Tenable Product Usage

Exploitable Since 2002: New Nessus 5 Filters

by Ron Gula
February 21, 2012

With Nessus 5, the results from a single vulnerability scan can be filtered to show which hosts have ancient vulnerabilities, which hosts aren’t being managed, and also which hosts have been exploitable for long periods of time. This blog entry discusses the new Nessus 5 filters, how they can be used to track high-risk vulnerabilities, and how enterprise users of Tenable SecurityCenter can leverage these filters for dashboards and asset-based reporting.

Real-time Enterprise Exploitability Trending

by Ron Gula
February 13, 2012

Penetration tests are typically a point-in-time exercise to determine if a remote adversary or malicious insider can compromise systems that contain sensitive data. Most organizations do not conduct penetration tests on a daily basis. Instead they schedule them annually, quarterly, or in some cases monthly. Penetration tests procured on a consulting engagement are often limited to key systems and assets rather than the entire network of systems. This diminishes the value of the penetration test as the results quickly become outdated and may not be relevant to new systems or recent network changes. However, by correlating the availability of exploits with a continuous monitoring program to identify vulnerabilities, an organization can have a better idea of how “exploitable” they are on a real-time basis.

Scanning for pcAnywhere

by Ron Gula
January 30, 2012

Note -- this blog was updated on Feb 2, 2012 to highlight detection of the Symantec advisory SYM12-002 as well as new additional Nessus local checks to audit pcAnywhere installations.

With the recent news from Symantec that their source code theft has left pcAnywhere open to attack, it makes sense to audit your network for instances of this desktop sharing software. 

Nessus has many checks that identify the presence of pcAnywhere, the type of network access supported by it, and some vulnerabilties in the application. A current list is shown below for reference:

  • 10006   Symantec pcAnywhere Status Service Detection (UDP)
  • 10794   Symantec pcAnywhere Detection (TCP)               
  • 10798   Symantec pcAnywhere Service Unrestricted Access       
  • 20743   Symantec pcAnywhere Launch with Windows Caller Properties Local Privilege Escalation
  • 32133   Symantec pcAnywhere Access Server Detection Service
  • 35976   Symantec pcAnywhere CHF File Pathname Format String Denial of Service
  • 57795   Symantec pcAnywhere Installed (local check)
  • 57796   Symantec pcAnywhere Multiple Vulnerabilitities (SYM12-002)

SecurityCenter Dashboards on the Discussion Forums

by Kelly Todd
November 18, 2011

One of the primary ways SecurityCenter allows you to visualize the overall security and compliance posture of your network is through the use of dashboards. The SecurityCenter section of Tenable’s Discussion Forums now provides index lists for all of the available Tenable-produced SecurityCenter dashboards grouped by category.

Is that System Managed?

by Ron Gula
November 2, 2011

IT auditors, penetration testers, and incident responders often ask if a system they are analyzing is managed. A managed system is one that is being looked after, updated and maintained by an IT staff of some sort. An unmanaged system is one that is on the network, but perhaps has been forgotten, isn’t authorized or has some other reason for it not to be there or updated by anyone else.

Security findings for managed systems and unmanaged systems are reported differently. For an unmanaged system, the recommendation is to make the system managed and bring it into a secured state. For security issues with managed systems, the recommendation is to alter the current management processes to make them more secure.

Unfortunately, there is no “under management” test that can easily be automated. This blog entry will describe some of the different types of data that can be gathered from logs, Nessus scanning and Passive Vulnerability Scanner sniffing that can help identify systems with and without management.

4 out of 5 CISOs Don't Scan for Off-Port Web Servers

by Ron Gula
June 27, 2011

An off-port web server is one that doesn't run on the common ports of 80 or 443. Management consoles, development systems, devices that speak HTTP for their protocol and many other systems can run on any port, typically 8080 or 8443.

Firewall and Boundary Auditing Best Practices

by Ron Gula
June 22, 2011

Recently, I had the chance to work with several larger Tenable enterprise customers who were charged with figuring out what the perimeter of their network really looked like.

I showed them how multiple Nessus scanners and Passive Vulnerability Scanners deployed throughout their infrastructure could be leveraged to provide near real-time visibility into every boundary or enclave.

SecurityCenter 4.2 and Community Dashboard Site Released

by Ron Gula
May 30, 2011

Tenable Network Security is proud to announce the immediate availability of SecurityCenter 4.2. SecurityCenter is used to centralize and report on system and event data such as vulnerabilities, logs, NetFlow, configurations and more. 

Plugin Spotlights: New Nessus OS Identification Plugins

by Paul Asadoorian
April 29, 2011

The Tenable research team recently published a few new plugins that contribute to how Nessus performs OS identification. When scanning devices and systems I am always amazed at how many different services will hint at, or even flat out reveal, the operating system and version.

OS Identification : HNAP

HNAP is the Home Network Administration Protocol developed by Cisco Systems. It is designed to allow remote support personnel to manage devices on users networks using a SOAP-based protocol. An unfortunate side-effect is the information being leaked across the network that can be accessed without authentication. A new plugin was developed to collect this information and use it to determine the remote operating system:

Leveraging Wake-On-LAN Support to Audit Powered-Off Hosts with Nessus

by Ron Gula
March 14, 2011

Have you ever been charged to perform a security audit for a set of hosts that has been turned off? If those hosts have been configured to be “woken up” with a “Wake-on-LAN” packet, you can now leverage this capability with your enterprise Nessus scans. This blog entry describes how organizations that leverage Nessus or SecurityCenter to scan their infrastructure can audit systems that have been powered off.