Last month I mentioned briefly that there are additional functions of Nessus credential checks beyond the policy compliance plugins we’re using for Bandolier. The example in that blog post allowed you to “scan” all 65,535 ports safely and with minimal network traffic. Another example is the ability to check for the MS08-067 vulnerability announced by Microsoft last week. In fact, there are a number of plugin families and “local security checks” that verify patch levels for the OS and many client applications. They are available for Windows and most of the popular UNIX and Linux distributions.
The same arguments we use for the safety of the Bandolier audit files versus traditional scanning also apply to the broader category of Nessus credential checks. The risk of crashing a service or causing other problems associated with scanning control systems is drastically reduced. The credential checks, as the name implies, require a valid user and password, The packets that are sent to the remote machine are normal and expected: SSH for *nix, SMB for Windows, and (once authenticated) normal OS-level queries for information. Contrast that against traditional scanning where the machine can encounter high levels of unexpected traffic.
If you are in charge of security for control system server and workstations, the credential checks are definitely worth a look — even if there is not a Bandolier audit file for your specific application. You can gain insight on patch levels and, indirectly, vulnerabilities. You can also use the baseline audit files to measure your configuration against NIST or CIS benchmarks.
Traditional vulnerability scanning certainly has its place; you need to know what your system looks like from a network perspective. But where safety, speed, and accuracy are concerned, it’s hard to beat the credential checks.