Tenable Network Security Podcast Episode 127 - "IPv6 Day, Defense-In-Depth?"

Announcements

• Tenable Network Security's Jack Daniel to Present at Gartner Security & Risk Management Summit
• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus and SecurityCenter 4 tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join Tenable's Discussion Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

New & Notable Plugins

Nessus

• Sharebar Plugin for WordPress status Parameter XSS
• Citrix XenApp Unspecified Remote Denial of Service
• Atlassian JIRA Version 5.0.1 XML Parsing Vulnerability
• Ecava IntegraXor DLL Traversal Arbitrary File Overwrite
• HP SAN/iQ Root Shell Command Injection
• Tornado version 2.2.1 or Less HTTP Response Splitting

SecurityCenter Report Templates

• DNSChanger Site Summary - This report template will enumerate systems on your network that have been identified (via Nessus and/or PVS) to have DNS IPs in use that fall within the DNSChanger ranges.

Compliance Checks

Nessus ProfessionalFeed and SecurityCenter customers can download compliance checks from the Tenable Customer Support Portal.

• Tenable Audit Policies - PCI Compliance
• Tenable Audit Policies - CIS Windows
• New CIS HP-UX Audit Policy
• Tenable Audit Policies - Antivirus
• Tenable Audit Policies - DISA STIGs and Checklists

Stories

1. toolsmith: Security Investigations with PowerShell - I think this is really cool, so much functionality in PowerShell. Also note you can run PowerShell commands from Nessus Compliance Checks.
2. Woes me information (cyber) security is hard - I'm not certain I agree with the whole "get rid of defense-in-depth", I think some folks look deeper into the meaning of this term. There is nothing wrong with having several safeguards and not relying on any one (or even two) things to increase security. However, defense-in-depth does not excuse you from a more holistic approach to security, which I think is where people start poking holes in it. Some other great thoughts here, such as security being more about being resilient and protecting your data.
3. HUGE Microsoft security FAIL helped Flame virus spread - Computerworld Blogs - We all knew it would be a bad day when someone was able to spoof Microsoft updates, and Flame has done just that.
4. IPv6 Day 2012 – What Does It Mean? - I believe IPv6, despite gaining traction recently, will still be a slow, steady mover, which will eventually win the race, but not overnight.
5. It’s Time to Retire "Security" From Our Lingo - It's a fantastic idea, we drop security as an add-on, and just embed it into the culture. This won't happen anytime soon due to human nature and economics, but it's a nice idea to think about.
6. How security pros are handling data overload - "A third of the respondents, all of who worked in companies with 1,000 employees or more worldwide, found it too difficult to distinguish legitimate from malicious activity, while almost three in 10 were equally successful as unsuccessful in correlating security data to business impact. Worse, 4 percent of the pros said they were mostly unsuccessful." What can we do to make sense of the data? I've heard lots of tips in this area, such as correlation, knowing your network, and context, but it still remains on the higher end of the difficulty scale. The one thing I believe many organizations miss most often is dedication and resources.
7. SecurityTracker: Microsoft Windows Includes Some Invalid Certificates - Microsoft has revoked the problem certificates -- make sure all your systems no longer trust them!