
Tenable Network Security Podcast - Episode 22

Welcome to the Tenable Network Security Podcast - Episode 22

Announcements


Interview: Ron Gula - Security Center Version 4

Tenable CEO Ron Gula and I discuss the features of Security Center 4 in more detail, including dashboards, alerting, and reporting.

Stories

  • ShmooCon: P2P Snoopers Know What's In Your Wallet - While many associate P2P networks with the trafficking of illegally downloaded copyrighted material, such as movies and music, researchers have uncovered that other valuable information is also being shared. Most likely unbeknownst to the user, sensitive information such as tax documents, personal cell phone numbers, and information about an informant who wanted to help U.S. forces in Iraq has been shared. Special tools are being used to search through files being shared on common P2P networks. Having used some of these tools myself to test out this process, I can say that this is a scary thing. Depending on how well the search engines are indexing data, this could be used in a targeted attack. I would suggest making sure this software is not in use in your environment, and use credentialed checks to look for sensitive information in places where it should not be. However, an employee that uses this software from home could expose sensitive information even though you have put defensive measures in place on the corporate network. This is where user education becomes key to protecting your company's information.
  • Microsoft Scheduled To Fix 26 Vulnerabilities - Patches will include fixes for a local privilege escalation exploit that uses a 17-year-old vulnerability in the Virtual DOS Machine. Patches for a new vulnerability discovered in Internet Explorer will not be released (but workarounds are available), and a DoS vulnerability in Windows 7 and Windows Server 2008 will also remain unpatched.
  • Verizon MiFi - Authentication & Security Matter - The Verizon MiFi is a small, compact device that provides your devices with a WiFi connection, then routes your connection over the Verizon cellular Internet. As a convenience, this device is pretty neat, as you can have multiple devices (for example, a cell phone and a laptop) communicating over the WiFi and accessing the Internet. However, the web interface suffers from a problem where certain CGI scripts bypass authentication. This means an attacker on the wireless network can send requests, without any authentication, and re-configure the router. You may be wondering just how secure the wireless networking is on the MiFi. Going from "bad" to "worse", Josh Wright has an article posted showcasing how the default WPA passwords can be guessed, and how the process can be accelerated using a CUDA device (a password brute-force method that uses the computing power found on graphics cards).
  • Who Should Infosec Report To? - I've been in this position many times, working as a security professional and being moved around within IT, outside of IT, etc. One point I would like to make is that if you are to separate operational security from just plain security, you need the appropriate level of staff. By level, I mean number of employees and skill level. For example, the networking team needs someone who can manage firewalls, intrusion detection systems, log analysis systems, etc. The systems administrators need someone who can also review logs, implement desktop defenses, and apply patches. There need to be security-minded people in the IT department, people with security in their title, and people who, and this is a big one, are held accountable for security breaches. I'm not saying fire people, but security should be part of their jobs. This leaves the security department to focus on strategy, vulnerability scanning and management, penetration testing, policy, procedures, and incident response. So, I do agree with the points Dave Shackleford makes in this article, but certain things need to be in place in order to have this separation. Otherwise, you've got security in one corner saying, "We need security!", and IT saying, "We don't have time for that security stuff".

Download Tenable Podcast Episode 22