Tenable Network Security Podcast show

Tenable Network Security Podcast

Summary: Covering Tenable's Unified Security Monitoring products including Nessus & Security Center. We also discuss the latest security news and vulnerabilities, in addition to interviewing some of the industry's finest.

Podcasts:

 Tenable Network Security Podcast - Episode 191 | File Type: audio/mpeg | Duration: Unknown

The PVS Top Ten: What is PVS and what does it do? How is PVS different from an IDS? How does PVS keep track of sessions and discover applications? What are some examples of PVS detecting vulnerable client software? How can PVS help detect instances of virtualization in your environment? How can PVS be used to detect vulnerabilities in SCADA devices and why is this important? What are some examples of PVS detecting applications? How much traffic can PVS handle? How can you set up and configure PVS to monitor the wireless network and detect vulnerabilities in smart phones and tablets? Does PVS support IPv6?

 Tenable Network Security Podcast - Episode 190 | File Type: audio/mpeg | Duration: Unknown

New Nessus AMI Image in the AWS Store - Tenable Network Security Joins Amazon Web Services (AWS) Marketplace to Provide On-Demand AMI Vulnerability Scanning & Detecting Windows Process Reputation

 Tenable Network Security Podcast - Episode 189 | File Type: audio/mpeg | Duration: Unknown

Nessus UI v2.0 Released - Tenable recently announced a new release of the Nessus vulnerability scanner user interface (UI)! This is a major update which provides several new features and enhancements, including: A redesigned user interface and usability improvements to enhance scan scheduling, processing, and analysis and policy creation wizards. Specifically, some of the new UI features include: Folders to store scan results – Organize scan results in customized folders, making it easy to locate specific scans and consolidate like vulnerability data. Sort hosts by compliance – Compliance status is integrated into your scan results, making it easy to see the compliance check pass/fail ratio and quantities for each host. One-click metadata access – Host, plugin, and scan information with recommendation and error notes is now easily accessible from within the scan window, putting relevant details right at your fingertips to aid with scan failure and vulnerability investigations.

 Tenable Network Security Podcast - Episode 188 | File Type: audio/mpeg | Duration: Unknown

"Upgrading is Hard To Do" - It can be a really tough thing to leave your current revision of given software, operating system or hardware. However, sometimes vendors bundle features, bug fixes, and security fixes into a major upgrade. I'm a bit torn on this issue. On one hand, it's great that vendors are fixing security related issues. On the other hand, it's not good that we as the end user do not have a choice between features and security updates. There are likely software compatibility issues that are keeping you tied to a particular operating system release. Believe me, as an OS X user I get that. I use many different software applications on OS X for video/audio editing, screen capture movie creation, still image screen capture, blog editing; this list goes on. An operating system upgrade could render any number of those applications useless, leaving me stuck not able to do my job. What can we do to help fix this problem? SCADA "Security" - I recently led a panel discussion with 4 SCADA security experts. It was a really interesting conversation. Very troubling as well. It seems that both the vendors and the consumers in the majority of cases are not incentivised by security. Cost is a major factor, even more so than other industries due to the Governmental nature of the businesses in this industry. We discussed topics such as regulations, "air gapped security", proper testing of control systems, what are your thoughts on these issues? How can Tenable products help with the assessment portion?

 Tenable Network Security Podcast - Episode 187 | File Type: audio/mpeg | Duration: Unknown

Digging For Gold: Finding Vulnerable Web Applications - The Passive Vulnerability Scanner has many strengths, one of them being able to pick out vulnerable web applications in your environment. Over the years working for several different organizations, this has been a reoccurring problem. Specifically when you work for an organization large enough to have folks deploying their own applications (and it doesn't have to be that large of an organization to have this problem). Web applications help solve a problem, whether it be a blog for corporate communications or a photo gallery for a student group. It's too easy to choose the wrong application, or install an application today that introduces a serious vulnerability down the road. While you can scan using traditional network-based scanning, ask your administrators to keep tabs on installed applications or manually audit your web servers, you will undoubtedly miss something. For systems administrators this can be a tough task, as a web application can be represented by a collection of downloaded files, not part of the operating system package management system. By listening to the network traffic, applications and their vulnerabilities can be spotted easily. Top Problems: Patches, Virtualization/Cloud and Mobile/BYOD - Jack and I just completed 3 webcasts in a 4 part series called "Vulnerabilities Exposed". We highlighted several problem areas for organizations. First, we covered the patch problem, and how organizations still struggle to keep things patched and how you can reduce your patch cycle. Then we took on virtualization and cloud. Two technologies that are in large part responsible for changing the face of IT as we know it, and altering your security strategies forever. We now have a much greater attack surface and more applications outside of our control than ever before. Recently we took a look at the Mobile and BYOD problem. Not just limited to smartphones and tablets, today's workforce has more technology available to them than ever before. Using Tenable products we outlined techniques to stay ahead of this problem. Finally, on November 12th we'll talk about how to take all of the information our products collect on these vulnerabilities and threats and distill them down for management.

 Tenable Network Security Podcast - Episode 186 | File Type: audio/mpeg | Duration: Unknown

Detecting Legacy Clients and Application - I was recently using PVS in a lab environment and noticed the wealth of information it provided me on legacy applications. This is great news for organizations, as likely, you have some legacy systems and applications. It may be tough to find these with network scanning, firewalls, no credentials for the systems. System owners may not be forthcoming either. However, with the PVS you can find old versions of Firefox connecting to legacy web applications. The traffic never lies! How can folks leverage this to find their own legacy applications and what do you do once you find them? Disable "Stuff" Not In Use - I'm a firm believer in reducing your attack surface. I like simple things, and this is a simple thing. If you're not using it, turn it off! Whether it's an entire system, a service, or parts of an application, turn it off. With all the technology in use today, you have to work towards reducing the attack surface in every aspect, including even using firewalls! What got me thinking about this? My new thermostat, a Nest, which it turns out has ZigBee installed by default, but not in use. Do I want attackers messing with my HVAC? No...

 Tenable Network Security Podcast - Episode 185 | File Type: audio/mpeg | Duration: Unknown

"We Don't Have Those On Our Network" - I hear this quite often from folks, especially when presenting on embedded device security issues. Those running enterprise, or even smaller, networks will state that entire categories of devices, such as Apple TV, are not in use on the network. Recently I've been highlighting the use of the network search engine Shodan to illustrate the fact that large organizations do in fact have home-based network gear. Furthermore, folks tend to find ways to use technology in the workplace to get things done. For example, someone stated they have an Apple TV in every conference room and use it for presentations. This is a great use-case for passive vulnerability scanning, finding the device in use by your organization. I'm not saying you shouldn't let the devices come on the network, but that they should receive some level of security which can only be accomplished if you know what's in use. Mobile Dashboards - Another great example of technology in use at the workplace is smartphones and tablets. The undeniable fact that such devices improve productivity has earned them a permanent place in our IT infrastructure. The amazing fact about Nessus and SecurityCenter is that you can collect information about smartphones and tablets natively from your environment to enforce policy. Nessus/SecurityCenter will use the information stored in Active Directory to list the devices in use and associated vulnerabilities. The Passive Vulnerability Scanner will collect data from the network and report on which devices and apps are in use, as well as associated vulnerabilities. All of this can be rolled up into Dashboards and Reports to aid the effort of both creating and enforcing policy.

 Tenable Network Security Podcast - Episode 184 | File Type: audio/mpeg | Duration: Unknown

Passive Vulnerability Scanning Use Cases - You can use Tenable's Passive Vulnerability Scanner to support many different efforts in your network security strategy. For example, as part of a vulnerability assessment the PVS solves many problems. There are many points where a network vulnerability scanner can plug in and start scanning, sometimes it's tough to know where to start. With the PVS, you can set it up ahead of time, and review a list of collected vulnerabilities before the audit or assessment officially begins. Intrusion monitoring also can make use of passively collected vulnerabilities, using them to correlate to intrusion events and identify other systems with the same vulnerabilities used by attackers to gain access to your network. See Ron Gula's blog post Adding Passive Vulnerability Scanning To Your Security ToolKit for more information. "Patches Break Things…" - Believe me, I've been there. I was a Windows systems administrator, then a UNIX/Linux systems administrator. I've applied my share of patches that have blown things up. Fast forward to today, and we just can't afford to wait and test every patch, or have really long patch cycles for everything. We need multiple patch cycles. For example, when it comes to Adobe, you've got to be fast and furious with your patching. Adobe Reader should be an easy win, go ahead and push out those patches, chances are that breaking Reader will not disrupt business operations (in some cases it may). Another strategy that has merit is to patch users in groups. I had forgotten about this strategy, but nothing wrong with segmenting your users and constantly rolling out patches, watching for gotchas. Also, don't forget you can use Nessus for Auditing Adobe Reader JavaScript Settings, in addition to finding out if it's patched. Video Killed The Network Security Star - Two sets of plugins this week deal with video teleconferencing vulnerabilities from Cisco and Polycom. I've personally discovered and exploited similar vulnerabilities on enterprise networks. Attackers come in all different shapes and sizes, and while most threats are malware-based, you can't disregard the possibility of espionage or targeted attacks, they can be far-reaching and damaging. Such as, an attacker snooping in on conversations with your company. Groups of attackers are out there collecting information about your organization, and selling it to other groups of attackers who use the information to exploit you. Don't give them an opportunity to snoop, patch and harden your video teleconferencing systems!

 Tenable Network Security Podcast - Episode 183 | File Type: audio/mpeg | Duration: Unknown

Devices, Devices, Devices - Plugins this week cover Cisco NAC devices, Cacti, iLO and Apple Airport vulnerabilities. I think it's great that we are releasing plugins to cover these types of devices. We've talked about it before, and I can't stress it enough, you must scan, patch, and then scan again all of the devices in your network. The interesting vulnerability for me is the SQL injection vulnerability in the Cisco NAC controller, to me that screams "NAC bypass" and if your NAC is easy to bypass, why have one at all? Locking Down The Browser - Browser vulnerabilities seem to have patches come out almost every week, and the user is a huge target for attackers. We have released a .audit file for Chrome browsers. I believe this is a great strategy, I'm a big fan of hardening your systems and applications. So why not the Browser? Measuring Patch Management - We recently released a SecurityCenter dashboard which tracks how successful your patch management strategy is in your environment. This is an important exercise, constantly measure, and constantly try to improve. What are some things we can do to improve patch management?

 Tenable Network Security Podcast - Episode 182 | File Type: audio/mpeg | Duration: Unknown

Securing Your Cloud - New plugins were released this week for Amazon Linux AMI, allowing Nessus and SecurityCenter users to perform local patch checking against this platform. This got me thinking, with all the "hoopla" surrounding cloud security, did anyone listen? It would seem to me that cloud-based applications are here to stay. And that we've all made the risk decision that we're going to press forward. Is this the right call? Are there hidden cloud security risks or are they mitigated enough to continue to put resources into "cloud"? The World Of Wordpress - Wordpress is another case of an extremely useful technology, but one that comes with a lot of security baggage. On the one hand, Wordpress amazes me (in a good way). The ease with which you can set it up and the plethora of plugins makes implementing a feature-rich web site easy. On the other hand, it contains a lot of really crappy code. Code that is in no way even in the same universe as "secure code". What do you do? Code review all your plugins? Use something more secure, but costs more money to set up, build and maintain? While I don't recommend rolling the dice and taking your chances when it comes to security, you must play the risk game. "Reducing Your Patch Cycle To Less Than 5 Days" - Jack and Paul delivered this webcast last week, and it was received positively by the community. Reducing your patch cycle is not easy, and we covered the people skills, organizational skills, technical challenges, and ways to use Tenable products to reduce the patch cycle. The questions were fantastic, and a sampling of questions were posted, along with the answers.

 Tenable Network Security Podcast - Episode 181 | File Type: audio/mpeg | Duration: Unknown

SecurityCenter 4.7 - A new version of SecurityCenter has been released this week. Measuring What Matters - I read an interesting post this week about security metrics. It was a little story about how the person responsible for security gave a quarterly presentation to management. It did not contain much in the way of metrics, but offered up an entertaining look at the threats, defenses and general happenings surrounding security. After the presentation, he had support for budget, but purposely left out metrics, claiming they could hurt the security budget. What are appropriate metrics? How can they help or hurt you? More PHP Vulnerabilities - Both Nessus and the passive vulnerability scanner got updated this week for detecting vulnerabilities in PHP itself. One of the world's most widely deployed web server technologies now with more patches to apply. Not only are there concerns about the applications being built on the platform, but also the platform itself. What can users do to protect themselves from being yet another PHP vulnerability?

 Tenable Network Security Podcast - Episode 180 | File Type: audio/mpeg | Duration: Unknown

Detecting Backdoors - This week's Nessus plugin feed update includes detection for Poison Ivy, a popular backdoor used by attackers. Poison Ivy allows a remote attacker to control the compromised system, and has mechanisms to jump from process to process. While Anti-Virus products should detect the presence of this software, there is always a chance of gaps. For example, by modifying the Poison Ivy binary, you can change its signature. This means if your Anti-Virus software is out-of-date, an attack will be successful. If a determined attacker, dare I say "APT", were to modify this software to bypass even up-to-date Anti-Virus software, Nessus can be used as a second line of defense in conjunction with malicious process detection adding more layers to detection of malware. Great quote from this article from Fireeye too: "RATs may well be the hacker’s equivalent of training wheels, as they are often regarded in IT security circles. But despite their reputation as a software toy for novice “script kiddies,” RATs remain a linchpin of many sophisticated cyber attacks and are used by numerous threat actors." And this: "Poison Ivy is so widely used that security professionals have a harder time tracing attacks that use the RAT to any particular attacker." Catching Third-Party Software Vulnerabilities - Perhaps one of the toughest challenges for IT today, still, is keeping up with third-party software. Users are going to install software on their own, they find ways (such as installing virtual machine software). Filling in the gaps nicely is the Passive Vulnerability Scanner. I've been running PVS on my lab network, and witnessed first hand as it flagged a PuTTY vulnerability on one system, and told me that my Flash player was out-of-date on my other system. Third-party vulnerabilities have a tendency to hide, and PVS helps uncover them in a big way. Interesting how running PVS immediately highlights the fact that my wife never bothers to update the software on the two iPads and one iPhone we have for family use! One Vulnerability Trumps All (Sometimes) - Reading about OSPF vulnerabilities has me worried, especially when the description states: "This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic." Routing protocol attacks, while limited to the local network (unless they refer to BGP) can be particularly damaging. "Intercepting traffic" has a deeper meaning. If an attacker is able to insert themselves into the middle of TCP/IP communications, the possibilities for attack are endless. IT teams must assign a high priority to this type of attack. While some traffic will be encrypted, injection attacks can undermine the encryption. For example, the ability to add any HTML or Javascript to any web site the user visits translates into global XSS vulnerabilities, allowing an attacker to undermine any security controls you may have in place (eventually).

 Tenable Network Security Podcast - Episode 179 | File Type: audio/mpeg | Duration: Unknown

IPMI Detection - The embedded systems inside your servers used to manage the hardware use IPMI. Nessus and PVS contain checks for this protocol. Dan Farmer has released v2 of his paper detailing several vulnerabilities. IPv6 SLAAC attack - Ron Gula wrote a blog post on this topic. Nessus supports discovery of IPv6 interfaces during IPv4 scans. If you have IPv6 connectivity supported on an IPv4 network, you are likely vulnerable to SLAAC attacks unless you have layered firewalls and routers that prevent IPv6 communication. The Power of Powershell - We recently released an update to the configuration auditing functionality of Nessus to include the ability to run a full Powershell script. Powershell is an extremely useful way to get even more information from Windows hosts. Previously Nessus users were limited to running a single command. By encoding your Powershell script, you can now write more complex scripts that use variables and logic to pull settings and information from your hosts. What are some use cases for this functionality? Keeping Up with Vulnerabilities - Reviewing new vulnerabilities is a weekly, sometimes daily, task for many (including myself). I often wonder about prioritization. With so many vulnerabilities being released each week, how do we maintain a patch management program to keep up? For example, I was reviewing the Junos SSL VPN XSS vulnerability. Not much information is provided. The impact is listed as "low", but curiosity gets the better of me, and I wonder why. Now, it's just listed as XSS, not qualified whether or not it is stored or reflective. The user must be logged in. The parameter is in the help section of the application. There is no telling just how many characters we have to implement an attack script. Short of trying to exploit it yourself, how do you prioritize this vulnerability and hundreds like it?

 Tenable Network Security Podcast - Episode 178 | File Type: audio/mpeg | Duration: Unknown

Passive Vulnerability Scanner Update - At the recent Blackhat USA conference we announced that PVS will be released as a stand-alone product, including a free trial. The interface was showcased at the Tenable booth on the show floor and met with a warm welcome. Users can interact with PVS using an HTML5 interface similar to Nessus. What are some of the most compelling use cases for PVS? Industrial Control System Honeypot - One of the most talked about presentations from Blackhat was given by researchers who created a fake ICS system, let attackers from across the globe "hack" it, and located over 70 different systems that fell into the trap. I believe this helps to raise awareness about security vulnerabilities in ICS systems, and shows that attackers will take the opportunity to strike at these valuable targets. The question becomes, is locating the attackers' systems against the law? Even better, is this valuable data? Web Services Everywhere - One thing that always amazes me is just how many web services exist at any given time on an organization's network. While you must spend time analyzing the security of the applications you know about, you must also look at the web services that tend to hide on your network. So many devices and applications use web services for management, the results can be overwhelming. Recently released SecurityCenter Dashboards and Reports help you get a handle on the different web services in your environment. Our products are able to collect detailed information about web services as they reveal information about themselves when you connect to the s

 Tenable Network Security Podcast - Episode 177 | File Type: audio/mpeg | Duration: Unknown

Securing Management Interfaces - Likely your organization has some measures in place to implement physical security. This is likely tied to some risk equation which takes into account attack likelihood, the value of your assets, and the cost of such an attack. I've seen some really outstanding physical security, some really poor physical security, and mostly organizations implementing something in between. However, leaving gaps in the security of your management devices (access control server, console servers, on-board server management systems) is the equivalent of having almost zero physical security. It allows attackers to gain access to your systems, bypassing any logical security controls you may have in place. There is a fix for Dell's iDRAC system, which if left unpatched, gives attackers root access to the console server, which very quickly can translate into access to the server itself. The fixes for physical security are often expensive, but the fixes for management level access are usually cheaper and easier. Do most organizations miss this? Why? What can we do to raise awareness? Database Security? - Patches this week were released for both Oracle and MySQL. Both of these applications come with challenges. You may have this on your network, and not know it because it's embedded in the application that was purchased by a small department. Database administrators have enough challenges, and constant patching seems to rock their world. What can organizations do to improve the security of database architecture given current challenges? Passive PVS PHP Plugins - Say that 10 times fast! Several new plugins were released to passively detect several issues with PHP, including a Backdoor script detection plugin and vulnerability data. Being able to detect indications of compromise, coupled with vulnerabilities is the heart of what Tenable products can deliver.
