13 posts from April 2009

 

Event Analysis Training – SSH Brute Forcing with Mixed Log Sources

I was recently working with a Log Correlation Engine customer who had gone through a typical deployment. Tenable advises customers to carefully consider which system and application logs they want their LCE Clients to send to the LCE server, in addition to a variety of Snort, Firewall and network activity logs. In this case, the customer had recently configured their system to send SSH logs to the LCE whereas before, they were only getting "network" events. When I had the opportunity to chat with them, they were very concerned about various worms or potential intruders performing a network scan such as those shown below:

Continue reading "Event Analysis Training – SSH Brute Forcing with Mixed Log Sources" »

 

AfterBites: Joint Strike Fighter Plan Compromise

The story:

Spies Penetrate Pentagon's Joint Fighter-Jet Project (April 21, 2009)
Cyber spies have stolen tens of terabytes of design data on the US's costliest weapons system -- the $300 billion Joint Strike Fighter project. Similar breaches have been found in the Air Force's Air Traffic Control System. The attacks began as far back as 2007 and continued into 2008. The spies encrypted the data that they stole, making it difficult for investigators to know exactly what data was taken. The fact that fighter data was lost to cyber spies was first disclosed by U.S. counterintelligence chief Joel Brenner. Brenner also expressed concern about spies taking control of air traffic control systems, saying there could come a time when "a fighter pilot cannot trust his radar."
http://online.wsj.com/article/SB124027491029837401.html

I've touched before on the topic of data leakage and national security; now it seems that the national security establishment is banging the same drum, albeit louder than I ever could. Such an embarrassing "slip" would normally be deeply buried - the fact that it's being outed by the "U.S. Counterintelligence Chief" ought to tell you something: this is part and parcel of the government's new "yellow terror" cybersecurity red scare. I don't know about you, but I'm on the fence about this - part of me wants to be happy that cybersecurity is being taken seriously, whereas the other part of me remembers the disastrous Department of Homeland Security and War On Terror. I detect a distressing pattern of our government saying "be afraid, be very afraid. And, oh, yeah, pull out your wallet."

Continue reading "AfterBites: Joint Strike Fighter Plan Compromise" »

 

Tips For Using Nessus In Web Application Testing

While Nessus has traditionally been a network vulnerability scanner, it contains quite a bit of functionality that can be used to identify vulnerabilities in custom web applications. This is not to say that Nessus will replace your favorite web application testing tool (or methodology), but it does provide useful information that can be used as the foundation for web application assessments or to indicate that deeper testing is warranted.

There are two different approaches to web application testing. The first is part of a larger so-called "blind" test, where you are given a range of IP addresses and asked to test the devices and systems within those ranges. The web applications running within this space will usually be tested generically, but a general scan may not specifically test for web vulnerabilities. You need to first find and enumerate which web applications are running and then run targeted scans that specifically look for web vulnerabilities. The second form of testing is when you are given the URL, and typically credentials, to the web application and asked to test it specifically. Nessus can help with both of these tasks, and provide valuable information that will help with your testing. Nessus provides some of the first steps of web application testing, such as identifying the web server software and technologies, detecting vulnerabilities in common/popular web application software and rudimentary CGI application testing. This post focuses on using Nessus for network-based testing, and describes several compliance-based checks that provide very thorough testing of web application environments, including scanning to test for the OWASP PHP security specifications and Apache CIS Benchmarks.

Continue reading "Tips For Using Nessus In Web Application Testing" »

 

Auditing Linux, Apache, & MySQL Against CIS Benchmarks

Stacking Up to CIS Benchmarks

The Center for Internet Security (CIS) establishes consensus benchmarks for a large variety of applications and operating systems. These benchmarks are a valuable aid to evaluate the security of your systems. Tenable has produced a number of Nessus audit files that have been certified by the Center for Internet Security to perform audits against the CIS standards. These audit files are available to ProfessionalFeed and Security Center customers through the Tenable Support Portal.
To use these audit files, you will need to provide Nessus with credentials to log in to the target host to compare the configuration against the CIS standards. Scans that use login credentials run much faster than network-based scans and the results often provide more detailed vulnerability findings and information on configuration issues.

Continue reading "Auditing Linux, Apache, & MySQL Against CIS Benchmarks" »

 

Detecting UPnP With Nessus & PVS

Conficker Attacks UPnP

The Conficker worm's behavior has been analyzed by many security professionals who have shared their findings with the community (the paper from SRI is a great example). One of the common findings is that Conficker will connect to the local router/gateway via UPnP and make changes to the firewall, if the firewall supports unauthenticated UPnP. If so, it uses UPnP to open a high-numbered port in the firewall, allowing access to that port from the Internet. It then opens the same port on the infected host, and uses it to distribute the worm further across the Internet. The use of UPnP, as well as insecure UPnP devices, can be detected by Tenable's Nessus and PVS products.

Continue reading "Detecting UPnP With Nessus & PVS" »

 

PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4

PCI-DSS Scanning

The effectiveness of the Payment Card Industry (PCI) standards in securing systems responsible for credit card transaction processing is a matter of debate among information security professionals. Regardless of the hype or negativity surrounding PCI, it remains a requirement for many organizations to follow. Nessus has built-in PCI-DSS compliance checks that compare scan results with the PCI standards and produce a report on your compliance posture. It is very important to note that a successful compliance scan does not guarantee compliance or a secure infrastructure. Compliance scanning is just one tool to be used as part of a comprehensive program that includes the appropriate policies and procedures to ensure that assets are appropriately protected.

Continue reading "PCI-DSS Auditing Linux, Apache, PHP, & MySQL With Nessus 4" »

 

Nessus 4 Performance Benchmarks

Tenable has published official performance comparisons between Nessus 4, Nessus 3 and Nessus 2. We strongly encourage anyone interested in performing this type of performance analysis to follow the comprehensive methods we used in testing. The major findings of our testing include the following:

  • Nessus 4 was up to five times faster than Nessus 3 on Windows.
  • Not only does Nessus 4 use less memory, its shorter scan times also reduce processing time.
  • Nessus 4 is ten times faster than Nessus 2.

Of course, every network is different and quantifying performance for a network scanner is not an easy task. While we found the performance gap to be quite significant in our testing, results may not be typical in your environment - your mileage may vary. In particular, slow web server scan targets and increased network latency will limit any performance improvement. You are encouraged to share your experience about performance on the Nessus Discussion Portal.

Today there are more than 25600 plugins covering 10160 unique CVE IDs and 7073 Bugtraq IDs available to Nessus HomeFeed and ProfessionalFeed users. We expect this number to keep growing and are confident that Nessus will remain the premier scanning solution for performing network scanning, patch auditing and configuration testing of desktops, servers, databases and network devices.

 

Creating Custom Reports With Nessus 4

XSLT Reporting

A new feature in Nessus 4 is the ability to use XSLT stylesheets to create custom reports. The stylesheets read the .nessus XML file and allow you to create a number of different report styles, such as HTML and CSV, as well as extract or sort specific data from the scan results. Nessus 4 comes with several built-in stylesheets that can sort results and display a report based on several criteria, including:

  • Sort By CVE
  • Sort By IP Address
  • Sort By Port
  • Sort By Vulnerability

You can use this feature in conjunction with the report filtering to more easily create custom reports.

Continue reading "Creating Custom Reports With Nessus 4" »

 

Nessus Version 4 Released


Tenable is pleased to announce the release of Nessus version 4! This blog post highlights some of the enhancements and new features available in Nessus 4.0. One of the most notable features is the ability to create custom XSLT reports based on your scan results. Nessus now also supports a fully multi-threaded scanning engine, which improves performance and decreases your scan times. Nessus ProfessionalFeed and HomeFeed customers can upgrade to the latest version by visiting the Nessus Web Site. Please review the updated Nessus 4.0 Installation Guide and NessusClient 4.0 User Guide for installation and upgrade instructions and a complete list of new functionality and features. The following is a highlight of some of the features and improvements:

Continue reading "Nessus Version 4 Released" »

 

Configuring Nessus To Scan Through Firewalls

Nessus Scanning Through Firewalls

A number of factors can inhibit a successful Nessus scan: busy systems, congested networks, hosts with large numbers of listening services and legacy systems with poor performance all contribute to scan failure(s). However, firewalls (or other types of filtering devices) are one of the major causes of slow or inaccurate scans. Firewalls are essential for an organization's perimeter protection and internal network segregation. Host-based firewalls are now common on both Linux and Windows systems. Scanners can be placed on network segments behind a firewall to avoid these problems, but this may not be feasible in your network, creates the extra burden of moving a scanner around and is ineffective against host-based firewalls. Even if you allow the scanner's IP address through the firewall, connection tracking and stateful inspection can interfere with the scan. There are two strategies for dealing with firewalls when using Nessus to perform internal or external vulnerability scans.

Continue reading "Configuring Nessus To Scan Through Firewalls" »

 

Root Is Just A Few Clicks Away

Default vendor logins and passwords are a common security issue that Nessus can scan for. Some of these default accounts can pose a serious security risk, depending on the type of access they permit. Nessus plugin id 35029 ("Dell Remote Access Controller Default password (calvin) for 'root' account") is a great example of this. It looks for a default username and password present on DRAC (Dell Remote Access Controller) devices which provide remote systems management for Dell servers.

Continue reading "Root Is Just A Few Clicks Away" »

 

Updated Conficker Detection Plugin Released

The Tenable research team has been steadily working on creating accurate checks for Conficker-infected hosts. Over the weekend researchers Felix Leder and Tillmann Werner of the University at Bonn released details on how to detect Conficker using network-based checks. This checking methodology was used as the basis for Nessus plugin 36036 as well as the Nmap NSE script created for the same purpose.

Continue reading "Updated Conficker Detection Plugin Released" »

 

nessuscmd Tip: Finding Open SMB File Shares

Penetration testers spend a lot of time searching for software vulnerabilities, such as buffer overflows or SQL injection. However, there are many other ways in which networks and systems can present vulnerabilities. Open SMB file shares can disclose sensitive information about an organization: I've found everything from student grades to bank account numbers using this technique. A great way to check for the presence of open SMB shares is to run a quick Nessus scan from the command line as follows:

Continue reading "nessuscmd Tip: Finding Open SMB File Shares" »