Tenable's CSO, Marcus Ranum, was recently interviewed on the PaulDotCom Security Weekly podcast. They discussed a wide range of topics regarding penetration testing, secure coding, Marcus's "6 Dumbest Ideas" in computer security and much more.

• Full PaulDotCom show notes.
• Direct link to the show's MP3 audio recording.
• Tenable podcast and slides on Marcus's "6 Dumbest Ideas in Computer Security" presentation from from 2006.
• Very cool image of Marcus Ranum demonstrating cutting edge computer security practices.

Microsoft recently released a critical security bulletin, MS08-067 that described a privately reported vulnerability in the Server service and provided a patch for this vulnerability. What was unusual was that this bulletin was released independently of Microsoft’s usual patch notification process and caused quite a bit of concern for many organizations. Tenable used this opportunity to help a number of organizations monitor their networks to determine if this issue had been mitigated. I had the opportunity to speak with many different customers and was surprised at the different priorities, techniques and level of response that varied from organization to organization. In this blog, I will share some of the situations and trends I ran into while working with Tenable Nessus and Security Center customers.

Tenable’s research team released two checks for MS08-067. One of them, plugin #34477, works without any credentials. It verifies the vulnerability by connecting to Windows systems on port 445 or port 139 and performs a check for it. This plugin has the advantage of being fast and not requiring credentials. The other check (plugin #34476) performs a credentialed patch audit for the same vulnerability. This plugin performs file level analysis to ensure that the right system DLLs have been patched. This technique is more accurate than relying on registry checks alone and can also identify systems that have been patched, but perhaps are waiting on a system reboot for them to truly be effective.

I found that the enterprise organizations that tended to rely on un-credentialed scans generally had immature vulnerability and patch management programs. This was by no means a scientific study, but very often, if we were working on an enterprise un-credentialed scan of several thousand hosts for MS08-067, there was no follow up patch audit or configuration audit. The following were typical comments and conversations:

• The organization doing the scanning did not have good communications with IT or the multitude of IT organizations. There was simply too much burden to manage credentials across the organization, and if the IT group(s) had some sort of patch auditing solution, it was not centralized in a way that was accessible to perform a corporate audit.
• There was a perception that MS08-067 was “worm-able” and that the best way to check for it is with an exploit. This is a very dangerous assumption. There are many different scenarios where a network exploit will not work because of a firewall rule or a system configuration. Being un-exploitable and un-patched are two different states. A configuration or firewall filter could eventually change, making the system vulnerable. 
• There were also many organizations that cited the CVSS score of 10 as the main reason for the patching. I would jokingly ask if it would help them politically if we just started putting “10s” on all of the vulnerability audits produced by Nessus so these groups could get the resources they needed. Here was the rub though – I asked about client side issues that had CVSS scores of 10 such as issues with web browsers, email clients and chat clients. The response was often that the organization was not concerned with client-side issues and they ran anti-virus solutions. I have a big issue with this because anti-virus only protects you from common viruses. It does not plug the actual attack vector. For example, anti-virus technology may prevent a malicious site from spreading the latest Trojan to your vulnerable web browser, but at the same time, it will not stop a custom exploit designed to grant access to your network from the outside or any number of scenarios an attacker could attempt.

I did run into organizations that were using the Nessus network checks for MS08-067 very efficiently:

• Some organizations had large patch-management operations and were using network scans to get an independent view of how effectively these patches had been rolled out. Tenable support has often received calls from customers when there was a discrepancy between the patch auditing software and Nessus. We’ve blogged before about the many reasons patch management systems can fail.
• They used Nessus to simulate PCI audits from their ASV and they wanted to get ahead of any potential compliance issues. I would also argue here that patch auditing with Nessus is still quicker and faster than performing a full network scan, but often production PCI systems are extremely locked down and even the auditors do not have direct access to monitor these systems. I find these situations intolerable and see many organizations restricting access to these systems to the point that there are not enough administrators to keep them patched and running. 
• Some organizations had large numbers of Windows XP (not XP Pro) systems that were not part of a domain, and not running some sort of patch auditing agent. Performing a network check on these systems was the only option.

Anytime I had the opportunity to speak with a customer, I urged them to try and take their system monitoring program to the next level:

• If they were just doing scanning, I explained that patch auditing is more comprehensive, quicker, accurate and less intrusive than a network scan. I provided specific examples such as WMI and netstat port scanning as well as Unix and Windows process enumeration. I also pointed a lot of customers to the blog “Knowing When to Patch” which really shows how to move your scanning programming from monitoring for vulnerabilities to monitoring your patch management program.
• If an organization had adopted some sort of patch auditing with Nessus (or even as a complement to an agent-based patch management solution) I suggested that configuration auditing can help minimize variance in operational system settings. This in turn can minimize outages, IT help desk calls and can also increase overall security.  A great example of this occurred when I was chatting with a customer about MS08-067 and I asked if they also could show what the password complexity and lockout polices were for all of their Windows 2003 servers. They could not. However, the point was made and the person I was speaking with is attempting to use MS08-067 to get them to be more proactive. 
• Lastly, if an organization has a good handle on patch and configuration auditing, I ask them how fast they can react to a bad network/system change or a new vulnerability. Detecting non-compliant (insecure or mis-configured) systems early enables it to be corrected quickly and reduces the chance of exploitation. For MS08-067, I asked customers how often they scan their network for new hosts that are un-patched.  Not every security group that does network scanning has access to a log analysis tool or SIM, but for Security Center customers that upgrade to the Log Correlation Engine, I spent some time showing them how they can use logs to look for change in real-time. Similarly, if a group has access to a network span port, running a product like the Passive Vulnerability Scanner allows them to see what is on their network in real-time.

The bottom line here is that although there are many different ways to monitor security, the real question is did you and your staff respond to MS08-067 proactively or reactively?

Tenable Network Security is seeking to fill a variety of technical and sales positions. These positions primarily reside in our Columbia, Maryland office. If you or someone you know would be a good fit for any of the positions I've outlined below, please have them contact us by emailing jobs@tenablesecurity.com.

• Customer Support Engineer
  Job Description: Help Tenable's customers install, configure and troubleshoot our scanning, configuration auditing, log analysis and network monitoring solutions.
  Requirements: The right candidate should have some help-desk experience, very good knowledge of Nessus and a firm understanding of networking and operating system functions. The ideal candidate will have on-the-job-experience with multiple Tenable products.
• Enterprise Security Technical Writer
  Job Description: Primary author for the Security Center documentation, knowledge base articles, quick start guides, and product release notes. This person would regularly interact with Tenable's Training, Customer Support, Sales and Development teams and would also regularly contribute to blog entries, official Tenable white papers and product webinars.
  Requirements: Must be an excellent technical writer and have 2-4 years experience working with configuration auditing, vulnerability scanning, network montioring or log analysis tools.
• Graphics Artist
  Job Description: Help our marketing, documentation and training groups produce professional charts, images, diagrams and logos.
  Requirements: 2-4 years of graphics design for web based content, technical drawings and/or online advertising. Should be comfortable working with Adobe editing tools and Microsoft Office. Should also consider themselves artistic and creative. Any experience with Flash animation such as Adobe Captivate or Camtasia Studio is also a desired, but not required.
• IT Engineer
  Job Description: Work in Tenable's IT group which supports our internal and remote workforce, a variety of custom internal applications, VMware Lab Manager, telecommunications and the nessus.org and Tenable web sites.
  Requirements: Minimum 4 years experience Unix (Linux or FreeBSD) administration with some Cisco router/switch management. Any experience with VMWare in the enterprise, Unix based mail administration, MySQL maintenance or DNS is also strongly desired.
• Nessus Vulnerabiltiy Researcher
  Job Description: Perform analysis of vulnerable operating systems, applications and network devices in order to write efficient NASL plugins for the Nessus Vulnerability Scanner.
  Requirements: Minimum 2-4 years in-depth experience auditing Unix and Windows commercial and open source applications with Nessus. Must have some experience writing or modifying NASL scripts in a production environment and a deep knowledge of Unix and Windows internals.
• Sales Engineer - West Coast, USA
  Job Description: Present technical demos to potential customers about Tenable's solutions. Assist customers in evaluations, bake-offs and other types of product testing.
  Requirements: Must have 3-5 years experience with enterprise vulnerability scanning, log analysis, NBAD and configuration auditing solutions. Must also be physically located in California and able to travel.
• Trainer/Instructor for Nessus and Enterprise Security Solutions
  Job Description: Assist in management and delivery of course material, online tests, electronic training content for multiple courses providing certification training for Nessus users and Tenable Enterprise products.
  Requirements: Must have a security background such as a researcher, consultant or security administrator and have a strong desire to teach. Experience with Nessus, Tenable solutions, log analysis, security management, network monitoring and information security and compliance is also desired.
• Unix/Windows C/C++ Developer
  Job Description: Assist in the development of Tenable's Passive Vulnerabiltiy Scanner and Log Correlation Engine for both the Windows and Unix platforms.
  Requirements: Minimum 4 years experience with C programming for .NET, C, and/or C++. Must be familiar with Linux and Windows internals. Any expertise working with network sniffing and log normalization/correlation is also desired. 

All positions are immediately available, require US citizenship and (with the exception of our west coast sales engineer position) will be located in our recently expanded office in Columbia, Maryland. 

Tenable Network Security is a unique place to work. We've been very successful in a market that has many competitors. We've been able to do this by hiring the right people for the right jobs.

If you would like to submit a resume, please email it to jobs@tenablesecurity.com and indicate which position you are applying for in your subject line.