13 posts from August 2010

 

Tenable Network Security Podcast - Episode 48

Welcome to the Tenable Network Security Podcast - Episode 48

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Ron Gula

Ron and Paul discuss web application testing using Nessus!


 

The Three Legged Stool Of Vulnerability Management

Don't Fall Off The Stool

When I developed the course "Advanced Vulnerability Scanning Techniques Using Nessus", I wanted to mention some of the trade-offs we make when we perform vulnerability scans using different configurations. Nessus creator Renaud Deraison helped point out that it seems to come down to three factors: speed, intrusiveness and comprehensiveness. What I found was that these three factors were extremely important throughout the duration of the class, and I realize that for vulnerability scanning and vulnerability management, these factors must be taken into consideration.

"Vulnerability scanning is a balance between speed, intrusiveness and comprehensiveness."


 

Tenable Network Security on the Inc 5000 List

As the CEO and co-founder of Tenable Network Security, I am very proud to announce our inclusion in the 2010 Inc 5000 list of fastest growing companies in the United States. We placed #1369 out of 5000 ranked companies. Tenable is unique on this list as one of the only security companies present that is neither public nor has raised external investment capital. Tenable is approaching our eighth year of business and we have every intention of continuing to grow, continuing to innovate and most of all, continuing to help our customers enhance and monitor their state of security and compliance. If you want to join our winning team, Tenable has many open positions helping to support customers, perform security research and much more.


 

Tenable Network Security Podcast - Episode 47

Welcome to the Tenable Network Security Podcast - Episode 47

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

Passive Vulnerability Scanning Segment with Ron Gula

Ron joins us to discuss some new features added to the Passive Vulnerability Scanner, including:

  • VxWorks and QNX passive vulnerability detection
  • New passive patent
  • New PVS licensing options for network address spaces


 

Nessus Web Application Scanning - New plugins & Configuration

Zen and the Art of Nessus Web Application Scanning

Tenable’s research and development teams have been steadily adding new features and plugins to the web application scanning functionality in Nessus to detect web application vulnerabilities. These can be grouped into two categories:

  • Known Web Application Vulnerabilities - Nessus contains over 1,700 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses : XSS" plugin families is written to enumerate vulnerabilities that have been previously reported in a web application product (open-source or commercial). To enable these plugins, you MUST enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families, they will not execute if CGI scanning is not enabled.
  • Previously Unknown Web Application Vulnerabilities - This level of scanning uses various fuzzing and other enumeration techniques to detect vulnerabilities that may not yet have been discovered. Each parameter of the web application is tested for SQL injection, cross-site scripting and a large number of other common web application attacks. Nessus has a comprehensive list of different attack strings and methods to find vulnerabilities in web applications. More information about these can be found in the Nessus User Guide.

The following sections provide more detailed information on how to enable features within Nessus to perform more exhaustive web application scans. Please note that use of these features will cause your scans to run longer!

Web Application Test Settings

[Screenshot: Web Application Test Settings, with two options highlighted in red that direct Nessus to be more comprehensive]


 

Tenable Network Security Podcast - Episode 46

Welcome to the Tenable Network Security Podcast - Episode 46

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements



 

San Francisco Security Showcase - Sept 15, 2010

Tenable Network Security presents a unique opportunity to see three of the industry’s visionary leaders during one free event at the Embarcadero Center in San Francisco. 

Scheduled to present during this half-day event are:

  • Renaud Deraison (Creator of Nessus®, Tenable Co-founder and CRO)
  • Ron Gula (Creator of the Dragon IDS, Tenable Co-founder and CEO/CTO)
  • Marcus J. Ranum (Creator of the proxy firewall, NFR founder and Tenable CSO)

Topics covered will include:

  • Nessus overview and future plans
  • The advantages of pairing active and passive scanning
  • An overview and discussion of current security strategies and new industry trends
  • The past, present and future of regulatory compliance
  • Tenable Network Security product/solutions overview


 

Microsoft Patch Tuesday Roundup - August 2010 - "Geronimo!" Edition

This month's Patch Tuesday has been described by some as a "hot mess of vulnerabilities". This record-breaking Patch Tuesday contains 15 security bulletins that fix 34 vulnerabilities. While many people have been quick to classify which of these are "critical", I believe that criticality and risk are best determined by the affected organization, not third parties. However, I do recommend that everyone review the information presented, especially the resources prepared by the Internet Storm Center and the Open Source Vulnerability Database. Both of these sources pull in all of the relevant information about each security bulletin, providing a more complete picture to help evaluate your own prioritization efforts. The bulletins prepared by Microsoft still do not explore the various aspects of each vulnerability and, in particular, do not always specify whether or not a vulnerability can be exploited.

The "Mitigating Factors"

In the MS10-047 and MS10-048 security bulletins, which cover eight separate vulnerabilities, Microsoft states the following as a mitigating factor:

"Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users."

I don't like to point fingers or call people out, but Microsoft’s statement is not true. The statement that an attacker "must have" valid logon credentials is a bit concerning. If "logon credentials" are something that you have in your possession, such as a pen or a mouse, then the attacker does not need them. An attacker can certainly convince an already-logged-in user to execute the code that performs the privilege escalation. In this scenario, the attacker does not "have" the logon credentials; they are merely able to execute code as a non-privileged user, which is a completely different situation. The vulnerability can be exploited remotely, provided you have already exploited a vulnerability that granted you permission to execute code as a non-privileged user. This is a very common method of attack, as users can be tricked into running all sorts of programs, code from a web site, email attachments and more. There are certain advantages to being logged in to a system as an administrator or with SYSTEM privileges, such as accessing files, installing keystroke loggers and sniffing the network.



 

Tenable Network Security Podcast - Episode 45

Welcome to the Tenable Network Security Podcast - Episode 45

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements



 

Security Metrics - Is This Network Getting Better?

Metrics that show risk are an excellent way to communicate security information to different people and groups within an organization. However, trend lines can hide a lot of details and nuances. This blog entry discusses an example network where a month’s worth of scan data is used to trend overall vulnerabilities and those that have been present longer than thirty days, and to correlate systems needing a reboot with residual security issues.
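The three trends the post describes can be computed from a history of scan snapshots. The following is an added example, not code from the original post or from Tenable: the scan data is constructed (hostnames, dates and the plugin ids are hypothetical, not real Nessus plugin numbers), and each row records one finding that was open on a given scan date together with whether the scanner flagged that host as needing a reboot. The example shows the point the post makes about trend lines: the total count of open findings flattens while the count of findings older than thirty days keeps rising.

```python
"""Vulnerability trend metrics over a month of scan snapshots (added example, constructed data)."""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Tuple

AGE_THRESHOLD_DAYS = 30  # the post's "longer than thirty days" cutoff


class Finding(NamedTuple):
    scan_date: date           # scan in which this finding was reported as open
    host: str                 # hypothetical hostname
    plugin_id: int            # hypothetical plugin id, not a real Nessus plugin number
    host_needs_reboot: bool   # scanner flagged a pending reboot on the host that day


def _scan(scan_date: date, rows) -> List[Finding]:
    """Expand the (host, plugin_id, needs_reboot) rows of one scan into Finding records."""
    return [Finding(scan_date, host, plugin, reboot) for (host, plugin, reboot) in rows]


# Constructed scan history: a July baseline scan plus weekly scans through August 2010.
SCANS: List[Finding] = (
    _scan(date(2010, 7, 19), [("web01", 10001, False), ("db01", 20001, False)])
    + _scan(date(2010, 8, 2), [("web01", 10001, False), ("db01", 20001, False),
                               ("ws07", 30001, False)])
    + _scan(date(2010, 8, 9), [("web01", 10001, False), ("web01", 10002, False),
                               ("db01", 20001, False), ("ws07", 30001, False)])
    + _scan(date(2010, 8, 16), [("web01", 10001, False), ("web01", 10002, False),
                                ("db01", 20001, False), ("db01", 20002, False),
                                ("ws07", 30001, True)])
    + _scan(date(2010, 8, 23), [("web01", 10001, False), ("db01", 20001, False),
                                ("db01", 20002, False), ("ws07", 30001, True),
                                ("ws07", 30002, True)])
    + _scan(date(2010, 8, 30), [("web01", 10001, False), ("db01", 20001, False),
                                ("db01", 20002, False), ("ws07", 30001, True),
                                ("ws07", 30002, True)])
)


def first_seen(scans: List[Finding]) -> Dict[Tuple[str, int], date]:
    """Earliest scan date at which each (host, plugin_id) pair was reported."""
    seen: Dict[Tuple[str, int], date] = {}
    for f in scans:
        key = (f.host, f.plugin_id)
        if key not in seen or f.scan_date < seen[key]:
            seen[key] = f.scan_date
    return seen


def trend(scans: List[Finding], threshold_days: int = AGE_THRESHOLD_DAYS):
    """Per scan date: (date, open findings, findings open longer than threshold_days)."""
    seen = first_seen(scans)
    by_date = defaultdict(list)
    for f in scans:
        by_date[f.scan_date].append(f)
    rows = []
    for d in sorted(by_date):
        total = len(by_date[d])
        aged = sum(1 for f in by_date[d]
                   if (d - seen[(f.host, f.plugin_id)]).days > threshold_days)
        rows.append((d, total, aged))
    return rows


def reboot_correlation(scans: List[Finding], scan_date: date) -> Dict[str, int]:
    """Split the findings open on one scan date by whether their host needs a reboot.

    Only hosts that had at least one open finding on that date are counted.
    """
    todays = [f for f in scans if f.scan_date == scan_date]
    reboot_hosts = {f.host for f in todays if f.host_needs_reboot}
    other_hosts = {f.host for f in todays} - reboot_hosts
    return {
        "reboot_hosts": len(reboot_hosts),
        "findings_on_reboot_hosts": sum(1 for f in todays if f.host in reboot_hosts),
        "other_hosts": len(other_hosts),
        "findings_on_other_hosts": sum(1 for f in todays if f.host not in reboot_hosts),
    }


if __name__ == "__main__":
    for d, total, aged in trend(SCANS):
        print(f"{d}  open={total}  older_than_{AGE_THRESHOLD_DAYS}d={aged}")
    print(reboot_correlation(SCANS, date(2010, 8, 30)))
```

On the constructed data the total open count is flat at 5 for the last three scans, which on a trend line looks like "no change", while the count of findings older than thirty days climbs from 0 to 2 and the workstation flagged as needing a reboot carries two of the five residual findings. Those are the details the headline trend hides.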


 

Blackhat 2010 Round Up


Tenable was in attendance for Black Hat 2010 in Las Vegas last week. In addition to having a vendor’s booth, we presented four days of Nessus training, our very own Carole Fennelly organized Hacker Court and we hosted a party at Margaritaville. Below are some pictures and more details on the events:



 

Tenable Network Security Podcast - Episode 44

Welcome to the Tenable Network Security Podcast - Episode 44

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements


Stories

  • More Badge Hacking Fun! - Dennis Brown had some fun with the Ninja Party badges, which all used ZigBee with little authentication, meaning you could change player levels and messages on other people's badges.
  • GSM Catcher gets a run at Defcon - I saw a Tweet this weekend that describes GSM as Telnet and 3G as SSH. This is pretty scary as GSM is still in widespread use.
  • VxWorks Vulnerability Details Released - VxWorks is a very popular embedded operating system. Vulnerabilities were recently discovered that allow a remote attacker to read memory from a device over a UDP port. This also allows you to gain access to the device and trivially crack the password hash that uses proprietary encryption (which is a no-no). I also found this to be the scariest part: "it became obvious that an unknown party had already spent most of 2006 scanning for this service". While we all hem and haw about disclosure, I've always had a sneaking suspicion that the real bad guys are one step ahead of us, and in this case they were about four years ahead.
  • Malware for Nintendo DS and Wii - Researchers demonstrated how they could upload code into these devices and then in turn cause them to attack the network. Most people don't think about their gaming console getting a "virus", but I am glad someone is doing this research and publishing it because I've always speculated about this attack vector.
  • Android Rootkit - Really cool use cases, like reading all phone history and text messages, or making calls on the phone without the user knowing (e.g. 900 numbers). The rootkit is a Linux kernel module that can hide its presence.
  • Marcus Ranum: Be Serious About "Cybersecurity" - Pretty neat interview with Marcus covering a lot of different topics. One thing that bothers me though is two-factor authentication and using it to protect endpoints. I think if the endpoint is compromised, it doesn't matter how many factors of authentication you have: your data is compromised. Since I can compromise an endpoint and gain direct access to memory, the network traffic, and keyboard strokes, it means I can bypass all the security you have in place.

Download Tenable Podcast Episode 44

 

Scanning Large Networks with Nessus

Intro

The first time I was asked to scan a Class B network, my initial reaction was “Are you kidding me?” I actually thought it was a trick question to see how I reacted to unexpected situations. I had just two weeks to develop a strategy and perform the scan. This seemed to be a daunting task.

Ten years later, I had provided assessments for Class B (or bigger) networks over a dozen times, mostly for government agencies and the occasional university. Performing an audit of tens of thousands of IP addresses is no different from any other audit, unless time is restrictive. Large IP blocks in small time periods require you to revise your normal assessment methodology. Where you typically scan 65,535 ports on a machine, you may only be able to scan a dozen or two. Instead of examining every open port on a machine, time constraints may force you to focus on low-hanging fruit and services that are prone to high-risk vulnerabilities.

Developing a Methodology

Thinking about the polar opposites in assessment, you have a single IP address on one side, and a Class B network on the other. Adjusting your methodology to account for the number of machines becomes a balancing act between allotted time and number of targets. As the number of systems to scan increases, while the time allocated to scan remains constant, the amount of time per system must decrease.
