Passive Network Monitoring

Three Types of Client-side Exploits

by Ron Gula on February 28, 2012

We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds. Unfortunately, client software can also be targeted with attacks from compromised servers accessed by the clients, and some client software actually listens for connections. In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.

Real-time Enterprise Exploitability Trending

by Ron Gula on February 13, 2012

Penetration tests are typically a point-in-time exercise to determine if a remote adversary or malicious insider can compromise systems that contain sensitive data. Most organizations do not conduct penetration tests on a daily basis. Instead they schedule them annually, quarterly, or in some cases monthly. Penetration tests procured on a consulting engagement are often limited to key systems and assets rather than the entire network of systems. This diminishes the value of the penetration test as the results quickly become outdated and may not be relevant to new systems or recent network changes. However, by correlating the availability of exploits with a continuous monitoring program to identify vulnerabilities, an organization can have a better idea of how “exploitable” they are on a real-time basis.

New SCADA Plugins for Nessus and Tenable PVS

by Paul Asadoorian on January 31, 2012

Assessing the security of SCADA devices has always been a challenging task. SCADA devices are used in several critical infrastructure industries, including power plants, manufacturing, chemical processing, and nuclear reactors. Thus, the high availability and security of these devices are of the utmost importance. The challenge lies in assessing the security of SCADA devices without causing any adverse effects. These special-purpose systems often operate within a limited scope and use protocols specific to the tasks being performed, such as Modbus, OPC, and DNP3. In 2006, Tenable Network Security released the first Nessus® vulnerability scanner and Tenable Passive Vulnerability Scanner (PVS) SCADA plugins (you can read the original release notes for PVS in a post titled "SCADA Network Monitoring" and the original release for Nessus titled "SCADA Checks For Nessus 3"). In April 2011, a new round of SCADA plugins was released for Nessus (covering devices from Movicon, 7-Technologies, and more). Tenable is now pleased to announce the availability of additional SCADA plugins for Nessus ProfessionalFeed, Tenable SecurityCenter, and PVS users. Tenable's research team worked alongside SCADA experts from Digital Bond to test and identify a wide variety of common SCADA devices. The plugins were announced at Digital Bond's S4 Conference on SCADA security held on January 19, 2012. Note: Digital Bond's Dale Peterson joined us on the Tenable Network Security podcast episode 110 and spoke about the new plugins and SCADA security. Below is a sample of some of the new SCADA plugins:

Scanning for pcAnywhere

by Ron Gula on January 30, 2012

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. Nessus has many checks that identify the presence of pcAnywhere, the type of network access it supports, and some vulnerabilities in the application. A current list is shown below for reference:

10006 Symantec pcAnywhere Status Service Detection (UDP)
10794 Symantec pcAnywhere Detection (TCP)
10798 Symantec pcAnywhere Service Unrestricted Access
20743 Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
32133 Symantec pcAnywhere Access Server Detection Service
35976 Symantec pcAnywhere CHF File Pathname Format String Denial of Service
57795 Symantec pcAnywhere Installed (local check)
57796 Symantec pcAnywhere Multiple Vulnerabilities (SYM12-002)

Mobile Devices, Your Network, and Passive Sniffing

by Paul Asadoorian on November 30, 2011

Do you know how many mobile devices reside on your network? Is your security architecture designed to secure the mobile platform and protect your users and the network from the threats they pose? Mobile devices are a security concern for many reasons. Mobile devices are typically unmanaged, meaning they may or may not be running AV software or a firewall, and may not conform to enforceable security policies. Yet, whether they are provided to your employees as part of your operations or not, they are likely accessing resources on your network. To compound the problem, many mobile devices connect to your local network and the Internet directly over two separate mediums. For example, the device may associate to a wireless network belonging to your organization while also holding a 3G/4G connection to the Internet.

Discovering Dropbox On Your Network

by Paul Asadoorian on November 10, 2011

Why is "Cloud Storage" So Appealing?

Services such as Dropbox use the cloud to enable users to share files with others and transfer work from office to home and back. The challenge is two-fold:

Determine how this and other cloud-based technologies align with the organization's security policies and compliance mandates.
Monitor use of these solutions to ensure compliance and limit exposure while preserving benefit.

Users often turn from sanctioned file sharing methods when they reach the limits of email and internal file sharing capacity, performance, and functionality. Email was not intended to share large files, and very often restrictions are placed on the size of an individual email and on how large your inbox can grow. Users can put files on an internal file sharing service, but that limits access to local users and VPN-connected users. Employees who travel or third parties may not have access to the internal network to retrieve the files. Many IT departments do not offer an easy way to share files through more traditional methods such as public FTP servers because of security concerns. Dropbox overcomes many of these issues and has become quite popular, as evidenced by a recent influx of $250 million in additional funding. The price is right too, as you can get 2GB of storage for free and manage access to your files. The problem is, Dropbox security and usage often violate corporate policy and security best practice. Corporate policy must protect sensitive information, such as customer data and intellectual property. If this information is being transmitted insecurely to a service such as Dropbox, your policies and network defenses should detect this behavior and monitor for violations and information leakage. For example, Dropbox relies on SSL for encryption. Several attacks released this year have been reported that can circumvent SSL security, and SSL certificate authorities have been compromised, breaking down the trust that SSL relies upon for security and integrity. Client software can become the weakest link as well, even if SSL is implemented properly. The Dropbox client software has contained vulnerabilities that, when exploited, could put your data in the wrong hands. To solve this problem we need to implement encryption at the file level to protect sensitive data. I have to admit, I am a Dropbox user. However, I use it with caution and implement my own security policy. Any sensitive data is sent to Dropbox using file encryption (PGP in this case). Any non-sensitive information is not encrypted, and I am careful to distinguish between the two.

Converting Packets to Syslog

by Ron Gula on October 27, 2011

Tenable's Passive Vulnerability Scanner (PVS) performs protocol analysis on network traffic to discover vulnerabilities and log the sessions that have occurred. Unlike network forensic systems which log the actual packets and session content, the PVS creates a single syslog message for each identified network session. These logs are ideal for consumption by a SIEM or log analysis tool such as Tenable's Log Correlation Engine. This blog entry describes what types of applications are logged and how they can be used for alerting and analysis.

Dealing with "Untouchable" Systems

by Paul Asadoorian on October 25, 2011

"The Untouchables"

An untouchable system is one on which you cannot install software (such as agents) or apply security fixes regularly. I have come up with several different examples of such systems, and tried to use examples here from my own experiences to define why they may fall into the "untouchable" category:

Select SCADA systems - This is a broad category, but it boils down to computers that are used in control systems networks. While many may be considered to be "air-gapped" (physically disconnected from any other types of systems), that may not actually be the case since connectivity is required to manage the devices (especially those deployed in the field). I was once approached to perform a vulnerability assessment against one such system. I was told that network access would be provided, but that the system in question was responsible for providing power to thousands of people. This is a scary endeavor, as not only could you put thousands of people in the dark, but potentially damage infrastructure if the power is turned on and off too quickly. This situation requires a different approach than a traditional network vulnerability assessment or penetration testing.

Traveling Laptops - It can be difficult to control the software and patches on systems that rarely connect to the corporate network. The concern is what happens when a laptop that has been connected to airport, hotel and other potentially hostile networks comes back to home base and plugs into your network. It may already be infected, and may not be up-to-date with patches. You can try to force users to connect back to your network via a VPN, but not all users may do this on a regular basis. During the user's travel, the system is "untouchable".

Network Devices - Let's face it, no matter how redundant your network is, you just can't blast out a firmware update to your network gear at will. This leaves a good percentage of network systems that are "untouchable" for certain time periods. Routers have a bit more flexibility, but the physical switches that your systems are connected to cannot be taken down at will, or users will lose connectivity, as flashing the device with new firmware requires that the system become unavailable for a short time period (or a longer time period depending on the device and software).

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

by Ron Gula on June 27, 2011

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.