Advantages Of Running Both Network & Authenticated Nessus Scans

Implementing Different Scan Types

Often, Nessus and Security Center users ask how often they should run a vulnerability scan, and what kinds of scans should be run. In a previous post we explored some of the different scan types, including network checks, local checks and configuration auditing. I often encourage people to run all three types of scans against their network with different frequency. All three types provide interesting and useful results that should be included in your vulnerability management program. In this post we will explore the differences, and benefits, of running the first two types of scans mentioned: network-based scans and local checks.

Continue reading "Advantages Of Running Both Network & Authenticated Nessus Scans" »

Scanning Embedded Systems In The Enterprise With Nessus

It’s the Small Things

Embedded systems continue to be overlooked in many environments, but they can often present as much risk as other systems on your network, if not more. Every enterprise has some form of embedded device, from printers to routers and switches, that exists on the network and exposes services that could be exploited. Some recent examples include:

Continue reading "Scanning Embedded Systems In The Enterprise With Nessus" »

Tenable and SANS Consensus Audit Guidelines (CAG)

The SANS Consensus Audit Guidelines (CAG) is a compliance standard that specifies 20 "control points" that have been identified through a consensus of federal and private industry security professionals. This blog post provides a summary of the SANS initiative and an overview of how Tenable’s solutions can be leveraged to demonstrate compliance with these guidelines. Tenable has also released a technical white paper that shows exactly how our scanning, log analysis and auditing solutions can be used to monitor the SANS-CAG controls.

Continue reading "Tenable and SANS Consensus Audit Guidelines (CAG)" »

Tenable Log Correlation Engine & Splunk Integration

Setting up the Log Correlation Engine & Splunk

Tenable has recently released a new Log Correlation Engine (LCE) client that allows you to collect log data from Splunk installations to send to LCE, Tenable’s solution for log storage, normalization and correlation. If you have instances of Splunk in your environment, it’s a simple process to configure the integration. Below is an overview of the traffic flow:

Continue reading "Tenable Log Correlation Engine & Splunk Integration" »

Upcoming Webinar: Using Nessus In Web Application Testing

This webinar will feature Ron Gula and me, and will discuss how to use Nessus to perform security auditing of custom web applications.



Continue reading "Upcoming Webinar: Using Nessus In Web Application Testing" »

Enhanced Web Application Attacks Added To Nessus

Nessus Web Attacks

The Tenable research and development team has released a new set of plugins and options to dramatically improve the web application testing functionality of Nessus. The new plugins give the end user more control over how Nessus tests for web application vulnerabilities, and expand the types of testing that are performed. The new testing methods implement several additional CGI tests that look for different classes of vulnerabilities such as SQL injection, remote file inclusion and more. The following plugins are now available to both ProfessionalFeed and HomeFeed clients:

Continue reading "Enhanced Web Application Attacks Added To Nessus" »

Log Management Webinar - Ranum, Gula and Selby

Tenable CEO, Ron Gula, Tenable CSO, Marcus Ranum and 451 Group Vice President Nick Selby will discuss the recent 451 study which concluded that log management was more valuable to organizations than correlation. The webinar will discuss the 451 research, Mr. Selby will answer questions from Mr. Gula, Mr. Ranum and the webinar attendees, and then Tenable will demonstrate how their Log Correlation Engine can meet the needs of organizations who want to perform both log management and event correlation.

Monday, June 22, 2:00 PM to 3:00 PM EDT

Registration Link: https://www1.gotomeeting.com/register/828303984

The webinar will be recorded and placed online after the event.



Protecting Scanning Credentials from Malicious Insiders

Security breaches can come from those you least suspect. Have you ever wondered what would prevent a malicious insider from obtaining privileged credentials during an IT audit? It would be a simple matter of just setting up a Linux or Windows box with a sniffer or backdoor to grab the domain or root password during the audit. Tenable has written Nessus 3 and Nessus 4 to take advantage of underlying protection mechanisms in SSH and Windows authentication protocols to limit your exposure to this type of attack.

This blog entry describes how you can securely audit your Unix and Windows hosts to limit exposing these credentials to an insider and also how to use Metasploit to test any vulnerability scanner to see if it is vulnerable to this type of attack.

Continue reading "Protecting Scanning Credentials from Malicious Insiders" »

Successful Security Assessment Programs

Recently I gave a presentation at the “SANS Penetration Testing Summit” titled "Zen and The Art Of An Internal Penetration Testing Program". This presentation outlines the steps required to create a successful program and perform internal penetration testing. There are several key components that must exist to create a successful program:

  • Getting Management Buy-In - This is the first and most important step. Management must understand the testing strategy and be kept in the loop on the results and remediation. Business units must also be consulted to determine the impact scanning will have on their environment and to establish a schedule for scanning. Whatever kind of testing you plan to perform, from vulnerability scans with Nessus to full-blown penetration testing, you must get approval from management.

Continue reading "Successful Security Assessment Programs" »

Passively Detecting SQL Injection

SQL injection is a class of vulnerabilities that can plague web applications in your environment, often with devastating consequences. They can be difficult to detect and validate and are sometimes the cause of major data breaches. This is a deadly combination. Databases contain the information that attackers are after, including SSN, credit card numbers and other information associated with an individual’s identity such as name, address, phone number, mother's maiden name and more.

Continue reading "Passively Detecting SQL Injection" »
