Infosec Europe 2014

by Gavin Millard on May 6, 2014

With Infosec Europe 2014 at a close, our security experts share their thoughts on Europe’s number-one information security event.

The Evolution of an Important Metric: The Poverty Line

by Marcus J. Ranum on May 1, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. Such metrics build understanding and awareness of how well their approaches are working, and help them win support for programs and funding requests. Keeping with the definition that a metric is used to tell a story, let's look at an influential metric: how it was established, and a few things about how it has historically been presented. I'm going to use the metric as a way of red-flagging a few “don’ts” in...

How Vulnerable Are You To The Latest IE 0-Day?

by Paul Asadoorian on April 28, 2014

Tenable customers can use a combination of active scanning, passive scanning and configuration auditing to gauge their level of risk, track progress on implementing the workaround, and follow the remediation process once a patch is released.

Internet Explorer Zero Day Vulnerability

Recently an unpatched vulnerability was discovered in Microsoft's Internet Explorer web browser (versions 6 through 11). This remote code execution bug takes advantage of how Internet Explorer handles Flash objects to gain control of the system with the privileges of the logged-on user. The new...

Five 'Truths' About PCI Compliance and Cybersecurity

by Jeffrey Man on April 28, 2014

Posted originally on Wired, InnovationInsights blog

In my last blog, I dispelled three common misconceptions about the Payment Card Industry (PCI) Data Security Standard. To lend further insight about PCI, especially its impact on your cybersecurity assurance, I’d like to share five "truths" that you must know about your approach to cybersecurity and PCI compliance:

Never separate PCI compliance from your overall security efforts. Many organizations make the mistake of putting PCI in some kind of box, practically removed from the security program. But PCI is a data...

The Truth Behind Three PCI 'Myths'

by Jeffrey Man on April 22, 2014

Posted originally on Wired, InnovationInsights blog

In Part I of this series of posts, I examined how retailers face immense challenges with respect to their cybersecurity posture but don’t often focus on the important elements. For starters, they will spend an inordinate amount of time struggling to "reduce the scope" of the part of their enterprise that must comply with the Payment Card Industry (PCI) Data Security Standard. Then, when they are found to be compliant, they too often discover (the hard way) that their bare-minimum approach to PCI compliance has left them still vulnerable to exploits...

Nessus Amazon AWS Auditing Now Available

by Mehul Revankar on April 22, 2014

Edits and Contributions: Paul Asadoorian

The transition to cloud services is well underway, bringing with it both traditional and new security challenges. Nessus is evolving to address these challenges. Unlike traditional environments, cloud services require a modified approach to scanning: users can't simply point their scanners at services such as Amazon AWS and expect not to be throttled, if not blocked outright. Today we are happy to announce Nessus support for auditing Amazon AWS infrastructure. This new capability in Nessus® includes a compliance plugin and a .audit file that leverages...

Cybersecurity Is About Attitude, Culture -- Not Strictly Compliance

by Jeffrey Man on April 10, 2014

Posted originally on Wired, InnovationInsights blog

How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points, and counterpoints, on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great many thoughts to share. So consider this the first of a five-part series in which I’ll lend my perspective on the state of systems protection in the retail industry, and on how to safeguard your business. In all that I’ve read, there’s too much emphasis on...

Tenable Facilitates Detection of OpenSSL Vulnerability Using Nessus and Nessus Perimeter Service

by Jeffrey Man on April 9, 2014

Facilitate easy detection of the OpenSSL Heartbeat vulnerability in your enterprise

Tenable Network Security® released plugins for the detection of the OpenSSL heartbeat vulnerability (aka the “Heartbleed Vulnerability”) on April 8th for Nessus® and the Passive Vulnerability Scanner™ (PVS™). A plugin for detecting the vulnerability in Apache web server logs has also been added to the Log Correlation Engine™ (LCE™) and is available for reporting in SecurityCenter™ and SecurityCenter Continuous View™. Details about the vulnerability can be found in a blog by Tenable’s Ken Bechtel, Beware of...