Tenable Network Security Podcast

Effective Vulnerability Management, Securing Your Own Critical Infrastructure

Modifying Vulnerability Scan Results Post-Scan - A new Nessus feature allows end-users to apply rules to vulnerability scan results and modify them after the scan has completed. This is an extremely useful feature, as severity, at its core, is specific to each organization. Also, as I've found over the years, exploitability is dependent on many things. Adjusting the results according is a useful tool, how do you see end-users taking advantage of this new feature? Old Vulnerabilities - A new SecurityCenter dashboard was released which allows you to view vulnerabilities old than 30 days. While this can help enforce your patching policies, its typically the older vulnerabilities that could have the most impact. Often it takes some time to be able to exploit a vulnerability reliably. Have you looked at vulnerabilities older than a year? How about two years? This query can also help identify machines that have fallen out of the patching process, and it is these systems that can often pose the most risk to security breaches. Detecting Devices - While much of the focus in IT is getting Windows systems and major applications patched, this leaves the smaller things vulnerable. Several new plugins for PVS were added allowing you to detect different types of devices. What is the risk? A great example is a multi-function printer. Most folks don't pay much attention, however people are faxing/scanning/printing sensitive documents all the time. Some devices keep a record of everything going through the device, and with open shares and default password rampant on these systems, it can lead to data leakage.

The Web Is A Hostile Place - Updates this week for several browser-based technologies including the browsers themselves (Internet Explorer, Google Chrome), and several Adobe Flash versions on multiple platforms. This is no different from most weeks, and begs the question of how we keep our desktops safe when browsing the web. Joe McCray demonstrated an interesting attack where other client-side applications, such as VLC, can be envied from a web browser. Which technologies and procedures must we employ to protect our user's desktops? For SecurityCenter customers, Tenable released the Desktop Application Vulnerability Dashboard which helps customers get a handle on all the applications installed. What do we do with the information in this dashboard to be more effective at preventing desktops from becoming compromised? Continuous Monitoring Home Users - We recently added the ability for Nessus scanners registered with the HomeFeed to perform scheduled scans and have elegant summaries of them emailed to you. Previously, scheduled scanning with Nessus was limited to the ProfessionalFeed and the SecurityCenter. The combination of scan scheduling, email notifications and remediation reports is beneficial to the home user with just a few computers all the way up to enterprises with thousands of desktops. Vulnerability Management Key Points - Both myself and Ron Gula provided recommendations for improved vulnerability management, including scanning more often and tips for presenting to management. What are the highlights of this subject and what can users take back to their environments to be more effective?

VMWare vCenter Patching - Two plugins were released this week affecting VMware vCenter. If you are running this product, you have to patch this. vCenter is the foundation to your foundation. Successful attacks not only grant the attacker access to the hypervisor, they grant access to all your hypervisors. An attacker with access to the hypervisor has "virtual physical access". For example, downloading the snapshots from your VMware servers is similar to physically sitting in front of your computer. Designing an architecture that allows you to easily patch the virtual infrastructure is not all that easy, and while certainly technically feasible, the challenges come with a price tag of having multiple, redundant, virtual environments. How can we build a cost-effective and low security risk virtual infrastructure? Detecting Vulnerable Browsers - I don't believe you can have too many checks and balances when it comes to keeping browsers up-to-date with patches. For example, I use Google Chrome on OS X, and set it up to update automatically. For most people, they are not like me and don't keep up with all the latest vulnerabilities. So, its very easy to go on and never realize something needs to be updated. Now, multiple this problems times thousands of desktops, virtual machines, and devices that run a web browser. Turns out my browser was in a funky state, and I had to re-install the updater. Having something like PVS would help, always telling me which of my machines and devices need updating, even if I think they are updated, the User-Agent typically doesn't lie (unless you are telling it to). How do you keep your browsers up-to-date? Are there other circumstances which may cause patches to not apply correctly? Vulnerability Trending Using Scanning, Sniffing and Logging - I really like this dashboard. If I was responsible for network security, I would use it. Being able to pull from those three different sources to get vulnerability data is really powerful. Few things are able to hide, and I really like that as vulnerabilities can be deceptive and its the ones you miss that get exploited. This is what a penetration test does, finds those vulnerabilities in the dark dusty corners that you missed.

Web Interface Command Execution - This is a particularly critical type of vulnerability. Make certain you understand the context, e.g. if the exploit requires authentication or not. The ability to execute operating system commands via the web interface easily allows attacker to take control of a system. I've encountered command execution vulnerabilities in several different forms, and most of the time, with a little testing, it is possible to fully compromise the system. Many systems do not offer command line access, however, the web interface allows you to run commands, often without restrictions since the system assumes the user will never see "under the covers". The plugin released this month covers a web command exception for z/OS, IBM's mainframe platform, making this an interesting situation. How can we more easily detect this type of vulnerability in our environments? Detecting HTTP Error Codes - Several new plugins for PVS detect HTTP error codes. This could be indicative of a host on your internal network looking for vulnerabilities in external sites. Categorizing Vulnerabilities by Software Type - Several new reports and dashboards were created to allow you to analyze vulnerabilities by software type. How does this help you analyze risk and improve your vulnerability management program?

New targeted email monitoring in Nessus, detecting web management interfaces, Adobe reader running in the browser and more!

Big patch updates from Adobe, Microsoft and Juniper, difference between a vulnerability scan and a penetration test, attacking critical infrastructure and more!

Wireless Network History, Red Hat Enterprise Linux consolidated patch reports, CDorked.A detection, passively detect nginx vulnerabilities, PCI Dashboards, and more!

Nessus Tips and Patch Reporting

Pick your poison: choosing the right CMS, routers cough up passwords, detecting search queries passively, 14-year-old finds XSS, Serial Killers.

We discuss all of the new features in Nessus 5.2: The latest release of Nessus!

Introducing new VMware vShpere ESXi and vCenter configuration audits! Plus tons of new Nessus and PVS plugins and a few stories.

Detecting portable devices on Windows, vulnerable PHP applications, FTP clients and database servers, losing your keys by proxy and more!

Apple Profile Manager, Java, MySQL vulnerabilities, tracking convicts, cloud leaks.

IP Camera vulnerabilities, HP Printer weaknesses, vulnerable PHP CMS, CVSS update and more!