This section discusses "recipes" for sites to suit common needs. By selecting an appropriate template, assets, and configuration options, you can customize your site to suit specific goals.
The default scan template is Full Audit without Web Spider.
This scan template gives you thorough vulnerability checks on the majority of non-Web assets. It runs faster than the scan template with the Web spider.
To check thoroughly for vulnerabilities, you should specify credentials. See Configuring scan credentials for more information.
As you establish your vulnerability scanning practice, you can create additional sites with various scan templates and change your Scan Engine from the default as needed for your network configuration.
Summary: The first step in checking for vulnerabilities is to make sure you are checking all the assets in your organization. You can find basic information about the assets in your organization by conducting a discovery scan. The application includes a built-in scan template for a discovery scan.
If there is an asset you do not know about that can be exploited, attackers can use that to bypass the Virtual Private Network (VPN) and corporate firewall, and launch attacks from within the local network. If you are new to your role, you might not already be aware of every asset you are responsible for securing. In any case, new assets are frequently added. You can conduct discovery scans to find and learn more about those assets, in preparation for developing an ongoing scanning program.
Your discovery scan may vary depending on your organization's network configuration. We recommend conducting a discovery scan on as wide a range of IP addresses as possible, in case your organization has items outside the typical range. Therefore, for the initial discovery scan, we recommend checking the entire private IPv4 address space (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) as well as all of the public IP addresses owned or controlled by the organization. Doing so will help you find the largest possible number of hosts. We certainly recommend this for organizations that actually use all of the private address space, but also for organizations with smaller networks, so that they find everything they can.
Note: Scanning so many assets could take some time. To estimate how long the scans will take, see the Planning for capacity requirements section of the administrator's guide. In addition, a discovery scan can set off alerts through your system administration or antivirus programs; you may want to advise users before scanning.
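As an added illustration (not part of the original guide or of Nexpose itself), the following Python builds the discovery-scan scope described above, merges the RFC 1918 ranges with the organization's own public ranges, reports known assets that the scope would miss, and gives a rough upper-bound duration from an assumed hosts-per-hour rate. The public range and the asset list are constructed sample values.

```python
import ipaddress

# RFC 1918 private IPv4 space, the ranges the guide recommends for the
# initial discovery scan.
PRIVATE_IPV4 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def discovery_scope(public_ranges):
    """Merge private space with the organization's public ranges into a
    de-duplicated, non-overlapping list of networks for the discovery site."""
    nets = PRIVATE_IPV4 + [ipaddress.ip_network(r, strict=False) for r in public_ranges]
    return list(ipaddress.collapse_addresses(nets))


def addresses_in_scope(scope):
    """Total number of addresses the discovery scan would sweep."""
    return sum(n.num_addresses for n in scope)


def out_of_scope(scope, known_assets):
    """Assets from an existing inventory that the scope would NOT cover;
    anything listed here needs its range added before scanning."""
    return [a for a in known_assets
            if not any(ipaddress.ip_address(a) in n for n in scope)]


def estimate_hours(scope, hosts_per_hour):
    """Rough upper bound: every address at an assumed sweep rate. Real
    throughput depends on the engine and network; see the capacity planning
    section of the administrator's guide for proper sizing."""
    return addresses_in_scope(scope) / hosts_per_hour


if __name__ == "__main__":
    # Constructed sample: one public /24 (documentation range) and a small
    # inventory, one entry of which sits outside the recommended scope.
    scope = discovery_scope(["203.0.113.0/24"])
    for net in scope:
        print(f"{net}  ({net.num_addresses} addresses)")
    print("missed assets:", out_of_scope(scope, ["10.20.30.40", "192.0.2.7"]))
    print("upper-bound hours at 50000 hosts/h:", estimate_hours(scope, 50000))
```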
To conduct the initial discovery scan in Nexpose:
Summary: In addition to conducting thorough scans of your network, we recommend using a Scan Engine outside your network to check what can be found. Once you have a Scan Engine ready, you can add it in the Site Configuration.
If you have external IP addresses, you can check what someone could access from outside. You can set up a Scan Engine outside your network perimeter and see what it can find. If you would like an "external" view of your firewall, perform a scan from an engine that is external to the organization and treated the same as any other external machine.
We recommend the following configurations:
We recommend the following prioritization for remediation:
In the case of newly announced, high risk vulnerabilities, you may want to scan for just that specific vulnerability, in order to find out as quickly as possible which of your assets are affected.
You can create a custom scan template that checks just for specific vulnerabilities, and scan your sites with this special template. You can use the Common Vulnerabilities and Exposures Identifier (CVE-ID) to focus only on checks for that vulnerability.
Note: Check the Rapid7 Community for additional guidance related to recently-announced major vulnerabilities.
To scan for specific vulnerabilities:
If you have assets in multiple locations, there are several factors to take into consideration:
To scan large numbers of assets, you may want to take advantage of Scan Engine pooling. A Scan Engine pool can help with load balancing and serve as backup if one Scan Engine fails. To learn more about configuring Scan Engine pools, see Working with Scan Engine pools.
To scan Amazon Web Services (AWS) virtual assets, you need to perform some preparation in your AWS environment and create a discovery connection specific to this type of asset. To learn more, see Preparing for Dynamic Discovery in an AWS environment.
To scan VMware virtual assets, you will need to perform some preparation steps in the target VMware environment, and then create a discovery connection specific to this type of asset. To learn more, see Preparing the target VMware environment for Dynamic Discovery.
If your systems process, store, or transmit credit card holder data, you may be using Nexpose to comply with the Payment Card Industry (PCI) Security Standards Council Data Security Standards (DSS). The PCI internal audit scan template is designed to help you conduct your internal assessments as required in the DSS.
To learn more about PCI DSS 3.0, visit our resource page.
The following is an outline of a suggested process to use with Nexpose to help with your internal PCI scans. (For more information on how to use any of the features in the application, see the Help or User’s Guide.)
The application includes built-in scan templates that can be used for policy benchmarking. These include CIS, DISA, and USGCB. Each of these templates contains a bundle of policies to be used for different platforms; only the ones that apply are evaluated. Of the three, CIS contains support for the widest variety of platforms. For more information on these templates, see Scan templates.
All policy scan templates require a username and password pair used to gain access to assets such as desktop and server machines. Typically this account will have the privileges of an administrator or root user. For more on credentials, see Configuring scan credentials.
The CIS scan template includes policy checks specific to databases, and requires a username and password for database access.