SecurityCenter

Nessus Patch Management Integration Now Supports IBM Tivoli Endpoint Manager

by Paul Asadoorian
October 16, 2012

Nessus and SecurityCenter now support Tivoli Endpoint Manager (TEM) as a patch management platform in which patch-level information can be extracted for given scan targets.

Nessus Patch Management Support

We are pleased to announce new support for IBM Tivoli Endpoint Manager (TEM) for Patch Management (formerly known as BigFix). This new capability allows us to use the information gathered by TEM from systems where we may not have credentials or we’re unable to reach such systems over the network. The TEM integration is configured similarly to our integration with other patch management solutions where credentials and the server IP address/hostname are provided so Nessus can retrieve the patch information for the hosts targeted in the scan.

In addition to TEM, Nessus and SecurityCenter also integrate with the following popular patch and system management solutions:

  • Microsoft Windows Server Update Services (WSUS)
  • Microsoft System Center Configuration Manager (SCCM) 2007
  • Red Hat Network Satellite Server
  • VMware Go (formerly known as Shavlik)

In order to make use of this feature, be certain you've configured TEM properly. Refer to this discussion post for more information and instructions.

Auditing Open Ports on Windows Systems Using Nessus

by Paul Asadoorian
September 26, 2012

Tenable recently released three new checks used for auditing the configurations of Windows systems. The new configuration auditing options allow users to audit open ports. This post provides details about the three new checks, and describes how Nessus users could use them to maintain tight control over the number of open ports on their Windows systems.

1. AUDIT_ALLOWED_OPEN_PORTS

This check allows users to audit the list of open ports against an "allowed" list of ports that can be open on a target. For example, let’s assume there is a company policy to only allow SMB ports 445 and 139 to be open on a target. The resulting configuration audit would look as follows:

  <custom_item>
  type : AUDIT_ALLOWED_OPEN_PORTS
  description : "Audit TCP Open Ports"
  value_type : POLICY_PORTS
  value_data : "445,139"
  port_type : TCP
  </custom_item>
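As an added example (not Tenable's code and not the logic of the Nessus audit engine), the following Python applies the semantics the check describes: it parses the custom_item block shown above, reads the allowed-port list from value_data, and flags any open port of the stated port_type that the policy does not permit. The scan results it evaluates are constructed sample data.

```python
import re

# The custom_item from the post, as it would appear in a .audit file.
AUDIT_ITEM = """
<custom_item>
type        : AUDIT_ALLOWED_OPEN_PORTS
description : "Audit TCP Open Ports"
value_type  : POLICY_PORTS
value_data  : "445,139"
port_type   : TCP
</custom_item>
"""

# Constructed sample of what a port scan of the target might report: (protocol, port).
SAMPLE_OPEN_PORTS = [("TCP", 139), ("TCP", 445), ("TCP", 3389), ("UDP", 137)]


def parse_custom_item(text):
    """Parse the 'key : value' lines inside <custom_item> into a dict (quotes stripped)."""
    body = re.search(r"<custom_item>(.*?)</custom_item>", text, re.S)
    if not body:
        raise ValueError("no <custom_item> block found")
    item = {}
    for line in body.group(1).splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        item[key.strip()] = value.strip().strip('"')
    return item


def parse_ports(value_data):
    """Turn a POLICY_PORTS value_data string such as "445,139" into a set of ints."""
    return {int(p) for p in value_data.split(",") if p.strip()}


def evaluate_allowed_open_ports(item, observed):
    """Return (passed, unexpected_ports): the check passes only when every open port
    of the configured port_type is in the allowed list."""
    if item.get("type") != "AUDIT_ALLOWED_OPEN_PORTS":
        raise ValueError("not an AUDIT_ALLOWED_OPEN_PORTS item")
    allowed = parse_ports(item["value_data"])
    proto = item.get("port_type", "TCP").upper()
    open_ports = {port for p, port in observed if p.upper() == proto}
    unexpected = sorted(open_ports - allowed)
    return (not unexpected, unexpected)


if __name__ == "__main__":
    passed, extra = evaluate_allowed_open_ports(parse_custom_item(AUDIT_ITEM), SAMPLE_OPEN_PORTS)
    print("PASSED" if passed else f"FAILED: unexpected open ports {extra}")
```

UDP 137 in the sample is ignored because the item audits TCP only; port 3389 is what fails the check.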

Tenable Inks Deal With In-Q-Tel

by Dale Gardner
September 24, 2012

Tenable Network Security announced today it has established a strategic partnership and technology development agreement with In-Q-Tel. In-Q-Tel is the not-for-profit, strategic investment firm that works to identify, adapt, and deliver innovative technology solutions to support the missions of the U.S. Intelligence Community. Under the terms of the agreement, Tenable will develop secure audit and remediation capabilities that will assist intelligence agencies in continuously outpacing emerging cyber threats.

Default Credentials: Low-hanging Fruit in the Enterprise

by Paul Asadoorian
September 17, 2012

Passwords are Like Underwear, and It's Laundry Day

Perhaps one of the most easily overlooked security problems in the industry is password security. I'm not referring to the stored end-user password problems (discussed here), but the default (or weak) usernames and password combinations used to protect common administrative interfaces to applications and systems.

The problem stares us in the face every day, each time we log into a router, database management system, or remote access console and enter a password. Often we put a lot of time and effort into securing the end user-facing passwords, such as implementing account lockout password policies and forcing them to change their passwords at a regular interval. I find it ironic that the applications and devices used to run the organization often do not implement the same controls. Hundreds of applications and/or devices are known to be deployed with default passwords, and if not changed before or immediately after they are plugged into the network, can present serious risk to the organization.

Default credentials are considered "low-hanging fruit" for two reasons. First, they are easily exploitable by an attacker and can often lead to a serious security breach. Second, once you've identified the problem, it is easy to fix by setting a more secure password.

0-Day Java Vulnerabilities and Dealing with Vulnerable Client Software

by Paul Asadoorian
September 4, 2012

0-day or Not, Clients Are Vulnerable

Whenever there is a new vulnerability in popular software found on users’ desktops, such as Java, Adobe Reader, Adobe Flash, or Mozilla Firefox, the media goes into a frenzy and a lot of articles are published on the topic (often not containing much useful information). The most recent case is a particularly nasty vulnerability affecting Oracle Java, which can be successfully exploited on Windows, OS X, and Linux. While this vulnerability is generating buzz, it’s not all that different from any other popular software in use on users’ desktops that contains a vulnerability. Additionally, there is likely a population of exploits for such software that has yet to be disclosed and is being bought and sold on the black market. In fact, journalist Brian Krebs interviewed the creator of the Blackhole exploit kit who stated, "he was surprised that someone would just leak such a reliable exploit, which he said would fetch at least $100,000 if sold privately in the criminal underground."

Furthermore, it has been known for some time that a Java applet can be used to trick clients into running a malicious payload. Functionality within the Social Engineering Toolkit (SET) allows you to construct a fake website and distribute such a payload. The difference is that the user will have to click "Allow" for this action to occur. While this will decrease the success rate of malware deployment using this method, it will work on Windows, OS X, and Linux.

Tenable Receives Highest Rating of "Strong Positive" in Gartner Vulnerability Assessment MarketScope Report

by Dale Gardner
August 16, 2012

Late yesterday, Tenable announced SecurityCenter™ received a "Strong Positive" rating in Gartner's 2012 MarketScope for Vulnerability Assessment. The report provides guidance to security professionals evaluating options for vulnerability assessment. Gartner rates vendors based on evaluation criteria including market responsiveness and track record; product offering strategy; product functions such as base scanning methods, scope of vulnerability assessment, workflow and remediation support, and reporting capabilities; viability; and customer experience.

Tenable Releases SecurityCenter Continuous View

by Dale Gardner
August 9, 2012

Today, Tenable announced the availability of a new edition of SecurityCenter, called Continuous View.

This edition of SecurityCenter uniquely encompasses both scanning and monitoring, with the inclusion of Tenable's Passive Vulnerability Scanner (PVS). That makes SecurityCenter Continuous View uniquely capable of addressing vulnerability, configuration, and compliance management requirements for emerging technologies like mobile devices, cloud-based services, social applications, and virtual systems.

The flexible licensing approach provided by SecurityCenter Continuous View allows enterprise customers to deploy PVS in much the same way as they deploy Nessus within SecurityCenter: as many instances as needed.

Existing SecurityCenter customers can upgrade to a Continuous View license and begin to enjoy the benefits of continuous monitoring with PVS. These include:

  • Real-time identification of server and client vulnerabilities
  • Identification of mobile devices and their vulnerabilities
  • Passive discovery of all internal and external web servers and databases
  • Identification of trust and communication paths
  • Passive monitoring of virtual environments

Monitoring Internet-facing Servers with SecurityCenter & Nessus

by Paul Asadoorian
May 4, 2012

Covering All Your Bases

Internet-facing servers are a popular attack target: They are accessible to everyone on the Internet and can easily be probed for vulnerabilities. Based on exposure alone, Internet-facing servers present a higher risk of becoming compromised. This risk needs to be mitigated if organizations must provide access to services such as web, mail, and VPN connectivity. It is therefore important that these servers are regularly assessed for potential vulnerabilities (and more important that something is done to remediate the vulnerabilities). This blog entry provides guidance for some basic security issues which are important to monitor on Internet-facing servers, such as:

  1. Maintaining Patches - It is important to keep up-to-date with patches in general, and on systems that are exposed to the Internet, fixing both local and remote vulnerabilities is particularly important. For example, a web server may contain a vulnerability which allows an attacker to gain a shell with the privileges of the running user (e.g., www-data). If local vulnerabilities are present, the web server vulnerability can quickly lead to the attacker gaining root-level privileges. With this level of access, attackers have a much better chance to cover their tracks and hide their presence within the system. Therefore, ensuring all available security patches are installed on your systems is important.
  2. Easily Exploitable Web Application Vulnerabilities - If you've ever monitored the logs of an Internet-facing web server, you know attacks against applications are frequent. Application testing involves many different processes and techniques, but you don't want to give attackers any low-hanging fruit. It is important to test your applications before they are put in production, but also to continue monitoring for vulnerabilities in production. Several automated tools in use by attackers exploit flaws, such as SQL injection, on a regular basis. Once the application is on your production system, it is important to regularly assess it to stay ahead of the curve and remediate the vulnerabilities before attackers get to them.
  3. Exposed Services - Internet-facing servers ideally offer a limited number of services, since they do not need to support the wide range of services that an internal development server would offer. This makes it easier to scan and identify vulnerabilities and to detect any new services which may crop up. Firewalls are often deployed to provide an extra layer of protection for systems exposed to the Internet and to ensure that only required services are permitted. Scanning these hosts on a regular basis will quickly identify any new services that are running, or mistakes made in firewall configuration which may unintentionally expose an internal service or server.
