
Tenable Blog


Tenable Network Security Podcast - Episode 21

Welcome to the Tenable Network Security Podcast - Episode 21

Announcements


Interview: Ron Gula - Security Center Version 4

Tenable CEO Ron Gula and I discuss the features of Security Center and some of the recent enhancements being made in the new version 4.0.

Stories

  • Holy RFI Batman! - Rsnake has published a list of web applications that are allowing an RFI attack to occur. This attack vector allows the bad guys to potentially run code on the remote server and on clients visiting the site. These attacks can also lead to Local File Inclusion, allowing attackers to read files on the remote host. I've also found a list of remote file inclusion vulnerabilities that were harvested from the OSVDB. This is a pretty common attack vector, frequently used by attackers to drop malicious JavaScript code into web sites.
  • Google Willing to Pay For Bugs In Chrome - Google has announced that they will pay up to $1,337 for bugs that are found in the Chrome browser and $500 for lesser severity bugs. You can look at this two ways. First, my inclination is to state that Google is a large enough company that they should be implementing secure coding practices and have a team dedicated to the security of Chrome. It is likely they have this; however, on the flip side, giving incentive to millions of people to find bugs is something Google could not do on their own. So, they offer a reward for bugs to harness the power of the Internet community to make their software better. The problem is twofold: if you are a "whitehat" hacker you can make more money selling it to other organizations, or stand up to a moral code and provide Google the details without asking for anything in return. Regardless of where you stand on that issue, Google's bounty for vulnerabilities is not in tune with reality. The other factor is that if a "blackhat" hacker were to find a bug, they may decide to keep it for themselves and use it to compromise systems and make money through a botnet or pop-up ads. They may also decide to sell it on the black market to other "blackhats".
  • Network Security Fundamentals - Default Deny - Ah yes, the wonders of firewall administration and "default deny". I remember it vividly during my time (an extended period of time, mind you) as a firewall administrator. Many subnets within the organization were implementing the reverse of "default deny", "default accept", and blocking only the exceptions. This was a bad place to be because going to a "default deny" in this situation would almost certainly break things and lead to cranky users. It was a long process of analyzing traffic to see what needed to be allowed and adding rules. Was it worth it? Maybe; over time my opinion of firewalls is changing. I'm still in favor of using firewalls, but in many situations I believe more effort should be placed on system hardening. This includes using the principle of least privilege, applying software updates, turning off unnecessary services, and tuning the configuration to be "secure" (as in enabling the security features). Let's face it, the firewall only blocks a certain class of attacks, which is important, but let's not forget about security completely because we have a firewall. I like to extend "default deny" to other aspects of security, such as system hardening (why do we have so-called "default" passwords!) and host intrusion prevention client software (why do we allow DLL injections and embedded iFrames?).
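The RFI/LFI item above describes the bug class without showing the code pattern behind it. As an added example (not from the podcast or from Tenable), here is a page-include resolver in the vulnerable form next to a hardened one; the template directory, page allowlist and attacker URL are constructed for the demo.

```python
"""Vulnerable vs. hardened include-target resolution (added example).

The vulnerable function mirrors the classic include($_GET['page']) bug:
the client-supplied value becomes the include target, so a URL yields
remote file inclusion (RFI) and a traversal string yields local file
inclusion (LFI). The hardened version rejects anything URL-like, only
accepts allowlisted page names, and confirms the resolved path still
lives under the template directory. All paths/names are constructed."""
import os
from typing import Optional
from urllib.parse import urlsplit

TEMPLATE_DIR = "/var/www/app/pages"           # constructed example directory
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist


def vulnerable_include_target(page: str) -> str:
    # Vulnerable: whatever the client sends is used as the include target.
    #   "http://attacker.example/x.txt" -> fetched remotely and executed (RFI)
    #   "../../etc/passwd"              -> read from the local disk (LFI)
    if urlsplit(page).scheme:
        return page
    return os.path.join(TEMPLATE_DIR, page)


def safe_include_target(page: str) -> Optional[str]:
    """Return the template path for ``page``, or None to reject the request."""
    # 1. Never include from a URL: this closes the RFI vector outright.
    if urlsplit(page).scheme or page.startswith("//"):
        return None
    # 2. Only allowlisted names are valid pages; this alone stops traversal,
    #    and the path check below is defence in depth against later edits.
    if page not in ALLOWED_PAGES:
        return None
    # 3. Normalise and confirm the result is still under TEMPLATE_DIR.
    candidate = os.path.normpath(os.path.join(TEMPLATE_DIR, page + ".php"))
    if os.path.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        return None
    return candidate
```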
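The default-deny item describes the migration as a long process of analyzing traffic, deciding what must be allowed, and adding rules. As an added example (not from the podcast), this script sketches that process: it mines a constructed flow log for recurring flows, emits explicit allow rules followed by a deny-all, and reports which observed flows the new policy would drop so they can be reviewed before cut-over. The flow records, subnet convention and rule syntax are all constructed.

```python
"""Derive a default-deny ruleset from observed traffic (added example).

Flows seen at least MIN_HITS times become standing allow rules; anything
else falls through to the final deny. The review step lists the observed
flows that would be blocked, which is where the "cranky users" hide."""
from collections import Counter
from typing import List, Tuple

Flow = Tuple[str, str, int]  # (src_subnet, dst_host, dst_port)

# Constructed flow log, one "src_ip dst_ip dst_port" record per line.
FLOW_LOG = """\
10.1.0.15 10.2.0.5 443
10.1.0.22 10.2.0.5 443
10.1.0.15 10.2.0.5 443
10.1.0.40 10.2.0.9 53
10.1.0.40 10.2.0.9 53
10.1.0.77 10.2.0.9 23
"""
MIN_HITS = 2  # one-off flows are not promoted to standing rules


def subnet24(ip: str) -> str:
    """Collapse a host address to its /24 so rules are written per subnet."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def parse_flows(log: str) -> List[Flow]:
    flows = []
    for line in log.splitlines():
        src, dst, port = line.split()
        flows.append((subnet24(src), dst, int(port)))
    return flows


def build_default_deny(flows: List[Flow]) -> List[str]:
    """Ordered rules: explicit allows for recurring flows, then deny-all."""
    counts = Counter(flows)
    rules = [f"allow {src} -> {dst}:{port}"
             for (src, dst, port), n in sorted(counts.items()) if n >= MIN_HITS]
    rules.append("deny any -> any")
    return rules


def would_be_dropped(flows: List[Flow], rules: List[str]) -> List[Flow]:
    """Observed flows the new policy blocks; review these before cut-over."""
    allowed = {r for r in rules if r.startswith("allow")}
    return sorted({f for f in flows
                   if f"allow {f[0]} -> {f[1]}:{f[2]}" not in allowed})
```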
