Beware of Bleeding Hearts (Updated)

by Ken Bechtel on April 8, 2014

A recently discovered vulnerability, identified as Common Vulnerabilities and Exposures (CVE) CVE-2014-0160, but more commonly called HeartBleed Vulnerability, has been acknowledged by the Open SSL Organization and the Finnish Cert Team. This is an attack against the transport layer security protocol (TLS/DTLS) hearbeat extension. When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server. This vulnerability is pretty serious in that it is transparent to the administrators, as there is no log of the attack. When an attack is...

Understanding NIST’s Cybersecurity Framework

by Cris Thomas on April 8, 2014

NIST’s Cybersecurity Framework (CSF) is likely to become the basis for what's considered commercially reasonable in regards to securing an organization’s infrastructure. For this reason alone companies should pay close attention to the CSF and, even if they don’t follow it completely, should at least understand where they are deficient and why. The CSF is a valuable indicator of what a standard of care should be. The document provides a standard measurement that organizations can agree on in terms of assessing risk assessment. The CSF will give higher levels of management, such as a boards of...

PVS 4.0.2 is now available for download

by Sherry Quinn on April 2, 2014

This maintenance release addresses the following issues: An expired PVS license or activation code sends the user to the Quick-Setup wizard to allow entry of the new license Hosts with Internet facing vulnerabilities were missing the “External Access” tag Filtering issue on the “Affected Host List” was fixed Dependency issue causing some false positives was fixed Improvements were also made including: The password complexity requirement on the Web Proxy Password setting Relaxed the port setting restriction for “Web Proxy Port” to allow specification of ports below 1024 Plugin evaluation logic...

True White-Knuckled Stories of Metrics in Action: Sylvan

by Marcus J. Ranum on April 2, 2014

In this blog series on SecurityWeek, Tenable CSO Marcus Ranum advises security professionals on how they can create and share metrics in their jobs. These metrics can create better understanding and awareness about the success of their approaches, as well as allow them to build support for programs and funding requests. When you start your metrics program, you will find that a great deal of information can be gleaned from existing data that gets stored in various places.... When I was a junior systems administrator just out of college, I worked at a major hospital as a systems analyst in the...

Malware’s Journey from Hobby to Profit-Driven Attacks

by Ken Bechtel on March 24, 2014

While most of my posts focus on malware attacking systems today, the history of malware is a fascinating topic that provides insights into the current landscape. As one of the authors of the Avien Malware Defense Guide , I contributed to the book's chapter on history and will be leveraging and expanding on some of that content here to give context to where we are today. First what is malware? Malware is a merger of "malicious" and "wares," meaning malicious software. It can range the gamut from traditional viruses and worms to botnets, potentially unwanted Programs (PUPs), adware and spyware...

Announcing Tenable SecurityCenter CV Version 4.8

by Aarij Khan on March 20, 2014

Tenable is excited to announce the general availability of SecurityCenter Continuous View (SC CV) version 4.8. This latest update to the SecurityCenter product family is the latest step in Tenable’s history of innovation and market leadership. SecurityCenter CV 4.8 is the first product in the industry to integrate vulnerability, threat and compliance management, introducing several features that enable security teams to accelerate security forensic analysis and incident response. This release is built on the industry’s only security solution that provides 100% asset discovery 100% of the time...