For Bandolier, we’ve talked a lot about how the Nessus compliance checks are safer than traditional vulnerability scanning in control system environments. Using authenticated sessions (SSH for UNIX, SMB for Windows) allows for interaction with the operating system that is much less taxing than a full network scan. Beyond the compliance checks, though, Nessus has many other credential check functions that make use of these connections. Ron Gula has a perfect, detailed example of this over at the Tenable Network Security blog today. Didn’t think you’d ever be able to safely “scan” all 65,535 network ports on your control system servers and workstations? This post may cause you to rethink that.
For more information on the Nessus credential checks, check out this document.