10 posts from June 2011


Advanced Vulnerability Scanning Using Nessus Course

We are excited to announce that SANS is partnering with Tenable Network Security to bring you “Advanced Vulnerability Scanning Techniques Using Nessus” as part of the SANS Hosted Series of courses. This class is part of a brand new series of vendor-specific classes SANS is offering to complement your needs for training outside of SANS vendor-neutral courses.


Continue reading "Advanced Vulnerability Scanning Using Nessus Course" »


Tenable Network Security Podcast - Episode 87

Welcome to the Tenable Network Security Podcast - Episode 87

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher, Jack Daniel, Product Manager

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 87" »


4 out of 5 CISOs Don't Scan for Off-Port Web Servers

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

Continue reading "4 out of 5 CISOs Don't Scan for Off-Port Web Servers" »


Comparing the PCI, CIS and FDCC Certification Standards

As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and the US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these categories (we're in the process of becoming an ASV), I thought it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.

Continue reading "Comparing the PCI, CIS and FDCC Certification Standards" »


Firewall and Boundary Auditing Best Practices

Recently, I had the chance to work with several larger Tenable enterprise customers who were charged with figuring out what the perimeter of their network really looked like.

I showed them how multiple Nessus scanners and Passive Vulnerability Scanners deployed throughout their infrastructure could be leveraged to provide near real-time visibility into every boundary or enclave.

With the rise in popularity of the SANS Consensus Audit Guidelines, which specifically call out "Boundary Monitoring", and the increased number of Tenable federal customers deploying 20+ active and passive scanners to perform CyberScope scanning, I decided to write a best practices paper on how network boundaries can be monitored and understood.

The paper starts out with simple concepts such as comparing what a scanner on the inside of a firewall can find compared to what one on the outside scanning inbound can find. It finishes with how distributed scanning and sniffing can help identify trust relationships and poor firewall rules between enclaves. There is also a lot of great artwork that facilitates understanding of these complex ideas:

[Image: boundary monitoring diagram from the paper]

The paper is available for a free download here. If you have feedback or want to send me a note about it, feel free to post comments to our Tenable Discussions Forum and reach me on Twitter @RonGula.


Risky Business #198 - Tenable CEO Interview on Cybercrime Insurance

In this week's Risky Business podcast, Patrick Gray and I chatted about the recent rise in cyber insurance. Insurance companies have been working on a variety of insurance packages for years, and the recent rash of RSA, Sony and other high-profile attacks has raised the interest level and demand for this. The key point here is that if an insurance company can offer this type of coverage, they need to understand the risk much better than the customers buying the service.


Microsoft Patch Tuesday Roundup - June 2011

Keeping Tabs On Patches

Let’s face it; we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:

  • Which patches are missing?
  • Which patches have been successfully installed?

If you only have one computer in the house, it probably annoys you to some degree when it’s time to apply patches, indicating that you are in fact missing patches. This answers the first question above, but the operating systems themselves have few measures of success. There are many situations that cause patches to fail, or leave vulnerable software behind after an update, that can easily be missed by the average user. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier is blocking operating system updates, you may never be able to answer the first question (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well with respect to Blackberry users in your environment). Not knowing that patches are required at all is a big problem, as is not knowing whether they applied successfully.

A Much Larger Problem

Enterprises with 10,000 or more desktops exacerbate the problem of patch tracking. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:

[Image: SecurityCenter 4.2 patch tracking dashboard]

Continue reading "Microsoft Patch Tuesday Roundup - June 2011" »


Tenable Network Security Podcast - Episode 86

Welcome to the Tenable Network Security Podcast - Episode 86

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

  • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.

  • We're hiring! - Visit the Tenable web site for more information about open positions.

  • You can subscribe to the Tenable Network Security Podcast on iTunes!

  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

  • Jack Daniel joins Tenable as Product Manager.

  • Nessus for Android has been updated, including support for the Motorola Zoom.
Stories

  • Dan Kaminsky On The RSA SecurID Compromise - "I recommend replacing devices in an orderly fashion, possibly while increasing the rotation rate of PINs. I dismiss concerns about source compromise on the grounds that both hardware and software are readily reversed, and anyway we didn’t change operational behavior when Windows or IOS source leaked." It's true, when entire operating systems' source code has leaked, no one really panicked or changed the way they do business. Yes, you should be replacing all your tokens and, of course, have some other forms of security and authentication other than SecurID.

Continue reading "Tenable Network Security Podcast - Episode 86" »

Tenable Network Security Podcast - Episode 85

Download Tenablepodcast-episode85.mp3

Welcome to the Tenable Network Security Podcast - Episode 85

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

  • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.

  • We're hiring! - Visit the Tenable web site for more information about open positions.

  • You can subscribe to the Tenable Network Security Podcast on iTunes!

  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

Stories

  • RSA finally comes clean: SecurID is compromised - It turns out to be true: attackers possess the seed values for the tokens and the encryption algorithm is already public. RSA says they withheld the information because they did not want to tell attackers how to implement attacks, but it turns out evil bad guys figured it out and used it to attack Lockheed Martin. RSA is now offering to replace all 40 million+ SecurID tokens worldwide. Ouch. This is a breach that cost RSA dearly, in terms of money and reputation.

Continue reading "Tenable Network Security Podcast - Episode 85" »

Tenable Network Security Podcast - Episode 84

Welcome to the Tenable Network Security Podcast - Episode 84

Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

Announcements

Discussion

Continue reading "Tenable Network Security Podcast - Episode 84" »