18 posts from October 2009

 

Defeating Zombies: Five Ways To Improve Defenses

Defeating Zombies

Attackers have a number of avenues leading directly into your network, and more importantly, into your data. Each week I read about new data losses, phishing scams and the release of hundreds of new vulnerabilities and exploits. Organizations are employing a rear guard action that is not necessarily tuned to today's attack techniques.

Tried and true defensive measures such as firewalls, anti-virus software and intrusion detection systems provide "operational security", but even when they run flawlessly they are typically not enough. Security programs need to evolve with the latest attack trends and Internet technologies. A great blog post by Tim Mugherini titled "Don't be the Smelly Kid" sums this up nicely. It describes the shift from attackers targeting network services to attacking web applications and client software. These new methods require updated education for management and the implementation of new and different security projects to protect your infrastructure.

Considering Halloween is around the corner, your security strategy can be compared to the situations in typical horror movies. When the defenseless victims are under attack from whatever threat is posed (zombies, Jason, Freddy, Michael Myers, etc.), they often make common mistakes such as piling all of the furniture in the room in front of the door while leaving the windows unsecured. Shooting zombies anywhere other than the head is another good example (those who have read "The Zombie Survival Guide: Complete Protection from the Living Dead" know that the only way to destroy a zombie is to destroy the brain!).


 

Interview with Ron Gula, CEO of Tenable Network Security

I recently had the chance to be interviewed by a student from the Johns Hopkins University Information Security Institute. The questions cover a wide variety of topics including hacking trends, certifications, penetration testing, compliance and patch management.


 

Event Analysis Training - Basic Virus Analysis

I recently worked with a customer who asked for advice on the following “virus” events:


They were seeing "virus" traffic more or less continually. If you run a network IDS and operate a busy email server, you will likely sniff virus traffic contained in inbound email messages.


 

Tenable Network Security Podcast - Episode 9

Welcome to the Tenable Network Security Podcast - Episode 9

Announcements

Interview: Andrew Hay



 

Using Nessus To Audit Microsoft Patches

Last week Microsoft released 13 security bulletins covering 34 vulnerabilities, much to the delight of overworked system administrators who now have to roll out and test the patches in their environment. Organizations are most likely at different stages of the patch deployment process: some may still be testing and some may have the patches rolled out to the entire environment. What all organizations have in common is the need to verify that patches have been installed properly. Nessus has several features, including credentialed scanning and plugins that list missing patches, that can assist in the patch verification process. We have produced a short video that demonstrates how to run this type of scan:

You can also find a full-size version of the above video on the Tenable YouTube Channel.


 

20/20 Hindsight – Walmart Lessons Learned for Tenable Customers

Wired magazine recently ran an excellent story detailing how Walmart suffered a deep intrusion. The story provides many examples of cliché security lapses such as not disabling a remote VPN account for a former Walmart worker. This blog entry describes how customers using Tenable Unified Security Monitoring solutions can learn from these mistakes and get more value out of their investment with Tenable.


 

Deloitte Names Tenable as one of America’s Fastest Growing Companies

Tenable Network Security was ranked 290th on the Deloitte 2009 Technology Fast 500™ program. This program ranks the fastest growing companies in technology, media, telecommunications, life sciences and clean technology in North America. Rankings are based on the percentage of fiscal year revenue growth during the past five years. Tenable’s revenue grew 441% during this period.


 

Tenable Network Security Podcast - Episode 8

Welcome to the Tenable Network Security Podcast - Episode 8

Announcements

  • New blog post: Microsoft "Patch Tuesday" - The Aftermath
  • Tenable Appliance 1.0.3 is the latest appliance release. It supports VMware ESX versions 3.5 and older, vSphere/etc. 4.0 versions, and VMware Player, Server, Workstation and Fusion.
  • An article went up on our blog about the Louisville Infosec conference.

Interview: Casey W. O'Brien - Community College of Baltimore County

Casey O'Brien, Co-Director of the Cyberwatch Center


 

Microsoft "Patch Tuesday" - The Aftermath

Black Tuesday

This month Microsoft released 13 new security advisories. While 13 sounds like a moderate number, digging into each of the security advisories reveals that each one actually patches multiple vulnerabilities, bringing the grand total to 34 individual vulnerabilities. Couple that with the recent Adobe announcements disclosing 29 vulnerabilities in the Adobe Reader product, along with the release of the associated patches, and administrators have their work cut out for them (note that Nessus plugins have been released to detect these vulnerabilities; refer to plugin ids 42119 and 42120). Assessing the risk to your organization when there are this many patches in common software can be a daunting task, but an important one. While both Microsoft and Adobe attach a severity rating to each advisory, organizations need to evaluate the risk each vulnerability poses to their specific environment and implement a patching cycle that is most effective at reducing risk for them. For example, the Microsoft IIS FTP server remote exploit vulnerability has a "critical" rating, but if you already have mitigating factors in place, or are not running IIS on mission-critical systems, then you will want to focus your efforts on getting other patches tested and installed first.


 

Louisville Metro Infosec 2009

A Small Conference with a Big Presence

Last week I attended the Louisville Metro Infosec conference that was held at Churchill Downs in Louisville, Kentucky. The sold out event hosted 375 people and 28 sponsors. Although this was a small local event, it had the feel and energy of a much larger conference.


Louisville is the home of the "Louisville Slugger" factory where they still provide the bats for major league baseball players.


 

Tenable Network Security Podcast - Episode 7

Welcome to the Tenable Network Security Podcast - Episode 7

Announcements

  • New blog post going up today on the experiences at Cyberdawn, a cyber exercise that puts hackers against defenders in a realistic environment.
  • Attention Security Center customers! A new version of Security Center, 3.4.5, has been released and is available for download in the customer support portal (Security Center customers can find the release notes in the discussion portal). It includes such improvements as web application scanning support.
  • Paul Asadoorian was interviewed on Securabit Episode 40 and discusses all things Nessus and some of the features in our enterprise products such as Security Center and the Passive Vulnerability Scanner (PVS).
  • Paul Asadoorian spoke at the Louisville Infosec conference on web application security on October 7, 2009
  • As always be sure to check out our blog at http://blog.tenablesecurity.com

Interview: John Bos - Cybrex, LLC

John Bos joins us to talk about his 10 years of experience with the Defcon CTF and his team "sk3wl0fr00t".


 

Event Analysis Training – More SSH Worm Analysis

I recently observed an SSH worm in progress at one of the research sites running our suite of products. I was looking into a spike of SSH events that had been alerted on by the Log Correlation Engine's stats daemon. Filtering on the remote IP address that was causing the anomalies (it came from the 240.0.0.0/8 Class A address space) displayed this screen:



 

Cyberdawn - A Diverse Cyber Exercise - Part II

Passwords are just so easy to abuse...

It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not through rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.


Hacker "ftp" at work, winning the game using built-in tools such as bash, python and SSH.


 

Using Real-time Events to drive your Network Scans

I recently had the opportunity to write an in-depth article for issue #22 of (IN)Secure magazine. The article discusses how the results and reports from your real-time network monitors can be used to make better decisions about how your vulnerability scanners are used.

In short, there should be a feedback loop between your scanners and your event monitors. Each process can help refine the other and ensure you are performing the correct level of monitoring. This is also a basic component of our Unified Security Monitoring strategy. Read the full article here.

 

Cyberdawn - A Diverse Cyber Exercise - Part I

Cyber Exercise

Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

Sidebar: What is a Cyber Exercise?
“A cyber exercise is a live computer network attack and defense event. A typical exercise runs at least one day for a small team and up to five days for large organizations or multiple teams. Teams generally fall into two categories: attackers (Red Team) and defenders (Blue Team). Defenders are scored on their ability to keep their IT systems up and functional in support of their business processes. Attackers are scored on their ability to disrupt business operations.”
See http://www.whitewolfsecurity.com for more information.


 

Tenable Network Security Podcast - Episode 6

Welcome to the Tenable Network Security Podcast - Episode 6

Announcements

  • New blog post going up today on the experiences at Cyberdawn, a cyber exercise that puts hackers against defenders in a realistic environment.
  • Attention Security Center customers! A new version, 3.4.5, is due to be released soon and will include improvements such as web application scanning support.
  • We are looking for feedback on the new Nessus client version 4.2, so head on over to our Nessus discussion forums and let us know what you think!
  • As always be sure to check out our blog at http://blog.tenablesecurity.com


 

Tenable Wins Reader's Choice Award

Nessus, the Security Center and the Passive Vulnerability Scanner were awarded a Reader's Choice award from Information Security magazine and SearchSecurity.com. The winners "were selected based on extensive, in-depth discussions and interviews between the editors of Information Security magazine and SearchSecurity.com and over 1,700 information security executives and managers, who were asked to assess and rate products deployed within their organizations from a listing of more than 380 products spanning 17 product categories. The judging panel then selected Gold, Silver and Bronze award winners within each product category."


 

Analyzing Network Metadata

When analyzing network traffic, the contents of the packets are typically less important than the information about them: where they are going and how they got there. This "network metadata" (often referred to as NetFlow data) can reveal interesting information about your network and often uncovers misconfigurations, policy abuses and security incidents. I relate it to the movie "The Matrix". In the movie there is a scene where the characters are looking at computer screens displaying "the matrix". Those who are not accustomed to looking at the matrix will not see "The Blonde" or "The Brunette", but will just see a bunch of green characters.

What do you see?
