentials
Vulnerability Exceptions
Objectives:
• Learn Why Exceptions Are Important
• Understand The Exception Workflow
• Learn How To Create And Approve Vulnerability Exceptions
Exceptions
• Prevents excepted vulns from being calculated in charts, graphs, reports
• Reason
• Compensating Control
• Acceptable Use/Risk
• False Positive
• Exception workflow allows for dual control
• Vulnerability Exception Scopes can include:
• All instances on an asset
• All instances on all assets
• All instances in the selected asset groups
• Exception Expiration
• Report created specifically for Vulnerability Exceptions
Exception Submission and Review
(Screenshot callouts: Exception Status; Expiration Date; Exception Scope.)
Demo & Lab 9:
Create an Exception
Troubleshooting
Objectives:
• Learn How To Run Diagnostics
• Learn About The Various Log Files In Nexpose
• Learn How To Use Other Support Resources and the Administration Page
Administration Troubleshooting
• Administration->Troubleshooting->Diagnose->Perform Diagnostics
• Review all items in red
• Firewall issues
• Experiencing UI inconsistencies?
• Database maintenance tasks
• Report Errors in OS Fingerprinting
• Download Log from Administration>History>Download Log
• View Statistics from Administration>Events>View
Log Locations
• Linux Console: /opt/rapid7/nexpose/nsc/logs/
• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Windows Console: \Program Files\rapid7\nexpose\nsc\logs
• nsc.log, nse.log, access.log, auth.log, initdb.log, mem.log
• Engines
• Similar directory BUT nsE instead of nsC
• /opt/rapid7/nexpose/nse/logs/
Logs
• access.log – Accessed resources, i.e. the Web interface; API call, API version and the IP address of the API client
• mem.log – Problems with memory; mem.log shows scanning and reporting memory usage
• auth.log – Log in, log off, account lockouts
• nsc.log – System and application level event tracking, scheduling of operations, or tracking any Maintenance Mode activity
• nse.log – Troubleshoot specific checks. If a check produces an unexpected result, you can look here to determine how the scan target was fingerprinted
• update.log – Contains all information pertaining to update tasking

Updates
• Nexpose can be configured to automatically receive updates for
• Product
• Vulnerability Coverage
• Patching and updating the operating system on which the security console is installed is your responsibility.
Project Sonar
• Project Sonar is a community effort to improve security through the active analysis of public networks.
• This includes running scans across public internet-facing systems, organizing the results, and sharing the data with the information security community.
• Sonar regularly ‘scans the internet’, and the gathered data is archived and made publicly available in cooperation with the University of Michigan.

'Scanning' a Sonar site *does not* perform an assessment of those assets; it simply retrieves archived scan data from Sonar.
Troubleshooting Challenge
Vulnerability and Risk Scoring
Objectives:
• Understand the importance of risk scoring
• Understand the common vulnerability scoring system (CVSS)
• Learn the various Nexpose risk scoring strategies
Vulnerability and Risk Scoring
The Need for Standardized Scoring
• Historically, vulnerability scoring had been done on a vendor-specific level
• Created to address the need for defining & quantifying detected vulnerabilities across enterprise platforms
• No standardization meant that intercommunication/integration between enterprise security applications could not share vulnerability information
CVSS History
• CVSS v.1
• Research commissioned in 2003; DHS accepted in 2004
• Public launch at RSA in 2005; active until 2007
• CVSS v.2
• Public launch in June, 2007; PCI mandated in July, 2007
• CVSS v.3
• Released in late 2015
CVSSv2 Base Metrics
• Exploitability Metrics: Access Vector, Access Complexity, Authentication
• Impact Metrics: Confidentiality, Integrity, Availability
• Scored relative to overall impact
• No awareness of cases in which a flaw in one app impacts other apps
• Access Vector may be unable to rate local system access with physical hardware attacks
• Authentication scores biased towards None/Single
CVSSv3 Base Metrics
• Exploitability Metrics: Access Vector, Access Complexity, Privileges Required, User Interaction
• Impact Metrics: Confidentiality, Integrity, Availability
• Scope: Unchanged, Changed
• Scored relative to impact of affected component
• Scope supports cases in which the vulnerable entity is distinct from the affected entity
• Local and Physical are now distinct in AV
• Privileges Required indicates the greatest privileges required for exploit vs. the number of authentications required
CVSSv2 Exploitability Metrics
• Access Vector: Local (L) = .395; Adjacent Network (A) = .646; Network (N) = 1.0
• Access Complexity: High (H) = .35; Medium (M) = .61; Low (L) = .71
• Authentication: Multiple (M) = .45; Single (S) = .56; None (N) = .704
CVSSv2 Impact Metrics
• Confidentiality: None (N) = 0.0; Partial (P) = .275; Complete (C) = .660
• Integrity: None (N) = 0.0; Partial (P) = .275; Complete (C) = .660
• Availability: None (N) = 0.0; Partial (P) = .275; Complete (C) = .660
CVSSv2 Base Metric Group
Base metric group vector: AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
• AV = Access Vector, AC = Access Complexity, Au = Authentication
• C = Confidentiality, I = Integrity, A = Availability
CVSS Calculating Base Score
Base score for an example vulnerability: AV:N/AC:L/Au:N/C:N/I:N/A:C
• Access Vector = Network = 1.0
• Access Complexity = Low = .71
• Authentication = None = .704
• Confidentiality = None = 0.0
• Integrity = None = 0.0
• Availability = Complete = .66
CVSS Base Scoring Formulas

Impact = 10.41*(1-(1-Confidentiality)*(1-Integrity)*(1-Availability))

Exploitability = 20* AccessVector*AccessComplexity*Authentication

f(impact) = 0 if Impact=0, 1.176 otherwise

BaseScore = (((0.6*Impact)+(0.4*Exploitability)–1.5)*f(Impact))
CVSS Base Scoring - Exploitability

Calculate the Exploitability value:

AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploitability = 20*AccessVector*AccessComplexity*Authentication

Exploitability = 20*(1.0(Network)*.71(Low)*.704(None))

Exploitability = 10.0
CVSS Base Scoring - Impact

Calculate the Impact value:

AV:N/AC:L/Au:N/C:N/I:N/A:C
Impact = 10.41*(1-(1-0.0(None))*(1-0.0(None))*(1-.66(Complete)))

Impact = 6.9
CVSS Base Scoring – f(Impact)

Calculate the f(Impact) value:

f(Impact) = 0 if Impact=0, 1.176 otherwise

Impact =6.9(calculated using Impact equation in step 2)

f(Impact) = 1.176
CVSS Calculating Base Score

Exploitability = 10.0 (Step 1)


Impact =6.9 (Step 2)
f(Impact) = 1.176 (Step 3)
BaseScore=(( (0.6*6.9)+(0.4*10.0)–1.5)*1.176)

BaseScore = 7.8
OpenSSL “Heartbleed” Flaw (CVE-2014-0160)
• CVSSv2: Network-accessible, low complexity, no authentication, partial impact to confidentiality, and no impact to integrity nor availability
• Base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
• CVSSv3: Network-accessible, low complexity, no exploit privileges needed, user interaction not required, scope unchanged, high impact to confidentiality, no impact to integrity, and no impact to availability
• Base score: 6.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Resources: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
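The four-step base score derivation above and the Heartbleed CVSSv2 vector can both be checked with the following calculator, an added example rather than Nexpose code: the metric values and formulas are the ones on the slides, while the vector parser, validation and the half-up rounding helper are the example's own.

```python
"""CVSSv2 base score calculator (added example; not part of Nexpose)."""
from decimal import Decimal, ROUND_HALF_UP

# Exploitability metric values from the CVSSv2 Exploitability Metrics slide
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
# Impact metric values from the CVSSv2 Impact Metrics slide (same for C, I, A)
IMPACT_VALUE = {"N": 0.0, "P": 0.275, "C": 0.660}

# Metric abbreviations as used in the base metric group vector
METRIC_TABLES = {
    "AV": ACCESS_VECTOR,
    "AC": ACCESS_COMPLEXITY,
    "Au": AUTHENTICATION,
    "C": IMPACT_VALUE,
    "I": IMPACT_VALUE,
    "A": IMPACT_VALUE,
}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'L', ...}.

    Tolerates the stray spaces and trailing slash seen on the slides, and
    rejects unknown metrics, unknown values or a missing metric so that a
    typo in a vector cannot silently be scored.
    """
    metrics = {}
    for part in vector.replace(" ", "").strip("/").split("/"):
        name, _, value = part.partition(":")
        if name not in METRIC_TABLES:
            raise ValueError(f"unknown CVSSv2 metric {name!r}")
        if value not in METRIC_TABLES[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    missing = set(METRIC_TABLES) - set(metrics)
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return metrics


def is_valid_vector(vector):
    """True when the vector parses cleanly; False for any malformed input."""
    try:
        parse_vector(vector)
    except ValueError:
        return False
    return True


def round1(x):
    """Round half up to one decimal, the way CVSSv2 scores are reported."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """Return (impact, exploitability, base score) for a CVSSv2 base vector."""
    m = parse_vector(vector)
    c, i, a = (IMPACT_VALUE[m[k]] for k in ("C", "I", "A"))

    # Step 1: Exploitability = 20 * AccessVector * AccessComplexity * Authentication
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )
    # Step 2: Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    # Step 3: f(Impact) = 0 if Impact == 0, 1.176 otherwise; a vector with no
    # C/I/A impact therefore scores 0.0 regardless of how exploitable it is.
    f_impact = 0 if impact == 0 else 1.176
    # Step 4: BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)
    score = 0.0 if f_impact == 0 else ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round1(impact), round1(exploitability), round1(score)


if __name__ == "__main__":
    for v in (
        "AV:N/AC:L/Au:N/C:N/I:N/A:C",   # the deck's worked example -> 7.8
        "AV:N/AC:L/Au:N/C:P/I:N/A:N",   # Heartbleed CVSSv2 vector -> 5.0
        "AV:L/AC:H/Au:M/C:N/I:N/A:N",   # constructed no-impact vector -> 0.0
    ):
        print(v, base_score(v))
```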
Vulnerability and Risk Scoring
• A practical approach to determining which detected vulnerabilities present the greatest risk and likelihood of exploitation to enterprise assets.
• Vendor-specific scoring algorithms used to determine risk values
Real Risk
• This default strategy analyzes potential types of exposures associated with vulnerabilities
• The algorithm applies exploit and malware exposure metrics for each vulnerability to CVSS base metrics for asset impact
• Confidentiality, Integrity, and Availability
• Access Vector, Access Complexity, and Authentication
• Time, Exposure, Malware, Metasploit Modules
Temporal
• This strategy indicates how time continuously increases the likelihood of compromise.
• The calculation applies the age of each vulnerability, based on its date of public disclosure, as a multiplier of CVSS base metrics for likelihood (access vector, access complexity, and authentication requirements) and data impact (confidentiality, integrity, and availability).
TemporalPlus
• This strategy provides a more granular analysis of vulnerability impact, while indicating how time continuously increases the likelihood of compromise and aggregation – relative to other vulnerabilities.
• TemporalPlus risk scores have no maximum, unlike Temporal scores, because TemporalPlus expands the risk contribution of partial impact vectors.
Weighted
• This strategy applies user-defined site importance to a calculation of asset and
vulnerability data to reflect your unique security priorities.
• Factors include:
• Number and severity of vulnerabilities discovered on each asset
• Number and types of services running on each asset
• Class of each asset and its associated risk.
• User-assigned weight or level of importance for any sites
RD = Risk Score for a Device
NC = Number of Critical Vulnerabilities
SC = Average Severity of Critical Vulnerabilities
NS = Number of Severe Vulnerabilities
SS = Average Severity of Severe Vulnerabilities
NM = Number of Moderate Vulnerabilities
SM = Average Severity of Moderate Vulnerabilities
PO = Open Port
SR = Service Risk
RW = Risk Weighting Factor
PCI
• Scale ranges from 1 (lowest severity) to 5 (highest severity).
• Approved Scanning Vendors (ASVs) and other users can assess risk from a PCI perspective.

https://www.rapid7.com/solutions/compliance/pci-dss/
Demo & Lab 10:
Risk Scoring
REPORTING
Objectives:
• Learn how to create report templates
• Learn about the various types of report formats
• Discover useful reports for building a sustainable program
Report Configuration
(Diagram: the Nexpose Report at the centre, surrounded by its configuration elements: Report Template, Report Scope, Report-Specific Configuration, Report Schedule, and Report Distribution and Access)
Report Formats
• Nexpose provides flexible, easy-to-use reporting
• Export in a variety of formats
Report Templates
• Customizable Templates
• Report Templates are made up of Report Sections
• You can edit the template and define which sections
to utilize
• You cannot edit the sections themselves – they are
static
• Static Templates
• Report structure/format cannot be modified
• SQL Query Export Template
• Query the Nexpose reporting data model directly
Report Templates
• Database Export Template
• Export directly to MS-SQL, Oracle or MySQL
• CSV Export Template
• Choose fields to export
• XML
• CyberScope
• SCAP
• XCCDF
Demo & Lab 11:
Create Reports
Certification Overview and
Practice Exam
Objectives:
• Prepare for the Nexpose Certified Administrator exam
Get Certified
• This course includes one attempt at the online exam
• Accessed from the Skilljar environment
• 60 questions: 120 minutes
• Passing score of 80%
• Open book/documentation/notes/product
• https://help.rapid7.com/nexpose/en-us/
• Materials from this course (slide deck and lab guide)
• A running instance of Nexpose with global admin privileges
Directions regarding product certification:

The product training exam exists as a separate lesson within your Skilljar training environment.
After completing class, return to your Skilljar account and select the exam lesson for your class.
Results are displayed immediately upon completion.
Acclaim badges are issued weekly to the registered email address.

Partner program participants certify by taking the technical quiz from the partner portal. Your
program coordinator will notify us of successful completion for badge issue.

If you have any questions/comments/concerns, please reach out to Education_Services@rapid7.com and we would be happy to assist.
Review and Practice Exam
Practice Exam

1. Which of the permissions listed allow a user to view vulnerability data for a site named
‘HQ’? (Select all that apply)

a. A role that allows View Site Asset Data and access to the ‘HQ’ site
b. A role that allows View Group Asset Data and access to the ‘HQ’ site
c. Everyone can see vulnerability findings if they have access to the ‘HQ’ site
d. Global Administrator access
e. None of the above
Practice Exam

2. Why is it recommended to use valid credentials with vulnerability scans?

a. To obtain maximum accuracy and visibility into vulnerability findings.
b. To confirm the NSC user's identity before scanning
c. To ensure a secure session between the NSE and the host(s)
d. For logging and accountability purposes
Practice Exam

3. When sending your diagnostic information to support.rapid7.com you are
doing it over a TLS-encrypted session over port 443.

a. True
b. False
Practice Exam

4. The default risk model for Nexpose is:

a. Weighted risk
b. Real risk
c. Temporal risk
d. PCI ASV 2.0 Risk
Practice Exam

5. To edit a built-in scan template you would:

a. Edit the template directly
b. Delete and re-create the template
c. Copy and paste the template into a new site
d. Copy the template, make changes, and save as a new template, leaving
the old as-is
Practice Exam

6. If the error message "Not enough memory to complete scan" occurs during a
scan, which of the following actions should be considered?

a. Run fewer simultaneous scans
b. Lower the number of scan threads allocated by your scan template
c. Power off the console
d. Both A and B
e. Both A and C
Practice Exam

7. What is the minimum RAM system requirement (in GB) for Nexpose
console installations?

a. 32
b. 4
c. 16
d. 12
e. 8
Practice Exam

8. Which of the following report data export formats can Nexpose output?

a. CSV Export
b. XML Export
c. Database Export
d. CyberScope XML Export
e. All of the above
Practice Exam
9. You have configured a scan for a class C network with the asset scope of
192.168.1.0/24, used the built-in scan template named ‘Full Audit’, and
enabled syslog alerts to your SIEM at 10.1.4.2. You have scheduled the
scan. Your scan has completed as scheduled, but your Policy Evaluation
report has no data. What is the likely cause?

a. The Full Audit template does not include Policy checks.
b. The Syslog alerts are not being delivered correctly.
c. The scan has likely failed.
d. You have input the scope incorrectly.
Practice Exam

10. What URL would you use if trying to reach a remote Nexpose install on
another server?

a. http://servername/nsc:3780
b. https://localhost:3780
c. https://serverIPaddress:3780
d. https://serverIPaddress:40814
Practice Exam

11. You have a single dual-processor Nexpose console with 8GB of RAM and a diverse
geographic network. You currently have no additional scan engines installed. You
are attempting to scan 12 class C networks. Your scans seem to be failing and you
are seeing ‘out of memory’ error entries in the console log. What is the BEST
course of action that you should take to resolve the issue?

a. Increase the console's RAM.
b. Deploy Remote Scan Engines and reassign scans to the engines
c. Increase available memory by stopping unnecessary services.
d. Spread your scans over a longer period.
Practice Exam

12. Specify the items to which you can apply custom tags: (Select all that apply)

a. An individual asset
b. Asset groups
c. Sites
d. Reports
e. Scan templates
Practice Exam

13. Performing a filtered asset search is the first step in creating what type of asset
groups?

a. Full
b. Asset
c. Dynamic
d. Site
Practice Exam

14. Which of the following is a factor in the determination of vulnerability severity
levels?

a. Temporal Scores
b. CVSS Scores
c. Weighted Scores
d. SANS Vulnerability Scores
Practice Exam

15. Match the following log names to the proper description:

Log Name:
1. access.log
2. auth.log
3. nsc.log
4. nse.log
5. mem.log

Description:
a. scan engine system and application level events
b. memory-intensive operations, such as scanning and reporting
c. resources that are being accessed such as pages in the Web interface
d. maintenance mode activity
e. logon or logoff, authentication failures, account lockouts
Advanced Vulnerability Manager
• SQL Query Reports – understand the reporting data model and learn to create
custom queries for export

• Nexpose API – learn about Nexpose automation capabilities using the API, learn to
interact with the API to perform routine tasks.

• Scripting with the Nexpose Ruby Gem – learn the basics of Ruby scripting and
leverage the Nexpose Gem to automate routine tasks and extend functionality

• Nexpose Best Practices – learn tips and tricks to tune and optimize Nexpose to
achieve the best performance and results.

• Advanced Troubleshooting – learn the various ways to troubleshoot Nexpose issues.
We want your feedback!!
Please take 2 minutes to fill out this survey about the class:

https://r-7.co/2ODGuZf

https://docs.google.com/forms/d/e/1FAIpQLSdlUQwqoeSSmqoBskGgE66XW40XcaxB926UgmpH__PWPAXqJg/viewform?c=0&w=1
