Nessus is a great vulnerability scanner. I know very few really good security departments who don’t use it in some form. Its output, however, can be a little bit… shall we say unwieldy? (Those who use it are either laughing or crying at that statement.) Where I work, I’ve set up a weekly meeting where we go over the scan with the engineers and developers and talk about the items. Going through a spreadsheet with 60-600 thousand lines during a meeting can be daunting, but we are now able to do it in 15-20 minutes each week and feel really good about the progress we are making.
This won’t happen overnight. It takes a few meetings before you will have the pattern. It also will require a good bit of prep work. I would like to talk about how I prepare the spreadsheet to get it ready for a video call and how I use it during the meeting.
The first thing you need to do is build a mindset. You won’t be able to talk about everything. You need to hit the major points. It needs to be simple enough for everyone to look at and quickly know what it is they are looking at and how to respond. In addition it all needs to fit on their computer screen. You don’t want to scroll across columns during the meeting, that takes up time which could be used by your team for better things.
The output you get will be a csv more than likely. Convert that over to xlsx. I know some of you are going to say “use google sheets” or “use Libre office.” And they are great pieces of software; I use them both a lot but for this particular task I’ve found excel works the best.
Get a copy of IP Tools for Excel. This tool can do reverse lookups on the list of IP addresses and create a new column with the hostnames. Your engineers will thank you, and it will make the meeting go much smoother with both the IP and the hostname listed on the spreadsheet. (This tool is super cheap and absolutely worth every penny.)
Turn on filters. Highlight the top row (titles) then in excel click the data tab and then click on the filter tool. This will allow you to filter out each column using a dropdown.
Sort. Now sort by the IP address. This will group together the same IP so you’re not going over the same device again and again.
Hide duplicate and large columns. This is where you want to be very liberal. Hide any column which isn’t needed in the meeting. During this meeting you shouldn’t be talking about any one item for more than a few seconds. This means many of the details of the vulnerability need to be left out. You need to keep hiding columns until everything can be read in 1920 pixels across the screen (all your engineers should have a resolution of at least 1920×1080). You’ll also need to leave space for four additional columns which I will get to later. If someone needs more information, they can refer to the full file after the meeting. This should be brief. Here are the columns I leave:
- Risk – Crit, High, Medium, Low, None
- Host – The IP Address
- Hostname – The reverse looked up name from IP Tools
- Port – The port it was found on
- Name – Name of the vulnerability
- Synopsis – Very brief description of the vulnerability
That’s it. I stretch these columns so together they fill the width of the screen.
Widen each column until everything inside the column can be read. This keeps you from having to resize during the meeting.
Add notes columns. I add four note columns:
- Who – person working on this
- Status – Status of fixing the vulnerability
- Plan – What you plan to do (patch, decom) and the time period
- What – Category of what this device is (Database server, Switch)
Keep all your notes very short, 1-3 words max. This will cut down on width.
Filter known. There are many systems or errors you don’t want to talk about during the meeting. Remember, these are things you don’t want to talk about, it’s not that they aren’t important. These are not false positives. Those you should ignore within Nessus. These are actual vulnerabilities you aren’t going to talk about at the meeting. I usually only have 1 or 2 items for every 100 devices. Everything else we will talk about.
There is one other scenario which I filter out. If a device has so many vulnerabilities that you use a separate part of the meeting to talk about it, there is no reason for it to be in this spreadsheet. Those devices tend to be hundreds of lines. You don’t need to take up so much of the meeting scrolling. (I’ve had meetings where a single device was two-thirds of the total lines. I removed it from the spreadsheet and we talked about it separately.)
Rename and copy the tab.
*This is where things get very specific to your particular case. If you have a LOT of both High and Critical, you may want to split them up (this is how a lot of groups start). Most of the time, you will have very few high and critical and a lot of medium.
Rename the tab “High & Critical”, then make a copy of it and rename the new tab (probably named “High & Critical (2)”) to “template”.
In the High & Critical tab, go into your ‘risk’ column and filter for only items listed as High or Critical.
In the template tab, go into your ‘risk’ column and filter for only items listed as ‘medium’.
Copy previous notes. This will take some time. Copy the notes from the previous meeting over to the High & Critical tab for this meeting. Anything which shows up new, highlight it and mark it as new so you’ll be sure to add notes for it during the meeting.
Create medium tabs. In the template tab you should have all your medium risk items. You are going to create some categories and filter the “name” column. For example, I would like all SSL vulnerabilities. I go into the filter, remove all then add back in just the vulnerabilities which have to do with SSL or TLS.
Once this is done, highlight the results, copy them and paste them into a new tab named with the filter. For example I have an SSL-TLS tab and only the items from the filter for SSL-TLS will show up. Now rename the tab.
Make sure you copy and paste the data. If you duplicate the tab and use the filter you will be copying ALL the data into the new tab. These files can get huge, in the hundreds of thousands of lines. If you have all the data in 15 different tabs your computer is going to just give up and go home. You’re already going to notice a significant slowdown with just the regular report.
Your categories will vary. Here are some I use:
- apache tomcat
- Remote Desktop/Terminal Services
Delete the template. Once you have that all done, delete the template.
*EXTRA – reverse lookup. I like to go through the spreadsheet and highlight any server name which shows up as “host not found.” This will allow the DNS engineer to figure out any reverse lookup problems (which are common but don’t show up as Crit, High or Med risk).
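The prep steps above (hide columns, reverse lookup, sort by IP, add the four note columns, carry last week’s notes forward and flag new items, drop the “known” items and the devices that get their own agenda slot, then split into a High & Critical tab and keyword-filtered medium tabs) done in one pass, as an added Python example. This is not the author’s tooling or anything from Tenable; it assumes the default Nessus CSV header (Plugin ID, Risk, Host, Port, Name, Synopsis, …), uses a constructed lookup table in place of DNS and IP Tools so it runs offline, keys notes on (Host, Port, Plugin ID), which is my choice, adds an “Other Medium” tab the post doesn’t have so nothing silently drops out, and writes one CSV per tab for import into Excel. All plugin IDs, hosts, hostnames and notes are made up.

```python
"""Prep a Nessus CSV export for the weekly meeting.  Added example, not the
author's own tooling; assumes the default Nessus CSV header (Plugin ID, Risk,
Host, Port, Name, Synopsis, ...) and writes one CSV per tab for Excel."""
import csv
import io
import ipaddress
import socket
from collections import Counter
from pathlib import Path

KEEP = ["Risk", "Host", "Hostname", "Port", "Name", "Synopsis"]  # columns left visible
NOTES = ["Who", "Status", "Plan", "What"]  # the four note columns
CATEGORIES = {  # medium-risk tabs by keyword in Name; "/" is not allowed in an Excel tab name
    "SSL-TLS": ("ssl", "tls"),
    "Apache Tomcat": ("tomcat",),
    "Remote Desktop-Terminal Services": ("remote desktop", "terminal services"),
}
# Constructed sample export: made-up plugin IDs, hosts and findings.
SAMPLE_CSV = """Plugin ID,Risk,Host,Port,Name,Synopsis,Description,Solution
1001,Medium,10.0.0.20,443,SSL Certificate Expiry,Certificate has expired.,long text,Renew it
1002,High,10.0.0.5,8080,Apache Tomcat Default Files,Default files present.,long text,Remove them
1003,Critical,10.0.0.20,22,OpenSSH Outdated Version,Old OpenSSH.,long text,Upgrade
1004,None,10.0.0.5,0,Nessus Scan Information,Scan metadata.,long text,n/a
1005,Medium,10.0.0.5,3389,Terminal Services Encryption Level,Weak RDP crypto.,long text,Raise level
1006,Medium,10.0.0.20,443,TLS Version 1.0 Protocol Detection,TLS 1.0 enabled.,long text,Disable
1007,Medium,10.0.0.5,80,Web Server Uses Basic Auth,Cleartext creds.,long text,Use HTTPS
1002,High,10.0.0.105,8080,Apache Tomcat Default Files,Default files present.,long text,Remove them
1008,Medium,10.0.0.105,8080,Apache Tomcat Version Disclosure,Version shown.,long text,Hide it
"""
# Constructed stand-in for reverse DNS so the example runs offline; 10.0.0.105 has no PTR.
SAMPLE_DNS = {"10.0.0.5": "web01.example.internal", "10.0.0.20": "db01.example.internal"}
# Constructed notes from last week's sheet, keyed by (Host, Port, Plugin ID).
SAMPLE_PREVIOUS = {("10.0.0.20", "22", "1003"):
                   {"Who": "alice", "Status": "patching", "Plan": "patch 2w", "What": "DB server"}}

def reverse_lookup(ip, table=None):
    """PTR name for ip, or 'host not found'; `table` replaces live DNS when given."""
    if table is not None:
        return table.get(ip, "host not found")
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror is an OSError subclass
        return "host not found"

def finding_key(row):
    return (row["Host"], row["Port"], row["Plugin ID"])

def build_tabs(csv_text, previous_notes=None, skip_plugins=(), max_lines_per_host=200, dns_table=None):
    """Hide columns, resolve names, carry notes forward, drop known/oversized hosts, sort, split."""
    previous_notes = previous_notes or {}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_host = Counter(r["Host"] for r in rows)  # a device with too many lines gets its own agenda item
    kept = []
    for r in rows:
        if r["Plugin ID"] in skip_plugins or per_host[r["Host"]] > max_lines_per_host:
            continue
        slim = {c: r.get(c, "") for c in KEEP}
        slim["Plugin ID"] = r["Plugin ID"]  # not a visible column, but needed to match notes next week
        slim["Hostname"] = reverse_lookup(r["Host"], dns_table)
        notes = previous_notes.get(finding_key(r), {"Status": "NEW"})  # not seen last week: flag it
        for c in NOTES:
            slim[c] = notes.get(c, "")
        kept.append(slim)
    # Sort by numeric address: a string sort would put 10.0.0.105 before 10.0.0.20.
    kept.sort(key=lambda r: (ipaddress.ip_address(r["Host"]), int(r["Port"] or 0)))
    tabs = {"High & Critical": [r for r in kept if r["Risk"] in ("High", "Critical")]}
    mediums = [r for r in kept if r["Risk"] == "Medium"]
    for tab, words in CATEGORIES.items():
        tabs[tab] = [r for r in mediums if any(w in r["Name"].lower() for w in words)]
    every_word = [w for ws in CATEGORIES.values() for w in ws]
    tabs["Other Medium"] = [r for r in mediums if not any(w in r["Name"].lower() for w in every_word)]
    return tabs

def missing_reverse(tabs):
    """Hosts whose PTR lookup failed, for the DNS engineer (the *EXTRA step above)."""
    return {r["Host"] for rows in tabs.values() for r in rows if r["Hostname"] == "host not found"}

def collect_notes(tabs):
    """This week's notes in the shape build_tabs() expects as previous_notes next week."""
    return {finding_key(r): {c: r[c] for c in NOTES} for rows in tabs.values() for r in rows}

def write_tabs(tabs, directory):
    """One CSV per tab holding only the visible and note columns, ready to import into Excel."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    for tab, rows in tabs.items():
        with (out / f"{tab.replace(' ', '_')}.csv").open("w", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=KEEP + NOTES, extrasaction="ignore")
            writer.writeheader()
            writer.writerows(rows)

def prep_sample(max_lines_per_host=200):
    """Whole pipeline on the constructed sample; plugin 1004 is the agreed 'known' item."""
    return build_tabs(SAMPLE_CSV, SAMPLE_PREVIOUS, {"1004"}, max_lines_per_host, SAMPLE_DNS)

if __name__ == "__main__":
    write_tabs(prep_sample(), "meeting_tabs")  # hypothetical output directory
    print("no PTR record:", sorted(missing_reverse(prep_sample())))
```

Running it writes `High_&_Critical.csv`, `SSL-TLS.csv`, `Apache_Tomcat.csv`, `Remote_Desktop-Terminal_Services.csv` and `Other_Medium.csv`; the rows of the three made-up Tomcat and SSL findings land where the post’s filters would put them, the finding that was in last week’s notes keeps its Who/Status/Plan/What, and the rest show `NEW` in Status so you know to fill them in during the meeting. After the meeting, `collect_notes()` on the edited tabs gives you next week’s `previous_notes`, which is the “copy previous notes” step done once instead of by hand.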
During the meeting
These meetings can get out of control fast, more so than most meetings. Make sure you have a plan and move quickly through the items.
Go over caveats
- Make sure you mention when the scan was run and that any changes after this scan will not show up. I do this at every meeting.
- Mention any special cases which will not show up on the spreadsheet
- Talk about anything that happened between the last meeting and this one. For example, a new version of apache, or a new exploit which was released. Don’t dwell on this though, mention it and move on.
Start on the Critical/High Risk tab, or the tab you set up as your highest priority. Go through one item at a time, but go through them fast: ask the status, add or change notes and move on. Make sure you acknowledge things that have fallen off and been fixed.
Go over lower risk as a group. Don’t go over your low risk individually. Do it as a group. “These are the SSL vulnerabilities, who is looking at these?” Put a name on the group and move on.
Ask for questions or concerns. When you’re done, always ask if there are any questions or concerns.
Make the file available. Make sure both the original file and the meeting file are available to everyone at the meeting. That could be in an email, on a wiki, in chat, on Sharepoint… however you do it. Just make sure everyone knows how to get to it and they can do so easily.
That’s your vulnerability meeting! I suggest having these at least once a week for even a small network. If you do your prep-work it will go smoothly and quickly and not be too much of a burden for your staff!