Authenticated Scans Guideline

UC Berkeley security policy mandates compliance with Minimum Security Standard for Electronic Information for devices handling covered data.  The recommendations below are provided as optional guidance for continuous vulnerability assessment and remediation.

Requirement

Resource Custodians must implement authenticated scans for vulnerability assessment for core systems. Campus-provided scanning resources and campus-licensed software may be implemented to meet this requirement.

Description of Risk

Attackers can discover and compromise covered data on devices that are not secured against vulnerabilities.

Recommendations

An authenticated scan is an essential tool for obtaining accurate vulnerability information on covered devices: the scanner logs in to each scanned device and collects detailed information about the operating system and installed software, including configuration issues and missing security patches, that an unauthenticated network scan can only infer.  The additional detail provided by an authenticated scan allows resource proprietors and resource custodians to better mitigate risks to covered data and reduce the likelihood of successful attacks against covered devices.  To ensure timely discovery of vulnerabilities, authenticated scans should be executed at least once a month on covered devices, which include sysadmin and core devices.  For additional guidance on managing a vulnerability scanning program, such as remediation and scan metrics, please refer to the Continuous Vulnerability Assessment and Remediation Guidelines.

The effectiveness of an authenticated scan often hinges on access to administrative credentials on covered devices. This requires adequate planning to address the risks associated with handling and storing administrative credentials.  The following practices should be carefully considered when implementing an authenticated scan program to mitigate such risks:

  1. Rather than using an existing user account, create a temporary operating system user account dedicated to executing authenticated scans, which allows for more granular control.  The temporary user account, which we will call scanner-account, must have administrative access to every covered device to be scanned.  For Unix-based devices without centralized account management, scanner-account may need to be set up separately on each device to be scanned.
  2. Confirm that the scanner-account is able to authenticate to all the covered devices as expected.
  3. Do not use clear-text authentication protocols, such as telnet.
  4. Consider man-in-the-middle attacks that might expose the scanner-account's credentials. For instance, an attacker might set up an internal SSH server to which the scanner will authenticate and give up the username and password.  Pin the host keys of the covered devices in the scanner's known_hosts file and configure the scanner to reject unknown or changed host keys, so that a rogue server cannot collect the credentials.
  5. Disable the scanner-account once the authenticated scan is completed.  Keeping the scanner-account enabled only for the duration of the periodic authenticated scan will reduce the likelihood that scanner-account will be exploited for malicious purposes. 
  6. Automate the tasks of enabling/disabling the scanner-account via scheduled scripts in between periodic authenticated scans.
  7. Restrict the host/IP address from which the scanner-account can be used.  For example, when scanning Unix devices, only allow the scanner-account to log in from the scanner's IP address (the scanner being the server running the vulnerability scanner software).

Once the authenticated scan is completed, follow the recommended remediation steps from the Continuous Vulnerability Assessment and Remediation Guidelines to develop plans to remediate the vulnerabilities found.
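The following script is an added illustration of the scanner-account practices above (items 1, 2, 5, 6 and 7) for a Unix device; it is not part of this guideline and not Nessus or ISO code.  It assumes a Linux host with shadow-utils (useradd, chage, usermod), OpenSSH with an `Include /etc/ssh/sshd_config.d/*.conf` line in sshd_config, and sudo; the account name scanner-account comes from this guideline, while the scanner address 10.0.0.5 and the file paths are assumed values to be replaced.

```shell
#!/bin/sh
# scanner-account.sh  --  added example, not from the guideline or from Nessus.
# Manages the dedicated scan account: create it, restrict it to the scanner's IP,
# enable it only for the scan window and disable it afterwards.
# Assumptions: Linux shadow-utils, OpenSSH >= 8.2 with sshd_config.d include, sudo.
set -eu

SCAN_USER="${SCAN_USER:-scanner-account}"   # account name used in the guideline
SCANNER_IP="${SCANNER_IP:-10.0.0.5}"        # assumed address of the host running Nessus
SSHD_DROPIN="/etc/ssh/sshd_config.d/50-${SCAN_USER}.conf"   # assumed path
SUDOERS_FILE="/etc/sudoers.d/${SCAN_USER}"                  # assumed path

# Item 7: password login for scanner-account only from the scanner's address.
# The second Match block leaves no usable authentication method for the same
# account from any other source, so global PasswordAuthentication can stay "no".
sshd_match_block() {
    cat <<EOF
Match User $SCAN_USER Address $SCANNER_IP
    PasswordAuthentication yes
    PubkeyAuthentication no
    AllowTcpForwarding no
    X11Forwarding no
Match User $SCAN_USER Address *,!$SCANNER_IP
    PasswordAuthentication no
    PubkeyAuthentication no
    KbdInteractiveAuthentication no
EOF
}

# Item 1: the account needs administrative access; Nessus escalates with sudo and
# can supply the account password, so no NOPASSWD is needed. requiretty is turned
# off for this account because the scanner runs commands without a terminal.
sudoers_entry() {
    cat <<EOF
Defaults:$SCAN_USER !requiretty
$SCAN_USER ALL=(root) ALL
EOF
}

# Item 6: cron lines that open the account for a monthly scan window (assumed
# 01:00 to 06:00 on the first of the month) and close it again.
crontab_entries() {
    script="${1:-/usr/local/sbin/scanner-account.sh}"
    cat <<EOF
0 1 1 * * root $script enable
0 6 1 * * root $script disable
EOF
}

# Item 5: disabling both locks the password and expires the account, so neither
# password nor any other method can authenticate until the next window.
disable_scan_user() { usermod -L "$SCAN_USER"; chage -E 1 "$SCAN_USER"; }
enable_scan_user()  { chage -E -1 "$SCAN_USER"; usermod -U "$SCAN_USER"; }

# Item 2: show the sshd options that will apply to scanner-account from the
# scanner's address and from elsewhere, without needing a live login.
verify_restriction() {
    for addr in "$SCANNER_IP" "192.0.2.1"; do          # 192.0.2.1: assumed "other" source
        printf '== effective options for %s from %s ==\n' "$SCAN_USER" "$addr"
        sshd -T -C "user=$SCAN_USER,host=other,addr=$addr" | grep -Ei '^(password|pubkey)authentication'
    done
}

setup() {
    id "$SCAN_USER" >/dev/null 2>&1 || useradd -r -M -s /bin/sh "$SCAN_USER"
    printf 'Set a strong password for %s:\n' "$SCAN_USER"; passwd "$SCAN_USER"
    sshd_match_block > "$SSHD_DROPIN"; chmod 0600 "$SSHD_DROPIN"
    sshd -t                                   # validate before reloading
    sudoers_entry > "$SUDOERS_FILE"; chmod 0440 "$SUDOERS_FILE"
    visudo -cf "$SUDOERS_FILE"                # validate the sudoers fragment
    systemctl reload sshd 2>/dev/null || service ssh reload
    disable_scan_user                         # start closed; cron opens the window
}

case "${1:-}" in
    setup)   setup ;;
    enable)  enable_scan_user ;;
    disable) disable_scan_user ;;
    verify)  verify_restriction ;;
    cron)    crontab_entries "${2:-}" ;;
    *)       echo "usage: $0 {setup|enable|disable|verify|cron [path]}" >&2 ;;
esac
```

Run `scanner-account.sh setup` once per device as root, install the output of `scanner-account.sh cron` in /etc/cron.d, and use `scanner-account.sh verify` to confirm that password authentication is effective only from the scanner's address.  Hosts without sshd_config.d can have the Match blocks appended to sshd_config instead; Match blocks must come after all global options.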

Authenticated Scan Software

Nessus, a widely used vulnerability management software solution, is the recommended software for implementing authenticated scanning programs on campus devices running Unix-based operating systems.  ISO provides a Departmental Nessus Scanning Service that is available to resource custodians and proprietors to meet the authenticated scan requirement.  To get started, please follow the directions on the Campus Security website to request access to the departmental scanner.  Detailed instructions for configuring authenticated scans using Nessus can be found at https://docs.tenable.com/nessus/Content/Credentials.htm.
Due to the sensitivity and complexity of safeguarding SSH keys, we recommend using a temporary scanning account (and its password) to set up the authenticated scan.  Be sure to follow the recommended practices above to disable temporary scanner-account(s) that are not in use, and to limit where that password can be presented by restricting the account's logins to the scanner's IP address.
Covered devices running the Windows operating system should use Secunia PSI, a security scanner offered to campus for free.  Details about Secunia PSI can be found at https://security.berkeley.edu/content/secunia-personal-software-inspecto....  While Nessus also supports the Windows platform, Secunia PSI is an easier tool to administer and obtains similar vulnerability results.
If you have any questions about implementing authenticated scan software in your network, please contact security@berkeley.edu.

Additional Resources