Network Security

Question 23

Suggest an IT policy for using Nessus internally?

Nessus should not be installed in a permanent location on the network. If you find Nessus on the network, people - administrators included - will run it when not supposed to. A test using the Nessus tools must be run once a month (on different week days) and actions based on the Nessus output must be documented in a report.

I (bjarne) don't agree with the above.

Designate at least two persons who have the exclusive rights to run Nessus. Their job description needs to be specified in detail as to what they are allowed to do in order for neither them nor the company to get into legal trouble (people have been fired for exceeding their job description even though it was done in the interest of the company [i92]). Each network segment should have its own dedicated Nessus server. [B1] recommends scanning once a day because the time from publication of an exploit to implementation of said has decreased to under a month. If a daily scan can't be implemented, then scanning should be done in a round robin fashion so that each day of the week gets a scan on a regular basis.