Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Network Security Podcast Episode 143 - "SSL Monitoring, Good Security Habits"

Welcome to the Tenable Network Security Podcast Episode 143

Announcements

New & Notable Plugins

Nessus

Passive Vulnerability Scanner

Compliance Checks

Nessus ProfessionalFeed and SecurityCenter customers can download compliance checks from the Tenable Support Portal.

Stories

  1. Five Habits of Companies That Catch Insiders - I guess this is all we need to do to be "secure": "The most effective companies identified their important data, established strong ties with employees, spearheaded cross-disciplinary security efforts, and enforced policy with technology, states the report, released today." Sounds easy, right?
  2. Apple banishes Java from Mac browsers - I just had to laugh when I read this: "Java for OS X 2012-006 delivers improved security, reliability, and compatibility by updating Java SE 6 to 1.6.0_37. This update uninstalls the Apple-provided Java applet plug-in from all web browsers."
  3. Android apps get SSL wrong, expose personal data - This comes as no surprise as developers rush to get apps out the door and how low the barrier to entry is with Android apps: "Examples given by the researchers including apps that are instructed to trust all certificates presented to them (21 of 100 apps selected for a MITM test); 20 of the MITM-tested apps were configured to accept certificates regardless of its associated hostname (for example, an app connecting to PayPal would accept a certificate from another domain). Other issues included SSL stripping and “lazy” SSL implementations." I wonder how well Apple iOS apps would do?
  4. 5 to-dos to maintain reputation after cyberattack | ZDNet - Tips include making sure you beat the media to the punch and be in control of the messages the public receives. Not always an easy thing to do as releasing information can be damaging to your reputation. Also, tailor your messages to different audiences, don't delay your apologies, be open and honest, and help your customers deal with the repercussions. Coincidentally, this is all good relationship advice, especially if you've done something "bad."
  5. Lack of skilled security pros challenges CISOs to fill specialties - A dwindling talent pool is to blame for so few skilled IT security professionals, with the top 3 positions being: Cyber security analyst, Cyber security engineer, and Software engineer. Although I don't agree with this statement: "This talent market nearly causes you to not consider opening a new position when you may ordinarily need to. Instead you find other ways to get it done,” I believe security will fail if you "just try to get it done." In fact, that's true with many things in IT, you have to do it right or it will have a tendency to fail.
  6. Pass the Hash w/o Metasploit - Part 2 - Blog - Room362.com - Really neat article on how to use the Metasploit libraries to eventually create a portable binary that will help you accomplish tasks, such as passing the hash on Windows. This makes small, useful, and somewhat evil utilities easy to port around on systems, but also runs the risk of getting caught by anti-virus signatures. However, there are several tricks to evading, and it typically only takes a few tries to bypass AV. The real kicker is that few are checking the AV logs to see how many times people are trying.