Channel professionals can use this tip for advice on how to put Nessus scans to good use in an efficient enterprise scanning program that delivers network security for SMBs. Learn best practices such
Developing an enterprise scanning program is, by necessity, a highly customized task. You can't simply take a stock plan off the shelf and implement it in your organization. You need to consider the unique technical, regulatory, political and cultural requirements facing your enterprise before launching this inherently intrusive activity. For example, the scanning program used by a research university would necessarily be quite different from that used by an ultra-secret government agency. Both plans would differ significantly from the scanning plan used by an e-commerce retailer. Let's look at a few broad principles that apply in any large enterprise.
- Don't keep scanning secret. Over the course of my career, I've seen many organizations implement vulnerability scanning programs for the first time. With very few exceptions, the security officials responsible for the program decide that the best way to launch this effort is to treat these scans as a tightly-held secret. Invariably, this backfires. The primary reason is political -- you don't want system administrators to feel that you're policing their configuration management. On the contrary, the goal of your scanning program should be to increase administrator awareness and assist them in the secure configuration of their systems. A scan that produces very few results is a successful scan!
- Coordinate your scans widely. This advice goes hand-in-hand with the previous tip. In addition to notifying system administrators, make sure that everyone who's even tangentially affected by your scans knows what you're doing. Remember that the scanning process can have unforeseen effects on your infrastructure. You certainly don't want your company to become aware of your new scanning procedures because they brought the network to its knees! Notify system administrators, network engineers, application administrators, management and support personnel of the scans in advance -- they will serve as an early-warning system if problems arise. This is especially true the first several times you scan systems.
Read more on how to perform enterprise network security scans using Nessus.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This tip originally appeared on SearchSecurity.com.
This was first published in January 2007