[unisog] OS Vuln Scanners

Stephen John Smoogen smooge at unm.edu
Wed May 7 19:18:10 GMT 2008 

Nipper, Johnny R. wrote:
> Hello all,
> 
> We are a new security department in the beginning stages of discovering vulnerabilities as well as rogue servers on our network.  We are discovering as we go and learning from our mistakes.  One issue we are tackling is departmental servers outside of our central IT.  We do not have a comprehensive list of every system.  I have been using different techniques for discovering servers and working with each administrator individually to do routine scans.  Recently we began running Nessus on the entire network one subnet at a time.  During this time, systems have crashed with our "safe scan" option set.  This undoubtedly helps us discover systems as well as vulnerabilities, but in the meantime this causes issues.  We would like to notify departmental administrators prior to each scan.  Our issue is, we did not previously know about these systems.
> 
> We have already sent out a communiqué with a protocol for every administrator to run scans on their system and report them to the security department.  The ones that are having issues now are systems that were not disclosed during our initial request several months ago.  
> 
> How would everyone tackle this situation?  Would you send out a communication to the entire campus in advance for all scans?  When would you run your scans?  Do you make this part of your change control procedure?  Any help would be very appreciated.
> 
> Thanks,
> Johnny
> 

At my former job, my first step is to get mac addresses and ip addresses 
showing up on the border routers and switches to departments. This can 
give an idea on how many systems there are and what is out there. Then 
we would do an nmap scan of the subnet to get an idea of what was there 
that might not be seen on the routers/etc.. correlate the two to see 
what works better and faster for a network.

After that, we would get a working plan of what networks were to be 
scanned, in what order and what we were going to possibly see. We would 
then send out notices to those departments with what nmap found and let 
them know when the 'authorized' nessus scan would occur. This usually 
got the "oh craps don't scan our entire network" emails which we would 
then work through the proper political channels to get it either down to 
  specific hosts, or similar agreements (well we are happy to give up 
our funds for X for you not scanning us.), etc.


-- 
Stephen Smoogen -- ITS/Linux Administrator
   MSC02 1520 1 University of New Mexico Albuquerque, NM  87131-0001
   Phone: (505) 277-8219  Email: smooge at unm.edu
  How far that little candle throws his beams! So shines a good deed
  in a naughty world. = Shakespeare. "The Merchant of Venice"

More information about the unisog mailing list