Tenable Blog

Nessus 5.0.2 has been released and is available at http://www.nessus.org/download/. This update is largely a bugfix release, however a new build for Solaris 10 is now available. 

DerbyCon 2.0 - The Reunion

While I'll do my best not to get "all sentimental," it seems you just can't help it when you're writing about the DerbyCon security conference. DerbyCon takes place each September in Louisville, KY, and has grown to house over 1500 hackers and security professionals in a relaxed and fun environment. There was plenty to do, including visit the lock pick village, be transformed into a zombie by a professional make-up artist, attend a wide array of talks, and much more.

The conference truly feels like you're getting together with your friends and family. Throughout the entire conference, even through the wee hours of the morning, folks were gathered in the hallways and lobbies talking about security, educating each other, and sharing ideas. The presentations received excellent reviews, and ran the gamut from big-name speakers, such as Jeff Moss and Kevin Mitnick, to lesser-known folks sharing some cutting-edge research.

If you want to read more about DerbyCon, you can visit their web page and view videos of all the talks on Irongeek's website.

Tenable Network Security announced today it has established a strategic partnership and technology development agreement with In-Q-Tel. In-Q-Tel is the not-for-profit, strategic investment firm that works to identify, adapt, and deliver innovative technology solutions to support the missions of the U.S. Intelligence Community. Under the terms of the agreement, Tenable will develop secure audit and remediation capabilities that will assist intelligence agencies in continuously outpacing emerging cyber threats.

Passwords are Like Underwear, and It's Laundry Day

Perhaps one of the most easily overlooked security problems in the industry is password security. I'm not referring to the stored end-user password problems (discussed here), but the default (or weak) usernames and password combinations used to protect common administrative interfaces to applications and systems.

The problem stares us in the face every day, each time we log into a router, database management system, or remote access console and enter a password. Often we put a lot of time and effort into securing the end user-facing passwords, such as implementing account lockout password policies and forcing them to change their passwords at a regular interval. I find it ironic that the applications and devices used to run the organization often do not implement the same controls. Hundreds of applications and/or devices are known to be deployed with default passwords, and if not changed before or immediately after they are plugged into the network, can present serious risk to the organization.

Default credentials are considered "low-hanging fruit" for two reasons. First, they are easily exploitable by an attacker and can often lead to a serious security breach. Second, once you've identified the problem, it is easy to fix by setting a more secure password.

I am extremely pleased to announce that Tenable has received its first institutional round of funding: a $50 million investment from Accel Partners. The investment will help us continue to develop and improve our solutions and improve our customers’s experience.

Tenable celebrates its 10^th anniversary this month. During that time, we’ve made Nessus the number one trusted vulnerability scanner in the world with more than 1 million users across 150 countries. We did this though a combination working closely with our community and continually adding improvements to make our users’s lives easier and through our own innovation to push Nessus to do even more than vulnerability assessments. Today, Nessus not only detects vulnerabilities, it finds malware, botnets, credit cards, configurations that will get you hacked or fined and most recently, issues with your iPhone and Android devices.

Tenable’s SecurityCenter, our enterprise platform for Nessus, has also become the preferred enterprise security solution for nearly 1,000 enterprise customers including the entire U.S. Department of Defense. We have changed the vulnerability management paradigm through our unique combination of scalable network vulnerability monitoring, vulnerability scanning and log management. It has helped our customers break down traditional security silos, have a unified view of their security posture and respond quicker to incidents and audits than was previously thought possible.