Tenable Network Security Podcast - Episode 36

Welcome to the Tenable Network Security Podcast - Episode 36

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Nessus Spotlight: su+sudo Feature
  • SecurityCenter Webinar in French!
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
• Be certain to check out our video channel on YouTube that contains the latest Nessus tutorials.
• We're hiring! - Visit the web site for more information about open positions. There are currently 7 open positions listed, including a Digital/Web Strategy Coordinator.
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula - Security Architecture Summit

Stories

• Tips On Choosing Which Vulnerabilities to Test - This article makes some good points in regard to prioritizing vulnerabilities and how it applies whether you are an attacker or a defender. As an attacker, you want to go after what is likely to be easiest to exploit (publicly available, no credentials required, etc.). As a defender, you need to prioritize your remediation the same way!
• Fraud Bazaar Carders.cc Hacked - This story could be good and bad. On one hand, it shows that the bad guys are human like we are and their sites get hacked too. On the other hand, so-called "blackhat" skills are now being spilled out into the public eye.
• A reminder that CSRF affects more than websites - While most only consider CSRF in HTTP (i.e., web sites), it can apply to other protocols as well! This is also true for XSS vulnerabilities; the protocol doesn't really matter for these attack vectors, as long as you can make them work.
• iPhone vulnerability leaves your data wide open, even when using a PIN - I never felt comfortable using a four-digit PIN, but they are all too common in things such as garage door opener panels, ATM PINs and your beloved iPhone. In this case the PIN can be completely bypassed just by plugging the phone into an Ubuntu Linux system. This is the thing that gets me about security: just because people have a security control in place, they seem to forget that it can be bypassed. I can just hear people now, "I have my email on my phone, but I have a PIN so it's secure". Data encryption plus a PIN is far better, but when are we ever truly safe?
• Is Security A Design Problem? - We all tend to say that security is a design problem, and if the Internet was designed to be secure in the first place we wouldn't have this mess. Few things are designed to be secure from the start. Most things are designed to work and function, and then the impacts of security are taken into account. Unfortunately, this is the way of the world and we're left to clean up the mess. I like this quote on the matter:"In absence of other solutions, an intelligence driven incident response model is your best bet."
• Time for a new mantra - Jack has a point - we're all told to "think like an attacker". However, there is something to be said for experiencing what it feels like to be under attack, which is equally as important.