15 posts from March 2011

 

Announcing Nessus On Demand Training

Tenable is pleased to announce the availability of the Nessus On Demand training.

Below is a short "FAQ":

  • What is On Demand training and how does it work? - The On Demand training represents training content, slides and audio that you can take anytime you like. Marcus Ranum (and the Tenable training team) has narrated nearly 20 hours of training material and lab exercises. This also includes full access to the online labs associated with the Nessus course.
  • What products are currently being offered via On Demand? - Currently the "Nessus Vulnerability & Compliance Auditing" course is available On Demand and covers all aspects of using Nessus, including network vulnerability scans, authenticated patch auditing, configuration auditing and introducing the Nessus API and NASL scripting.

Continue reading "Announcing Nessus On Demand Training" »

 

Tenable Network Security Podcast - Episode 76

Welcome to the Tenable Network Security Podcast - Episode 76

Hosts: Paul Asadoorian, Product Evangelist, Marcus Ranum, Tenable's CSO and Dave Poynter, Tenable Training Team

Announcements

Marcus Ranum Interview

Marcus comes on the show to discuss risk management pitfalls, "APT" and more!

Continue reading "Tenable Network Security Podcast - Episode 76" »

 

APT - There.. I Said It.

Recently I attended the Secure World Boston conference to sit in on a panel with industry experts about APT (Advanced Persistent Threat; for a great write-up on the definition, see Richard Bejtlich's article titled "What Is APT and What Does It Want?"). Following are some of my thoughts on the topic:

  • Is APT something that everyone should be worrying about and planning for (is APT pervasive or just hype)? – APT is a new buzzword, but of course such threats have been around as long as there have been computer networks. It makes me think back to Clifford Stoll’s book “The Cuckoo’s Egg”. I love Cliff’s analogy of “jiggling” the keys over the communications lines to disrupt the attackers just enough, but still give them enough access to keep an eye on them.

  • Explain how APT works (reconnaissance, phishing, infection, exfiltration)? – The recon phase is the toughest to defend against and the most important phase for an attacker. Pretexting is so important, yet much of the information it relies on has to be public, and it’s tough to detect when someone is doing recon. This may turn into targeted phishing attacks, which are increasingly successful. No matter how hard we try, we can’t educate all our users and expect them to catch 100% of the attacks; we have to rely on technology and training to ward off these attacks. Inevitably, people get into our systems, and we need measures to detect unauthorized access to them. It’s presumptuous to think that your organization will never have a breach.

Continue reading "APT - There.. I Said It." »

 

Tenable Network Security Podcast - Episode 75

Welcome to the Tenable Network Security Podcast - Episode 75

Hosts: Paul Asadoorian, Product Evangelist & Dennis Brown, Research Engineer and "Malware Aficionado"

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 75 " »

 

Mid-Atlantic CCDC - Lessons Learned in Communication

The CCDC 2011

The Collegiate Cyber Defense Competition (CCDC) is always a fantastic and educational event, and this year was no exception. Hundreds of people converged to share ideas, learn how to hack, learn how to defend and talk about security. Below is a brief summary of the happenings at the event:

  • The Attackers - Many of the same people as previous years filled the role of the "hackers". They did a great job this year and showed how much they've learned over the years. The big takeaway from the Red Team is sharing. Using a new tool called "Armitage", they were able to share shell access to the Blue Team hosts, proving that sharing truly is caring.
  • The Defenders - By design, the Blue teams are put at a disadvantage. This is meant to emulate the real world, where attackers have vast resources and often stay a step ahead. However, the Blue teams were very creative, employing reverse sabotage by leaving pieces of paper around the event with usernames and passwords written on them, which were completely fake.


    The Red Team was able to re-configure the Blue Team's phones and leave them messages on the display, a digital "love note" if you will. Phones for the Blue Team were ringing throughout the event, playing random WAV files from a server as well.

Continue reading "Mid-Atlantic CCDC - Lessons Learned in Communication" »

 

Botnet Reputation and Content Scanning in Nessus

With today’s plugin updates, Nessus now has the capability to warn you of hosts that are being controlled by botnets or hosting links to known malware or phishing sites.

Nessus compares your scan targets against a list of botnet-infected hosts that is updated daily and reports if a target is a known botnet zombie or a command and control node. This check runs regardless of the plugins or credentials specified and does not require sending any packets to the host. Such hosts have previously been observed sending malicious traffic to third-party systems across the Internet or taking an active role in attempting to control or compromise hosts for the botnet.

In addition to checking for inclusion in a botnet, Nessus will also report if a scan target hosts links to web site addresses and specific URLs that known botnets use to propagate, or that redirect to sites hosting phishing content. During the testing of CGI scripts, Nessus scans the content of web pages looking for references to this type of malicious content. Discovering that an asset hosts botnet-related malware or pages designed to steal credentials from unsuspecting users (e.g., fake eBay or banking login pages) is a valuable way to augment vulnerability scans.

To leverage this feature, make sure that your Nessus scans are looking at web site content: set Preferences -> Global Settings -> Enable CGI Tests to “enabled”.

The following Nessus plugins perform the botnet and malicious website content analysis:

  • 52670 – Web Site Links to malicious Content
  • 52669 – Host is listed in Known Bot Database

This update is available to all Nessus users including the Nessus ProfessionalFeed and HomeFeed subscriptions, the Nessus PerimeterService and SecurityCenter customers. Tenable also offers a variety of log analysis, NetFlow analysis and passive network traffic analysis solutions which can help identify system events, user behavior and network traffic that is indicative of a botnet. To learn more about these solutions, please visit our web site or watch any of the following on-demand webinars: 

 

 

Tenable Network Security Podcast - Episode 74

Welcome to the Tenable Network Security Podcast - Episode 74

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher and Ron Gula, Tenable CEO/CTO

Announcements

Stories

  • Penetration Testing Execution Standard - A group has been formed to define what a penetration test really is and means. Several standards and compliance documents reference a "penetration test", yet no one has really taken the time to define it. Carlos and I are involved with this effort, myself on the vulnerability scanning portion and Carlos on the post-exploitation side.

Continue reading " Tenable Network Security Podcast - Episode 74" »

 

Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus

Have you ever been charged to perform a security audit for a set of hosts that have been turned off? If those hosts have been configured to be “woken up” with a “Wake-on-LAN” packet, you can now leverage this capability with your enterprise Nessus scans. This blog entry describes how organizations that leverage Nessus or SecurityCenter to scan their infrastructure can audit systems that have been powered off.
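For readers who have not looked at what a “Wake-on-LAN” packet actually is: it is a UDP datagram (conventionally broadcast to port 9 or 7) whose payload is six 0xFF bytes followed by the target's MAC address repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password. The following is an added example, not Nessus or Tenable code, that builds, recognizes and sends such a packet. Two points a practitioner should keep in mind: the packet carries no authentication beyond the optional SecureOn password, so any host on the broadcast domain can power on any other, and the sender must be on the target's L2 segment (or use a directed broadcast the routers permit), which constrains where a scanner can be placed.

```python
"""Build, recognize and send Wake-on-LAN magic packets (added example, not Nessus code)."""
import re
import socket

SYNC_STREAM = b"\xff" * 6   # six bytes of 0xFF announce the magic packet
MAC_REPEATS = 16            # followed by the target MAC sixteen times


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return 6 raw bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Return the 102-byte magic packet, plus the optional 4- or 6-byte SecureOn password."""
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC_STREAM + parse_mac(mac) * MAC_REPEATS + password


def is_magic_packet(payload: bytes) -> bool:
    """Detection helper for a packet capture or IDS rule: True if a UDP payload
    contains a well-formed magic packet (the sync stream may be preceded by junk)."""
    idx = payload.find(SYNC_STREAM)
    if idx < 0:
        return False
    body = payload[idx + 6: idx + 6 + 6 * MAC_REPEATS]
    if len(body) != 6 * MAC_REPEATS:
        return False
    return body == body[:6] * MAC_REPEATS


def target_mac(payload: bytes) -> str:
    """Return the MAC a magic packet would wake, as colon-separated hex."""
    if not is_magic_packet(payload):
        raise ValueError("not a magic packet")
    idx = payload.find(SYNC_STREAM)
    return ":".join(f"{b:02x}" for b in payload[idx + 6: idx + 12])


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9,
                      password: bytes = b"") -> int:
    """Broadcast the packet on the local segment; returns the number of bytes sent.
    Use a directed broadcast (e.g. 10.0.5.255) when the scanner sits on another subnet."""
    packet = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # MAC below is a placeholder; replace it with the NIC you actually want to wake.
    print(len(build_magic_packet("00:11:22:33:44:55")), "bytes")
```

Because the packet is so simple, the same `is_magic_packet` check is handy on the defensive side: seeing magic packets on a segment from anything other than the hosts you expect to issue them (a scanner, a management station) is worth an alert.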

Continue reading "Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus" »

 

Microsoft Patch Tuesday Roundup - March 2011

Another Microsoft Patch Tuesday is upon us. This month I was surprised that two vulnerabilities making headlines recently were not included in this Microsoft Patch Tuesday, namely the 0-day Windows SMB Vulnerability and the reported “Pwn2Own” IE vulnerability. The best way to remediate any vulnerability is to apply a patch provided by the vendor, and it’s puzzling why Microsoft is delaying the release of patches for these widely publicized vulnerabilities.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Continue reading "Microsoft Patch Tuesday Roundup - March 2011" »

 

Tenable Network Security Podcast - Episode 73

Welcome to the Tenable Network Security Podcast - Episode 73

Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher and Ron Gula, Tenable CEO/CTO

Announcements

Stories

  • Outbound SSH Traffic from HP Blade Servers - In this case it appears to be a bug, but what if it wasn't? I believe we need to keep close tabs on network connections in our environment. I'm a huge fan of Netflow analysis, largely because if you are attacking anything on the network, you need to make a connection. It's a difficult thing to get around (provided you do not have physical access to a medium that is not being monitored, such as 3G or some other wireless protocol). Also, it raises a scary situation where devices are pre-owned, meaning that during the manufacturing process attackers placed backdoors on the systems. Network monitoring can help identify these channels. For example, you should be able to spot your networking gear's management interfaces attempting to make connections out to the Internet.
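The check described above, management interfaces that should never talk to the Internet suddenly doing so, is easy to express as a policy over flow records. The following is an added example, not Tenable code: a small filter over a constructed, nfdump-style CSV export. The management subnet (10.0.99.0/24), the single allowlisted vendor host (203.0.113.50) and the flow lines themselves are all assumptions for the demo. Internal space is defined explicitly as the RFC 1918 ranges rather than via Python's `is_private`, which would also treat the RFC 5737 documentation addresses used here as private.

```python
"""Flag outbound connections from infrastructure management interfaces (added example)."""
import csv
import io
import ipaddress

# Demo assumptions: where management interfaces (blade chassis, switches, lights-out cards)
# live, and the only external hosts they are permitted to reach.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.99.0/24")]
EXTERNAL_ALLOWLIST = {ipaddress.ip_address("203.0.113.50")}   # e.g. a vendor update server
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERACTIVE_PORTS = {22, 23, 3389}   # a shell leaving the management plane is the worst case

# Constructed flow export, one flow per line: start,src,dst,dport,proto,packets,bytes
FLOWS = """\
2011-03-10 09:12:01,10.0.99.14,10.0.99.2,22,tcp,12,1840
2011-03-10 09:12:05,10.0.99.14,198.51.100.23,22,tcp,48,6120
2011-03-10 09:12:09,10.0.10.55,203.0.113.9,443,tcp,210,98000
2011-03-10 09:13:11,10.0.99.21,203.0.113.50,443,tcp,30,4100
2011-03-10 09:13:40,10.0.99.21,192.0.2.77,443,tcp,9,1200
"""
FIELDS = ["start", "src", "dst", "dport", "proto", "packets", "bytes"]


def _is_management(ip):
    return any(ip in net for net in MANAGEMENT_NETS)


def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def check_flows(text: str = FLOWS):
    """Return one alert per flow that leaves the management plane for an unapproved destination.
    Interactive ports (SSH, telnet, RDP) are rated high, anything else medium."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if not _is_management(src) or _is_internal(dst) or dst in EXTERNAL_ALLOWLIST:
            continue   # not a management source, stayed inside, or explicitly permitted
        dport = int(row["dport"])
        alerts.append({
            "start": row["start"],
            "src": str(src),
            "dst": str(dst),
            "dport": dport,
            "proto": row["proto"],
            "bytes": int(row["bytes"]),
            "severity": "high" if dport in INTERACTIVE_PORTS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in check_flows():
        print(alert["severity"].upper(), alert["src"], "->", alert["dst"], "port", alert["dport"])
```

Of the five constructed flows, only the two management hosts reaching unlisted Internet addresses are reported; the SSH flow to 198.51.100.23 is the one that would have caught the HP blade case the story mentions.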

Continue reading " Tenable Network Security Podcast - Episode 73" »

 

Agentless FDCC, USGCB and CyberScope Reporting Webinar - March 23 2:00 PM EST

I will be hosting a webinar that presents Tenable's strategy for agentless auditing and reporting of various US Government standards including FDCC, USGCB, CyberScope and a variety of DISA STIG specifications. The webinar will include:

  • Nessus configuration and vulnerability assessment capabilities 
  • How to use the Passive Vulnerability Scanner to perform continuous monitoring 
  • Performing enterprise configuration audits for FDCC, USGCB and a variety of DISA STIG policies 
  • Working with XCCDF FDCC content and generating an FDCC report 
  • Creating CyberScope reports based on active or passive discovery of vulnerabilities and applications 

The webinar will last approximately 40 minutes followed by a question and answer section. To register, visit the following gotomeeting link: 

I'll also be showing some of the new reporting and dashboard capabilities of SecurityCenter 4.2, which enables several different approaches to configuration auditing, continuous monitoring and CyberScope reporting.

 

Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!

There are a variety of indicators that a system has been compromised, ranging from the obvious to the very subtle.

[Image: fluffy-bunny.png] If your web site looks like the above image, you may have been compromised

Less obvious indications of a compromise include increased bandwidth, subtle IDS alerts (such as those indicating anomalous behavior) and mysterious configuration changes on systems. The questions that are typically asked include "How did they get in?" and "What did they do?" Tenable's Passive Vulnerability Scanner (PVS) provides useful information for answering these questions. Following are some of the alerts PVS may generate during an intrusion:

Continue reading "Event Analysis: Detecting Compromises, Javascript, Backdoors, and more!" »

 

The Nessus Port Scanning Engine: An Inside Look

Port Scanning Never Dies

While information security threats constantly evolve from client-side attacks to web application vulnerabilities, there is one activity that is always effective: port scanning. Determining if a port is open or closed is a critical step in the discovery process associated with successfully attacking systems. For example, if port 80 or 443 is not open, it is likely there will not be a public web site associated with that system. Of course, this leads into service identification, which detects web servers listening on non-standard ports. However, you must be able to test if a port is open in the first place before you can determine which service may be running. Therefore, port scanning maintains its position as a necessary practice, even when referencing client-side attacks that can turn the remote client systems into port scanners using JavaScript.

Given the importance of port scanning, I want to cover some of the features and functions of the various port scanners included in the Nessus vulnerability scanner. The Nessus port scanner system has three network-based port scanners:

  • TCP Scanner - The TCP scanner sends a sequence of packets to initiate a full TCP connection to the target hosts, completing the TCP three-way handshake each time. The TCP port scanner balances speed and accuracy, using logic to tune itself as the scan progresses. The TCP scanner does not operate on Windows and Mac OS due to operating system limitations, so Nessus initiates the SYN scanner on these systems instead. However, when Nessus is installed on Linux it will implement a full-connect scanner in user space (i.e., without requiring root-level privileges). Early versions of the scanner consisted of a couple of pages of C source code. Over time it has grown in features and complexity to handle many different situations and types of networks. The TCP scanner dynamically estimates the RTT (Round Trip Time) and makes multiple passes on unresponsive ports to determine if there was a problem during the initial attempt. The TCP scanner will also read banners for some services and place this information, along with the open ports, in the Nessus knowledge base, where the service identification routine and plugins can find the list of open ports for each host.
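The behaviours listed for the TCP scanner (a full handshake from user space, an RTT estimate that tunes the timeout, a second pass over ports that did not answer, and a banner grab stored beside the open port) fit in a short script. The following is an added example and not the Nessus scanner's code; `demo()` starts a throwaway listener on 127.0.0.1 that greets clients with an SSH-style banner, so the scan runs offline against one open and one closed port. Because the kernel completes the connection, the target's service sees a real session (and logs it), which is the trade-off against a SYN scanner that the post's comparison implies.

```python
"""Small full-connect TCP port scanner with RTT tuning, retries and banner grabbing.
Added example, not Nessus code."""
import functools
import socket
import threading
import time


def probe(host, port, timeout):
    """Connect once. Returns (state, rtt_seconds_or_None, banner_bytes)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))            # SYN, SYN/ACK, ACK performed by the kernel
        rtt = time.monotonic() - start
        banner = b""
        try:
            s.settimeout(0.3)              # SSH, SMTP, FTP and friends speak first
            banner = s.recv(256)
        except OSError:
            pass                           # silent service: still open, just no banner
        return "open", rtt, banner
    except ConnectionRefusedError:         # RST came back: port is closed
        return "closed", time.monotonic() - start, b""
    except OSError:                        # timeout or unreachable: filtered for now
        return "filtered", None, b""
    finally:
        s.close()


def scan(host, ports, initial_timeout=1.0, retries=1):
    """Probe each port; tune the timeout from observed RTTs and re-probe silent ports."""
    results, rtts = {}, []
    timeout, pending = initial_timeout, list(ports)
    for attempt in range(retries + 1):
        unanswered = []
        for port in pending:
            state, rtt, banner = probe(host, port, timeout)
            if rtt is not None:
                rtts.append(rtt)
                # stay well above the slowest answer seen, but never above the initial value
                timeout = min(initial_timeout, max(0.2, 4 * max(rtts)))
            if state == "filtered" and attempt < retries:
                unanswered.append(port)    # second chance with a longer wait
                continue
            results[port] = {"state": state, "rtt": rtt, "banner": banner}
        pending, timeout = unanswered, timeout * 2
    return results


def _listener(banner=b"SSH-2.0-OpenSSH_demo\r\n"):
    """Throwaway server on an ephemeral localhost port that greets each client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def _unused_port():
    """Bind to port 0, read the port back, release it: closed by the time we probe it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


@functools.lru_cache(maxsize=None)
def demo():
    """Scan one open (banner-bearing) and one closed localhost port; returns (open, closed, results)."""
    srv, open_port = _listener()
    closed_port = _unused_port()
    try:
        return open_port, closed_port, scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, info in demo()[2].items():
        print(port, info["state"], info["banner"].strip().decode(errors="replace"))
```

The retry pass is what separates "filtered" from "slow": a port that times out once is re-probed with a doubled timeout before it is reported, which is the same idea as the multiple passes over unresponsive ports described for the Nessus scanner.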

Continue reading "The Nessus Port Scanning Engine: An Inside Look" »

 

Tenable Network Security Podcast - Episode 72

Welcome to the Tenable Network Security Podcast - Episode 72

Hosts: Paul Asadoorian, Product Evangelist and Carlos Perez, Lead Vulnerability Researcher

Announcements

Stories

  • Throwing Star LAN Tap - I have to admit, I'm a big fan of ninjas. Ever since I was a kid (in some ways I still am) I've been fascinated with ninjas. It's a combination of things that fuel my fascination: smoke bombs, swords, poison and, of course, throwing stars. Any time I can arm myself with a ninja-like tool that pertains to my job, I'm in. The Throwing Star LAN Tap lets you monitor network traffic passively (i.e., the tap has no transmit path, only receive) between a host and the network. This comes in handy for troubleshooting, forensics, and even to collect some data using Tenable's Passive Vulnerability Scanner.

Continue reading "Tenable Network Security Podcast - Episode 72" »

 

Nessus 4.4.1 Released

Tenable is pleased to announce the release of Nessus 4.4.1! This is a point release (moving from 4.4.0 to 4.4.1), containing several enhancements and minor bug fixes.


From a user perspective, there is a new feature that allows the SYN scanner to be selectively throttled. A new setting, nessus_syn_scanner.global_throughput.max can be added to the nessusd.conf file. The option sets the maximum number of packets per second that Nessus will send during a SYN port scan (regardless of how many hosts are scanned in parallel).

Continue reading "Nessus 4.4.1 Released" »