Tenable Security Center templates

Database Application Visibility & Exposures One-Stop-Shop

John Thounhurst — Thu, 26 Mar 2026 14:32:47 -0400

A benefit of an effective database security program is that organizations are better positioned to safeguard against the risks of compromise, and to thwart attacks such as malware and ransomware. Steps to building such a program include following best practices and regulatory requirements. Key initiatives include conducting and reviewing vulnerability assessments and compliance audits.

Databases typically contain sensitive material such as financial data, personnel information, business intelligence, client information, and more. Organizational secrets were once contained in a locked file cabinet, within secure rooms, or entombed deep within an organization. Access was controlled with a key requiring on-site access, and copying or removing files was difficult at best. Today, this information is commonly stored in a database that is connected to a wider network. Configuration errors can inadvertently provide access to a global audience. This practice makes a database a primary target of threat actors. Compromised databases are a common element of most data breaches, resulting in the exfiltration or loss of massive amounts of privileged information.

Information that is collected and stored in a database is important, and safeguarding that data is critical to business continuity. Costs associated with damages, fees, legal considerations and loss of reputation resulting from damaged and corrupt databases can be a financial burden for any organization. Depending on the type of data being stored, many established regulations and standards exist, which reduce the risk that information will be mishandled. Successful implementation means that customer confidence is maintained and organizations avoid costly financial ramifications.

Organizations are obligated to protect sensitive data and must frequently comply with laws and regulations regarding the data being stored. To best accomplish this, database teams require vulnerability details which easily identify the most significant vulnerabilities and provide guidance towards mitigation. The ability to act quickly in mitigating database vulnerabilities requires information to be presented in a manner which focuses on findings that should be prioritized and mitigated first. As a result, vulnerability remediation is more successful, the attack surface is reduced, and efforts can be visually tracked and measured against established goals.

Enumerating and securing your databases across the modern attack surface is especially critical related to 3-Tier Web Applications and AI. Nearly every Web Application has some flavor of database on the backend, and the internal and cybercriminal usage of GenAI and Agentic AI significantly raises the stakes for data security. GenAI prompts can be tied to your internal data, and AI agents can be granted a significant range of autonomy. AI agents can operate constantly, and adversaries can leverage low-and-slow attacks via these AI Agents and GenAI prompt-based crescendo attacks to gain access to your sensitive data. In this new world of AI, a strong database security program is not just about checking a box for compliance. It is a fundamental requirement to protect an organization's reputation and ensure AI remains an asset instead of a liability.

Tenable Security Center provides a risk-based view of your IT, security, and compliance posture, allowing database teams to analyze findings, remediate identified risk, track progress, and measure success. Designed with the principles of the Cyber Exposure Lifecycle in mind, this report assists database teams in maintaining a high level of awareness and vigilance. The report is tailored to guide the database team in detecting, predicting, and acting to reduce risk across their entire attack surface. The components provide a glance over detected Databases. From supported databases to unsupported databases, and exploitable databases that have been active for a long time, this report allows a database team to prioritize which assets/databases to patch first. The report also includes database compliance components that assist database teams by presenting pass/fail compliance results. It is important to note that the severity fields in the components can either be based on CVSS or VPR, depending on what the user selected in the settings. The report components do not require specific asset list filters to be applied prior to use. However, organizations that have teams that do focus on a specific group of assets will benefit from using custom asset lists. Database teams can visualize findings against database assets within the organization using this method.

Chapters

Executive Summary: This chapter empowers the risk manager to quickly understand current database exposures across the network. Protecting sensitive information requires constant vigilance because adversaries leverage autonomous artificial intelligence agents to exploit hidden vulnerabilities. By transforming complex scanning data into accessible visual formats, the executive summary chapter allows the risk manager to understand the current impact of database vulnerabilities and misconfigurations. Furthermore, the provided insights guide the security operations team to effectively prioritize remediation efforts. Implementing a strong vulnerability management program ensures the organization protects critical data against unauthorized access while maintaining a resilient defense posture against evolving threats.
Database Detection: This chapter guides the risk manager in understanding why maintaining a precise database software inventory remains fundamentally critical. Because adversaries increasingly deploy autonomous artificial intelligence agents and generative artificial intelligence prompts to exploit backend infrastructure, the organization must possess complete visibility into all deployed databases. Cataloging active database installations enables the security operations team to verify authorized applications, confirm active support status, and ensure the prompt application of security patches. Furthermore, discovering undocumented or unnecessary databases reduces the overall attack surface and removes unmonitored access points. By leveraging the insights presented in this chapter, the risk manager establishes a strong defensive posture, ensuring sensitive information remains protected against relentless cyber threats.
Exploitable Database Vulnerabilities First Seen More Than 365 Days Ago: This chapter provides the risk manager a clear perspective regarding unresolved relational database vulnerabilities. When vulnerabilities remain active for over a year, the organization is exposed to substantial risk of unauthorized data access and system compromise. As the attack surface is prolonged, modern adversaries are able to take advantage of autonomous artificial intelligence agents and generative artificial intelligence prompts to exploit aging backend infrastructure. By identifying these neglected vulnerabilities, the risk manager is able to create a mitigation plan or strategy to close these exposure gaps across core database systems.
Other Useful Database Findings: This chapter provides the risk manager a broader perspective regarding indirect vulnerabilities affecting relational database systems. Adversaries frequently exploit third-party applications and assets interacting with backend infrastructure. Because such supply chain exposures present a substantial risk of unauthorized data access, the organization must maintain complete visibility into the entire interconnected database ecosystem. By reviewing the structured findings within the chapter, the risk manager gains a comprehensive understanding of security gaps existing outside traditional database boundaries. Addressing the database-related vulnerabilities empowers the security operations team to strengthen internal defenses and protect sensitive information against relentless cyber threats.
Audit Benchmarks Collected using Database Checks: This chapter empowers the compliance manager to comprehensively evaluate database configuration health against established compliance standards. Because databases secure sensitive organizational data, proper configuration remains essential to prevent unauthorized access and data breaches. Compliance authorities prescribe stringent frameworks, such as 800-53 and PCI-DSS, to guide secure configurations. To maximize effectiveness, the organization must establish a customized best practice configuration policy guide and modify scanning audit files to strictly enforce approved internal standards. When interpreting the findings within the chapter, the compliance manager must understand that severity levels carry specific meanings for audit results. A high severity finding indicates a failed audit check, an informational severity signifies a successfully passed check, and a medium severity dictates a manual review is required. Grasping these distinct severity definitions empowers the system administrators to accurately measure compliance and strengthen overall network defenses.

Java Visibility and Exposures

John Thounhurst — Thu, 26 Mar 2026 14:06:18 -0400

Hidden weaknesses in unpatched Java installations expand the organizational attack surface and expose the environment to severe operational disruptions. Visualizing impacted assets allows the organization to grasp how unmanaged applications increase overall risk exposure. A resilient defense posture requires continuous awareness of deployed infrastructure to prevent adversaries from exploiting network vulnerabilities. The Java Visibility and Exposures report resolves these challenges by transforming complex scanning data into accessible visual formats, guiding the risk manager to proactively identify hidden flaws and secure vulnerable assets.

A strong software asset management program serves as the foundation for identifying unauthorized or end-of-life applications across the network. Without a robust software asset inventory, the security operations team cannot properly evaluate network health. The report enables the risk manager to map out deployed applications, revealing potential blind spots within the infrastructure. Mapping such installations ensures the organization proactively identifies unsupported environments where vendors no longer supply security patches. Modern adversaries frequently leverage artificial intelligence to exploit unmanaged cyber risks, meaning accurate visibility into the asset landscape remains paramount for preventing unauthorized access.

Once assets are identified, prioritizing risk effectively ensures the security operations team addresses the most critical Java vulnerabilities first. Relying solely on traditional static scoring often creates overwhelming workloads. Conversely, utilizing dynamic Vulnerability Priority Ratings (VPR) focuses organizational resources on exposures associated with active threat intelligence and the highest likelihood of exploitation. Addressing high-risk exposures proactively prevents attackers from launching successful campaigns against vulnerable infrastructure. Implementing a robust vulnerability management strategy guided by threat intelligence ensures maximum risk reduction and creates a strengthened security posture.

Identifying and mapping network exposures empowers the risk manager to direct remediation efforts across affected subnets and individual host environments. Cybersecurity has evolved into a global security imperative, requiring a strategic shift toward risk-based, outcome-focused governance that elevates cyber risk discussions to the boardroom. By targeting the highest-priority threats, the organization can neutralize Server-Side Request Forgeries (SSRF) in the Java transport layer handshakes, before they can be exploited to disrupt operations. Resolving highly targeted vulnerabilities efficiently builds collective defense capabilities. Mastering detailed network visibility ultimately strengthens organizational security maturity and reduces overall cyber exposure.

Chapters

Executive Summary: This chapter allows the risk manager to quickly identify and analyze current Java exposures across the network. Understanding how the attack surface sustains impact from assets with Java installed remains essential for a proactive defense, especially since threat actors now frequently use machine learning tools to uncover blind spots. By transforming complex scanning data into accessible visual formats, the chapter helps security leaders visualize the true impact of existing exposures. Provided insights guide the security operations team to prioritize remediation efforts effectively. Establishing a comprehensive exposure management practice guarantees the enterprise shields sensitive information while maintaining a resilient defense posture against evolving threats.
Java Installation Visibility: This chapter equips the risk manager to confidently map the organizational attack surface by identifying existing Java installations across the network. A strong software asset management program remains foundational for maintaining a resilient security posture. Without proper visibility into installed applications, hidden weaknesses can remain unpatched and expose the organization to crippling network outages. Implementing robust software asset management ensures the security operations team maintains continuous awareness of deployed assets. Such awareness allows the organization to proactively secure infrastructure, enforce governance policies, and mitigate emerging threats effectively.
Top Java Exposures Sorted by VPR: This chapter assists the risk manager to effectively prioritize mitigation efforts across the network. Utilizing CVSS base risk scores frequently buries security analysts under unactionable data. Conversely, applying risk-based prioritization guides security personnel to address weaknesses with the highest probability of exploitation. Addressing high-risk exposures proactively prevents adversaries from leveraging hidden weaknesses, such as Server-Side Request Forgery flaws in cryptographic handshakes, to launch devastating cyberattacks. Executing an intelligence-driven remediation workflow allows the business to rapidly mitigate critical flaws.
Unsupported Versions of Java: This chapter guides the risk manager to confidently identify end-of-life installations across the network. Locating legacy software is a critical step in building a hardened defense because vendors no longer release security patches for outdated products. Without regular updates, hidden weaknesses remain unpatched and may expose the organization to crippling attacks. Today's attackers routinely deploy automated scripts to target neglected endpoints. To mitigate associated risks, the security operations team must continuously monitor the attack surface and upgrade legacy installations to actively supported versions. Implementing robust vulnerability management practices guided by advanced scoring algorithms direct attention to the most pressing and actionable dangers, ensuring a proactive defense.
Hosts with the Java Vulnerabilities: This chapter enables the risk manager to comprehend the organizational attack surface by mapping Java installations across network assets. An effective vulnerability lifecycle strategy is essential for sustaining a robust defense. Unmanaged applications create cyber risk, exposing the organization to critical system failures. Visualizing affected assets allows the security operations team to maintain continuous awareness of network health and assess how severe flaws impact individual host environments. Implementing robust software asset management ensures the organization proactively secures infrastructure and mitigates emerging threats guided by dynamic predictive ratings.

Operating System and Application Inventory with Data Troubleshooting

John Thounhurst — Mon, 23 Mar 2026 14:35:23 -0400

The risk manager and security operations team need full visibility of all vulnerabilities within the organization. By leveraging the continuous asset scanning and automated risk prioritization capabilities of Tenable Security Center (formerly Tenable.sc), the security operations team is able to discover operating system and application instances, software vulnerabilities, misconfigurations and other exposure details. This report provides a high-level summary of asset counts per operating system and discovered applications, with the added benefit of helpful queries to identify troublesome areas in scan fidelity.

A key first step in establishing an exposure management program is to separate findings by operating systems and applications. This discovery process helps to assess the technology in the environment and discover gaps in exposure management. The components in the report focus on either operating system vulnerabilities or application vulnerabilities by leveraging the CPE (Common Platform Enumeration) strings that are defined by NIST (National Institute of Standards and Technology) and provide a unique, standardized name for IT products. Using this comprehensive approach to data analysis, the risk manager is able to obtain visibility into the network and prioritize mitigation efforts accordingly.

Once the vulnerabilities are known to the risk managers, the risk prioritization begins. In cases where a vendor-supplied patch is available, patch management solutions are able to increase efficiency by distributing and applying the patches. However, there are many cases where unsupported operating systems or patches have not been released yet. Oftentimes unpatchable vulnerabilities are identified as exploitable, and to remediate the risk requires a configuration change such as a registry key change, disabling insecure or deprecated protocols, and upgrading to a supported operating system version or new operating system.

As the exposure management program matures, the security operations team needs to begin to measure data collection and the remediation processes. To allow for accurate measurements, the fidelity of the scanning program needs to be reviewed and monitored. To assist in this process, the report has several chapters that enable the understanding of scan health by identifying gaps in the scan activities. Organizations that utilize both agent scans and network scans are able to benefit from each method and begin to close the gaps in scan coverage. The report helps to show the health of credentialed network scans, also known as an authenticated scan (which provides a deeper insight into the risk posture of the asset), as compared to discovery scanning. If credentialed network scans are not available, the organization can leverage the Tenable Agent to collect vulnerability data. While agents are not designed to perform network checks, certain settings cannot be checked or obtained, therefore combining network scans with agent-based scanning eliminates this gap. The key thing to keep in mind is that scanning with credentials will provide the most complete asset info, vulnerability and patch auditing picture with a regular scanning cadence and depth. Local Check Scans with the Tenable Agent or working credentials will provide the more complete and hi-fidelity data set to ensure the good data passes downstream for reporting, workflows and stakeholders.

Tenable Security Center provides the ability to know the vulnerabilities on the network and provides full visibility with continuous asset scanning and automated risk prioritization capabilities. The data on this report helps to expose gaps and facilitate the process in which the risk manager is able to quickly find highly exploitable, business-impacting vulnerabilities using risk-based threat intelligence and critical asset identification. As the risk mitigation efforts increase their effectiveness, the CISO is able to close the critical exposures and make rapid, decisive decisions that direct actions to mitigate high-risk vulnerabilities and communicate to leadership and stakeholders the current state of the exposure management program.

Chapters

Executive Summary: This chapter provides the risk manager with a high-level overview of scan health and vulnerability metrics across the organization. By analyzing charts and tables the risk manager and the security operations team are able to observe at a high level the status of routine scanning and risk mitigation activities. The components help to categorize unresolved flaws within software and infrastructure based on severity, exploitability, and patch availability to pinpoint areas requiring immediate remediation.
Tenable Agent Findings: This chapter provides details related to Tenable Agents. Details include informational data, such as the detection of Tenable Agent installations, as well as Tenable Agent vulnerability data, such as out-of-date or software end-of-life (SEoL) Tenable Agents, including potential third-party induced vulnerabilities to Tenable Agents from other products.
Asset Inventory: This chapter provides summary counts for operating systems and applications detected within a network over a thirty-day period. The tables utilize Nessus and Tenable Agent to identify active platforms, including an extensive list of installed software and libraries.
Scan Health: This chapter provides a summary of the authentication status and scanning processes across different subnets. Monitoring scan health is essential, as routine system and network device scans ensure compliance with regulatory and organizational requirements for vulnerability and configuration management. The chapter highlights the assets with credentialed scanning problems.
Operating System Exposure: This chapter filters for operating system vulnerabilities last seen within the past 30 days, categorizing the vulnerabilities across critical, high, medium, and low severity levels. While the resulting data reveals unresolved flaws across the network, a risk manager uses the information to establish a valuable baseline.
Exploitable Operating System Exposure: This chapter filters for exploitable operating system vulnerabilities last seen within the past 30 days, categorizing the findings across critical, high, medium, and low severity levels. While the resulting data reveals unresolved flaws across the network, the information establishes a valuable baseline and highlights an exploitable vulnerability backlog.
Security End of Life (SEoL) Operating Systems: The data in this chapter reveals unresolved flaws across various unsupported platforms and provides the operations team with a list of risk mitigation steps. Operating systems that have reached their end-of-life date are a major cause of data breaches as vendors stop offering support, which causes security and stability to decrease over time. Risk managers performing analysis of end-of-life systems are able to guide the security operations team away from a reactive state and into a prioritized, proactive posture hunting for actively unsupported operating systems.
Unpatchable and Exploitable Operating Systems: This chapter serves as a critical diagnostic tool, guiding the risk manager to identify severe exposures across the organization. The chapter specifically filters for operating system vulnerabilities detected over the past thirty days lacking a published patch but possessing known exploits. By highlighting assets suffering from unpatchable flaws, the data reveals problems the organization cannot currently solve through traditional patching.
Application Exposure: This chapter functions as a foundational resource guiding the risk manager to uncover software vulnerabilities across the network. The risk manager uses the data in this chapter to establish a comprehensive view of the attack surface and pinpoint severe exposures challenging the organization.
Exploitable Application Exposure: This chapter empowers the risk manager to uncover critical software vulnerabilities across the network. By leveraging authenticated scans, the chapter filters for findings using the Application CPE string 'cpe:/a' last observed within the past thirty days, categorizing unresolved application flaws with an available exploit across critical, high, medium, and low severity levels. The risk manager uses the resulting data to establish a comprehensive view of the attack surface and pinpoint severe exposures challenging the organization
Security End of Life Applications: This chapter enables the risk manager to effectively identify unsupported software across the organization. When applications reach an end-of-life status, software vendors permanently cease offering support and halt all releases of new security patches. Consequently, operating unsupported software causes security and network stability to continually degrade over time, leaving the organization increasingly vulnerable to cyber attacks. By identifying unsupported applications, the risk manager guides the security operations team to mitigate risks that surface from the severe dangers of utilizing outdated products.
Unpatchable Exploitable Application Exposure: This chapter equips the risk manager to proactively identify highly dangerous software vulnerabilities across the organization. Recognizing unpatchable and actively exploitable software presents an essential mentoring opportunity. When researchers publish a new vulnerability, a delay often occurs before the vendor develops and releases an official patch. Malicious actors highly value the unprotected time gap, utilizing readily available exploit frameworks to launch targeted attacks against the organization before a permanent fix exists.

Post Quantum Ciphers Analysis

Josef Weiss — Thu, 29 Jan 2026 13:02:15 -0500

Public-key cryptography is the invisible trust fabric which secures web browsing, VPN connectivity, cloud authentication, software updates, and identity verification. For decades, the global economy, national security apparatus, and critical infrastructure have relied on asymmetric cryptography—specifically RSA and Elliptic Curve Cryptography (ECC)—to secure this data. Their security rests on the mathematical difficulty of factoring large integers or solving discrete logarithm problems within any realistic timeframe. Quantum computing changes that assumption. Quantum computers utilize qubits, which combined with quantum entanglement, allows for massive parallelism in calculation. Tenable’s Research team has developed a series of plugins to help identify an organization's progress in mitigating this future threat.

While quantum systems, capable of shattering current encryption standards may be years away, there is a significant threat operational today, through a strategic doctrine of "Harvest Now, Decrypt Later" (HNDL). Adversaries can identify and capture and store encrypted data now, awaiting for future decryption when quantum decryption becomes readily available, and the data can be decrypted retroactively. For security leaders this creates a familiar strategic problem. Public-key cryptography is embedded everywhere: certificate authorities, TLS stacks, VPN gateways, secure email, identity providers, firmware signing, code pipelines, and cloud key management. The implications are catastrophic for current standards:

RSA-2048 and RSA-4096: Completely broken.
ECDH and ECDSA (Elliptic Curve): Completely broken.
Diffie-Hellman: Completely broken.

Tenable has a number of plugins that assist organizations, including:

277650 - Remote Services Not Using Post-Quantum Ciphers.
277652 - Target Cipher Inventory.
277653- Remote Services Using Post-Quantum Ciphers.

Understanding the impact of the transition to using Post Quantum Ciphers is where security teams need actionable insight, understanding where vulnerable cryptographic algorithms are deployed across their infrastructure. To support this visibility, Tenable provides the Post Quantum Ciphers Dashboard. This Tenable Security Center report is designed to help organizations identify systems relying on cryptographic algorithms that will be vulnerable in a post-quantum world. Key features are the identification where RSA and ECC are currently deployed across your infrastructure, supporting prioritization of modernization efforts. Information within the report assists organizations identify remote services using/not using post-quantum ciphers, including the identification of ciphers in Web Application Scanning (WAS) environments, and identifies potentially vulnerable ciphers, certificates and assets.

Organizations need a coherent operational strategy to navigate the migration. Based on NIST SP 1800-38 and CISA guidance, the following phased approach is recommended.

Phase 1: Automated Discovery -> Phase 2: Prioritization and Risk Assessment -> Phase 3: Remediation and Crypto-Agility -> Phase 4: Continuous Verification

This approach begins with establishing the baseline. Tenable Plugin 277652 (Target Cipher Inventory) Extends detection capabilities to cover cryptographic ciphers and algorithms discovered during the scan as a machine parsable JSON file attachment. Tenable Plugins 277653 (Remote Services Using Post-Quantum Ciphers) and 277650 (Remote Services Not Using Post-Quantum Ciphers) help filter the signal from the noise. Identify systems with the highest risk and the most critical data, allowing organizations to move quickly into the remediation phase. Regression is prevented naturally with Tenable’s ability to provide Continuous Verification by incorporating this assessment into regular scanning intervals.

Bottom line, these tactics allow for the surfacing of cryptographic dependencies across the environment, security teams gain the operational intelligence needed to begin structured migration planning today. Organizations that begin assessing exposure now, establish migration roadmaps, and integrate post-quantum readiness into security strategy will move through this transition deliberately and safely.

This Report contains the following Chapters:

Executive Summary: This chapter is designed to help organizations identify systems relying on cryptographic algorithms that will be vulnerable in a post-quantum world. Key features are the identification where RSA and ECC are currently deployed across your infrastructure, supporting prioritization of modernization efforts. Information within the chapter assists organizations identify remote services using/not using post-quantum ciphers, including the identification of ciphers in Web Application Scanning (WAS) environments, and identifies potentially vulnerable ciphers, certificates and assets.
Target Cipher Inventory Details: This chapter provides the details of plugin 277652 which collects the cryptographic ciphers and algorithms discovered during the scan and then present the data in an iterative table for deeper analysis.
Remote Services Not Using Post-Quantum Ciphers Details: This chapter provides the details of plugin 277650 which identifies the network services that do not offer post-quantum ciphers. Tenable makes no attempt to determine whether the remote service would be vulnerable to a post-quantum attack. The chapter presents the collected data in an iterative table for deeper analysis.
Remote Services Using Post-Quantum Ciphers Details: This chapter provides the details of plugin 277652 which collects cryptographic ciphers and algorithms discovered during the scan and then presents the data in an iterative table for deeper analysis.
Encryption Ciphers Detected by Nessus Details: This chapter displays any detected Cipher plugins that were seen by Nessus. The widget utilizes the Plugin Name filter with a match on 'Cipher Suites, SSL Ciphers, Weak Kerberos, and Deprecated Ciphers'. The widgets of the chapter provide the details of cipher related findings such as weak cipher suites such as NULL or RC4, blockchaing issues, recommended changes and other common issues that are impacted by the Post-Quantum Ciphers issue.
Certificate Information Detected by Nessus Details: This chapter displays any detected SSL Certificate information collected by Nessus. The widgets of the chapter provide details for certificate related findings such as Certificate Chain issue, Certificate Expiry, Certificate Key issues other common issues that are impacted by the Post-Quantum Ciphers issue.
Encryption Ciphers Detected by WAS Details: This chapter displays the most prominent SSL/TLS plugins which were detected by WAS. The widgets of the chapter provides the information by using the plugin name filter to look at plugin names containing 'SSL/TLS' in the name. The widgets provides the details for SSL/TLS issues such as weak or insure cipher suites, expired certificates and other common issues that are impacted by the Post-Quantum Ciphers issue.
SSH Algorithms Detected by Nessus Details: This chapter displays any detected SSH algorithm information. The widgets of the chapter provides the details for SSH issues such as weak or insure algorithms suites other common issues that are impacted by the Post-Quantum Ciphers issue.

Monitoring Internal Scans for PCI 11.3.1

Cody Dumont — Mon, 20 Oct 2025 08:00:00 -0400

The Payment Card Industry Security Standards Council (PCI SSC) maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The PCI SSC provides technical and operational requirements for organizations accepting or processing payment transactions. The guidance also applies to software developers and manufacturers of applications and devices used in those transactions.

PCI DSS helps entities understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. The standards have historically been revised on a 2-3 year cycle, but the PCI SSC is transitioning to a posture of revising the PCI DSS as required based on changes to the current threat landscape. The current standard revision is PCI DSS Version 4.x. Any organization that handles payment card information must comply with the PCI DSS and must demonstrate compliance annually. Tenable Security Center is able to help organizations monitor ongoing PCI DSS compliance.

As part of the PCI DSS version 4.x the requirement for authenticated internal vulnerability scanning was introduced. Tenable has always emphasized that credentialed scanning is required to get the most accurate information, now the PCI Council requires credentialed scanning where possible. The Council recognizes that all systems may not be accessible as part of a credentialed vulnerability scan, but those systems must be clearly documented. As part of the vulnerability scanning, Tenable uses two methods to perform elevated vulnerability scans, Nessus and Nessus Agents. Nessus vulnerability scans access the system over a network protocol such as SMB, SSH, and etc, while the Nessus Agents run a local version of the Nessus scan engine as a system level service. (Note: When using Nessus Agent, uncredentialed port scans are still required to identify open ports) There are benefits to each method, however each provides the ability to enumerate vulnerabilities based on the operating system, system configurations, and installed software.

As part of the requirement 11.3.1.2 (Internal vulnerability scans are performed via authenticated scanning), the internal systems located within the Cardholder Data Environment (CDE) are to be documented as accessible with and without credentials. Using Nessus to scan devices on the network will provide the necessary information as to the accessibility of a system using the defined protocols and supplied credentials. Nessus will report on the success of authentication and the status of collecting vulnerabilities. Once authenticated, Nessus will enumerate vulnerabilities found on the system. The vulnerabilities detected are identified using industry-recognized vulnerability databases and our research teams.

As directed in the 11.3.1 (Internal vulnerability scans are performed), the organization must conduct internal scans every three months and perform rescans to confirm all high and critical vulnerabilities are resolved. Tenable Security Center supports the scheduling of scans, allowing the assessment teams to continuously monitor the CDE accordingly. The report provides a high level summary covering the systems and related vulnerabilities that will follow in the pages to come. Following the affected systems table, is an iterative list of all systems along with several tables that identify the vulnerabilities with different risk levels and factors. The first table is a detailed list of the scan health and assessment plugins. Each plugin has the plugin description along with relevant plugin output so the assessor is able to verify the scan of the system. The following tables show the finding, severity, state, and detection dates. The tables provide a list of critical and high vulnerabilities, along with accepted and recast findings. The last two tables provide a list of the mitigated findings, along with first seen and fixed dates.

Chapters

Executive Summary - As directed in the 11.3.1 (Internal vulnerability scans are performed), the organization must conduct internal scans every three months and perform rescans to confirm all high and critical vulnerabilities are resolved. Tenable Security Centers supports the scheduling of scans, allowing the assessment teams to continuously monitor the CDE accordingly. The report provides a high level summary covering the systems and related vulnerabilities that will follow in the pages to come. This chapter provides an executive level review of the vulnerabilities and scan health related findings.

Authentication Summary - The chapter establishes host counts in local authentication as well as overall host counts of authentication status. Local checks in Windows systems and other systems are also highlighted. Finally, this chapter serves as a preamble to chapter three, the detailed chapter.

Risk Finding Per Asset - As directed in the 11.3.1 (Internal vulnerability scans are performed), the organization must conduct internal scans every three months and perform rescans to confirm all high and critical vulnerabilities are resolved. Tenable Security Center supports the scheduling of scans, allowing the assessment teams to continuously monitor the CDE accordingly. This chapter provides a high level summary covering the systems and related vulnerabilities that will follow in the pages to come. Following the Identified Assets table, is an iterative list of all systems along with several tables that identify the vulnerabilities with different risk levels and factors.

Cyber Essentials Section 5 - Patch Management

Josef Weiss — Mon, 22 Sep 2025 15:07:00 -0400

The Cyber Essentials is a UK government-backed framework which is designed to assist organisations in protecting themselves against common threats. The Cyber Essentials provides a basic cyber security foundation that can serve as a stepping stone to a more comprehensive zero-trust approach. The Cyber Essentials is built on 5 key components that, when implemented correctly, can reduce cyber risk. The five key components are:

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

Tenable has released a series of reports, that focuses on each of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.

The focus of this report is Section 5 - Patch Management. Organisations which comply with Section 5 ensure they are actively fixing vulnerabilities before attackers can exploit them, reducing risk, and demonstrating responsible security practices. In addition to reducing risk, compliance demonstrates that organisations take security seriously, improving trust with customers, partners, and regulators.

This key component applies to all the following in scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, Iaas, PaaS, and SaaS devices. Some items to focus on within this key component are:

Reducing exploitable weaknesses
Keeping devices and software secure
Limiting the window of risk (enforcing timely updates)

This report contains the following chapters:

Unsupported Products - The Unsupported Products chapter focuses on products that have been identified as being unsupported.
Missing Microsoft Patches - The focus of this chapter is to present missing Microsoft Security Updates.
Outstanding Patches - The focus of this chapter is to present all known outstanding patches.

Cyber Essentials Section 4 - Malware Protection

Josef Weiss — Thu, 18 Sep 2025 18:25:54 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

Tenable has released a series of reports that focuses on each of the five basic technical controls, which organisations can use to help strengthen their defences against the most common cyber threats.

The focus of this report is Section 4 - Malware Protection. Malware threats are one of the most common and damaging cyber threats. The primary objective is to defend against threats, such as malware, viruses, ransomware, and others. Section 4 ensures you have an active protection in place for protection. Active protection helps prevent business disruptions from downtime, and costly recovery efforts.

Compliance with Section 4 builds trust with customers and suppliers by demonstrating that your organisation takes cyber security seriously. Compliance also assists in meeting contractual and regulatory obligations, and may provide a competitive advantage.

Ensuring Anti-Malware software is in use
Ensuring Anti-Malware software is kept up to date
Ensuring applications are protected against malware and exploitation

This report contains the following chapters:

Executive Summary - The Executive Summary provides several tables displaying an overview of malware protection compliance checks, top 100 malware vulnerable hosts, outdated anti-virus clients, and a malware exploitability matrix.
Anti-Virus Details - The Anti-Virus chapter provides a summary table of the top 10 anti-virus concerns, followed by an iterator providing anti-virus details captured from plugin output. Details include anti-virus signature information, version information, and information related to the anti-virus installation, as available for each product identified during a scan.
Malware Details - The Malware Details chapter provides a summary table of the top 10 malware concerns, followed by an iterator providing detailed information on malware related concerns that have been identified in the environment. Cross references, and remediation steps are included when available for each identified malware concern.

Cyber Essentials Section 3 - Access Control

Josef Weiss — Thu, 18 Sep 2025 18:23:16 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

The focus of this report is Section 3 - Access Control. This key requirement supports the goal of reducing an organisation’s risk from the most common cyber threats. The Cyber Essentials focuses on preventing high impact attacks, such as phishing, malware infection, and unauthorized access. Strong access control can limit the number of accounts which attackers can compromise, ensuring that individuals only have access which is required to perform job functions.

This key component applies to all the following in scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, Iaas, PaaS, and SaaS devices.

This report contains the following chapters:

Executive Summary - The Executive Summary contains a table of the Top 50 account related concerns. This table provides a quick overview of the top concerns in the environment along with the total count for each concern that has been identified.
Users and Groups - The Users and Group section contains a summary component and host iterator displaying host details such as the IP, DNS Name, OS CPE, and MAC address of the host in question, followed by a table displaying the any users and groups which have been identified on the host. User Accounts, System Accounts, Domain Accounts and additional information may be available, including Plugin details which collected the data.
Default Accounts - The Default Accounts section contains a summary component and details related to default accounts, credentials, users, and/or passwords. The information contains host data as well as plugin output, synopsis, descriptions, and steps to remediate, if data is available. The plugin output contains detailed information related to the finding. Information is only displayed for failed findings or findings which require manual intervention.
Account Compliance Concerns - The Account Compliance Concerns section contains a summary component and details related to compliance findings related to any account related compliance check. The information contains host data as well as plugin output, synopsis, descriptions, and steps to remediate, if data is available. The plugin output contains detailed information related to the finding. Information is only displayed for failed findings or findings which require manual intervention.

Cyber Essentials Section 2 - Secure Configurations

Josef Weiss — Thu, 18 Sep 2025 18:20:30 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

Misconfigured systems are often easy targets for attackers. The focus of this report is Section 2 - Secure Configurations which focuses on ensuring that computers and network devices are set up in the most secure method to reduce vulnerabilities and reduce organisations risk of exposure.

Secure Configuration (also called security hygiene) is ensuring that devices and software are configured in the most secure way possible to reduce vulnerabilities and exposure to cyber threats. Unused software or services can introduce exploitable vulnerabilities. Default accounts and passwords are widely known and easy to exploit. The focus of this section applies to: servers, desktop computers, laptops, tablets, thin clients, mobile phones, IaaS, PaaS and SaaS.

A secure configuration is your first line of defense. Default configurations and installations are not always secure. Secure configuration begins with the identification and removal/disabling of unnecessary accounts, applications, and services, organisations can minimize vulnerabilities.

This report contains the following chapters:

Software - The software section contains details related to installed software, software that End of Life, and Security End of Life (SEoL) software.
User Accounts - The user accounts section contains details related to default credentials, account weakness, and other insecurities.
Compliance Scanning - The compliance scanning section contains details related to audit checks and compliance scanning.

Cyber Essentials Section 1 - Firewalls and Internet Gateways

Josef Weiss — Thu, 18 Sep 2025 17:51:51 -0400

Firewalls and Boundary Devices
Secure Configurations
Access Control
Malware Protection
Patch Management

The focus of this report is Section 1 - Firewalls and Internet Gateways. Key components of this section apply to all the following in scope devices: Boundary Firewalls, Desktop Computers, Laptops, Routers, Servers, Iaas, PaaS, and SaaS devices. Devices must be secure and only necessary network services should be able to be accessed from the Internet. The objective of this key component is the control of inbound/outbound traffic.

This requirement applies to every in scope device, and can be achieved using Boundary Firewalls to restrict inbound or outbound traffic, a software firewall which is installed and configured on each end point device, or for cloud services, data flow policies. Most end point devices, such as desktops and laptops come with software firewalls pre-installed, and the Cyber Essentials recommends that these services be enabled. Essentially, every in scope device must be protected by either a properly configured firewall, or a network device with firewall functionality.

This report contains the following chapters:

Firewalls and Internet Gateways - This section displays information related to the identification of Firewalls and Internet Gateways,
Firewall Compliance Details - This section displays information regarding firewall compliance checks, and firewall rule enumeration for a number of firewall audits.
Port Details - This section presents details on port summaries for all active and well known ports.
Services Details - This section provides details on running services.