10 posts from August 2009

 

Tenable Network Security Podcast - Episode 1

Welcome to the Tenable Network Security Podcast - Episode 1

Announcements

Continue reading "Tenable Network Security Podcast - Episode 1" »

 

Using Nessus To Discover Rogue Access Points

A "Rogue" Access Point

Detecting and preventing rogue wireless access points is a major concern for many organizations. It is important to ensure that all wireless networks are established and configured in compliance with the organization’s policies and standards for wireless networks. The problem is that it is very easy for a user to establish a rogue wireless access point, either inadvertently or deliberately. A wireless access point plugged into your network will typically have an Ethernet connection tied into some part of your LAN and will bridge the two, providing wireless access to an attacker. Users could put one on the network for convenience, or a company-provisioned access point could be misconfigured by the IT department. Recently the PCI standards council has produced a document called "The Information Supplement: PCI DSS Wireless Guideline" that outlines the recommendations for securing wireless networks for PCI DSS compliance. This is a good reminder of how important it is for organizations to continually seek out rogue access points in their environments and remove them.

Continue reading "Using Nessus To Discover Rogue Access Points" »

 

Webinar - Whether Penetration testing helps or hurts your business

Recently, Tenable CSO Marcus Ranum participated in a Whitehat World webinar with Chris Nickerson, CEO of Lares Consulting. They debated the positive and negative aspects of network penetration testing.

If you are an organization currently running a penetration team, outsourcing a penetration test, or contemplating setting up your own team, this debate will provide you with a great deal of insight and information on the subject.

 

Web Application Scanning Using Nessus Video

Scanning web applications with Nessus offers the end user several new configuration options in the Nessus client. You should take into account:

  • Number of web servers and applications being scanned
  • Size of the applications (e.g. how many parameters does each CGI application have?)
  • Depth and scope of the scan with respect to the type of tests being performed and how exhaustive they should be

This video demonstrates how to set up Nessus to scan a web application using the new options:

You can visit our YouTube video channel at http://www.youtube.com/tenablesecurity for more exciting video tutorials!

 

PaulDotCom interview with Renaud Deraison

Episode #162 of the PaulDotCom show featured an interview with Renaud Deraison. Renaud discussed creating Nessus, performing network scans, the evolution of Nessus, what it takes to keep Nessus up to date with the latest vulnerability checks, and some of the new features of Nessus 4.2, which is currently in development.

 

Configuration Auditing php.ini To Help Prevent Web Application Attacks

Security and usability do not mix

PHP has a horrible reputation in the security industry based on a long history of vulnerabilities and vendor resistance to fixing them and improving security practices. It suffers from a common problem: the technology is designed to be easy to use, and therefore a high level of security is difficult to achieve. Many who are new to web application programming use PHP, but often do not pay attention to security. In addition to poor developer coding practices, PHP itself presents many vulnerabilities in its default configuration, even when seemingly harmless coding practices are in use. This leaves a plethora of vulnerable applications, some home-grown, many open-source and some commercial. As a result, many of these applications suffer from web-application-specific vulnerabilities. To give you an idea of just how many PHP-specific vulnerabilities there are, I ran some searches on the OSVDB web site. Below are the results:

Continue reading "Configuration Auditing php.ini To Help Prevent Web Application Attacks" »

 

Risky Business 119 - Featuring Paul Asadoorian

Last week I made an appearance on episode 119 of the Risky Business podcast with Patrick Gray. I spoke with Patrick about training and certification, specifically how it applies to the Information Security field and its importance in your career development.

We're also joined by a special guest in our sponsor segment this week, Paul Asadoorian, the host of the PaulDotCom Security Weekly podcast. Paul's day job is as Tenable's "Evangelist". He won't be evangelising anything this week though, he's popping by to talk about training. Paul did work for SANS, and we'll be asking Paul what he thinks training and certification are good for.

You can download the full episode from the http://risky.biz website.

 

Auditing Your Network For phpMyAdmin Using Nessus

Finding the Needle in the Haystack

It is important to know what applications and services are in your environment to properly evaluate risk. Recently, a question was posed about detecting phpMyAdmin, a popular application for managing MySQL databases. We've previously explored how this application could be used to take over a system, demonstrating the risk this application may pose. There are several actions to perform when searching for applications on your network (in this case we are searching for a web application). This blog post describes how Nessus can be used to perform the following actions:

  1. Detect if the application is running
  2. Test for known vulnerabilities
  3. Detect if the application is patched
  4. Evaluate the authentication mechanism
  5. Find any unknown flaws
  6. Check the security configuration of the host

Continue reading "Auditing Your Network For phpMyAdmin Using Nessus" »

 

Plugin Spotlight: Import Nmap XML Results Into Nessus

Nmap continues to be a powerful tool for port scanning, operating system identification, service identification and now supports extended information with NSE (Nmap Scripting Engine) scripts. A recently released NASL script allows you to import the Nmap results into Nessus. For example, you can run Nmap with the following switches:

# nmap -sC -sV -O -oX mynetwork.xml 192.168.1.3-250

Continue reading "Plugin Spotlight: Import Nmap XML Results Into Nessus" »

 

Installing Nessus on Backtrack 4

Backtrack 4 is a Linux distribution and “Live CD” (a bootable operating system on CD or DVD) that is designed for penetration testers. It contains a wide array of tools for performing penetration tests, web application assessments and reverse engineering. It is a simple process to get the latest version of Nessus installed and running on Backtrack 4.

There are two ways to create a Backtrack 4 bootable drive: create the partitions manually or run the install.sh program. I highly recommend running the install.sh program to perform a full installation of Backtrack 4. While you can boot the distribution from a manually partitioned CD or USB thumb drive, the file system is only temporary and you will lose changes on certain partitions. To avoid having to install Nessus each time you boot, you can install Backtrack 4 on any device, hard drive or USB thumb drive, and have a completely writable file system. You will need to boot Backtrack 4 and click on the "install.sh" icon on the desktop:

Continue reading "Installing Nessus on Backtrack 4" »