Compliance Monitoring

Is that System Managed?

by Ron Gula on November 2, 2011

IT auditors, penetration testers, and incident responders often ask if a system they are analyzing is managed. A managed system is one that is being looked after, updated and maintained by an IT staff of some sort. An unmanaged system is one that is on the network, but perhaps has been forgotten, isn’t authorized or has some other reason for it not to be there or updated by anyone else. Security findings for managed systems and unmanaged systems are reported differently. For an unmanaged system, the recommendation is to make the system managed and bring it into a secured state. For security issues with managed systems, the recommendation is to alter the current management processes to make them more secure. Unfortunately, there is no “under management” test that can easily be automated. This blog entry will describe some of the different types of data that can be gathered from logs, Nessus scanning and Passive Vulnerability Scanner sniffing that can help identify systems with and without management.

Comparing the PCI, CIS and FDCC Certification Standards

by Ron Gula on June 23, 2011

As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and the US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these categories (we're in the process of becoming an ASV), I thought it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.

Hardening OS X Using The NSA Guidelines

by Paul Asadoorian on May 27, 2011

The National Security Agency (NSA) has developed security hardening guidelines for various operating systems and technologies. I remember when I first started in information technology and used these guides to harden my Windows servers. I was met with mixed success; some systems would run better, and some would cease to function due to configuration changes. This taught me about my systems and their configurations, and knowing what your systems do and how they are configured is the true key to successful systems administration. Remember, the “guidelines” are just that, a guide to configuring and securing your systems. Ultimately, it is up to you to determine which changes you will implement, and most importantly to test those changes in a lab/QA environment. Mac OS X's popularity has been growing rapidly, and so has its use in corporate environments. The NSA has released a new hardening guide for OS X. Tenable has created a configuration audit that will compare the configuration of your OS X systems with the NSA's guidelines, and below are some of the example results from an audit:

SSL Certificate Authority Auditing with Nessus

by Ron Gula on December 28, 2010

Do you know where all of your organization’s SSL certificates are and if they are providing enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test if they are expired and, with the advent of plugin #51192, test that they have been securely signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.

If an exploit falls in the forest, does anyone hear it being patched?

by Ron Gula on December 8, 2010

Recently, Tenable added exploitability reporting for Nessus. After performing a scan, results can be filtered to see which vulnerabilities have exploits available for them. In the report, you can even see which common exploitation tools have payloads for these vulnerabilities. This is a great way to help prioritize which vulnerabilities to fix first. However, it is not a great way to manage your network or decide whether to patch a system or not. Consider the following conversation that represents many I’ve had on this topic:

Research Spotlight: Oracle Patch Auditing

by Paul Asadoorian on July 8, 2010

Oracle has implemented a quarterly patch release cycle for its customers. Patches for all Oracle products are released on this schedule, and typically fix dozens of vulnerabilities in their database software, Sun Java (recently acquired) and other enterprise products. They have a similar rating system to other major vendors (such as Microsoft and Cisco) with regular patch release cycles. Oracle describes the severity of each vulnerability using the Common Vulnerability Scoring System (CVSS) metrics: "Access Vector", "Access Complexity", "Authentication", "Confidentiality", "Integrity" and "Availability". It is a great way to categorize vulnerabilities; however, this still leaves you with the important task of scheduling, testing and applying the updates. Tenable's Research team has added the ability to perform an Oracle patch audit into the Nessus vulnerability scanner. A new plugin was created (oracle_rdbms_query_patch_info.nbin) that logs into an Oracle database and runs a set of queries to determine which patches are missing:

Query 1 - Determines the hostname of the system the database is running on (important when Nessus is testing an Enterprise Manager Grid Controller that contains patch information for other hosts).

Query 2 - Pulls the installed "PatchID" and the "Oracle_home" it is installed in.

Query 3 - If Nessus found any PatchIDs in Query 2, looks up all the bugs that were superseded by each PatchID found in Query 2.

The patch information comes from the same tables that are used by Oracle Enterprise Manager and Oracle Enterprise Manager Grid Controller for patch management.

Nessus Cisco Compliance Checks

by Carole Fennelly on June 18, 2010

Tenable has authored a Nessus plugin (ID 46689) named “Cisco IOS Compliance Checks” that implements the APIs used to audit systems running Cisco IOS. This plugin is pre-compiled in the Nessus “.nbin” format. It provides ProfessionalFeed users a method of using Tenable-provided .audit files, or their own audit policies, to audit Cisco devices and ensure compliance with corporate policy. This functionality provides a wide range of audit capability including ACL policy detection, service status, device access control and more.

New Keywords

Many of the .audit keywords are the same as for other devices such as Windows and Unix systems. The Cisco compliance checks add two new keywords specific to Cisco IOS based devices:

feature_set - Similar to the “system” keyword in the Unix Compliance Checks, this keyword checks the Feature Set (e.g. AdvancedEnterprise, AdvancedIP, Advanced Security, K9, etc.) of the Cisco IOS and either runs the resulting check or skips it because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular Feature Set (e.g. SSH in K8 and K9 bundles).

ios_version - Similar to the “system” keyword in the Unix Compliance Checks, this keyword checks the version of the Cisco IOS and either runs the resulting check or skips it because of a failed regex. This is useful for cases where a check is only applicable to systems with a particular IOS version.

Understanding The New Massachusetts Data Protection Law

by Kelly Todd on January 26, 2010

After months of defining, redefining, extending deadlines and planning, a new law in Massachusetts that affects all businesses that handle personal data of Massachusetts residents is finally about to go into effect. According to Massachusetts 201 CMR 17: "The objectives of this regulation are to insure (sic) the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."

Tenable and SANS Consensus Audit Guidelines (CAG)

by Carole Fennelly on June 29, 2009

The SANS Consensus Audit Guidelines (CAG) is a compliance standard that specifies 20 "control points" that have been identified through a consensus of federal and private industry security professionals. This blog post provides a summary of the SANS initiative and an overview of how Tenable’s solutions can be leveraged to demonstrate compliance with these guidelines. Tenable has also released a technical white paper that shows exactly how our scanning, log analysis and auditing solutions can be used to monitor the SANS-CAG controls.