Security Strategy

The Big Red Button and the Kill Switch

by Marcus J. Ranum on April 25, 2013

I have no idea if I had a role in the "Internet Kill Switch" debacle, but it's possible that I was one of the pushes that got that particularly horrible ball rolling. Back in 2002, when I was between jobs, I did a talk at CSI in Chicago, about the need for organizations to be better able to react to attack, especially if they were part of critical infrastructure. At the time, I was concerned particularly with denial of service attacks; I had been thinking about them and had concluded that it's never going to be possible to completely prevent such attacks. "Well, that has big implications for...

Information Sharing: Learn From Past Mistakes

by Marcus J. Ranum on March 7, 2013

I've been asked repeatedly for my opinion about the APT1 report, and every time I try to respond I find myself waffling. The reason is simple: I think the report is a good thing, a sign of deep dysfunction in security, a stimulant to information sharing, an indicator of failed foreign policy, a brilliant marketing maneuver and a bit of business as usual. It's hard to pull those together into a simple, "yes, it's a good thing!" answer. If nothing else, it's going to serve as a stimulant for worthwhile discussion for at least the next 5 years. One possibility is that it will be the only such...

Why is outcome based security monitoring so critical with “Big Data”?

by Manish Patel on December 10, 2012

At the recent 2012 ITSAC conference in Baltimore, John Streufert, the Director of the National Cyber Security Division of DHS, outlined five recommendations for achieving continuous monitoring. These were:

- Scan daily, at least every 36 to 72 hours
- Focus on attack readiness
- Fix daily
- Grade personally
- Hold managers responsible

While the above are a key component of the government’s CyberScope program, which mandates monthly reports, many organizations internally perform real-time or near-daily security assessments. Yet this becomes overwhelming with “Big Data”. As a result, many organizations...

Annoy, Attribute, and Attack

by Dale Gardner on May 28, 2012

Annoy, attribute, and–with care–attack the attackers who are attacking you. In this RSA presentation, Tenable Product Evangelist and PaulDotCom Host Paul Asadoorian is joined by colleague John Strand to discuss and demonstrate Offensive Countermeasures: Making Attacker's Lives Miserable. Watch now on YouTube.

Predicting Attack Paths

by Ron Gula on April 2, 2012

Tenable has published a technical paper titled “Predicting Attack Paths” that describes how to leverage active and passive vulnerability discovery technology to identify, in real time, the Internet-facing services, systems and clients on your network that can be exploited in a variety of scenarios.

Enhanced Botnet Detection with Nessus

by Ron Gula on March 22, 2012

Tenable’s Research team recently added the ability for Nessus to evaluate audited hosts to see if they are connected to or configured with a known botnet IP address. In this blog entry, we will review all of the features available within Nessus for botnet and malware detection, as well as the types of features that are available in other Tenable products.

Active and Passive Auditing of DNS Servers in Use – Finding DNSChanger Malware

by Ron Gula on March 5, 2012

Tenable’s Research team recently shipped a variety of Nessus plugins and Passive Vulnerability Scanner (PVS) PASL scripts that audit and detect the DNS servers in use on (and off) your network. These plugins and scripts are leveraged to find systems affected by DNSChanger malware, but they can also be used for a broader audit of DNS servers actively in use. This blog entry describes the new plugins and PASL scripts and how they can be used to audit active DNS servers in use.

Decoding IPv6: Four Misconceptions that Security Execs Need to Know

by Ron Gula on February 29, 2012

IPv6. It’s big, unavoidable, exciting, and concerning… The Internet protocol that we’ve come to know and love (IPv4) is about to get a facelift (or, at least a serious shot of HGH). The tech community is bracing for a wild ride ahead -- guaranteed to be riddled with successes, failures, and security snafus as IPv6 is rolled out. In fact, we just saw the first DDoS attack targeting IPv6 networks earlier this month -- making this a very timely topic.

Three Types of Client-side Exploits

by Ron Gula on February 28, 2012

We often hear about vulnerabilities in client software, such as web browsers and email applications, that can be exploited by malicious content. The repeated stories about botnets, infected web sites, and viruses which infect us with malicious documents, movies, and other content have ingrained the concept of an exploitable client in our minds. Unfortunately, client software can also be targeted with attacks from compromised servers accessed by the clients, and some client software actually listens for connections. In this blog entry, we will discuss auditing client software for vulnerabilities and describe the three different types of client-side exploits and how they can impact the risk of your network.

Using Nessus 5 to Raise the Value of Penetration Testing

by Ron Gula on February 23, 2012

Cross-referencing the results of your vulnerability scans with the list of public exploits helps identify likely targets for authorized penetration testing teams. Removing these vulnerabilities significantly raises the value of a penetration test, since the team will have to work much harder to find issues that aren’t found through automation. There are many subtle issues to consider when correlating available exploits with vulnerabilities. In this blog entry, we’ll highlight these issues by correlating the exploits available from the Metasploit project, Core, and Immunity with the results of a very large Nessus scan of several thousand web servers.