Security Strategy

Real-time Enterprise Exploitability Trending

by Ron Gula
February 13, 2012

Penetration tests are typically a point-in-time exercise to determine if a remote adversary or malicious insider can compromise systems that contain sensitive data. Most organizations do not conduct penetration tests on a daily basis. Instead they schedule them annually, quarterly, or in some cases monthly. Penetration tests procured on a consulting engagement are often limited to key systems and assets rather than the entire network of systems. This diminishes the value of the penetration test as the results quickly become outdated and may not be relevant to new systems or recent network changes. However, by correlating the availability of exploits with a continuous monitoring program to identify vulnerabilities, an organization can have a better idea of how “exploitable” they are on a real-time basis.

Is that System Managed?

by Ron Gula
November 2, 2011

IT auditors, penetration testers, and incident responders often ask if a system they are analyzing is managed. A managed system is one that is being looked after, updated and maintained by an IT staff of some sort. An unmanaged system is one that is on the network, but perhaps has been forgotten, isn’t authorized or has some other reason for it not to be there or updated by anyone else.

Security findings for managed systems and unmanaged systems are reported differently. For an unmanaged system, the recommendation is to make the system managed and bring it into a secured state. For security issues with managed systems, the recommendation is to alter the current management processes to make them more secure.

Unfortunately, there is no “under management” test that can easily be automated. This blog entry will describe some of the different types of data that can be gathered from logs, Nessus scanning and Passive Vulnerability Scanner sniffing that can help identify systems with and without management.

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

by Ron Gula
June 27, 2011

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

Comparing the PCI, CIS and FDCC Certification Standards

by Ron Gula
June 23, 2011

As a vendor, Tenable has to demonstrate compliance in many different types of categories. The Payment Card Industry, the Center for Internet Security and US government's FDCC program all have certification standards and procedures for vendors like Tenable. Since Tenable is certified in most of these these categories (we're in the process of becoming an ASV), I though it would be interesting for our blog readers to share some of our insights into the differences and misconceptions between them.

Firewall and Boundary Auditing Best Practices

by Ron Gula
June 22, 2011

Recently, I had the chance to work with several larger Tenable enterprise customers who were charged with figuring out what the perimeter of their network really looked like.

I showed them how multiple Nessus scanners and Passive Vulnerability Scanners deployed throughout their infrastructure could be leveraged to provide near real-time visibility into every boundary or enclave.

Security Metrics - Is This Network Getting Better?

by Ron Gula
August 9, 2010

Metrics that show risk are an excellent way to communicate security information to different people and groups within an organization. However, trend lines can hide a lot of details and nuances. This blog entry discusses an example network where a month’s worth of scan data is used to trend overall vulnerabilities, those that have been around longer than thirty days and correlating systems needing a reboot with residual security issues.

Detecting ALL of Your Websites Passively and Continuously

by Ron Gula
July 19, 2010

Web application auditing is really difficult if you don’t know about the presence of a website or specific application. You may not know about a web server. You may not know what applications run on that single web server. You may even have malicious websites installed on your network by malware or Trojans. Nessus is great for scanning and finding web servers, even on uncommon ports, but you need to scan often to get the most benefit. Fortunately, Tenable’s Passive Vulnerability Scanner (PVS) can discover new web servers and all of their active web sites in real-time and without any impact to your network. This blog discusses how the PVS can be used to audit networks to find all authorized and malicious websites in use.

Detecting Recurring Vulnerabilities

by Ron Gula
July 14, 2010

One of the advantages of Tenable’s suite of Unified Security Monitoring products is that continuous vulnerability monitoring can be used to find reintroduced security issues. Vulnerabilities that were once mitigated but are now back again represent process and organizational issues that must be handled differently. Simply reporting the vulnerability again and waiting for it to be patched does not address the fundamental flaw in the process. This blog entry discusses how recurring vulnerabilities are detected, some of the reasons why they may be recurring and how you can track and report on them with Tenable’s SecurityCenter.