SecurityCenter 4.4 Released

by Paul Asadoorian
April 17, 2012

SecurityCenter 4.4 Expands USM Capabilities

SecurityCenter version 4.4 is available today from Tenable Network Security. Customers can download the updated release from the Tenable Support Portal. You can view a video tutorial of the new features on the Tenable YouTube channel, or watch it below:

SecurityCenter is the central component of Tenable’s USM platform. It provides robust enterprise security monitoring by uniquely combining active and passive vulnerability assessments with log and event monitoring to create intelligent and actionable reports. SecurityCenter users also benefit from real-time and flexible dashboards for both security monitoring and maintaining compliance.

SecurityCenter version 4.4 includes dramatic performance gains, improved integration with other management systems, reporting and user interface enhancements, and many other new features. A detailed list is available on the Tenable website. Some of the highlights include:

Nessus Perimeter Service with New Tenable PCI Scanning Service Available

by Paul Asadoorian
April 17, 2012

Tenable is pleased to announce availability of the Nessus Perimeter Service including the Tenable PCI Scanning Service. Customers can scan an unlimited number of Internet-facing IP addresses, as often as they like, and submit PCI scan results up to twice per calendar quarter for Tenable PCI Approved Scanning Vendor (ASV) validation, all for $3,600 a year.

The Nessus Perimeter Service offers:

  • One flat fee - Scan an unlimited number of Internet-facing IPs, as often as you like
  • Web application vulnerability detection
  • Up to two quarterly PCI scan submissions for Tenable PCI ASV validation
  • Anytime, anywhere access via web browser and Tenable Nessus App for iPhone, Android, and iPod touch
  • World-class expertise with the most-trusted knowledge base in the industry and access to Tenable’s PCI-certified professionals

To learn more about Nessus Perimeter Service and the Tenable PCI Scanning Service you can view the video titled "Nessus Perimeter Service Usage: PCI ASV Validation and SecurityCenter Integration":

New PCI-DSS Scan Policy

Vulnerabilities, Exploits, and Good Dental Hygiene

by Paul Asadoorian
April 12, 2012

Vulnerability Management

Constantly assessing the security of your own systems is an important task in maintaining a secure network. I relate regular security assessments to personal hygiene, such as brushing your teeth every day (and even more "in-depth" maintenance such as flossing and using mouthwash). All of these actions are an effort to prevent "bad things" from happening. Often, the "bad thing" hasn't happened yet, and you are trying to get ahead of the curve to protect yourself from cavities, gum disease, or worst-case, all of your teeth falling out. Vulnerability management plays the same role in your organization. By regularly assessing your systems, finding problems, and fixing them, you hope to get ahead of the curve and prevent bad things from happening, such as data leakage, breaches, and compromises of your systems by “evil bad guys”.


All of us can hear our parents' voices in our heads, because when we were growing up we were all told to "brush your teeth before you go to bed".

As I stated above, finding the vulnerabilities is just the first step. You must have a process in place to fix the vulnerabilities that you've identified. After that, your processes need to check to be certain that a vulnerability was remediated. Your plan for network health has to track vulnerability remediation, and empower those responsible to be in the loop and fix the problems before something "bad" happens (if only it were as easy as brushing, flossing, and using mouthwash). Tenable has a suite of tools to help you both find as many vulnerabilities as possible and implement a process for continued remediation. Below are some examples:

Microsoft Patch Management Integration with Nessus - Part 1 WSUS

by Paul Asadoorian
December 16, 2011

This is the first post in a two-part series that will cover how to configure Nessus and/or SecurityCenter to integrate with Microsoft's patch management software.

WSUS Patch Management Integration

Windows Server Update Services (WSUS) is available from Microsoft to manage the distribution of updates and hotfixes for Microsoft products. WSUS 3.0 SP2 supports management of patches for the products listed here, as well as Windows 7 and Windows Server 2003 SP2 patches. If you are not familiar with WSUS, it is freely available to Microsoft customers as part of your Windows Server licensing agreement. A great article that covers all aspects of planning, deployment, and configuration is Windows Server Update Services Learning Roadmap Community Edition.

Nessus and SecurityCenter have the ability to query WSUS to verify whether or not patches are installed on systems managed by WSUS and to display the patch information through Nessus or SecurityCenter. When performing scans with the WSUS patch management plugins enabled and configured, please note the following:

  • Credentials entered into the policy take priority - If you've entered credentials into the scan policy and they are valid for a target system, Nessus will log in and perform credentialed scanning without querying the WSUS server data.
  • WSUS is queried when credentials fail - If credentials are not valid for a target system, or no credentials are entered into the policy at all, the WSUS server will be queried to obtain patch information for those targets. This also applies to other policy settings that may cause a credentialed scan to fail, such as the remote registry or administrative shares settings.
  • The WSUS plugin communicates only with the WSUS server - The WSUS plugin makes a connection to the WSUS server IP/hostname and port specified in the policy configuration (see below in the "Patch Management WSUS Preferences"). This is an important point, as the Nessus server(s) will require access to your WSUS server, which could mean making firewall rule changes to allow the connections. However, this is a significant advantage, as your target systems do not need to communicate with the Nessus server directly, which means host firewalls and remote registry settings will not get in the way of a patch audit.
  • Patch information is only as up-to-date as your WSUS server - The data returned to Nessus by WSUS is only as current as the most recent data that the WSUS server has obtained from its managed hosts.

Patch Management Integration with Nessus Released

by Paul Asadoorian
December 6, 2011

Today, Tenable Network Security announced integration between Nessus and a variety of patch management systems that will simplify scanning in cases where credentialed scans are difficult or impossible. The integration allows Nessus and SecurityCenter users to establish direct links to patch management systems. This simplifies patch audits as the systems in your environment do not all have to contain credentials in order to be scanned.

SecurityCenter Dashboards on the Discussion Forums

by Kelly Todd
November 18, 2011

One of the primary ways SecurityCenter allows you to visualize the overall security and compliance posture of your network is through the use of dashboards. The SecurityCenter section of Tenable’s Discussion Forums now provides index lists for all of the available Tenable-produced SecurityCenter dashboards grouped by category.

The Unpatchables

by Jack Daniel
October 26, 2011

In a perfect world, there would be no vulnerabilities. In a perfect patching world there would be a patch for every vulnerability and we would always be able to patch all of our systems as soon as a patch was available. In the real world we do the best we can and struggle with testing cycles, incompatibilities, and legacy applications, which means sometimes we have to leave insecure and unpatched systems in production.

There are a variety of situations that can cause exposure:

  • Some patches break needed applications or cause compatibility problems
  • Patches may not yet be available for a vulnerability, but the systems must stay online and exposed
  • Legacy applications or operating systems may still be required (for example, Internet Explorer 6 may be required to access a legacy web application, probably running on a legacy web server)
  • A maintenance window may not be immediately available when patches are released
  • Systems in development environments may be vulnerable during development and testing phases

Dealing with "Untouchable" Systems

by Paul Asadoorian
October 25, 2011

"The Untouchables"

An untouchable system is one on which you cannot install software (such as agents) or apply security fixes regularly. I have come up with several examples of such systems, drawn from my own experiences, to define why they may fall into the "untouchable" category:

  • Select SCADA systems - This is a broad category, but it boils down to computers that are used in control systems networks. While many may be considered to be "air-gapped" (physically disconnected from any other types of systems), that may not actually be the case, since connectivity is required to manage the devices (especially those deployed in the field). I was once approached to perform a vulnerability assessment against one such system. I was told that network access would be provided, but that the system in question was responsible for providing power to thousands of people. This is a scary endeavor, as not only could you put thousands of people in the dark, but you could potentially damage infrastructure if the power is turned on and off too quickly. This situation requires a different approach than a traditional network vulnerability assessment or penetration test.
  • Traveling Laptops - It can be difficult to control the software and patches on systems that rarely connect to the corporate network. The concern is what happens when a laptop that has been connected to airport, hotel and other potentially hostile networks comes back to home base and plugs into your network. It may already be infected, and may not be up-to-date with patches. You can try to force users to connect back to your network via a VPN, but not all users may do this on a regular basis. During the user’s travel, the system is "untouchable".
  • Network Devices – Let’s face it, no matter how redundant your network is, you just can't blast out a firmware update to your network gear at will. This leaves a good percentage of network systems that are "untouchable" for certain time periods. Routers have a bit more flexibility, but the physical switches that your systems are connected to cannot be taken down at will, or users will lose connectivity, as flashing the device with new firmware requires that the system become unavailable for a short time period (or a longer one, depending on the device and software).

#8 Nessus Performs Web Application Scanning - Top Ten Things You Didn't Know About Nessus

by Paul Asadoorian
October 11, 2011

Next up on our Nessus top ten list is #8, which covers how to use Nessus to find web application vulnerabilities. I've broken out the process into four different methods supported by Nessus:

1. Test For Known Vulnerabilities

Nessus contains over 2,600 plugins that can fingerprint and detect known vulnerabilities in web applications. Any plugin listed in the "CGI Abuses" or "CGI Abuses: XSS" plugin families is written to enumerate vulnerabilities that have been publicly reported in a web application product, whether open source or commercial. To enable these plugins you must enable CGI scanning in a Nessus policy's "Preferences" section. Even if you enable the plugin families they will not execute unless CGI scanning is enabled.

Below is an example of one such plugin's output:


#9 Nessus Detects Misconfiguration - Top Ten Things You Didn't Know About Nessus

by Paul Asadoorian
September 21, 2011

The Nessus Top Ten List

This is the second post in a series of ten that will cover “The Top Ten Things You Didn’t Know About Nessus”. The first, starting with number 10 in David Letterman top-ten-list fashion, is titled “There's More Than One Way To...” and covers the benefits of both credentialed and uncredentialed vulnerability scanning. Each item on the list will have a blog post and video associated with it. And now, on to number 9: “Nessus Detects Misconfiguration”.

Misconfiguration Leads To Compromise

Nessus helps you answer the question “Do my systems have uniform configuration settings?” Why is this important? Systems are increasingly complex, and maintaining control of your configurations leads to systems that run more smoothly and are more resilient to attack. A recent case study that supports this concept was presented in a blog post titled "What do you mean privilege escalation is not HIGH RISK?".