31 posts categorized "Security Center"

 

Microsoft Patch Management Integration with Nessus - Part 1 WSUS

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows Server 2003 SP2 patches. If you are not familiar with WSUS, it is freely available to Microsoft customers as part of your Windows Server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is the Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter can query WSUS to verify whether patches are installed on systems managed by WSUS and display the patch information in the Nessus or SecurityCenter interface. When performing scans with the WSUS patch management plugins enabled and configured, please note the following:

  • Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will log in and perform credentialed scanning without querying the WSUS server data.

  • WSUS is queried when credentials fail - If credentials are not valid for a target system, or no credentials are entered into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that can cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
  • The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
  • Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.
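The last caveat is easy to check directly against the WSUS server. The PowerShell script below is an added example, not code from the original post or from Tenable; it uses the WSUS administration API (the Microsoft.UpdateServices.Administration assembly that the WSUS console installs) to list the patch summary each client has reported alongside the time of that client's last status report, so hosts whose WSUS data is stale stand out before anyone trusts a WSUS-sourced patch audit for them. The server name, port and staleness threshold are assumptions to replace with your own.

```powershell
# Added example, not code from the original post or from Tenable.
# Lists what WSUS knows about each client and flags clients whose last status
# report is older than $StaleDays (the "only as up-to-date as your WSUS server"
# caveat). Requires the WSUS administration console on the machine running it.
param(
    [string]$WsusServer = 'wsus.example.local',  # assumed hostname; replace with yours
    [int]$Port = 8530,                           # 8530/8531 on a custom IIS site, 80/443 on the default site
    [switch]$UseSsl,
    [int]$StaleDays = 7                          # assumed threshold
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer(
    $WsusServer, [bool]$UseSsl, $Port)

$cutoff = (Get-Date).AddDays(-$StaleDays)

function Get-WsusClientStatus {
    foreach ($target in $wsus.GetComputerTargets()) {
        $summary = $target.GetUpdateInstallationSummary()

        # Titles of the updates this client itself reported as not installed.
        $missing = $target.GetUpdateInstallationInfoPerUpdate() |
            Where-Object { $_.UpdateInstallationState -eq 'NotInstalled' } |
            ForEach-Object { $_.GetUpdate().Title }

        [pscustomobject]@{
            Host          = $target.FullDomainName
            IPAddress     = $target.IPAddress
            LastReported  = $target.LastReportedStatusTime
            # Anything a scanner learns about this host from WSUS is no newer than LastReported.
            Stale         = ($target.LastReportedStatusTime -lt $cutoff)
            NotInstalled  = $summary.NotInstalledCount
            Failed        = $summary.FailedCount
            PendingReboot = $summary.InstalledPendingRebootCount
            Unknown       = $summary.UnknownCount
            Missing       = ($missing -join '; ')
        }
    }
}

$status = Get-WsusClientStatus
$status | Sort-Object Stale, NotInstalled -Descending |
    Format-Table Host, LastReported, Stale, NotInstalled, Failed, PendingReboot -AutoSize

# Stale hosts deserve a credentialed scan (or a forced client report) rather than trust in the WSUS figures.
$status | Where-Object Stale | ForEach-Object { "STALE: $($_.Host) last reported $($_.LastReported)" }
```

Run it on a machine with the WSUS console installed, using an account in the WSUS Administrators group. The per-update call is slow on large servers, so drop the Missing column if you only need the summary counts. A client that has never reported has a LastReportedStatusTime of the .NET minimum date and is therefore flagged stale; on such a client, `wuauclt /reportnow` forces a report.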

Continue reading "Microsoft Patch Management Integration with Nessus - Part 1 WSUS" »

 

Patch Management Integration with Nessus Released

Today, Tenable Network Security announced integration between Nessus and a variety of patch management systems that will simplify scanning in cases where credentialed scans are difficult or impossible. The integration allows Nessus and SecurityCenter users to establish direct links to patch management systems. This simplifies patch audits as the systems in your environment do not all have to contain credentials in order to be scanned. You simply need to give Nessus credentials to your patch management server. This integration enhances compliance programs and helps eliminate confusion about the patch status of systems between IT operations and network security teams.

With Nessus patch management integration, you can:

  • Retrieve patch manifests and status information from Red Hat® Network Satellite Server, Microsoft® Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM), and VMware® Go (formerly known as Shavlik).
  • Quickly generate patch compliance reports in Nessus and SecurityCenter, based on the data returned from patch management systems. Presentation of records in the well-known Nessus format can speed auditors’ reviews, and simplify resolution of discrepancies between management systems.
  • Retrieve accurate patch status information for systems that can’t be fully scanned by vulnerability assessment tools because of a lack of credentials. Credentials are only required for access to the patch management system.
  • Retrieve patch status in environments where scanning is not available due to other constraints, such as limited networking.
  • Help eliminate false positives caused by back ported patches in Red Hat Satellite environments.

This integration is available today in the case of Microsoft and VMware Go (Shavlik) systems, and is expected no later than Friday of this week for Red Hat. You’ll find the plugins in the ProfessionalFeed. Configuration documentation is available in the Patch Management Integration documentation. If working with patch management systems is a challenge for you, watch this space – I’ll be posting more details on how this integration works, and you can take advantage of it in your environment.

 

SecurityCenter Dashboards on the Discussion Forums

One of the primary ways SecurityCenter allows you to visualize the overall security and compliance posture of your network is through the use of dashboards. The SecurityCenter section of Tenable’s Discussion Forums now provides index lists for all of the available Tenable-produced SecurityCenter dashboards grouped by category.

SecurityCenter dashboards are easily customizable to give snapshot information on scanning, vulnerabilities, and events. Tenable provides dozens of dashboard templates in the SecurityCenter Dashboards section of the Tenable Blog. Categories such as “PCI, CIS, & SANS CAG”, “Advanced Persistent Threats & Malicious Software”, and “Vulnerability Tracking, Trending, & Scoring” are split out so SecurityCenter customers can easily find sample dashboards related to each topic. In addition, each post includes a link to a Tenable-produced dashboard XML file that can be imported into SecurityCenter.

  Sample SecurityCenter Dashboard for Intrusion Detection Trend and Correlation

Anyone can create a Discussion Forums account by clicking on the “Register” link on the main page and filling in the requested information. Once you have an account, log into the Discussion Forums and perform a search for “SecurityCenter Dashboards” to find dashboards of interest, find additional information related to SecurityCenter dashboards, or to start your own discussion with other SecurityCenter customers.

 

The Unpatchables

In a perfect world, there would be no vulnerabilities.  In a perfect patching world there would be a patch for every vulnerability and we would always be able to patch all of our systems as soon as a patch was available. In the real world we do the best we can and struggle with testing cycles, incompatibilities, and legacy applications which means sometimes we have to leave insecure and unpatched systems in production.

There are a variety of situations that can cause exposure:

  • Some patches break needed applications or cause compatibility problems
  • Patches may not yet be available for a vulnerability but the systems must stay online and exposed
  • Legacy applications or operating systems may still be required (for example, Internet Explorer 6 may be required to access a legacy web application, probably running on a legacy web server)
  • A maintenance window may not be immediately available when patches are released
  • Systems in development environments may be vulnerable during development and testing phases

Continue reading "The Unpatchables" »

 

Dealing with "Untouchable" Systems

"The Untouchables"

An untouchable system is one on which you cannot install software (such as agents) or apply security fixes regularly. I have come up with several different examples of such systems, and tried to use examples here from my own experiences to define why they may fall into the "untouchable" category:

  • Select SCADA systems - This is a broad category, but it boils down to computers that are used in control systems networks. While many may be considered to be "air-gapped" (physically disconnected from any other types of systems), that may not actually be the case, since connectivity is required to manage the devices (especially those deployed in the field). I was once approached to perform a vulnerability assessment against one such system. I was told that network access would be provided, but that the system in question was responsible for providing power to thousands of people. This is a scary endeavor, as not only could you put thousands of people in the dark, but you could potentially damage infrastructure if the power is turned on and off too quickly. This situation requires a different approach than a traditional network vulnerability assessment or penetration test.
  • Traveling Laptops - It can be difficult to control the software and patches on systems that rarely connect to the corporate network. The concern is what happens when a laptop that has been connected to airport, hotel and other potentially hostile networks comes back to home base and plugs into your network. It may already be infected, and may not be up-to-date with patches. You can try to force users to connect back to your network via a VPN, but not all users may do this on a regular basis. During the user’s travel, the system is "untouchable".
  • Network Devices – Let's face it, no matter how redundant your network is, you just can't blast out a firmware update to your network gear at will. This leaves a good percentage of network systems that are "untouchable" for certain time periods. Routers have a bit more flexibility, but the physical switches that your systems are connected to cannot be taken down at will or users will lose connectivity, as flashing the device with new firmware requires that it become unavailable for a short period (or longer, depending on the device and software).

Continue reading "Dealing with "Untouchable" Systems" »

 

#8 Nessus Performs Web Application Scanning - Top Ten Things You Didn't Know About Nessus

Next up on our Nessus top ten list is #8, which covers how to use Nessus to find web application vulnerabilities. I've broken out the process into four different methods supported by Nessus:

1. Test For Known Vulnerabilities

Nessus contains over 2,600 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses: XSS" plugin families is written to enumerate vulnerabilities that have been publicly reported in a web application product, whether open source or commercial. To enable these plugins you must enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute unless CGI scanning is enabled.

Below is an example of one such plugin's output:

Picture100-sm.png

Continue reading "#8 Nessus Performs Web Application Scanning - Top Ten Things You Didn't Know About Nessus" »

 

#9 Nessus Detects Misconfiguration - Top Ten Things You Didn't Know About Nessus

The Nessus Top Ten List

This is the second post in a series of ten that will cover “The Top Ten Things You Didn’t Know About Nessus”. The first, starting with 10 in David Letterman top ten list fashion, is titled “There's More Than One Way To...” and covers the benefits of both credentialed and uncredentialed vulnerability scanning. Each item on the list will have a blog post and video associated with it. And now, on to number 9: “Nessus Detects Misconfiguration”.

Misconfiguration Leads To Compromise

Nessus helps you answer the question “Do my systems have uniform configuration settings?” Why is this important? Systems are increasingly more complex, and maintaining control of your configurations leads to systems that run smoother and are more resilient to attack. A recent case study that supports this concept was presented in a blog post titled "What do you mean privilege escalation is not HIGH RISK?".

Continue reading "#9 Nessus Detects Misconfiguration - Top Ten Things You Didn't Know About Nessus" »

 

Junos Local Patch Checking Support Added to Nessus

Tenable has authored a collection of plugins to identify Juniper Junos devices and perform local patch checking. By providing SSH or SNMP credentials, Nessus will log into a device running Junos and check for missing patches, such as:

You can enable these plugins by selecting the "Junos Local Security Checks" plugin family when creating policies in Nessus (or SecurityCenter) as shown below:

Junos Plugin Family Selection


Plugin ID 55392, Junos Version Detection, was added to identify the operating system version of the device being scanned:

Junos Version Detection


Continue reading "Junos Local Patch Checking Support Added to Nessus" »

 

#10 There's More Than One Way... - The Top Ten Things You Didn't Know About Nessus

Drum Roll Please...

Being the Product Evangelist for Tenable Network Security gives me some interesting insight into how the community views the features of our products. I meet some people who provide us with awesome suggestions for improvements and I also meet some people who scan their networks at semi-regular intervals using the default set of policies, unaware of the huge variety of features that Nessus includes.

Hence the project I have been working on: with help and support from the community and my fellow co-workers at Tenable, I have developed what we understand to be a list of the top ten things that people may not know about Nessus.

In part one, I want to explore the differences between traditional network-based scanning and scanning with credentials. So, in traditional David Letterman top ten fashion, we’ll start with number 10!

Speedy Target Safe Cracking
Nessus maintains a balance of speed, accuracy, and intrusiveness.

#10. There's More Than One Way To...

Continue reading "#10 There's More Than One Way... - The Top Ten Things You Didn't Know About Nessus" »

 

SecurityCenter 4.2 and Community Dashboard Site Released

Tenable Network Security is proud to announce the immediate availability of SecurityCenter 4.2. SecurityCenter is used to centralize and report on system and event data such as vulnerabilities, logs, NetFlow, configurations and more. 

Continue reading "SecurityCenter 4.2 and Community Dashboard Site Released " »

 

Plugin Spotlight: Detecting PsExec

I was recently talking to my good friend Ed Skoudis about computer security incident response. An interesting question he asks organizations that are in "incident response" mode is, "Do you run PsExec?" PsExec is part of the Windows Sysinternals’ suite of tools and implements a service that allows users to administer Windows systems remotely using the command line. More information can be found on the PsExec download page. It also contains functionality described as:

"PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like ipconfig that otherwise do not have the ability to show information about remote systems."
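Because PsExec works by installing a service on the remote host, the host keeps evidence of its use. The PowerShell script below is an added example, not code from the original post or from Tenable's plugin; it checks a single Windows host for the artifacts PsExec's documented default behaviour leaves behind (the PSEXESVC service and its binary in the ADMIN$ share, the Service Control Manager's event 7045 recording the install, and the named pipes an active session opens). The 30-day lookback is an assumption, and because PsExec's -r switch lets an operator pick another service name, a clean result only rules out the default.

```powershell
# Added example, not code from the original post or from Tenable's plugin.
# Looks for the artifacts PsExec leaves on a host it has administered. By default
# PsExec copies PSEXESVC.exe into the target's ADMIN$ share (%SystemRoot%) and
# installs it as a service named PSEXESVC; the Service Control Manager records
# that install as System event 7045, and an active session shows up as named
# pipes whose names contain "PSEXESVC". PsExec -r changes the service name, so
# a clean result here covers the default name only.
param([int]$Days = 30)   # assumed lookback for the System log

function Find-PsExecArtifacts {
    param([int]$Days)
    $findings = @()

    # 1. Service registration (PsExec removes it on exit, so a lingering one is notable)
    $svc = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
    if ($svc) { $findings += "Service PSEXESVC registered (status $($svc.Status))" }

    # 2. Service binary written through ADMIN$
    $bin = Join-Path $env:SystemRoot 'PSEXESVC.exe'
    if (Test-Path $bin) {
        $findings += "Binary $bin present (last written $((Get-Item $bin).LastWriteTime))"
    }

    # 3. Past installs: event 7045, whose first two properties are the service
    #    name and the image path
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'PSEXESVC' }
    foreach ($e in $events) {
        $name = $e.Properties[0].Value
        $path = $e.Properties[1].Value
        $findings += "Event 7045 at $($e.TimeCreated): service '$name' installed from '$path'"
    }

    # 4. Live session: PsExec's control pipe and per-session stdin/stdout/stderr pipes
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') | Where-Object { $_ -match 'PSEXESVC' }
    foreach ($p in $pipes) { $findings += "Named pipe open: $p" }

    return $findings
}

$result = Find-PsExecArtifacts -Days $Days
if ($result.Count -eq 0) { 'No PsExec artifacts found under the default service name.' }
else { $result }
```

Run it locally on the suspect host with an account that can read the System log; the event check is the one that survives after PsExec has cleaned up its service and binary, so keep the System log retention long enough for your lookback.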

Continue reading "Plugin Spotlight: Detecting PsExec" »

 

3D Tool Version 2.0 Released

Tenable’s 3D Tool v2.0 is a Windows application that queries data from a SecurityCenter 4 server and presents it in an interactive visual console to facilitate presentations and security analysis.

It can help better communicate different types of information available in SecurityCenter, such as:

  • Nessus vulnerability data

  • Network topologies

  • PVS data, including passively discovered vulnerabilities, network connections and new network devices

  • Event data discovered and normalized by the Log Correlation Engine (LCE), including intrusion detection, firewall, NetFlow and syslog data

For more information, see Ron Gula's post to the Nessus Discussion Portal titled "3D Tool Creation and Walk-Through" (login required).

The following screenshot shows hosts on the network and their operating system type:


Picture 20.png

Continue reading "3D Tool Version 2.0 Released" »

 

Analyzing the Compromise - without Going Hungry


It's 4:55 PM on a Friday and you are looking forward to an enjoyable dinner with your family. Your Blackberry starts buzzing from across your desk while your inbox starts filling up with alerts from your SecurityCenter along with frantic emails from Human Resources. It seems a disgruntled employee named Jack Black quit today and nobody remembered to tell the IT group to disable his accounts until after important files started disappearing. Suddenly, you are stuck in Incident Response mode, gathering data on the user's activities. Do you cancel your reservations?

Fortunately, you have deployed Tenable Network Security's Unified Security Monitoring products, and have a wide array of resources[1] at hand to streamline the response process. These resources include SecurityCenter, the Passive Vulnerability Scanner (PVS) and Log Correlation Engine (LCE). At a high level, what can these resources do for you?

SecurityCenter

SecurityCenter provides a unified view of both vulnerability and event data along with the alerting, ticketing and reporting required for thorough user forensics.

Passive Vulnerability Scanner

PVS not only tracks vulnerabilities, but logs user and network activities detected in real-time on the wire. These activities include:

Continue reading "Analyzing the Compromise - without Going Hungry" »

 

3D Tool beta Video

The following video is a demonstration of Tenable's latest 3D Tool Beta, visualizing network topology and security events:

The 3D Tool reads data from SecurityCenter and allows you to present it in an interactive visual console. For more information see Ron Gula's post to the Nessus Discussion Portal titled "3D Tool Creation and Walk-Through" (Login required). The 3D Tool beta works with SecurityCenter 4 and can be used to visualize Nessus information and topologies, passively discovered vulnerabilities and communications with the Passive Vulnerability Scanner and any series of connections or events from intrusion detection, firewall, netflow and other sources normalized by the Log Correlation Engine.

 

Unlimited Discovery Scanning with SecurityCenter and Nessus

With the recent release of SecurityCenter 4.0.1, Tenable has modified the IP-based licensing to include unlimited discovery scanning. This means organizations that make use of SecurityCenter can perform routine ping sweeps of their backbones and network blocks without it counting against their licensed IPs.

Continue reading "Unlimited Discovery Scanning with SecurityCenter and Nessus" »

 

SecurityCenter Webinar in French!

I invite you to join Renaud Deraison, author of Nessus and co-founder of Tenable Network Security, for a free webinar. Unlike most of our other webinars, this one will be presented in French! Several topics will be presented. One topic, "À la carte", covers what's new in SecurityCenter 4 and how to use it to detect vulnerabilities, missing patches, intrusion events, and network anomalies. In another, Renaud will describe how to give attackers the "Coup de grâce", whether you are an auditor, risk analyst, compliance monitor, security analyst or even an executive in Information Technology.


Details on this webcast are as follows:

Date: June 15, 2010

Time: 10:30 AM EST

Link: https://www1.gotomeeting.com/register/935408993

 

SecurityCenter 4 Released - Taking Unified Security Monitoring to a higher level

Tenable Network Security is very pleased to announce the release of SecurityCenter 4. This major new release of our security management tool provides much greater efficiency in managing security, compliance and situational awareness for enterprise network monitoring. The process and data from vulnerability scanning, log analysis, event management, configuration auditing and much more can be managed, fused and analyzed from one central console. This is the core principle of Tenable’s Unified Security Monitoring strategy.

Tenable's web site has been updated with much more detailed information about SecurityCenter 4 and how it manages the Nessus vulnerability scanner, the Log Correlation Engine and the Passive Vulnerability scanner. We’ve also updated our solutions content that features the new capabilities of SecurityCenter 4 to enable tasks such as database activity monitoring, forensics, user tracking and anomaly detection. 

More information about SecurityCenter is provided in the following demonstration videos and images, and can also be obtained by contacting us at sales@tenablesecurity.com

SecurityCenter Screenshots

SecurityCenter Introduction Video

 

SecurityCenter 4 Introduction – Pushing the envelope for scanning and event management products

Tenable Network Security will shortly release SecurityCenter 4. It embodies our entire Unified Security Monitoring™ strategy. SecurityCenter 4 places everything you need to know about vulnerabilities, missing patches, intrusion events, anomalies, log searches, configuration audits, file integrity auditing and much more right at your fingertips. It centralizes all system and event alerting for any type of security, IT or compliance regulations. But most of all, it makes your job as an auditor, a “risk mitigator”, a compliance monitor, a security analyst or even an IT executive, much easier. This blog post discusses the major functions of SecurityCenter 4 and provides several screen captures to illustrate them.

Continue reading "SecurityCenter 4 Introduction – Pushing the envelope for scanning and event management products" »

 

Video: Tenable Appliance Installation & Configuration

The Tenable Appliance is an easy way to get up and running quickly with Tenable products such as Nessus and Security Center. The Tenable Appliance is a virtual machine image that is compatible with:

  • VMware ESX versions 3.5 and older
  • vSphere 4.0
  • VMware Player, Server, Workstation and Fusion

We have produced a video demonstration that walks you through installation and configuration of the appliance:

You can also find a full size version of the above video on the Tenable YouTube Channel.

The Tenable Appliance is available for download in the customer support portal for all customers. There is also an update which brings the appliance up to date with the latest versions of Nessus (4.0.2) and Security Center (3.4.5).

 

Defeating Zombies: Five Ways To Improve Defenses

Defeating Zombies

Attackers have a number of avenues leading directly into your network, and more importantly, into your data. Each week I read about new data losses, phishing scams and the release of hundreds of new vulnerabilities and exploits. Organizations are employing a rear guard action that is not necessarily tuned to today's attack techniques.

Tried and true defensive measures such as firewalls, anti-virus software and Intrusion Detection Systems provide "operational security", but even when they run flawlessly they are typically not enough. Security programs need to evolve with the latest attack trends and Internet technologies. A great blog post by Tim Mugherini titled "Don't be the Smelly Kid" sums this up nicely. It describes a shift by attackers away from targeting network services and towards attacking web applications and client software. These new methods require updated education for management and the implementation of new and different security projects to protect your infrastructure.

Considering Halloween is around the corner, your security strategy can be compared to the situations in typical horror movies. When the defenseless victims are under attack from whatever threat is posed (zombies, Jason, Freddy, Michael Myers, etc.), they often make common mistakes such as piling all of the furniture in the room in front of the door while leaving the windows unsecured. Shooting zombies anywhere other than the head is another good example (those who have read "The Zombie Survival Guide: Complete Protection from the Living Dead" know that the only way to destroy a zombie is to destroy the brain!).

Continue reading "Defeating Zombies: Five Ways To Improve Defenses" »

 

Tenable Virtual Appliance

Tenable is pleased to announce the release of the Tenable Virtual Appliance! The appliance replaces the Nessus VM Appliance and provides a preinstalled image of all Tenable applications in one easy to configure interface. The Tenable Virtual Appliance is available for Tenable customers and is provided for use with VMware Server, VMware Player and VMware ESX Server. Currently, Nessus and Security Center applications are available on the appliance with the Log Correlation Engine and Passive Vulnerability Scanner to be released soon. Tenable ProfessionalFeed customers can download the latest version of the Tenable Virtual Appliance along with any available updates from the Tenable Support Portal.

Continue reading "Tenable Virtual Appliance" »

 

Successfully Presenting Vulnerability Data To Management

Your organization's network is a never-ending source of vulnerability information. New systems and applications are constantly being added, making the job of consistent vulnerability identification and risk management difficult. Tenable provides several tools to assist in this process. Nessus, combined with the Security Center, can provide detailed information about the vulnerabilities in your environment. The problem that many administrators face is that they are not always successful in getting management to recognize problems and provide resources for remediation. This blog post describes some tactics I have compiled over the years to help expedite this process.

Continue reading "Successfully Presenting Vulnerability Data To Management" »

 

Tenable Log Correlation Engine & Splunk Integration

Setting up the Log Correlation Engine & Splunk

Tenable has recently released a new Log Correlation Engine (LCE) client that allows you to collect log data from Splunk installations to send to LCE, Tenable’s solution for log storage, normalization and correlation. If you have instances of Splunk in your environment, it’s a simple process to configure the integration. Below is an overview of the traffic flow:

Continue reading "Tenable Log Correlation Engine & Splunk Integration" »

 

Tenable Releases Security Center 3.4

Earlier this week, we released Security Center 3.4 to our customers. Version 3.4 adds a lot of new features in the user interface and reporting. It also strongly ties in log analysis and network monitoring with vulnerability scanning and configuration auditing. Anyone can see video demos of the product being used to analyze logs, audit configurations, perform scans and look for intruders under the "Unified Security Monitoring" section of our Demo Videos.

Some of the major new features include:

  • An enhanced and modern user interface
    It makes use of more screen area, can save any query for later usage and has intuitive links to quickly view raw syslog, vulnerability or configuration information.
  • Support for manual Nessus report uploads and downloads
    You can perform scans with the Nessus Client and upload them to the Security Center. Any tool or product that works with the Nessus report format can also receive these types of reports from the Security Center.
  • A more robust, intuitive and feature-rich scan scheduling interface
    This includes the ability to override a variety of scan settings at scan time, such as changing the required credentials to perform a patch or configuration audit of a server.
  • More than 170 report templates for PCI, FISMA and other standards
    These templates consider vulnerabilities, patch audits, configuration audits, change auditing, compromise events, correlated events and many other types of data sources.

There are hundreds of other features not listed here which focus on ease of use and new technical functionality. For example, many new scanning options expose those added in Nessus 3.2. A full list of new features is available to customers on our support portal.

Below is an array of screen shots which show various aspects of Security Center 3.4 in action.

Pluginfamilysummary

Vulnerability Summary By Nessus Family
Detected vulnerabilities can be summarized and sorted by each Nessus family. A running total of individual severity levels is also shown and can be clicked on, bringing the user to a list of all vulnerabilities from that severity level in that family.

Portsummary

Vulnerability Summary by Port
This sort lists all ports for which some sort of vulnerability or information has been discovered either through a Nessus scan or from a Passive Vulnerability Scanner report.

Rawvulndetails

Raw Vulnerability Detail
In this view, we are showing two hosts that had high level severity issues for their SSH daemons. From this link, users can open tickets, look at logs from these hosts and recast the severity level if needed. Any of the raw text in these screens is available for searches as well as dynamic asset classification.

Scapauditasset

"Pop Up" IP Screen
Throughout the Security Center user interface, when working with an IP address on a vulnerability, intrusion detection or log event screen, clicking on it will "pop up" a box containing asset classification, descriptions about the IP address and hot links to other queries.

Lcetypeview

Normalized Event Visualization
In this screen, a user is presented with an activity graph for all normalized log events. Events that occur continuously appear as horizontal bands. The vertical list of events was the result of a large network scan, which caused events from different sources across the entire network.

Idstimedistsummary

Directional Activity Graphing
When working with IDS or log events, the amount of activity inbound, outbound and internal to the entire network or specific asset groups can be displayed. For example, you might be interested in IDS events "leaving" your entire network and then choose to look at IDS events "leaving" your DMZ or server farm.

Correlatedlceevents

Correlated Event Visualization
In this graph, we are showing correlated events. These include IDS events that have been automatically correlated with known vulnerabilities, as well as events generated by the Log Correlation Engine which have discovered a wide variety of suspicious activity.

Viruslog

Raw Event Display
For each gathered and normalized event, the data from Syslog, Windows Events, netflow and so on, is available for display. In this screen shot, several Snort Emerging Threats rules are displayed.

The Security Center is priced solely based on the number of active IP addresses being managed. A 500 IP Security Center license lists for $15,750. All Nessus scanners connected to the Security Center also receive Direct Feed plugin updates. For pricing and quotes on larger networks, please contact our sales team.

 

Security Center 3.2 Report Templates

One of the new features of Security Center 3.2 is the availability of many report templates. These allow any Security Center user to quickly create a report for one or more of their asset groups.

Some templates are very simple (such as all of the vulnerabilities from a specific Nessus plugin family) and included for convenience. Other templates take advantage of some unique features in Security Center 3.2 and our other products such as the Log Correlation Engine (LCE) and the Passive Vulnerability Scanner (PVS).

To select the verbosity level of a report, most templates include three options: "Summary and Trend", "System Details" and "Vulnerability Details". The trend report presents a list of matching vulnerabilities, vulnerability count by asset group and other high level information. The "System Details" option adds lists of specific networks (summarized by Class C network address) and lists of IP addresses. And lastly, the "Vulnerability Details" template includes all data known about the vulnerabilities, including the unique responses from the systems reported on.

Below is a screen shot of where Security Center 3.2 users can select the report templates:

[Screenshot: report template selection]

This template interface is available after a user chooses a report title and filter.

Below is an alphabetical list of each report type and what it does. For each chapter template, the source of data (Nessus, PVS, LCE or IDS data) is noted. In addition, if there are any special prerequisites (such as having a specifically named Asset Group) they are indicated as well.

NOTE: The "Vulnerability Details" report is extremely verbose. Even for a list of 100 computers, it can produce reports hundreds of pages in length.

AIX Patch Audit (Nessus credentialed patch audits) These templates include a list of all missing AIX patches.

Apache Web Servers (All Vulnerability Sources) For asset groups named "Apache 2_2 Web Server", "Apache 2_0 Web Server" and "Apache 1_3 Web Server", any available vulnerability data is reported on. Dynamic asset templates to automatically classify systems within these asset lists are available in the Security Center.

Asset Vulnerability Summary (All Vulnerability Sources) This template creates chapters unique to the actual assets assigned to the individual creating the report. These "by asset" chapters include generic vulnerability summaries, Database issues, Compliance issues, new issues discovered in the last 30 days, open ports, browsed ports, Internet browsing devices and patches.

Browsed Ports (Passive Vulnerability Scanner) Reports separately the TCP and UDP ports that are being "browsed". A third chapter includes a list of Class C networks which browse the Internet.

Cisco Patch Audit (Nessus credentialed checks) Lists all missing IOS security patches.

Common Open Ports (Nessus and Passive Vulnerability Scanner) Lists all open TCP and UDP ports, as well as unique Class C networks with open UDP and TCP ports.

Compliance (Nessus credentialed compliance audits) Reports on all compliance configuration issues.

Database (All Vulnerability Sources) Lists all vulnerability issues actively and passively discovered.

Discovery Report (All Vulnerability Sources) This template highlights very useful information about the discovered devices on the network. Chapters include passively discovered operating system types, trends of "pingable" hosts, trend of Internet browsing hosts and lists of detected services.

Email Server and Client Issues (All Vulnerability Sources) This report highlights all things related to email delivery, client usage and server security issues. Chapters include all vulnerabilities discovered on common email ports, patches missing for Outlook and Exchange, lists of hosts and networks which send or receive email, and unique chapters for Nessus and PVS families related to email.

Exchange Servers (All Vulnerability Sources) For asset groups named "Exchange - W2003", "Exchange - W2K", "Exchange - W2K-SP3" and "Exchange - WinXP", any available vulnerability data is reported on. Dynamic asset templates to automatically classify systems within these asset lists are available in the Security Center.

Hosts With Discovered Vulnerabilities in Last 'N' Days (All Vulnerability Sources) This template finds all vulnerabilities discovered in the last 5, 15 or 30 days and lists them, along with their ports, the networks and the assets affected by them. If the PVS is in use, or daily active scans are occurring, these reports can show the most recent vulnerabilities.

HP-UX Patch Audit (Nessus credentialed checks) Lists all missing HP-UX security patches.

IDS Targeted Events (IDS Events) Summarizes yesterday's IDS activity with separate chapters for inbound, outbound and internal events, as well as separate summaries for TCP and UDP events.

IDS Targeted Ports (IDS Events) Summarizes yesterday's IDS activity with separate chapters for inbound, outbound and internal ports corresponding to IDS events, as well as separate summaries for all TCP and UDP ports with IDS event activity.

IIS Web Servers (All Vulnerability Sources) Summarizes all vulnerability data for assets pertaining to a specific IIS web server type. The asset names are "IIS 6_0 Web Server", "IIS 5_1 Web Server" and "IIS 5_0 Web Server". Templates for dynamic asset rules for these asset types ship with the Security Center and make use of both active and passive discovery.

Incorrect Credentials (Nessus credentialed checks) This template summarizes output from Nessus ID #21745 which reports on issues related to incorrect SSH and Domain credentials. Separate chapter summaries are provided for unique Class C networks and hosts.

LCE Event Summary - Last 'N' Days (Log Correlation Events) This template summarizes all events recorded by the Log Correlation Engine for the past day, two days, five days and 25 days. It lists all events and has separate chapters for inbound, outbound and internal logs.

LCE Port Summary - Last 'N' Days (Log Correlation Events) This template summarizes all ports affected by events recorded by the Log Correlation Engine for the past day, two days, five days and 25 days. It lists all ports and has separate chapters for inbound, outbound and internal logs.

Linux Patch Audits (Nessus credentialed checks) This template lists all known missing security patches for Linux operating systems supported by Nessus. This includes RedHat, CentOS, and several others. Separate chapters for each OS are included.

MacOS X Patch Audit (Nessus credentialed checks) Lists all missing MacOS X security patches.

Nessus Scan Summary (Nessus scan and credentialed checks) This chapter summarizes all vulnerability data. The "Vulnerability Details" version of this template should only be used on small numbers of hosts.

Open Ports Summary (All Vulnerability Sources) This template lists all open TCP and UDP ports, as well as lists of all assets which have open ports. A last chapter includes a list of vulnerabilities which have "high" severity levels.

Outbound Internet Connections (Passive Vulnerability Scanner) This template makes extensive use of PVS ID #3 (the show connections plugin) and any targets of 0.0.0.0. The template summarizes all hosts, outbound ports, internal browsing networks and browsing hosts per day.

Passively Discovered Clients (Passive Vulnerability Scanner) The PVS identifies many different types of information about monitored networks. This template includes chapters for passively discovered operating systems, passively discovered email client types and passively discovered web client types.

PCI Level 4 and 5 Asset Summary (All Vulnerability Sources) This template lists all assets which have vulnerabilities scored as a PCI level 4 or 5 severity.

PCI Level 4 and 5 Nessus Scan Summary (Nessus scan and credentialed checks) This template lists all vulnerabilities which have scored as a PCI level 4 or 5 severity.

PCI Nessus Scan Summary (Nessus scan and credentialed checks) The PCI standard assigns vulnerability severity levels between 1 and 5 with 5 being the most severe. This template produces a report which maps all Nessus vulnerabilities into each of these severity levels.

PVS (Passive Vulnerability Scanner) The vulnerabilities and information about the systems and networks monitored by the PVS are captured in this report template. Separate chapters for browsed ports, discovered vulnerabilities, open ports and Internet browsing devices are included.

SANS Top 20 (All Vulnerability Sources) Tenable includes report templates for the vulnerabilities and recommendations published by SANS. The report template produces chapters which correspond to the topics (such as the "W2 Windows Libraries" in the SANS Top 20 2006 Q4 update) in the corresponding SANS lists.

Solaris Patch Audit (Nessus credentialed checks) Lists all missing Solaris security patches.

Vulnerability Report (All Vulnerability Sources) This template includes various chapters about discovered vulnerabilities.

Web Server and Client Issues (All Vulnerability Sources) This template considers all vulnerability data and network information pertaining to web security. Separate chapters are included for Nessus and PVS plugin families related to web servers and clients, vulnerabilities on ports 80 and 443, and lists of systems and networks which browse the Internet on ports 80 and 443.

Windows OS (All Vulnerability Sources) This template lists vulnerabilities by asset groups which have been defined by the Windows operating system type. Several dynamic asset lists are included to build asset lists named "Windows 2000", "Windows 2003" and "Windows XP". This template summarizes vulnerability data for each of these assets in separate chapters.

Windows Patch Audit (Nessus active and credentialed scan data) This template summarizes vulnerability data from the "Windows : Microsoft Bulletins", "Windows : User management" and "Windows" Nessus groups.

Windows OS and Application Audit (All Vulnerability Sources) This template summarizes all vulnerabilities by asset type for the Windows operating systems and applications. Chapters for the "Windows 2000", "Windows 2003", "Windows XP", "IIS 6_0 Web Server", "IIS 5_1 Web Server", "IIS 5_0 Web Server", "Exchange - W2003", "Exchange - W2K", "Exchange - W2K-SP3" and "Exchange - WinXP" are included.

 

Security Center 3.2 Released

Tenable has released version 3.2 of the Security Center. This new version includes several major new features:

  • templated reporting with many new pre-configured reports
  • data export via spreadsheet for any interactive query
  • per user Active Directory authentication

The Security Center is available for Red Hat ES3 and ES4. Existing Tenable Security Center customers can upgrade to version 3.2 if their maintenance is up to date. New customers should contact the Tenable sales group for pricing.

Templated Reporting

This release enhances the reporting options available to all users. When creating a report, users can make use of the existing 3.0 report wizard or select from a list of pre-configured reports. Report templates exist for many basic reports, such as all missing Microsoft Patches, and also advanced reports such as SANS Top 20 and PCI.

Data Export via Spreadsheets

Any user of the Security Center can export their vulnerability, compliance, IDS event or log data to a .csv spreadsheet file. Any tool which summarizes ports, lists vulnerabilities, lists logs, and so on, can have the output saved into a spreadsheet. This data can be saved at any point a user is navigating through the Security Center's GUI.

LDAP Authentication

Security Center 3.2 can be configured to authenticate to any LDAP server, such as a Microsoft Active Directory server. Once this is enabled, any existing user (or new user) can be set to authenticate via LDAP. When adding a new user, the Security Center will also pre-populate the user's data such as full name, phone number and organization.

 

Advanced Dynamic Asset Rules

The Security Center can use the vulnerability data obtained by Nessus scans, Nessus patch audits and the data obtained by the Passive Vulnerability Scanner (PVS). Combinations of specific IDs, DNS names, results content and open ports can be used to create a "dynamic" asset list. These lists are updated each time a new scan is completed or passive vulnerability data is processed.

This blog entry will consider two examples of dynamic asset list creation which are more advanced than a typical user might need, but illustrate the flexibility of the type of rules which can be created.

Detecting Potentially Infected Nugache Instances

The Nugache virus is a classic type of worm which opens up a backdoor (in this case on port 8) and also connects out to IRC servers for commands.

If the PVS is configured to watch a network, it will see many types of applications in use and it will also see basic open ports and browsed ports. The PVS logs "open port" data to plugin #0 (the same as Nessus open ports). It also logs "browsed port" data to plugin ID #2.

So in Nugache's case, an active infection should have port 8 open, as well as having connected out to IRC on port 6667. A dynamic asset rule to detect this is shown below:

[Screenshot: Nugache dynamic asset rule]

Having a TCP port number of 8 open is very simple. Basically, any vulnerability can contribute to an open port, and if the port is 8, the first part of this rule matches.

The second clause is more tricky. In this case, we want to find hosts that have the presence of plugin ID #2 (browsed ports) but also on a specific port of 6667.  Plugin ID #2's data looks like this:

1.2.3.4 -> 80

That would mean that host 1.2.3.4 browses on port 80. Knowing that the port is at the end of the data, we can write a regular expression that looks for plugin ID #2 with data that ends in " 6667". The text in the above image says "2: 6667$" which means to look for plugin ID #2 output that ends with a space and the string "6667".

If you are not familiar with regular expressions, the dollar sign is used to indicate the end of the match. Without it, the pattern could be matched anywhere. The expression "2: 6667" could match " 6667" as well as " 66677" or " 66671" or any other type of number which started with "6667".

Users that are new to writing dynamic asset rules might want to write this rule as follows:

[Screenshot: incorrectly written Nugache rule]

This is incorrect. The spoken logic for this rule would sound like this:

"Find any hosts for port 8 open, and then make sure that they also have at least one vulnerability on port 6667 AND they also have at least one instance of plugin ID #2 for browsed ports".

So when the dynamic rules say that ALL rules must match, they must indeed match, but they are each evaluated individually across all of the available vulnerabilities for a given host.

We could make this dynamic asset rule a bit more generic by changing the rule for watching network browsing on port 6667, to a more generic PVS rule which finds and identifies IRC clients. These are PVS IDs 3101 and 3471. These rules have the advantage of being port independent. IRC servers can run on many different ports, and the PVS can recognize them through protocol analysis. We will use these rules in our next example.

Detecting the IRC Browsing Web Server

Once users get the hang of writing dynamic asset rules, we often see them create very creative rules that identify a wide variety of potential security issues as well as configuration issues.

One common idea we see often is to look for IRC activity from a server. The idea is to see an attacker's use of IRC after they have compromised a server.

Consider the following rule:

[Screenshot: IRC web server dynamic asset rule]

Plugin ID #1442 is a PVS rule to generically find a web server on any port. Plugin IDs #3101 and #3471 find systems that use IRC clients. This rule, spoken in plain English, would say:

"Find any system which runs a web server on it (plugin #1442) and also uses an IRC browser (with either plugin #3101 or #3471 being present)."

Now, consider what we found when we ran this on a large test network:

[Screenshot: vulnerabilities of a host matched by the IRC web server rule]

We can see that plugin ID #1442 (Web Server) is present and that plugin ID #3101 is also present. However, based on the other passively discovered vulnerabilities such as Media Player and various versions of Mozilla, this might not really be a "server".

Further analysis (not shown here) shows that the web server is indeed a P2P application known as Lime Wire. PVS accurately identified a service that spoke HTTP, but it wasn't really what we intended to seek out in the first place. The Lime Wire server wasn't even running on port 80 in this case.

If we wanted to make our dynamic rule more accurate, we could try adding a regular expression to the rule clause for plugin ID #1442 to match "Apache" or "IIS". Such a rule would look as follows:

[Screenshot: IRC web server rule restricted to "IIS" banners]

Instead of simply matching for plugin ID #1442, we now have a rule which looks at the text of the vulnerability results and does a simple pattern match for "IIS" which occurs in most Microsoft web server banners. If we wanted to add support for Apache or restrict the port, we could add more rules to this initial clause.
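To make the matching semantics concrete, here is a small rule evaluator written for this post as an added example; it is not Security Center code, and the record layout, host names and plugin output strings are constructed. The one assumption worth naming is that a plugin #2 "browsed port" record carries the browsed port in its port field and the post's "a.b.c.d -> port" form in its text. It reproduces the correct Nugache rule, the loosely written version that a newcomer might produce, and the web server/IRC rule before and after the "IIS" regex is added, and shows which constructed hosts each one sweeps in.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One result stored for a host: the plugin that produced it, the port it
    concerns and the plugin's text output (the part a regex clause searches)."""
    plugin_id: int
    port: int
    text: str = ""


@dataclass(frozen=True)
class Clause:
    """One clause of a dynamic asset rule. An empty plugin tuple, a port of
    None or a pattern of None is a wildcard for that field."""
    plugin_ids: tuple[int, ...] = ()
    port: int | None = None
    pattern: str | None = None

    def matches(self, rec: Record) -> bool:
        if self.plugin_ids and rec.plugin_id not in self.plugin_ids:
            return False
        if self.port is not None and rec.port != self.port:
            return False
        if self.pattern is not None and re.search(self.pattern, rec.text) is None:
            return False
        return True


def rule_matches(records: list[Record], clauses: list[Clause]) -> bool:
    """'ALL rules must match' as the post describes it: every clause must be
    satisfied, but each clause is checked on its own against every record of
    the host, so two clauses may be satisfied by two unrelated records."""
    return all(any(clause.matches(rec) for rec in records) for clause in clauses)


def classify(hosts: dict[str, list[Record]], clauses: list[Clause]) -> list[str]:
    """Names of the hosts a rule would place on the dynamic asset list."""
    return [name for name, records in hosts.items() if rule_matches(records, clauses)]


# Constructed sample data (not from the post); see the assumption about
# plugin #2 records in the lead-in.
HOSTS = {
    "suspect": [                       # fits the Nugache profile
        Record(0, 8, "Port 8/tcp is open"),
        Record(2, 6667, "192.0.2.10 -> 6667"),
    ],
    "benign": [                        # port 8 open, runs its own IRC server, browses only the web
        Record(0, 8, "Port 8/tcp is open"),
        Record(0, 6667, "Port 6667/tcp is open"),
        Record(2, 80, "192.0.2.11 -> 80"),
    ],
    "limewire_pc": [                   # a P2P client that speaks HTTP, plus an IRC client
        Record(1442, 6346, "Server: LimeWire"),
        Record(3101, 0, "IRC client detected"),
    ],
    "iis_server": [                    # a real web server whose operator also talks IRC
        Record(1442, 80, "Server: Microsoft-IIS/6.0"),
        Record(3101, 0, "IRC client detected"),
    ],
}

# The rule from the post: port 8 open AND plugin #2 output ending in " 6667".
NUGACHE_RULE = [Clause(port=8), Clause(plugin_ids=(2,), pattern=r" 6667$")]

# The rule a newcomer might write: port 6667 and plugin #2 split into two
# clauses, which any two unrelated records can satisfy between them.
NUGACHE_BAD_RULE = [Clause(port=8), Clause(port=6667), Clause(plugin_ids=(2,))]

# Web server (plugin #1442) AND IRC client (plugin #3101 or #3471) ...
IRC_WEB_RULE = [Clause(plugin_ids=(1442,)), Clause(plugin_ids=(3101, 3471))]
# ... and the tighter version that also requires "IIS" in the #1442 output.
IRC_IIS_RULE = [Clause(plugin_ids=(1442,), pattern="IIS"), Clause(plugin_ids=(3101, 3471))]


if __name__ == "__main__":
    for name, rule in [("NUGACHE_RULE", NUGACHE_RULE), ("NUGACHE_BAD_RULE", NUGACHE_BAD_RULE),
                       ("IRC_WEB_RULE", IRC_WEB_RULE), ("IRC_IIS_RULE", IRC_IIS_RULE)]:
        print(f"{name}: {classify(HOSTS, rule)}")
```

The "benign" host is the interesting case: it has port 8 open, has a record on port 6667 (its own IRC service) and has a plugin #2 record, so the three-clause rule lists it even though it never browsed port 6667; the single clause that ties plugin #2 to the " 6667$" pattern does not. The same per-clause evaluation is why the IRC/web rule lists the LimeWire machine until the "IIS" pattern is attached to the #1442 clause.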

For More Information

The Security Center documentation contains many more examples and ideas for creating dynamic asset rules.

 

Knowing When to Patch

I was on an enterprise vulnerability management panel at the recent Infosecurity show in NY City. On the topic of patch management, a question was asked about using severity ratings for vulnerabilities to select which patches to apply, or the prioritization of which patches to apply first. This blog entry captures my comments from the panel and my general thoughts on the subject.

Don't Let Your Vulnerability Scanner or Penetration Tool dictate your patch policy!

I'm running into more and more people who use Nessus or a penetration testing tool like Metasploit to discover the "serious" vulnerabilities on their network with the intent to just patch those. This can fail for several reasons.

First, consider three Microsoft Exchange servers, all equally configured except you have credentials for one, the other is behind an IPS and you can only scan the third one. Your vulnerability scanner will likely give you different results for each server, even though they are configured the same.

Second, as far as scanners go, penetration tools, vulnerability scanners and patch auditing systems aren't all built the same way. They may indeed be able to test for a vulnerability in only one way. At Tenable, we often try to make sure Nessus can perform a remote network check, but also try to back it up with a host-based check. We extend this even further by trying to "sniff" the vulnerability with our PVS. The point, though, is that from scanner to scanner you may have different detection algorithms.

And third, even if you have accurate detection, your scanner vendor may set different severity levels for the vulnerability. At Tenable, we include a risk factor, a CVSS score and a severity level for most vulnerabilities detected by Nessus or the PVS. What we score something at may be very accurate or not for your organization. More than 100,000 organizations trust us to write Nessus checks for them, but I would not argue that they should make patching decisions solely based on what Tenable's research group says.

So unless you are very careful about what you are scanning, using solely the results from your scanner can lead you to inconsistent patch levels on the systems you are trying to secure. This can make applying future patches more difficult since there may be different patch levels or dependencies.

Patching Policies That Scale

If you are part of an organization that is always patching based on the latest threat, you will be expending many cycles always being reactive. Instead, it is much better to align the patching process with business processes.

Consider those Exchange servers I was mentioning before. I would expect a mature IT organization to manage those servers exactly the same, with a consistent patching policy. Such a policy would include a timeline to test patches and to install them.

It would also include guidance for what sort of patches to install. This could include the use of third-party patches. It could also recognize that a patch for "Google Desktop" is indeed available, but that the application isn't authorized to run on that system.

The point is that we shouldn't be surprised by new vulnerabilities and leap into action to test how vulnerable our network is to them. This will only lead us into more and more random configurations of our network. Instead, setting patching policies which make sense for each key asset allows for more scalability and consistency than simply applying patches because they are available.

Working with Network and Patch Management Systems

I blogged last month on some reasons why patch management can fail. In the context of this blog entry, I'd like folks to walk away with the idea that their vulnerability discovery process should be part of their change control and network management process:

  • Systems with vulnerabilities should be evaluated to see if they are being "managed". This means that the system is actively being patched and has a configuration consistent with IT policy.
  • All "managed" systems should be evaluated to see if the service level agreements (SLAs) for applying patches are indeed being met. This means that the vulnerabilities you do find should only be "new" ones or ones the organization has chosen to accept the risk for.
  • Vulnerability detection (both passive and active) can be used to look for both authorized and unauthorized changes, which may have an impact on network management and compliance.

Where Tenable Can Help

Nessus and the PVS can obviously be used to discover vulnerabilities, but for independent auditing of the network as a business, the Security Center can be used to help answer many of the questions raised here including:

  • detection of vulnerabilities by unique asset type (e.g. a corporate laptop vs. the Exchange server)
  • mis-configuration issues for specific asset classes (e.g. all corporate laptops need to have "AutoRun" disabled for CDs and USB drives)
  • tracking the life-cycle of vulnerabilities and patches by unique business groups and corporate assets
  • communicating clear mitigation tasks with IT about configuration changes, corporate patching policy and their specific vulnerabilities

If you'd like more information about the Security Center, please feel free to contact Tenable's sales team.

 

3D Tool Video

Tenable has made the "3D Tool" for the Security Center available. A web-based video of it can be viewed here. The video shows a three dimensional topology graph of some different networks, as well as port to IP and vulnerability to IP graphs. Videos of all of our products can be viewed here. This tool is included for Tenable customers who purchased the Security Center.

 

Dynamic Asset List Example

I was at a Security Center customer this past Friday and they had asked how they could report on just certain computers that had certain applications on them. One of the things the Security Center can do is "mine" the results of the existing and future Nessus and Passive Vulnerability Scanner results to come up with dynamic lists of IP addresses with matching criteria. For example, consider this screen shot:

[Screenshot: dynamic asset lists for IIS, Sendmail, Apache and other applications]

In the above image, the Security Center has been configured to dynamically create lists of various IIS, Sendmail, Apache and other types of applications. These rules are wizard driven and look like this:

[Screenshot: wizard-driven dynamic asset rule for "Sendmail 8.13" servers]

That "2004" plugin ID probably isn't recognized by Nessus users because IDs 1 through 10,000 are reserved for results from Tenable's Passive Vulnerability Scanner. This rule says: for each known IP address, if there has been a discovery of ID 2004 or 10263 (plugins which discover SMTP servers regardless of whether they are on port 25 or not), look at the content, and if we see "Sendmail" and "8.13", put it on the list of "Sendmail 8.13" servers.

The Security Center allows dynamic lists like this to be created based on active or passive content, as well as some interpreted content, including:

  • DNS name
  • NetBIOS/Workgroup name
  • MAC Address
  • IP/Network address
  • open TCP ports
  • open UDP ports
  • existence of particular vulnerability IDs
  • regular expression content search

Very sophisticated dynamic rules can be created. For example, all OSes actively fingerprinted as "Linux", in the 10.10.20.0/24 network with port 22 open could be placed on a list. 
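The rule just described (actively fingerprinted as "Linux", in 10.10.20.0/24, with port 22 open) combines three of the criteria from the list above. The following is an added example, not Security Center code, that models a dynamic asset rule over those host attributes, generalized to the DNS name, OS fingerprint, CIDR block and TCP/UDP port criteria the list names, and contrasts it with a static list of uploaded IPs and CIDR blocks. The host records, DNS names and fingerprint strings are constructed.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    """What active scanning and passive monitoring know about one address."""
    ip: str
    dns: str = ""
    os: str = ""                      # OS fingerprint text from an active scan
    tcp_ports: frozenset[int] = frozenset()
    udp_ports: frozenset[int] = frozenset()


@dataclass(frozen=True)
class Criteria:
    """A dynamic asset rule over host attributes; None means 'don't care'.
    Every criterion that is set must hold for the host to be listed."""
    network: str | None = None        # CIDR block the address must fall in
    dns_pattern: str | None = None    # regular expression over the DNS name
    os_pattern: str | None = None     # regular expression over the OS fingerprint
    tcp_port: int | None = None       # a TCP port that must be open
    udp_port: int | None = None       # a UDP port that must be open

    def matches(self, host: Host) -> bool:
        if self.network is not None:
            net = ipaddress.ip_network(self.network, strict=False)
            if ipaddress.ip_address(host.ip) not in net:
                return False
        if self.dns_pattern is not None and not re.search(self.dns_pattern, host.dns):
            return False
        if self.os_pattern is not None and not re.search(self.os_pattern, host.os):
            return False
        if self.tcp_port is not None and self.tcp_port not in host.tcp_ports:
            return False
        if self.udp_port is not None and self.udp_port not in host.udp_ports:
            return False
        return True


def dynamic_asset_list(hosts: list[Host], rule: Criteria) -> list[str]:
    """Addresses that satisfy the rule; re-run after every scan to refresh it."""
    return [h.ip for h in hosts if rule.matches(h)]


def static_asset_list(hosts: list[Host], entries: list[str]) -> list[str]:
    """Addresses covered by an uploaded list of single IPs and CIDR blocks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return [h.ip for h in hosts if any(ipaddress.ip_address(h.ip) in n for n in nets)]


# Constructed sample hosts (not from the post).
HOSTS = [
    Host("10.10.20.5", dns="build1.example.test", os="Linux Kernel 2.6",
         tcp_ports=frozenset({22, 80})),
    Host("10.10.20.9", dns="www2.example.test", os="Linux Kernel 2.4",
         tcp_ports=frozenset({80})),
    Host("10.10.20.12", dns="dc1.example.test", os="Microsoft Windows Server 2003",
         tcp_ports=frozenset({135, 445})),
    Host("10.10.21.7", dns="bastion.example.test", os="Linux Kernel 2.6",
         tcp_ports=frozenset({22})),
    Host("10.10.20.200", dns="nas.example.test", os="Linux Kernel 2.6",
         tcp_ports=frozenset({22, 139}), udp_ports=frozenset({137})),
]

# The rule from the post: fingerprinted as Linux, in 10.10.20.0/24, port 22 open.
LINUX_SSH_IN_LAB = Criteria(network="10.10.20.0/24", os_pattern="Linux", tcp_port=22)


if __name__ == "__main__":
    print("dynamic:", dynamic_asset_list(HOSTS, LINUX_SSH_IN_LAB))
    print("static: ", static_asset_list(HOSTS, ["10.10.20.0/28", "10.10.21.7"]))
```

The static list answers "which of my hosts are in these blocks" regardless of what was found on them, while the dynamic list changes as fingerprints and open ports change between scans; 10.10.20.9 drops off the Linux/SSH list simply because port 22 is not open, and 10.10.21.7 never joins it because it sits outside the block.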

If an organization knows about their devices or networks, they can simply upload these lists of IP addresses and CIDR blocks to the Security Center. We call these static asset lists as compared to the dynamic asset lists generated based on the vulnerability content. All asset lists can be used for reporting, filtering and asset control as shown in this image below:

[Screenshot: asset lists used for reporting, filtering and asset control]

 

3D Tool Screenshots

Tenable has been working on a 3D Visualization tool that works with the Security Center. We're almost out of BETA testing with it and the screen shots are something pretty neat to look at.

[Screenshots: two 3D network topology views (captured 18 July 2006) and a ports plot (Demo1ports)]

The tool allows anyone with an account on their organization's Security Center to present vulnerability and compliance data in a comparative manner. For example, one could display on a network topology where all the unpatched Windows IIS servers for two different political organizations were. This can make some stunning executive presentation moments.

In the above examples, we're showing network topology for two different very large (more than 10,000-node) networks. All routers are placed on the helical spiral, and all known hosts are linked off of their nearest router. The third image shows a comparative plot of IP addresses and open ports.

When I say comparative, this means that a user can do multiple queries to the Security Center for data and then visualize each set with the 3D Tool. For example, one could query for all vulnerability data about the "West Coast Data Center" email servers as well as data for the "East Coast Data Center" email servers. Both of these data sets can be analyzed at the same time to visually determine differences in topology, port/IP relationships and vulnerability/IP relationships. Because the query is being powered by the Security Center, the same query could be performed using any filter available including Nessus vulnerability families, specific port ranges, discovery dates and much more.