Uncovering SSL Anomalies In Your Network Using SecurityCenter
October 23, 2012<h3>Looking in More than One Place</h3> <p>Nessus, PVS, and LCE offer several methods for auditing SSL protocol usage on your network(s). SSL is commonly used to secure websites, but it also protects email, file sharing, and many other services. This post lists some generic SSL capabilities found in all Tenable products and shows how you can combine them to generate useful reports and dashboards.</p> <p>On the vulnerability identification side, Nessus uncovers many issues with SSL certificates, such as outdated certificates, unsigned certificates, and much more (see the screenshot below for more examples). SSL implementations shipped with appliances often use unsigned certificates and rely on the administrator to install a valid certificate of their own. Without a properly signed certificate, man-in-the-middle attacks become considerably easier. If you run an e-commerce site, improper SSL implementations will also make you non-compliant with the PCI DSS standard.</p> <p style="text-align:center;"><img style="display:block; margin-left:auto; margin-right:auto;" src="http://blog.tenable.com/.a/6a00d8345495f669e2017d3cccb40b970c-pi" alt="A sample of Nessus SSL plugins" border="0" width="540" height="284" /></p><p style="text-align:center; font-weight:Bold; margin: 8px 70px;">A sample of Nessus plugins associated with identifying problems with SSL certificates.</p>
Tenable Network Security Podcast Episode 139 - "IE Vulnerabilities, SecurityCenter Sneak Preview"
September 20, 2012<h3>Announcements</h3> <ul> <li><a href="http://www.tenable.com/careers/">We're hiring</a>! - Visit the Tenable website for more information about open positions.</li> <li>Check out <a href="http://www.youtube.com/tenablesecurity">our video channel on YouTube</a> which contains new Nessus and SecurityCenter 4 tutorials.</li> <li>Tenable Tweets - You can find us on Twitter at <a href="http://twitter.com/tenablesecurity">http://twitter.com/tenablesecurity</a> where we make product and company announcements, provide Nessus plugin statistics, and more!</li> <li>Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join <a href="https://discussions.nessus.org">Tenable's Discussion Forum</a> for custom scripts, announcements, and more!</li> <li>You can subscribe to the <a href="http://itunes.apple.com/us/podcast/tenable-network-security-podcast/id361250581">Tenable Network Security Podcast on iTunes</a>!</li></ul> <h3>New & Notable Plugins</h3>
Tenable Releases SecurityCenter Continuous View
August 9, 2012<p>Today, Tenable <a href="http://www.tenable.com/news-events/press-releases/2012-tenable-network-security-unveils-securitycenter-continuous-view" target="_self" title="Tenable Network Security Unveils SecurityCenter Continuous View">announced</a> the availability of a new edition of SecurityCenter, called Continuous View.</p> <p>This edition of SecurityCenter encompasses both scanning and monitoring through the inclusion of Tenable's Passive Vulnerability Scanner (PVS). That makes SecurityCenter Continuous View uniquely capable of addressing vulnerability, configuration, and compliance management requirements for emerging technologies like mobile devices, cloud-based services, social applications, and virtual systems.</p> <p>The flexible licensing approach provided by SecurityCenter Continuous View allows enterprise customers to deploy PVS in much the same way as they deploy Nessus within SecurityCenter: as many instances as needed.</p> <p>Existing SecurityCenter customers can upgrade to a Continuous View license and begin to enjoy the benefits of continuous monitoring with PVS. These include:</p> <ul> <li>Real-time identification of server and client vulnerabilities</li> <li>Identification of mobile devices and their vulnerabilities</li> <li>Passive discovery of all internal and external web servers and databases</li> <li>Identification of trust and communication paths</li> <li>Passive monitoring of virtual environments</li> </ul>
Monitoring Internet-facing Servers with SecurityCenter & Nessus
May 4, 2012<h3>Covering All Your Bases</h3> <p>Internet-facing servers are a popular attack target: they are accessible to everyone on the Internet and can easily be probed for vulnerabilities. Based on exposure alone, Internet-facing servers present a higher risk of becoming compromised. This risk needs to be mitigated when organizations must provide access to services such as web, mail, and VPN connectivity. It is therefore important that these servers are regularly assessed for potential vulnerabilities (and more important still that something is done to remediate them). This blog entry provides guidance on some basic security issues that are important to monitor on Internet-facing servers, such as:</p> <ol><li><strong>Maintaining Patches</strong> - It is important to keep up-to-date with patches in general, and for systems exposed to the Internet, fixing both local and remote vulnerabilities is particularly important. For example, a web server may contain a vulnerability which allows an attacker to gain a shell with the privileges of the running user (e.g., www-data). If local vulnerabilities are present, the web server vulnerability can quickly lead to the attacker gaining root-level privileges. With this level of access, attackers have a much better chance to cover their tracks and hide their presence within the system. Therefore, ensuring all available security patches are installed on your systems is important.</li> <li><strong>Easily Exploitable Web Application Vulnerabilities</strong> - If you've ever monitored the logs of an Internet-facing web server, you know attacks against applications are frequent. Application testing involves many different processes and techniques, but you don't want to give attackers any low-hanging fruit. It is important to test your applications before they are put in production, and also to continue monitoring for vulnerabilities in production. Several automated tools in use by attackers exploit flaws such as SQL injection on a regular basis. Once the application is on your production system, it is important to regularly assess it to stay ahead of the curve and remediate the vulnerabilities before attackers get to them.</li> <li><strong>Exposed Services</strong> - Internet-facing servers ideally offer a limited number of services, since they do not need to support the wide range of services that an internal development server would offer. This makes it easier to scan and identify vulnerabilities and to detect any new services which may crop up. Firewalls are often deployed to provide an extra layer of protection for systems exposed to the Internet and to ensure that only required services are permitted. Scanning these hosts on a regular basis will quickly identify any new services that are running, or mistakes in firewall configuration which may unintentionally expose an internal service or server.</li></ol>
Tenable Network Security Podcast Episode 120 - "Nessus, Perimeter Service, & SecurityCenter Updates"
April 17, 2012<h3>Announcements</h3> <ul><li><a href="http://blog.tenablesecurity.com/2012/04/nessus-501-released.html">Nessus 5.0.1 Released</a> - This update includes support for FreeBSD 9 and gives you more flexibility when specifying port ranges and types (UDP or TCP) for the port scanner. Several bug fixes are included as well, including fixes for Windows installation issues.</li> <li><a href="http://blog.tenablesecurity.com/2012/04/securitycenter-44-released.html">SecurityCenter 4.4 Released</a>: <ul> <li>Improved performance, with a new XML-RPC-based interface that speeds cross-system connections and adds fault-tolerance and improved reliability.</li> <li>Easy report template and information sharing. New reports, designed by Tenable experts, can be downloaded from the new Tenable SecurityCenter Enterprise Reporting blog, imported into SecurityCenter, and used immediately, customized, or exported to share with others.</li> <li>Easy access to over 100 pre-defined Quick Reports, including SANS Consensus Audit Guidelines, Center for Internet Security Audits, FISMA compliance indicators, HIPAA compliance checks, OWASP, PCI, and other IT and patch audit reports.</li> <li>New data visualization displays that use charts and color-coding to indicate the number and severity of vulnerabilities based on IP addresses, host names, and asset groups.</li> <li>Integration with Tenable’s cloud-based Nessus Perimeter Service.</li> <li>Improved integration with GRC, SIEM, IDS, firewall analysis, and other systems that support Nessus reporting. SecurityCenter now exports scan data in the Nessus v2 format.</li> <li>Scan hosts by specifying the DNS host name or URL for web application assessments.</li> <li>Authentication: support for the use of digital certificates with SecurityCenter, and support for smartcard authentication (including the U.S. Department of Defense’s Common Access Card (CAC)).</li></ul></li> <li><a href="http://blog.tenablesecurity.com/2012/04/nessus-perimeter-service-with-new-tenable-pci-scanning-service-available.html">New Version of Nessus Perimeter Service Released</a> - As Tenable is an Approved Scanning Vendor (ASV), you can use the Perimeter Service to perform PCI scans using an approved PCI policy and submit the scan results to Tenable for PCI ASV validation. The Perimeter Service allows you to scan as many systems as you like, as often as you like, and to submit two scans for validation per quarter at no extra cost.</li> <li>Check out <a href="http://www.youtube.com/tenablesecurity">our video channel on YouTube</a>, which contains the latest Nessus and SecurityCenter 4 tutorials. New videos are always in the works, and updated Nessus and Perimeter Service videos will be available soon.</li> <li><a href="http://www.tenable.com/careers/">We're hiring</a>! - Visit the Tenable website for more information about open positions.</li> <li>You can subscribe to the <a href="http://itunes.apple.com/us/podcast/tenable-network-security-podcast/id361250581">Tenable Network Security Podcast on iTunes</a>!</li> <li>Tenable Tweets - You can find us on Twitter at <a href="http://twitter.com/tenablesecurity">http://twitter.com/tenablesecurity</a>, where we make product and company announcements, provide Nessus plugin statistics, and more!</li> <li>Want to ask questions about Nessus, SecurityCenter, LCE, and PVS and get answers from the experts at Tenable? Join <a href="https://discussions.nessus.org">Tenable's Discussion Forum</a> for custom scripts, announcements, and more!</li></ul>
SecurityCenter 4.4 Released
April 17, 2012<h2>SecurityCenter 4.4 Expands USM Capabilities</h2> <p>SecurityCenter version 4.4 is available today from Tenable Network Security. Customers can download the updated release from the Tenable Support Portal. You can view a video tutorial of the new features on the Tenable YouTube channel, or watch it below:</p> <div style="text-align:center;"><iframe width="560" height="315" src="http://www.youtube.com/embed/90isrdaGGSU?rel=0" frameborder="0" allowfullscreen></iframe></div> <p>SecurityCenter is the central component of Tenable’s USM platform. It provides robust enterprise security monitoring by uniquely combining active and passive vulnerability assessments with log and event monitoring to create intelligent and actionable reports. SecurityCenter users also benefit from real-time and flexible dashboards for both security monitoring and maintaining compliance.</p> <p>SecurityCenter version 4.4 includes dramatic performance gains, improved integration with other management systems, reporting and user interface enhancements, and many other new features. A detailed list is available on the Tenable website. Some of the highlights include:</p>
SecurityCenter Dashboards on the Discussion Forums
November 18, 2011Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page. One of the primary ways SecurityCenter allows yo...
SecurityCenter 4.2 and Community Dashboard Site Released
May 30, 2011<p><img alt="FWR_SC" border="0" src="http://blog.tenable.com/.a/6a00d8345495f669e201538ed394cc970b-800wi" title="FWR_SC" /><br />Tenable Network Security is proud to announce the immediate availability of SecurityCenter 4.2. SecurityCenter is used to centralize and report on system and event data such as vulnerabilities, logs, NetFlow, configurations and more.</p>
The Nessus Port Scanning Engine: An Inside Look
March 2, 2011<h3>Port Scanning Never Dies</h3> <p>While information security threats constantly evolve, from client-side attacks to web application vulnerabilities, there is one activity that is always effective: port scanning. Determining whether a port is open or closed is a critical step in the discovery process associated with successfully attacking systems. For example, if port 80 or 443 is not open, it is likely there will not be a public web site associated with that system. Of course, this leads into service identification, which detects web servers listening on non-standard ports. However, you must be able to test whether a port is open in the first place before you can determine which service may be running. Therefore, port scanning maintains its position as a necessary practice, even when considering client-side attacks that can <a href="http://ha.ckers.org/blog/20060802/javascript-port-scanners/">turn remote client systems into port scanners using JavaScript</a>.</p> <p>Given the importance of port scanning, I want to cover some of the features and functions of the various port scanners included in the Nessus vulnerability scanner. The Nessus port scanner system has three network-based port scanners:</p> <ul><li><strong>TCP Scanner</strong> - The TCP scanner sends a sequence of packets to initiate a full TCP connection to the target hosts, completing the TCP three-way handshake each time. The TCP port scanner balances speed and accuracy, using logic to tune itself as the scan progresses. The TCP scanner does not operate on Windows and Mac OS due to operating system limitations, so Nessus initiates the SYN scanner on these systems instead. However, when Nessus is installed on Linux it implements a full-connect scanner in user space (i.e., without requiring root-level privileges). Early versions of the scanner consisted of a couple of pages of C source code. Over time it has grown in features and complexity to handle many different situations and types of networks. The TCP scanner dynamically estimates the RTT (Round Trip Time) and makes multiple passes on unresponsive ports to determine if there was a problem during the initial attempt. The TCP scanner will also read banners for some services and place this information, along with the open ports, in the Nessus knowledge base, where the service identification routine and plugins can find the list of open ports for each host.
Tenable All-Star Showcase - Atlanta - February 22
February 7, 2011 Tenable Network Security will be hosting a half-day security and compliance seminar in Atlanta featuring Marcus Ranum, Ron Gula and Renaud Deraison. This is your chance to interact with Tenable ...
Putting a Virus under the SIEM Microscope Webinar
January 13, 2011 When a virus infected one of my Nessus scan targets, I did what any sensible CEO of a SIEM company would do - let it run and see what types of logs and alerts it generated! Over the 30...
SSL Certificate Authority Auditing with Nessus
December 28, 2010<p>Do you know where all of your organization’s SSL certificates are and whether they are providing enough protection to you and your customers? Nessus can be used to identify all SSL certificates in use, test whether they are expired and, with the advent of plugin #<a href="http://www.tenable.com/plugins/index.php?view=single&id=51192">51192</a>, test that they have been securely signed by a valid certificate authority. This blog entry will review Nessus’s SSL certificate auditing ability and describe how plugin #51192 can help monitor your network for untrustworthy SSL certificates.</p>