#9 Nessus Detects Misconfiguration (Video) - Top Ten Things You Didn't Know About Nessus

Next up on our Nessus top ten list is #9, which covers how to use Nessus configuration auditing to discover information about your system configurations. The following video presents use cases and examples, from PCI compliance to detecting viruses:

Please visit Tenable's YouTube channel for more Nessus and SecurityCenter videos!

 

Microsoft Patch Tuesday Roundup - September 2011

Sensitive Data is More than "Important"

All but one of this month's Microsoft Patch Tuesday updates relates to Microsoft Office applications and/or Windows components that handle documents (such as RTF, TXT, and Word Document files as described in MS11-071). The three Office-related bulletins are listed as "important" on the Microsoft site, despite the fact that they allow for remote code execution. Another bulletin, MS11-074, announces issues with Microsoft's SharePoint, a server application for sharing information and managing documents.

While I don't recommend completely ignoring Microsoft's risk categories, developing your own metrics for risk classification can go a long way to improving your defenses and patch management programs. Vulnerabilities that target Microsoft Office users who have access to sensitive data are a higher priority to patch. It’s critical to know where sensitive data lies so that you can identify if the data is at risk from these vulnerabilities. SecurityCenter's management and Nessus's auditing capabilities provide you with valuable information to identify where sensitive data resides in your network and help you prioritize your patch schedule.

For example, Nessus can perform a variety of content checks to look for credit card, financial, personal, copyrighted and other types of sensitive data. The dashboard below summarizes a variety of different types of sensitive data audits:

Sensitive-Data-Active

One of the things I like best about the dashboard shown above (which can be downloaded from this entry on the SecurityCenter Dashboard Site) is that you can overlay other types of results, such as the systems that contain vulnerabilities for which an exploit exists. If I had to prioritize a patch rollout, I might start with systems that have access to sensitive data and also have vulnerabilities that can be easily exploited.

To help evaluate the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Continue reading "Microsoft Patch Tuesday Roundup - September 2011" »

 

Tenable Network Security Podcast - Episode 96

Welcome to the Tenable Network Security Podcast - Episode 96

Hosts

  • Paul Asadoorian, Product Evangelist
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO

Announcements

Stories

  • 15 Years of Software Security: Looking Back and Looking Forward - First a look back: Remember "Smashing the Stack for Fun and Profit"? Buffer overflows were all the rage and resulted in what the author calls "undesired functionality" in applications. Vendors tended to ignore the vulnerability disclosure process, and many more vulnerabilities and associated exploits floated around the Internet until vendors decided to patch them (or not). The security community as a whole grew up, many companies were created to sell products, and many got bought and folded into larger companies. Before we look into the future, what has really changed? Web applications have provided us with a newer form of the buffer overflow, as the vulnerabilities lead to "undesired functionality" and are as plentiful as traditional buffer overflows were, if not more so. The difference is that they are now spread across thousands of applications and many require end-user interaction. The author then looks into the future, which is dangerous depending on how you look at it. Since it hasn't occurred yet, you can make predictions and it doesn't matter if you were correct or not... it was just a prediction.

Continue reading "Tenable Network Security Podcast - Episode 96" »

 

Tenable Network Security Podcast - Episode 95

Welcome to the Tenable Network Security Podcast - Episode 95

Hosts

  • Paul Asadoorian, Product Evangelist
  • Jack Daniel, Product Manager
  • Carlos Perez, Lead Vulnerability Researcher
  • Ron Gula, CEO/CTO

Announcements

Stories

Continue reading "Tenable Network Security Podcast - Episode 95" »

 

Tenable Network Security Podcast - Episode 94

Welcome to the Tenable Network Security Podcast - Episode 94

Hosts:

  • Paul Asadoorian, Product Evangelist
  • Jack Daniel, Product Manager
  • Carlos Perez, Lead Vulnerability Researcher

Announcements

Continue reading "Tenable Network Security Podcast - Episode 94" »

 

Tenable Ranks 17th Among Security Companies on Inc. 5000

We are pleased to announce that Tenable has been ranked in the Inc. 500/5000 for the second year in a row. In the 2011 rankings, we were ranked the fastest-growing private company in the enterprise security software market. We ranked 934th overall, and 17th among all security companies.

As a company, we’re changing the way that enterprises think about information security solutions by helping them move from ‘point-in-time’ security to ‘continuous’ security and compliance monitoring.  There’s no such thing as ‘good enough security,’ which is why we’re consistently developing new resources and innovative solutions to help our clients stay ahead of emerging threats.  This approach has been the cornerstone of our success.

See more about our Unified Security Monitoring platform at http://www.tenable.com/solutions

See more about the Inc. 5000 on their website: http://www.inc.com/inc5000/welcome 

 

Junos Local Patch Checking Support Added to Nessus

Tenable has authored a collection of plugins to identify Juniper Junos devices and perform local patch checking. By providing SSH or SNMP credentials, Nessus will log into a device running Junos and check for missing patches, such as:

You can enable these plugins by selecting the "Junos Local Security Checks" plugin family when creating policies in Nessus (or SecurityCenter) as shown below:

Junos Plugin Family Selection


Plugin ID 55392, Junos Version Detection, was added to identify the operating system version of the device being scanned:

Junos Version Detection


Continue reading "Junos Local Patch Checking Support Added to Nessus" »

 

#10 There's More Than One Way... - The Top Ten Things You Didn't Know About Nessus

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

Speedy Target Safe Cracking
Nessus maintains a balance of speed, accuracy, and intrusiveness.

#10. There's More Than One Way To...

Continue reading "#10 There's More Than One Way... - The Top Ten Things You Didn't Know About Nessus" »

 

Tenable Network Security Podcast - Episode 93

Welcome to the Tenable Network Security Podcast - Episode 93

Hosts:

  • Paul Asadoorian, Product Evangelist
  • Ron Gula, CEO/CTO
  • Jack Daniel, Product Manager
  • Carlos Perez, Lead Vulnerability Researcher

Announcements


Continue reading "Tenable Network Security Podcast - Episode 93" »

 

Tenable Network Security Podcast - Episode 92

Welcome to the Tenable Network Security Podcast - Episode 92

Hosts:

  • Paul Asadoorian, Product Evangelist
  • Ron Gula, CEO/CTO
  • Carlos Perez, Lead Vulnerability Researcher

Announcements

Continue reading "Tenable Network Security Podcast - Episode 92" »

 

Black Hat 2011: The Rise Of The Machines

I attended the Black Hat Briefings this year after teaching the "Advanced Vulnerability Scanning Using Nessus" course. There were several really great presentations covering a wide range of topics. My only wish is that I could have cloned myself and attended more of the talks! Following is a recap of the presentations I attended:

Tenable CEO/CTO Ron Gula presenting in the vendor area at Black Hat, showcasing SecurityCenter, the Passive Vulnerability Scanner, Nessus, and the Log Correlation Engine being used together to detect targeted attacks against systems.

Don Bailey - War Texting Weaponizing Machine 2 Machine

Several of the presentations this year centered on the topic of embedded systems. This is right up my alley, as I've always had a fascination with embedded computing. Don gave some great examples of embedded systems, including:

Continue reading "Black Hat 2011: The Rise Of The Machines" »

 

Microsoft Patch Tuesday Roundup - August 2011

A few interesting notes on this month's Microsoft Patch Tuesday release:

  • Windows DNS servers are vulnerable to remote exploitation, but only when they are running a specific configuration.
  • We've released a new plugin to detect the Remote Desktop Web Access service on Windows.
  • Another five vulnerabilities in Internet Explorer have been fixed. I believe this to be one of the more critical things to patch. While Microsoft claims there are no known exploits, no one can be certain.

To further aid in your efforts to evaluate the exposures presented by the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published Nessus plugins for each of the security bulletins issued this month:

Continue reading "Microsoft Patch Tuesday Roundup - August 2011" »

 

Using Nessus and Metasploit Together

Security Tools Working Together

This is the third in a series of posts that describe the use of Nessus on BackTrack 5. Previous posts covered how to activate Nessus on BackTrack 5 and how to integrate Nmap, Hydra, and Nikto with Nessus. In this post we will cover initiating Nessus scans from within Metasploit. Beginning with Nessus 4, Tenable introduced the Nessus API, which lets users programmatically interface with a Nessus server using XMLRPC. Zate Berg took the initiative to write modules in Metasploit that, among other things, can launch a Nessus scan and import the results into the Metasploit database. From there, we can find which hosts are vulnerable to exploitation, exploit them, harvest the password hashes, and then use those password hashes to initiate credentialed Nessus scans.

Configuring Nessus

The first step needed to use Nessus with Metasploit is to log into Nessus and create a user for Metasploit. In this example, I created a user called "msf" with a password of "metasploit".


Continue reading "Using Nessus and Metasploit Together" »

 

Integrating Nessus with BackTrack 5's Tools

BackTrack 5, code name "Revolution", is a very popular Linux distribution used primarily for penetration testing. It contains a lot of different tools for scanning, testing, and exploiting everything from web applications to wireless networks. Since the creators of BackTrack 5 included such a vast array of tools, I thought it would be interesting to show how some of those tools can be integrated with your Nessus server to extend functionality and import results.

Importing Nmap Results

There are many occasions where Nmap is used to scan specific hosts or a large network of hosts. The XML results from Nmap can be imported into Nessus and used as the basis for vulnerability scanning. If you are going to use Nmap results this way, you can disable Nessus's built-in port scanners and host identification functionality, relying solely on your Nmap results to perform the scan:


Continue reading "Integrating Nessus with BackTrack 5's Tools" »

 

Tenable Network Security Podcast - Episode 90

Welcome to the Tenable Network Security Podcast - Episode 90

Hosts:

  • Paul Asadoorian, Product Evangelist
  • Ron Gula, CEO/CTO
  • Carlos Perez, Lead Vulnerability Researcher
  • Jack Daniel, Product Manager

Announcements

  • Several new blog posts have been published this week, including:

  • LCE WMI Monitor Agent 3.6.0 Now Available
  • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch auditing using Nessus.
  • We're hiring! - Visit the Tenable web site for more information about open positions.
  • You can subscribe to the Tenable Network Security Podcast on iTunes!
  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
Stories

    Continue reading "Tenable Network Security Podcast - Episode 90" »

     

    Security, Log Management & Burying Stumps

    Burying Stumps

    Recently I've been planning and executing a plan to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it’s 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.



    Continue reading "Security, Log Management & Burying Stumps" »

     

    Enabling Nessus on BackTrack 5 - The Official Guide

    Preparing Your BackTrack 5 Installation

    Nessus 4.4.1 now comes pre-installed on BackTrack 5 and requires that the user activate the installation. Before you activate Nessus on your BackTrack 5 installation, be certain you have installed Nessus either to the hard drive on the computer you plan to use or inside of a virtual machine that you plan to keep on the same host system. If you activate Nessus on a bootable USB thumb drive, DVD or a virtual machine and move it to a new host system, the Nessus activation code will no longer be valid. The Nessus activation ties itself to the physical system on which it is installed. If you do decide to move the virtual machine to a new system, or jump around to different systems using a bootable USB thumb drive or DVD, you will have to re-activate Nessus. If you are using a Nessus ProfessionalFeed, you are allowed to reset your activation by clearing the current connection between a host and an activation code. By logging into the Tenable Customer Support Portal and going to "Activation Codes", you can reset the activation code-to-host pairing. ProfessionalFeed users are currently limited to one reset every 30 days. HomeFeed users will need to re-register Nessus when moving between physical hosts.

    Step 1 - Obtaining An Activation Code


    Continue reading "Enabling Nessus on BackTrack 5 - The Official Guide" »

     

    Microsoft Patch Tuesday Roundup - July 2011

    Remote exploits come in many different shapes, forms and sizes. Listening services, web browsers and wireless technologies can all contain vulnerabilities that allow for "remote exploitation". The difficult part is defining just how "remote" an attacker needs to be. Obviously, the exposed network service could theoretically be exploited by anyone connected to the Internet. Web browser exploits require that a user visit a site (by choice or surreptitiously) that loads malicious code. Wireless technologies such as Bluetooth require that you be in range. Here's where it gets interesting! There are many situations where end users could be in range of attackers, including conferences, coffee shops, airports, or even right in your own facility. Having said that, it would be difficult for these attacks to target a specific organization unless you were physically on-site, which occurs less frequently than someone attacking you over the Internet. However, we should note that Bluetooth uses the 2.4 GHz spectrum for communications and can be extended using the same or similar gear as WiFi.

    Boundary-image


    In honor of MS11-053, I dug out my Bluetooth wireless kit. Pictured above is a "cantenna" attached to an older long-range Class 1 Cisco-Linksys USBBT100 Bluetooth USB Adapter with an external antenna connector.

    Continue reading "Microsoft Patch Tuesday Roundup - July 2011" »

     

    Tenable Network Security Podcast - Episode 89

    Welcome to the Tenable Network Security Podcast - Episode 89

    Hosts:

    • Paul Asadoorian, Product Evangelist
    • Ron Gula, CEO/CTO
    • Carlos Perez, Lead Vulnerability Researcher
    • Jack Daniel, Product Manager

    Announcements

    Stories

    • Facebook blocks a second contact export tool - Information, in the right context, can be quite powerful and expose your privacy. Facebook recently blocked Google+ from exporting your list of Facebook friends' names (not email addresses). When you put this in the context of attacks, knowing the names of someone's friends on Facebook could be quite valuable for social engineering.

    Continue reading "Tenable Network Security Podcast - Episode 89" »

     

    Tenable Network Security Podcast - Episode 88

    Welcome to the Tenable Network Security Podcast - Episode 88

    Hosts: Paul Asadoorian, Product Evangelist

    Announcements

    Interview: Jesse Kornblum

    Jesse Kornblum is a Computer Forensics Research Guru with the Kyrus Technology

    Continue reading "Tenable Network Security Podcast - Episode 88" »

     

    Making It Easier To Perform Credentialed Scanning & Auditing

    The Benefits of Credentialed Scanning and Auditing

    We've covered the advantages of credentialed vulnerability scanning and configuration auditing in previous blog posts, but I want to recap some of the benefits:

    • Getting Around Firewalls - Whether you are scanning through network or host firewalls, credentialed scans require fewer ports to be open between the scanner and the target(s) and require less network bandwidth and fewer target resources.
    • Finding Localized Vulnerabilities - Several vulnerabilities, including those being exploited by attackers and penetration testers alike, are not accessible over the network but present themselves in end-user software ranging from web browsers to PDF readers and office suites. By performing a credentialed scan, Nessus is able to find vulnerabilities in local software that require user interaction to trigger exploitation.
    • Verifying Settings & Configurations - Through either Nessus plugins or configuration auditing, you can answer questions about the state of your systems. For example, if you want to know who has either local or domain administrative rights to your systems, there are plugins that report the list of users. Want to know what type of USB devices are in use in your environment or which systems have modems connected? There are plugins that test for those conditions as well. With configuration auditing, you can check any registry entry on a Windows system for a specific value or check the values on entries in configuration files on Linux/UNIX systems.

    Continue reading "Making It Easier To Perform Credentialed Scanning & Auditing" »

     

    Advanced Vulnerability Scanning Using Nessus Course

    We are excited to announce that SANS is partnering with Tenable Network Security to bring you “Advanced Vulnerability Scanning Techniques Using Nessus” as part of the SANS Hosted Series of courses. This class is part of a brand new series of vendor-specific classes SANS is offering to complement your needs for training outside of SANS vendor-neutral courses.


    Continue reading "Advanced Vulnerability Scanning Using Nessus Course" »

     

    Tenable Network Security Podcast - Episode 87

    Welcome to the Tenable Network Security Podcast - Episode 87

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher, Jack Daniel, Product Manager

    Announcements

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 87" »

     

    4 out of 5 CISOs Don't Scan for Off-Port Web Servers

    An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

    Continue reading "4 out of 5 CISOs Don't Scan for Off-Port Web Servers" »

     

    Comparing the PCI, CIS and FDCC Certification Standards

    As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and the US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these categories (we're in the process of becoming an ASV), I thought it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.

    Continue reading "Comparing the PCI, CIS and FDCC Certification Standards" »

     

    Firewall and Boundary Auditing Best Practices

    Recently, I had the chance to work with several larger Tenable enterprise customers who were charged with figuring out what the perimeter of their network really looked like.

    I showed them how multiple Nessus scanners and Passive Vulnerability Scanners deployed throughout their infrastructure could be leveraged to provide near real-time visibility into every boundary or enclave.

    With the rise in popularity of the SANS Consensus Audit Guidelines, which specifically call out "Boundary Monitoring", and the increased number of Tenable federal customers deploying 20+ active and passive scanners to perform CyberScope scanning, I decided to write a best practices paper on how network boundaries can be monitored and understood.

    The paper starts out with simple concepts such as comparing what a scanner on the inside of a firewall can find compared to what one on the outside scanning inbound can find. It finishes with how distributed scanning and sniffing can help identify trust relationships and poor firewall rules between enclaves. There is also a lot of great artwork that facilitates understanding of these complex ideas:

    Boundary-image
     The paper is available for a free download here. If you have feedback or want to send me a note about it, feel free to post comments to our Tenable Discussions Forum and reach me on Twitter @RonGula.

     

    Risky Business #198 - Tenable CEO Interview on Cybercrime Insurance

    In this week's Risky Business podcast, Patrick Gray and I chatted about the recent rise in cyber insurance. Insurance companies have been working on a variety of insurance packages for years and the recent rash of RSA, Sony and other high-profile attacks has raised the interest level and demand for this. The key point here is that if an insurance company can offer this type of coverage, they need to understand the risk much better than the customers buying the service.

     

     

    Microsoft Patch Tuesday Roundup - June 2011

    Keeping Tabs On Patches

    Let’s face it; we all have to deal with patches. Everyone from an IT systems administrator to your grandma has to face the challenges of patches. Whether you have a home computer that you use to browse the web, a phone that you occasionally check email from, or 10,000 enterprise desktops spread across three continents, you're dealing with patches. Regardless of your situation, you need to be able to answer two basic questions:

    • Which patches are missing?
    • Which patches have been successfully installed?

    If you only have one computer in the house, it probably annoys you to some degree when it’s time to apply patches, indicating that you are in fact missing patches. This answers the first question above, but the operating systems themselves have few measures for success. There are many situations that cause patches to fail, or leave vulnerable software behind after an update, that can easily be missed by the average user. Your so-called "smart-phone" is even worse. Since most users do not connect their phones to their computers, or the carrier is blocking operating system updates, you may never be able to answer the first question (I guess that's one reason why RIM maintains a prominent presence in the enterprise, as they answer both questions very well with respect to BlackBerry users in your environment). Never knowing that you even require patches is a big problem, as is not knowing whether they were applied successfully.

    A Much Larger Problem

    Enterprises with 10,000 or more desktops exacerbate the problem of patch tracking. With so many devices that require patches, things are bound to go wrong! Lately I've been using dashboards in Tenable's SecurityCenter, and thanks to Tenable CEO/CTO Ron Gula, I have some interesting SecurityCenter 4.2 "dashboards" to help me track patches. Here's just one example:


    Continue reading "Microsoft Patch Tuesday Roundup - June 2011" »

     

    Tenable Network Security Podcast - Episode 86

    Welcome to the Tenable Network Security Podcast - Episode 86

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

    Announcements

  • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.

  • We're hiring! - Visit the Tenable web site for more information about open positions.

  • You can subscribe to the Tenable Network Security Podcast on iTunes!

  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

  • Jack Daniel joins Tenable as Product Manager.

  • Nessus for Android has been updated, including support for the Motorola Xoom.
    Stories

    • Dan Kaminsky On The RSA SecurID Compromise - "I recommend replacing devices in an orderly fashion, possibly while increasing the rotation rate of PINs. I dismiss concerns about source compromise on the grounds that both hardware and software are readily reversed, and anyway we didn’t change operational behavior when Windows or IOS source leaked." It's true, when entire operating systems' source code has leaked, no one really panicked or changed the way they do business. Yes, you should be replacing all your tokens and, of course, have some other forms of security and authentication other than SecurID.

    Continue reading "Tenable Network Security Podcast - Episode 86" »

     

    Tenable Network Security Podcast - Episode 85


    Welcome to the Tenable Network Security Podcast - Episode 85

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

    Announcements

  • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.

  • We're hiring! - Visit the Tenable web site for more information about open positions.

  • You can subscribe to the Tenable Network Security Podcast on iTunes!

  • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!

    Stories

    • RSA finally comes clean: SecurID is compromised - It turns out to be true: attackers possess the seed values for the tokens and the encryption algorithm is already public. RSA says they withheld the information because they did not want to tell attackers how to implement attacks, but it turns out evil bad guys figured it out and used it to attack Lockheed Martin. RSA is now offering to replace all 40 million+ SecurID tokens worldwide. Ouch. This is a breach that cost RSA dearly, in terms of money and reputation.

    Continue reading "Tenable Network Security Podcast - Episode 85" »

     

    Tenable Network Security Podcast - Episode 84

    Welcome to the Tenable Network Security Podcast - Episode 84

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

    Announcements

    Discussion

    Continue reading "Tenable Network Security Podcast - Episode 84" »

     

    SecurityCenter 4.2 and Community Dashboard Site Released

    Tenable Network Security is proud to announce the immediate availability of SecurityCenter 4.2. SecurityCenter is used to centralize and report on system and event data such as vulnerabilities, logs, NetFlow, configurations and more. 

    Continue reading "SecurityCenter 4.2 and Community Dashboard Site Released " »

     

    Hardening OS X Using The NSA Guidelines

    NSA Hardening Guidelines

    The National Security Agency (NSA) has developed security hardening guidelines for various operating systems and technologies. I remember when I first started in information technology and used these guides to harden my Windows servers. I was met with mixed success; some systems would run better, and some would cease to function due to configuration changes. This taught me about my systems and their configurations, and knowing what your systems do and how they are configured is the true key to successful systems administration. Remember, the “guidelines” are just that, a guide to configuring and securing your systems. Ultimately, it is up to you to determine which changes you will implement, and most importantly test those changes in a lab/QA environment.


    Mac OS X's popularity has been growing rapidly, and so has its use in corporate environments. The NSA has released a new hardening guide for OS X. Tenable has created a configuration audit that will compare the configuration of your OS X systems with the NSA's guidelines, and below are some of the example results from an audit:

    Continue reading "Hardening OS X Using The NSA Guidelines" »

     

    Announcing The Nessus Android App


    Tenable is pleased to announce the official release of the Nessus Android app! The application can be downloaded for free from the Android Market and contains the following features:

    • Connect to a Nessus server (4.2 or greater)
    • Launch existing scans on the server
    • Start, stop or pause running scans
    • Create and execute new scans and scan templates
    • View and filter reports

    Continue reading "Announcing The Nessus Android App" »

     

    Tenable Network Security Podcast - Episode 83

    Welcome to the Tenable Network Security Podcast - Episode 83

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO, Carlos Perez, Lead Vulnerability Researcher

    Announcements

    • A new blog post has been published:
    • Check out our video channel on YouTube that contains the latest Nessus and SecurityCenter 4 tutorials. The latest two videos are updates to older videos and cover basic vulnerability scanning and local patch checking using Nessus.
    • We're hiring! - Visit the Tenable web site for more information about open positions.
    • You can subscribe to the Tenable Network Security Podcast on iTunes!
    • Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics and more!
    • A new Nessus plugin is being released into the feed that will identify the device type of your targets. For example, if Nessus finds that a device is running Cisco IOS, it will flag it as device type: router. This is useful when reporting, trending, and "dashboarding" with SecurityCenter.
    • A new promotion is being run: All new Nessus Professional Feed users will receive a free demo of the Nessus Perimeter Service.
    • Upcoming Product Releases: SecurityCenter 4.2 and LCE 3.6.1. One of the major new features of SecurityCenter 4.2 is the ability to share dashboards. You can visit our dashboards page for a sneak preview.

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 83" »

     

    Plugin Spotlight: Detecting PsExec

    I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:

    "PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."

    Continue reading "Plugin Spotlight: Detecting PsExec" »

     

    Tenable Network Security Podcast - Episode 82

    Welcome to the Tenable Network Security Podcast - Episode 82

    Hosts: Paul Asadoorian, Product Evangelist

    Announcements

    Interview: KC Berg, Level3 Communications


    KC works for Level3, the world's largest Internet service provider. He uses Nessus, and in a big way. They scan hundreds of thousands of IP addresses every day, customize NASL, and make extensive use of the API. KC is also a big fan of credentialed auditing and tells us how he uses that to help maintain security on some of the busiest networks in the world.

    Episode 82 Direct Download

     

    3D Tool Version 2.0 Released

    Tenable’s 3D Tool v2.0 is a Windows application that queries data from a SecurityCenter 4 server and presents it in an interactive visual console to facilitate presentations and security analysis.

    It can help better communicate different types of information available in SecurityCenter, such as:

    • Nessus vulnerability data

    • Network topologies

    • PVS data, including passively discovered vulnerabilities, network connections and new network devices

    • Event data discovered and normalized by the Log Correlation Engine (LCE), including intrusion detection, firewall, NetFlow and syslog data

    For more information, see Ron Gula's post to the Nessus Discussion Portal titled "3D Tool Creation and Walk-Through" (login required).

    The following screenshot shows hosts on the network and their operating system type:



    Continue reading "3D Tool Version 2.0 Released" »

     

    Sony: Compliance Lessons Learned

    The Now "Infamous" Sony Hack

    It was reported late last month that attackers had penetrated Sony's PSN (PlayStation Network) platform. It has been rumored that reverse engineering the PlayStation firmware, coupled with vulnerabilities in Linux servers and unencrypted data traversing the network, led to the leak of over 77 million users’ information, possibly including 2.2 million credit card numbers.


    Sony reportedly may have lost so many credit card numbers that there is speculation it could devalue all stolen cards on the black market.

    Continue reading "Sony: Compliance Lessons Learned " »

     

    Microsoft Patch Tuesday Roundup - May 2011

    If You Are Using WINS, You Are Not WINNING

    WINS, or Windows Internet Name Service, exists so that NetBIOS hosts can communicate with TCP/IP hosts. Wait, did we just step into the network protocol time machine? In fact, we did! NetBIOS was developed for IBM in 1983 by a company called Sytec, and later adopted by Microsoft (see "Understanding NetBIOS and Windows Server 2003" for more historical information on our journey back in time). So the big question remains, why are people still running WINS and/or NetBIOS? My guess is that a vendor provided you a solution, stuck you with an operating system that is old and outdated, and now you’re stuck maintaining the application and operating system (refer to Rafal Los's great post: Supporting "Unmaintainable" Applications).

    Any time you can enable yourself to rid the network and systems of old protocols, it’s a win for security. The harder part is ridding your network of the things that rely on those protocols. Once you get there, however, not only will you have a network that is easier to maintain (let's face it, WINS was one more thing to go wrong with Windows networking), it will be slightly more secure as well.

    MS11-035 addresses a privately reported, remotely exploitable vulnerability in WINS, as if the attackers need something else they "could" exploit.



    "To The Cloud!"

    Continue reading "Microsoft Patch Tuesday Roundup - May 2011" »

     

    Tenable Network Security Podcast - Episode 81

    Welcome to the Tenable Network Security Podcast - Episode 81

    Hosts: Paul Asadoorian, Product Evangelist, Ron Gula, CEO/CTO

    Announcements

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 81" »

     

    Plugin Spotlights: New Nessus OS Identification Plugins

    The Tenable research team recently published a few new plugins that contribute to how Nessus performs OS identification. When scanning devices and systems I am always amazed at how many different services will hint at, or even flat out reveal, the operating system and version.

    OS Identification : HNAP

    HNAP is the Home Network Administration Protocol developed by Cisco Systems. It is designed to allow remote support personnel to manage devices on users' networks using a SOAP-based protocol. An unfortunate side effect is that information is leaked across the network and can be accessed without authentication. A new plugin was developed to collect this information and use it to determine the remote operating system:

    Continue reading "Plugin Spotlights: New Nessus OS Identification Plugins" »

     

    Tenable Network Security Podcast - Episode 80

    Welcome to the Tenable Network Security Podcast - Episode 80

    Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, Ron Gula, CEO/CTO

    Announcements

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 80" »

     

    Tenable Network Security Podcast - Episode 79

    Welcome to the Tenable Network Security Podcast - Episode 79

    Announcements

    Continue reading "Tenable Network Security Podcast - Episode 79" »

     

    Tenable All-Star Security Showcase - New York City 2011

    Please join Tenable's CEO/CTO Ron Gula, Tenable CRO and creator of Nessus Renaud Deraison, Tenable CSO Marcus Ranum, and Paul Asadoorian for a Security Showcase on May 17, from 8:30 am to 2:00 pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City.


    Breakfast and lunch will be provided during this half-day FREE event.

    Topics covered will include:

    During lunch you will also be given a live demonstration of our enterprise solutions as they relate to the themes above.

    Space is limited for this event. We hope you can make it as the showcase is a rare opportunity to receive firsthand insight from four leading experts. RSVP to dmcrae -at- tenable.com or call (410)-872-0555 x 224.

     

    Microsoft Patch Tuesday Roundup - April 2011

    It's very exciting (depending on your perspective) when there is a record-breaking Microsoft Patch Tuesday! April 2011 is the largest Patch Tuesday release in history, with 17 bulletins covering 64 different vulnerabilities across several products. While everyone is beating the "Microsoft Patch Tuesday Crisis Drum", attackers are continuing to have success breaking into major organizations using the "exploit du jour", some social engineering methods or a combination of both.

    Rally to patch your systems!

    What I would like to suggest is a weekly, or even daily, "patch rally". Patching needs to be an ongoing process of checking to see if patches are available, applying the patches, and then verifying that the patches have been applied and installed properly. I don't think we need to "take time to stop and patch"; we just need to patch as a normal, everyday, regular business operation. It's sad that we have to install more software to fix broken software, but it has become the way of the IT world. If your business cannot sustain being patched, then you've probably chosen the wrong software and configurations and your business will likely be negatively affected. The negative effects happen in two ways: 1) you install the patches and your system and/or software fails as a result of a bug in either the software or the software patch or 2) you don't apply the patch and attackers compromise the system and ruin the integrity of the system and the data contained therein. So, hence my cry to "rally to the patch"!

    Continue reading "Microsoft Patch Tuesday Roundup - April 2011" »

     

    Tenable Network Security Podcast - Episode 78

    Welcome to the Tenable Network Security Podcast - Episode 78

    Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher

    Announcements

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 78" »

     

    New Nessus Scan Policy Templates Added in the Plugin Feed

    We are pleased to announce that four new Nessus policy templates will be distributed to Nessus ProfessionalFeed and HomeFeed users via the Nessus plugins feed. This is the first time we've used "push" functionality to send down scan policy templates.


    The four new Nessus scan policy templates will appear in the "Policies" tab once your Nessus installation has updated the plugins:

    • External Network Scan - This policy is tuned to scan externally facing hosts, which typically present fewer services to the network. The plugins associated with known web application vulnerabilities (CGI Abuses and CGI Abuses: XSS plugin families) are enabled in this policy. Also, all 65,535 ports are scanned on each target.

    Continue reading "New Nessus Scan Policy Templates Added in the Plugin Feed" »

     

    "LizaMoon" Detection Added to Nessus, PVS and LCE

    Nessus plugin 29871 has been updated to look for the presence of malicious JavaScript on a remote web site.

    (See Attack on ASP site that uses a SQL server database)

    Below is an example of the plugin report:


    Continue reading ""LizaMoon" Detection Added to Nessus, PVS and LCE" »

     

    Tenable Network Security Podcast - Episode 77

    Welcome to the Tenable Network Security Podcast - Episode 77

    Hosts: Paul Asadoorian, Product Evangelist, Carlos Perez, Lead Vulnerability Researcher, and Ron Gula, Tenable CEO/CTO

    Announcements

    Stories

    Continue reading "Tenable Network Security Podcast - Episode 77" »

    Tenable Network Security


    The official BLOG of Tenable Network Security and the Nessus vulnerability scanner.