Security Strategy

Using Real-time Events to drive your Network Scans

by Ron Gula on October 8, 2009

I recently had the opportunity to write an in-depth article for issue #22 of (IN)Secure magazine. The article discussed how the results and reports from your real-time network monitors can be used to make better decisions on how your vulnerability scanners are used. In short, there should be a feedback loop between your scanners and your event monitors. Both processes can help refine each other and ensure you are performing the correct level of montioring. This is also a basic component of our Unified Security Monitoring strategy. Read the full article here .

Successful Security Assessment Programs

by Paul Asadoorian on June 11, 2009

Recently I gave a presentation at the “ SANS Penetration Testing Summit ” titled " Zen and The Art Of An Internal Penetration Testing Program ". This presentation outlines the steps required to create a successful program and perform internal penetration testing. There are several key components that must exist to create a successful program: Getting Management Buy-In - This is the first and most important step. Management must understand the testing strategy and be kept in the loop on the results and remediation. Business units must also be consulted to determine the impact scanning will have on their environment to establish a schedule for scanning. It does not matter what kind of testing you plan to perform, from vulnerability scans with Nessus to full-blown penetration testing, you must get the approval from management.

Black lists, white lists – what lists? How to audit program usage on your network

by Ron Gula on June 3, 2009

How do you know that the software being executed on your network is authorized and acceptable? Many organizations struggle with this concept or ignore it altogether. There are generally four approaches to enabling or preventing software usage: White listing of software - A third party application or very tight operating system configuration settings is used to only enable specific authorized program names. Everything else is denied by default. Black listing of software - A third party application specifically controls what programs cannot be run. Anything not on the list is allowed by default. Ignorance – Some organizations simply do not have the staff, resources, technology or concern to attempt any type of analysis of what software is allowed. Auditing – Using one or more methods, an organization takes no immediate action on software usage, but it does track and analyze what programs are available and in use to help make better policy decisions, to have a more intelligent incident response process and to help IT troubleshoot issues.

Detecting Microsoft Executables Being Served by an Unknown Service with Nessus

by Ron Gula on August 28, 2008

Many different types of malware and botnets require some sort of exploit payload. This payload can be obtained through traditional compromised services such as HTTP, FTP and even TFTP. Payloads can also be delivered by highly customized or proprietary protocols designed by the malware and botnet creators. Tenable’s research team has encountered some ports that can't be fingerprinted and appear to start an executable download when they are connected to. This is a tactic that some of the botnets use to infect additional machines. Any program that can make a simple TCP connection and save any...

"But I patched our DNS servers ..."

by Ron Gula on July 25, 2008

The current DNS cache poisoning issue is a great example of a vulnerability that must be tested with both patch auditing as well as network scanning. Nessus is ideally suited to perform both types of audits. This blog entry discusses the advantages of using an auditing tool like Nessus as compared to pure patch auditing or network scanning. NAT and DNS Cache Poisoning A key part of exploiting this vulnerability is the ability to predict the source ports of replies from a DNS server you wish to inject malicious data to. Consider the following sequence of source ports for queries to a DNS...

Keeping Track of Your Ethernet Addresses

by Ron Gula on June 30, 2008

Tracking the hardware network address of Ethernet devices can be a daunting task for an enterprise network operations group. The ability to track Ethernet (or MAC) addresses can have tremendous value for tracking changes to the network, user activity and access control. This situation can be exacerbated in a dynamic IP address environment. Over the years I've spoken with many different customers who used scripts and other techniques to crawl switches, sniffers, agents to scour their network to keep their list of MAC addresses up to date. Each of these usually worked well, but the data ended...

Boss, I think Half of our FTP Servers are fake!

by Ron Gula on May 23, 2008

Several new plugins for Nessus were recently introduced which can detect FTP servers that are fake: Fake FTP server accepts a bad sequence of commands Fake SMTP/FTP server (backdoor) Fake FTP server does not accept any command Fake FTP server accepts any command The basic concept is that a hacker, botnet, malware or virus needs to have some sort of method for communication, to receive commands, to transfer data or provide continued access so they use a backdoor. But rather than use some sort of custom or proprietary command and control, they use a service that looks like an FTP server. By "...

Safari Windows Detection ... and all That Implies

by Ron Gula on April 8, 2008

Apple recently gave Windows iTunes users the option to download the Safari web browser. This move was criticized by many bloggers and security experts. What we will be discussing in this blog today is detection of the Windows Safari application and also examine how organizations could react to this situation. Detection Nessus plugin # 31788 named "Safari Detection (Windows)" looks for Safari installed on a Windows platform. This plugin requires credentials to analyze the Windows system to see if the browser has been installed. If credentials are not available, this plugin won't report an...

Auditing MySpace and FaceBook Vulnerabilities

by Ron Gula on March 28, 2008

Over the past few months, there have been a few vulnerabilities in ActiveX controls from MySpace and FaceBook . Nessus users can audit Windows systems running Internet Explorer with the following plugins: # 30219 myspace_uploader_1_0_0_6_activex_overflow.nasl # 30152 facebook_photo_uploader_4_5_57_1_activex_overflows.nasl # 30134 image_uploader_4_5_70_activex_overflows.nasl These plugins require credentials for Nessus to log into the Windows computer and analyze which ActiveX controls and versions are available. The plugins are available to all Nessus Direct Feed , Registered Feed and...

Detecting Web Servers with Malicious Javascript

by Ron Gula on January 9, 2008

Recently, Tenable Network Security introduced Nessus plugin # 29871 which looks at the content of a web site to see if it is hosting potential hostile javascript code. There have been several recent mass defacements and infections of 1000s of web sites through SQL injection attacks. Plugin # 29871 , named "Web Site contains links to malicious javascript files", specifically checks web sites for links to the "" addresses used in this recent wave of infections. When performing CGI scans, Tenable recommends several strategies: By default, Nessus will only mirror 200 pages for a scanned...