Figure: the vulnerability management lifecycle, with Assets at the centre of the cycle Discover, Assess, Prioritize, Remediate, Verify, Report.
Nexpose Vulnerability Management
• Security assessment for the modern network
• Identify what’s important to your business
• Use attacker mindset to find weaknesses
• Use critical threat awareness from Metasploit
• Prioritize business risks that matter
• Create concise actionable remediation plans
• Perform fast, unified security & compliance assessment
• Automate workflows
• Leverage built-in Audit & PCI report templates
Efficient Security Assessment
• Consolidated reporting
Understand Business Context
• Automatic classification
• Identify important systems and assign remediation owners
Nexpose Architecture
Objectives:
• Understand the components of the Nexpose architecture
Nexpose Components
Figure: architecture diagram. Communication paths shown:
• Browser/API client to the Nexpose Security Console (NSC): https://x.x.x.x:3780
• NSC to Nexpose Scan Engine (NSE): TCP 40814
• NSE to scan targets: all TCP/UDP ports
• NSC to http://updates.rapid7.com:80 (product and content updates)
• NSC to its PostgreSQL database: TCP 5432
Figure: annotated screenshots of the console home page. Callouts: "Risk and Assets Over Time" chart (click and drag to zoom, hamburger menu to print); Asset Overview; Site Overview (Scan Now, Edit or Delete a Site; click to sort columns); Current Scan Statistics; Asset Group Overview; Asset Tags Overview.
DEMO - NAVIGATING THE USER INTERFACE
The Scan Process
Objectives:
• Understand the Scanning Process
• The Importance of the Scan Template
Scan Process Overview
Discovery > Port Scan > Service Fingerprinting > OS Fingerprinting > Unconfirmed Vulnerability Checks > Confirmed Vulnerability Checks > Policy Checks
NSC > NSE: Go and find all ‘alive’ devices
Using ICMP Ping, ARP Ping, TCP and/or UDP Port Scanning
NSC > NSE: What services are running on the open ports?
• Service Fingerprinting
• Nexpose tries to determine which services/processes are running on the open ports detected in the previous step.
• Methods:
• Banner-grabbing
• IP stack analysis
• Service fingerprinting for custom configurations
• Map a custom port to a service name in default-services.properties
NSC > NSE: What OS are we dealing with?
• OS Fingerprinting: using the information collected in the previous scan stages, the scan attempts to guess which operating system is running on the asset.
• Recog is a framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.
• It consists of XML fingerprint files and an assortment of code, mostly in Ruby, that makes it easy to develop, test, and use the contained fingerprints.
• A score indicating how certain the scan is about its guess is kept, and the highest-ranked guess is used by the other stages of the scan.
NSC > NSE: What OS are we dealing with? (continued)
• OS Fingerprinting
• Credentialed vs. Non-credentialed scans.
• Only scans using administrator/root will provide a Certainty of 1.
• Credentials with less than administrator/root privileges may show a Certainty of 0.85
• Credentialed scans are necessary for policy scans, client side and some system configuration
related vulnerability detection.
• Unconfirmed Vulnerability Checks
• Primarily checks based on patch and version information. They establish that a version of software known to have an issue is present, but do not confirm that the specific issue exists. For example, a version of software may ship with a default password; the check reports that version as present and possibly carrying default credentials even if the credentials have already been changed.
Nexpose includes a variety of preconfigured scan templates to help you assess your vulnerabilities according to best practices for a given need.
Scan Template Configuration
• Defines ‘how’ to discover/scan assets
• Discovery
• Vulnerabilities
• Policy Checks
• Web Spidering
• Each scan template can be cloned for ease of customization
• The types of checks you enable determine which variables you can customize
Demo & Lab 1:
Creating Custom Templates
Organizing Your Data
Objectives:
• Understand the role of sites and developing a site strategy
• Learn to leverage asset groups for analysis and reporting
• Learn to leverage asset tags for providing context
Site Overview
Figure: a site is configured with Scan Templates, a Scan Engine, a Scan Schedule (optional) and Scan Alerts (optional).
Asset Groups
• Dynamic: membership is subject to change; the group is automatically cleaned/updated as scan data changes
• Static: constant data set; suited to comparative reporting
• Example groupings by platform/product: Windows, Linux, Networking Devices
Demo & Lab 3:
Create Asset Groups
RealContext (aka Asset Tagging)
• Allows the ability to provide business context around your assets by applying
tags
• Built-in Tags
• Criticality
• Location
• Owner
• Custom Tags
• Examples: PCI, DMZ, SOC, XYZ Network, DEV, XYZ Application, etc..
RealContext - Adjust Risk By Criticality
• Apply risk multipliers to assets
• Adjust configurable risk score multiplier based on criticality
• Disabled by default
RealContext Best Practices
• A threat is any potential danger to information or systems.
• A vulnerability describes the circumstances of a system that make it susceptible to damage.
• A risk is the likelihood of a threat taking advantage of a validated vulnerability.
Remediation of Vulnerabilities
Analyzing the vulnerabilities discovered in scans is a critical step in improving your security
posture. Examining these will help prioritize remediation:
• Frequency
• Affected assets
• Risk level
• Exploitability
Demo & Lab 5:
Remediation and Scanning
Security Analytics
Objectives:
• Learn about Nexpose Security Analytics
• Learn the types of automated actions
• Learn how to create and use automated actions
Security Analytics – Automated Actions
• Certain “Trigger” events initiate automated actions
• Automatically discover and assess DHCP
Full Attack Visibility and Assessment
Scan Engines
• Highly Scalable
• Unified Platform & Management
• Flexible Deployment
• Standards-based API
Figure: deployment diagram showing a Console, a Backup Console, distributed Engines and a Firewall.
• Factors that feed into determining the deployment architecture and resource requirements are:
• Number and frequency of reports
• Scan data retention
• Scan frequency
• Report retention
• Total number of IPs scanned
• Deployment architecture
• Network architecture
System Requirements
• Minimum: 2 GHz+ processor or higher; 8 GB RAM (64-bit)
• Recommended: 2 x 2 GHz quad-core processor or higher; 16-96 GB RAM (64-bit)*
While a single scan engine is capable of scanning in excess of 20,000 assets per day, it is recommended
to distribute scans across multiple scan engines for optimal performance.
Currently Supported Operating Systems
64-bit versions of the following platforms are supported.
• Ubuntu Linux 14.04 LTS
• Ubuntu Linux 16.04 LTS
• Ubuntu Linux 18.04 LTS
• Microsoft Windows Server 2008 R2
• Microsoft Windows Server 2012 R2
• Microsoft Windows Server 2016
• Microsoft Windows 8.1
• Microsoft Windows 7 SP1
• Red Hat Enterprise Linux Server 7
• Red Hat Enterprise Linux Server 6
• CentOS 7
• Oracle Linux 7
Scan Perspectives
• Deployment architecture
• Scan Engine placement, in-line networking devices, types of devices
• Objectives for scanning
• Compliance, vulnerability management, validation
• Streamlining running and scheduling scans
• Asset availability, scan windows, data for reporting
• Software Coverage
• https://kb.help.rapid7.com/docs/nexpose-vulnerability-coverage
• Software list encompasses those products and services that we are
specifically committed to providing ongoing, automated coverage.
Scan Perspective - Internal
Figure: your internal network. Headquarters (2000 assets) hosts the NSC/NSE; the DMZ (50 assets) has its own NSE; a Satellite Office (1000 assets) reached over VPN and a Remote Sales Office (250 assets) reached over a WAN link each have a local NSE.
Scan Perspective - External
• Scan traffic originates from an NSE located outside your perimeter firewall
• Targets devices located on the company extranet
• Provides the ‘outside looking in’ perspective
• True attacker perspective of your network
• Rapid7 offers these ‘Hosted Services’ and Project Sonar
Scan Perspective - External
Figure: a hosted NSE in the Rapid7 Datacenter scans the DMZ (50 assets) through the perimeter firewall, so only open ports are visible to it; the NSC/NSE at Headquarters (2000 assets) manages the hosted engine over TCP 40814.
Scan Perspective - Hybrid
• Scans utilize multiple strategically located NSE’s
• Can be both internal/externally located
• Use Cases for a Distributed Scanning Strategy
• Large number of target IP addresses
• Highly segmented network
• Bandwidth restrictions
Scan Perspective - Hybrid
Figure: a hosted NSE in the Rapid7 Datacenter provides the external view, while the DMZ (50 assets) has its own NSE, Headquarters (2000 assets) hosts the NSC/NSE, and the Remote Sales Office (250 assets, reached over a WAN link) has a local NSE.
Installing Nexpose
Objectives:
• Install Nexpose on a Windows/Linux Server
Windows Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-
installers-md5sum-files-and-virtual-appliances
• Console + Scan Engine or Scan Engine Only
• Services
• Nexpose Security Console - Automatic
• Download the appropriate md5sum file to ensure that the installer
was not corrupted during download.
Linux Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-
md5sum-files-and-virtual-appliances
• chmod +x Rapid7Setup-Linux64.bin
• Console + Scan Engine or Scan Engine Only
• Textual-based Installer
• ./Rapid7Setup-Linux64.bin
• Disable SELinux
• Download the appropriate md5sum file to ensure that the installer was
not corrupted during download.
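The md5sum check from the installation steps above, carried through as an added example (not Rapid7's code). It parses an md5sum-format file (the `<hex digest>  <filename>` layout that `md5sum -c` consumes, which this example assumes the vendor file follows), hashes the downloaded installer in chunks and compares the two. The installer name, the sample bytes and the checksum file are constructed inside `demo()` so the block runs offline. The caveat in `verify_installer` matters in practice: a matching MD5 shows the download was not corrupted, which is all the deck claims for it; it is not proof of who published the file.

```python
"""Verify a downloaded installer against an md5sum file before running it.

Added example, not Rapid7 code. Assumes the md5sum file uses the GNU
coreutils layout ("<hexdigest>  <filename>" or "<hexdigest> *<filename>").
The installer name and sample bytes below are constructed for the demo.
"""
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_md5sum_file(text):
    """Return {filename: hexdigest} from md5sum-formatted text."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")      # text mode: two spaces
        if not sep:
            digest, sep, name = line.partition(" *")  # binary mode: " *"
        digest = digest.lower()
        name = name.strip().lstrip("*")
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError("malformed md5sum line: %r" % raw)
        expected[name] = digest
    return expected


def md5_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(installer_path, md5sum_text):
    """True only if the installer's MD5 equals the entry for its basename.

    A match shows the download was not corrupted in transit. It does not
    prove who published the file: anyone who can alter the download can
    alter a checksum served beside it, so fetch the md5sum file over HTTPS
    from the vendor site rather than from the same mirror as the binary.
    """
    name = os.path.basename(installer_path)
    expected = parse_md5sum_file(md5sum_text)
    if name not in expected:
        raise KeyError("no md5sum entry for %s" % name)
    return md5_of_file(installer_path) == expected[name]


def demo():
    """Constructed demo: a fake installer, its genuine checksum, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Rapid7Setup-Linux64.bin")   # placeholder name
        with open(path, "wb") as f:
            f.write(b"\x7fELF" + b"constructed installer bytes" * 1000)
        md5sum_text = "%s  Rapid7Setup-Linux64.bin\n" % md5_of_file(path)
        genuine = verify_installer(path, md5sum_text)
        with open(path, "ab") as f:        # simulate a corrupted or altered download
            f.write(b"\x00")
        tampered = verify_installer(path, md5sum_text)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Run it after downloading: `verify_installer("/path/to/Rapid7Setup-Linux64.bin", open("Rapid7Setup-Linux64.bin.md5sum").read())` must return True before you `chmod +x` and execute the installer.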
Installation Process
• Default Install Directory
• C:\Program Files\rapid7\nexpose
• /opt/rapid7/nexpose
• Verify you meet the minimum
requirements
• Default PostgreSQL Listener Port: 5432
• Company Info
• Uses this information to create SSL
certificates and be included in requests to
technical support
• Create an initial Admin user with strong
password
Manage Scan Engines
Objectives:
• Learn How To Create A Scan Engine
• Learn How To Manually Pair An Engine
• Learn About Engine Pooling
Scan Engine Quantity
• Not an exact science…
• How many assets do you want to scan?
• How fast do you want to scan them?
• How much resources are you allocating to your engines?
Scan Engine Placement
• For the most efficient performance and comprehensive scan results, scan engines should:
• Be located as close as possible to the assets being scanned
• Be placed inside demilitarized zones and other secured network segments
• Be distributed to geographical regions/locations, depending on the number of assets to be scanned and the bandwidth between the engine and the target assets
• Be placed behind, or at the very least allow-listed through, firewalls and other security controls
Scan Engine Performance
• Scan times vary
• Non-credentialed scans on a single asset can take an average of 5 minutes,
depending on the device type, with no web spidering.
• Credentialed scans on a single asset can take an average of 7-10 minutes,
depending on device type, with no web spidering.
• Web spider Non-credentialed scans on a single asset can be around 15 minutes.
• Web spider credentialed scans on a single asset can be around 20 minutes.
Adjust simultaneous assets per engine count in scan template to fully utilize scan engine.
Scan Engine Management
Figure: annotated screenshot of the Scan Engines page. Callouts: Force Update the Engine; Engines; Current Status; Currently Running Version; Refresh the Status.
Pairing a Distributed Scan Engine
• Console to engine configuration communicates on port 40814
• Engine to console configuration communicates on port 40815
• Two step pairing process:
• Generate key in Console
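A connectivity check for the pairing ports listed above, as an added example (not Rapid7 code). The useful part is that it separates a refused connection (the host answers, nothing is listening, typically a stopped engine service) from a timeout (no answer at all, typically a firewall dropping the SYN), which is the distinction you need when pairing fails or when the Troubleshooting page flags firewall issues. Port numbers come from the deck; the host names in `REQUIRED_FLOWS` are placeholders, and `demo()` opens a listener on the loopback interface so the block can be exercised offline.

```python
"""Probe the TCP paths a Security Console / Scan Engine pair relies on.

Added example, not Rapid7 code. Ports are taken from the training deck:
console -> engine TCP 40814, engine -> console TCP 40815, browser/API ->
console TCP 3780. Host names are placeholders for your own systems.
"""
import socket

# (label, host, port). Run the console->engine probe from the console host
# and the engine->console probe from the engine host: a firewall between
# them can permit one direction and block the other.
REQUIRED_FLOWS = [
    ("console -> engine (pairing)", "engine.example.internal", 40814),
    ("engine -> console (pairing)", "console.example.internal", 40815),
    ("browser/API -> console", "console.example.internal", 3780),
]


def probe(host, port, timeout=3.0):
    """Classify the outcome of a TCP handshake attempt.

    'open'       handshake completed
    'refused'    host answered with RST: nothing listening (service down?)
    'timeout'    no answer at all: typical of a firewall dropping the SYN
    'unresolved' name did not resolve
    'error'      anything else (no route, permission denied, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:            # must precede OSError: it is a subclass
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "unresolved"
    except OSError:
        return "error"


def check_flows(flows, timeout=3.0):
    """Return {label: status} for a list of (label, host, port) tuples."""
    return {label: probe(host, port, timeout) for label, host, port in flows}


def demo():
    """Offline demonstration on loopback: a listening port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # ephemeral port stands in for 40814
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe("127.0.0.1", port, timeout=1.0)
    listener.close()                        # the engine service "stops"
    after_close = probe("127.0.0.1", port, timeout=1.0)
    return {"listening": while_listening, "closed": after_close}


if __name__ == "__main__":
    print(demo())                           # {'listening': 'open', 'closed': 'refused'}
    for label, status in check_flows(REQUIRED_FLOWS).items():
        print("%-32s %s" % (label, status))
```

A result of "timeout" on 40814 from the console host, with the engine service confirmed running, points at a firewall or routing problem rather than at the pairing key.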
Credentialed Scanning
Objectives:
• Learn The Importance Of Using Credentials
• Learn The Different Types Of Credentials
• Learn How To Add Shared And Site Credentials
Credentialed Scans
• Allows target assets to be
scanned with authentication
• 100% OS/Service Fingerprint
• Identify local/client-side patch
and configuration
vulnerabilities
• Reduces false-positives
• Allow for policy/configuration
benchmark scans
Credential Management
Two types of scan credentials available:
• Shared
• Shared scan credentials allow a user
to use the same credentials across
multiple sites
• Can select which sites to apply
• Site-specific
• Site-specific credentials limit the
credentials scope to just the assets
defined in the site
Encryption Types
To ensure the security of the application, Nexpose uses the following types of encryption
algorithm keys in these areas:
• Identification/authentication: RSA
• Credential password storage: RSA
• Connection to the Web interface: RSA and HTTP over SSL
• Credential encryption: 3DES encrypted with RSA
• Zip files generated for diagnostic information to be uploaded to support.rapid7.com: PGP KeyID: 959D3EDA
• Upload diagnostic information to a server at support.rapid7.com: TLSv1.2
• Security Console to Scan Engine communication: TLSv1.2, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
for backwards compatibility, and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
Demo & Lab 8:
Manage Credentials
Vulnerability Exceptions
Objectives:
• Learn Why Exceptions Are Important
• Understand The Exception Workflow
• Learn How To Create And Approve Vulnerability Exceptions
Exceptions
• Prevents excepted vulnerabilities from being counted in charts, graphs and reports
• Reason
• Compensating Control
• Acceptable Use/Risk
• False Positive
• Exception workflow allows for dual control
• Vulnerability Exception Scopes can include:
• All instances on an asset
• All instances on all assets
• All instances in the selected asset groups
• Exception Expiration
• Report created specifically for Vulnerability Exceptions
Exception Submission and Review
Exception Status
Expiration Date
Exception Scope
Demo & Lab 9:
Create an Exception
Troubleshooting
Objectives:
• Learn How To Run Diagnostics
• Learn About The Various Log Files In Nexpose
• Learn How To Use Other Support Resources and the Administration Page
Administration
Troubleshooting
• Administration->Troubleshooting->Diagnose->Perform
Diagnostics
• Review all items in red
• Firewall issues
• Experiencing UI inconsistencies?
• Database maintenance tasks
• Report Errors in OS Fingerprinting
• Download Log from Administration>History>Download Log
• View Statistics from Administration>Events>View
Log Locations
• mem.log: problems with memory; shows scanning and reporting memory usage.
• nsc.log: system- and application-level event tracking, scheduling of operations, and any Maintenance Mode activity.
• nse.log: troubleshooting specific checks; if a check produces an unexpected result, look here to determine how the scan target was fingerprinted.
• Patching and updating the operating system on which the security console
is installed is your responsibility.
Project Sonar
• Project Sonar is a community effort to improve security through the active analysis of public networks.
• This includes running scans across public internet-facing systems, organizing the results, and sharing the
data with the information security community.
• Sonar regularly ‘scans the internet’ and gathered data is archived and made publicly available in
cooperation with the University of Michigan.
'Scanning' a Sonar site *does not* perform an assessment of those assets, it simply retrieves archived scan data from Sonar.
Troubleshooting
Challenge
Vulnerability and Risk Scoring
Objectives:
• Understand the importance of risk scoring
• Understand the common vulnerability scoring system (CVSS)
• Learn the various Nexpose risk scoring strategies
Vulnerability and Risk Scoring
The Need for Standardized Scoring
• Historically, vulnerability scoring had been done on a vendor-specific level
• CVSS was created to address the need for defining and quantifying detected vulnerabilities across enterprise platforms
• Without a standard, enterprise security applications could not share or integrate vulnerability information
CVSS History
• CVSS v.1
• Research commissioned in 2003;
DHS accepted in 2004
• Public launch at RSA in 2005; Active
until 2007
• CVSS v.2
• Public launch in June, 2007; PCI
mandated in July, 2007
• CVSS v.3
• Released in late 2015
CVSSv2 Base Metrics
Exploitability metrics: Access Vector, Access Complexity, Authentication
Impact metrics: Confidentiality, Integrity, Availability
Known limitations:
• Scored relative to overall impact
• No awareness of cases in which a flaw in one app impacts other apps
• Access Vector may be unable to rate local system access with physical hardware attacks
• Authentication scores biased towards None/Single
Vector: AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
Impact = 10.41 * (1 - (1 - Confidentiality) * (1 - Integrity) * (1 - Availability))
BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)
CVSS Base Scoring - Exploitability
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
Exploitability = 20 * 1.0 (Network) * 0.71 (Low) * 0.704 (None) = 10.0
CVSS Base Scoring - Impact
Impact = 10.41 * (1 - (1 - 0.0 (None)) * (1 - 0.0 (None)) * (1 - 0.66 (Complete))) = 6.9
CVSS Base Scoring – f(Impact)
f(Impact) = 0 if Impact = 0, otherwise 1.176; here f(Impact) = 1.176
CVSS Calculating Base Score
BaseScore = ((0.6 * 6.9) + (0.4 * 10.0) - 1.5) * 1.176 = 7.8 (rounded to one decimal)
OpenSSL “Heartbleed” Flaw (CVE-2014-0160)
Figure: the slide shows the CVSSv3 and CVSSv2 scores for this vulnerability side by side.
Resources: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
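The base-score calculation above, carried through in code as an added example (not Rapid7's or FIRST's code). It parses a CVSSv2 base vector in the notation the deck uses, applies the metric weights from the CVSS v2 specification (Access Vector L/A/N = 0.395/0.646/1.0; Access Complexity H/M/L = 0.35/0.61/0.71; Authentication M/S/N = 0.45/0.56/0.704; C/I/A N/P/C = 0/0.275/0.660) and rounds each sub-score to one decimal as the specification does, so it reproduces the 10.0, 6.9 and 7.8 worked above. It also handles the case the worked example skips, f(Impact) = 0 when all three impact metrics are None, and rejects malformed vectors. The CVSSv2 vector NVD publishes for CVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) is included as a second input.

```python
"""CVSS v2 base score calculator for the vector notation used in the deck.

Added example, not Rapid7 code. Metric weights are those of the CVSS v2
specification; rounding follows the spec (one decimal, halves rounded up).
"""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None, Partial, Complete

REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C/' -> {'AV': 'N', ...}.

    Tolerates stray spaces and a trailing slash, as in the deck's slides.
    """
    metrics = {}
    for item in vector.replace(" ", "").strip("/").split("/"):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError("bad metric %r in %r" % (item, vector))
        metrics[key] = value
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError("vector %r lacks %s" % (vector, ", ".join(missing)))
    return metrics


def round1(x):
    """CVSS rounds to one decimal with halves rounded up; float round() does not."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base(vector):
    """Return impact, exploitability and base scores for a CVSS v2 base vector."""
    m = parse_vector(vector)
    try:
        c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
        av, ac, au = ACCESS_VECTOR[m["AV"]], ACCESS_COMPLEXITY[m["AC"]], AUTHENTICATION[m["Au"]]
    except KeyError as bad:
        raise ValueError("unknown metric value %s in %r" % (bad, vector))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    f_impact = 0.0 if impact == 0 else 1.176     # the spec's f(Impact)
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {
        "impact": round1(impact),
        "exploitability": round1(exploitability),
        "base": round1(base),
    }


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:N/ I:N/A:C/",   # the deck's worked example -> base 7.8
              "AV:N/AC:L/Au:N/C:P/I:N/A:N",     # CVE-2014-0160 (Heartbleed) per NVD -> 5.0
              "AV:N/AC:L/Au:N/C:N/I:N/A:N"):    # no impact at all -> 0.0
        print(v, cvss2_base(v))
```

Note that the sub-scores are rounded only for display; the base score is computed from the unrounded impact and exploitability, which is why 6.9 and 10.0 on the slide still give 7.8.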
Vulnerability and Risk Scoring
https://www.rapid7.com/solutions/compliance/pci-dss/
Demo & Lab 10:
Risk Scoring
REPORTING
Objectives:
• Learn how to create report templates
• Learn about the various types of report formats
• Discover useful reports for building a sustainable program
Report Configuration
Figure: the elements of a report configuration: Report Template, Report Scope, Report-specific Configuration, Report Schedule, Report Distribution and Access, Report Formats.
The product training exam exists as a separate lesson within your Skilljar training environment.
After completing class, return to your Skilljar account and select the exam lesson for your class.
Results are displayed immediately upon completion.
Acclaim badges are issued weekly to the registered email address.
Partner program participants certify by taking the technical quiz from the partner portal. Your
program coordinator will notify us of successful completion for badge issue.
1. What permissions listed allows a user to view vulnerability data for a site named
‘HQ’? (Select all that apply)
a. A role that allows View Site Asset Data and access to the ‘HQ’ site
b. A role that allows View Group Asset Data and access to the ‘HQ’ site
c. Everyone can see vulnerability findings if they have access to the ‘HQ’ site
d. Global Administrator access
e. None of the above
Practice Exam
a. True
b. False
Practice Exam
a. Weighted risk
b. Real risk
c. Temporal risk
d. PCI ASV 2.0 Risk
Practice Exam
6. If the error message "Not enough memory to complete scan" occurs during a
scan, which of the following actions should be considered?
7. What is the minimum RAM system requirement (in GB) for Nexpose
console installations?
a. 32
b. 4
c. 16
d. 12
e. 8
Practice Exam
8. Which of the following report data export formats can Nexpose output?
a. CSV Export
b. XML Export
c. Database Export
d. CyberScope XML Export
e. All of the above
Practice Exam
9. You have configured a scan for a class C network with the asset scope of
192.168.1.0/24, used the built in scan template named ‘Full Audit’, and
enabled syslog alerts to your SIEM at 10.1.4.2. You have scheduled the
scan. Your scan has completed as scheduled, but your Policy Evaluation
report has no data. What is the likely cause?
10. What URL would you use if trying to reach a remote Nexpose install on
another server?
a. http://servername/nsc:3780
b. https://localhost:3780
c. https://serverIPaddress:3780
d. https://serverIPaddress:40814
Practice Exam
11. You have a single dual-processor Nexpose console with 8GB of RAM and a diverse
geographic network. You currently have no additional scan engines installed. You
are attempting to scan 12 class C networks. Your scans seem to be failing and you
are seeing ‘out of memory’ errors entries in the console log. What is the BEST
course of action that you should take to resolve the issue?
12. Specify the items to which you can apply custom tags: (Select all that apply)
a. An individual asset
b. Asset groups
c. Sites
d. Reports
e. Scan templates
Practice Exam
13. Performing a filtered asset search is the first step in creating what type of asset
groups?
a. Full
b. Asset
c. Dynamic
d. Site
Practice Exam
a. Temporal Scores
b. CVSS Scores
c. Weighted Scores
d. SANS Vulnerability Scores
Practice Exam
• Nexpose API – learn about Nexpose automation capabilities using the API, learn to
interact with the API to perform routine tasks.
• Scripting with the Nexpose Ruby Gem –learn the basics of Ruby scripting and
leverage the Nexpose Gem to automate routine tasks and extend functionality
• Nexpose Best Practices – learn tips and tricks to tune and optimize Nexpose to
achieve the best performance and results.
https://r-7.co/2ODGuZf
https://docs.google.com/forms/d/e/1FAIpQLSdlUQwqoeSSmqoBskGgE66XW40XcaxB926UgmpH__PWPAXqJg/viewform?c=0&w=1