LAB: Basic Vulnerability Management with Nessus
In this lab I will go over the process and the issues I came across during vulnerability scanning and vulnerability remediation. I used Nessus Essentials to scan local VMs hosted on both VMware Workstation and VirtualBox (I'll get into why I used both later). I used credentialed scans to discover vulnerabilities, which helped me grasp the severity of each vulnerability, as doing a test scan without credentials at first shows a very different story in comparison:
Now, during this process of scanning for vulnerabilities, I was having issues with my first VM on Oracle's VirtualBox. I had one successful scan at the beginning, then every scan after that showed 0 results for hosts and vulnerabilities. Unfortunately, I never got to fully understand what specifically had happened (it must have been either a plugin issue or just an issue between VirtualBox and Nessus; I found out Nessus doesn't like virtual machines sometimes, so maybe there was some issue there), but that is when I switched to VMware Workstation, and luckily the problem didn't persist. After that unfortunate event I went on to compare the difference in vulnerabilities between the default credentialed scan and another credentialed scan where, in this case, I had installed a very old version of Firefox. Any old software product would give similar results because of its age; the software doesn't run as well and is more susceptible to attacks since the product isn't up to date. Here is evidence of that:
As you can see, the main threat presented to us is Mozilla Firefox (with a few Windows threats as well), where Nessus is pretty much telling us to update the browser; otherwise the client will be stuck with an abundance of security issues too numerous to list. The next step is simply to uninstall the unneeded old Firefox web browser and update Windows on the VM, so that we can remediate as much as we can and have a better-protected client:
After restarting the VM a few times and updating Windows more, the threats and vulnerabilities went down significantly. There are still a few random system things that need to be updated, but the percentage of medium- to high-risk threats went down to just over 10%.
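The before/after comparison described above can also be made from the scan exports rather than from the dashboard. The following is an added example, not part of the original lab: it assumes both scans were exported in the Nessus v2 XML (`.nessus`) format, uses constructed sample data with placeholder plugin IDs, and defines the "medium to high" percentage as findings rated Medium or higher out of all findings. It also treats an export with no hosts as a failed scan instead of a clean result.

```python
import xml.etree.ElementTree as ET

# Helpers that build constructed sample exports in the .nessus v2 layout.
def item(sev, pid, name):
    return f'<ReportItem port="0" severity="{sev}" pluginID="{pid}" pluginName="{name}"/>'

def report(items):
    body = '<ReportHost name="192.0.2.10">' + "".join(items) + "</ReportHost>"
    return f'<NessusClientData_v2><Report name="lab">{body}</Report></NessusClientData_v2>'

# Constructed data: plugin IDs and names are placeholders, not the lab's results.
BEFORE = report([item(4, 900001, "Outdated browser, multiple vulnerabilities"),
                 item(3, 900002, "Outdated browser, unsupported version"),
                 item(3, 900003, "Missing OS security update"),
                 item(2, 900004, "Example medium finding"),
                 item(0, 900005, "OS identification")])
AFTER = report([item(2, 900004, "Example medium finding"),
                item(0, 900005, "OS identification"),
                item(0, 900006, "Patch report")])

def load_findings(xml_text):
    """Map (host, pluginID, port) -> (severity, pluginName) for one export."""
    hosts = list(ET.fromstring(xml_text).iter("ReportHost"))
    if not hosts:  # a scan that reached no host is a failed scan, not a clean one
        raise ValueError("export contains no hosts")
    findings = {}
    for host in hosts:
        for it in host.iter("ReportItem"):
            key = (host.get("name"), it.get("pluginID"), it.get("port"))
            findings[key] = (int(it.get("severity")), it.get("pluginName"))
    return findings

def medium_plus_share(findings):
    """Percent of findings with severity >= 2 (Medium) on Nessus's 0-4 scale."""
    total = len(findings)
    return 100.0 * sum(s >= 2 for s, _ in findings.values()) / total if total else 0.0

def compare(before, after):
    """Return (remediated, persisting, new) finding keys between two scans."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(b & a), sorted(a - b)

if __name__ == "__main__":
    before, after = load_findings(BEFORE), load_findings(AFTER)
    fixed, still_open, new = compare(before, after)
    print(f"Medium+ share: {medium_plus_share(before):.0f}% -> {medium_plus_share(after):.0f}%")
    print(f"remediated={len(fixed)} persisting={len(still_open)} new={len(new)}")
    print("remediated:", [before[k][1] for k in fixed])
```

To use it on real exports, pass the contents of each `.nessus` file to `load_findings` in place of `BEFORE` and `AFTER`.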
Overall this was a great lab to try out and learn from. I was able to grasp the basics of Nessus, vulnerability scanning, and vulnerability remediation, which has no doubt boosted my growth in this field of knowledge.