Tenable Blog

A customer recently asked us to provide a count of patches issued in 2009 for various Unix and Linux-based operating systems. To honor their request, we turned to OSVDB, the Open Source Vulnerability Database. OSVDB covers over 60,000 vulnerabilities, spans over 26,000 products and has a powerful search engine that can produce search results based on disclosure date(s), vendor and/or product, CVSSv2 scores, references, vulnerability classifications and more. When generating any statistic regarding vulnerabilities, it is important to qualify the statistics and understand they are only as good as the data set that generated them. While OSVDB does not have a complete data set, it is the only Vulnerability Database (VDB) that provides powerful and flexible search capabilities.

Welcome to the Tenable Network Security Podcast - Episode 19

Announcements

• A new blog post has been released titled "Microsoft Patch Tuesday - January 2010 - "Aged Cheese" Edition" and covers the latest patches released from Microsoft, in addition to some useful plugins to detect deprecated operating systems. Marcus Ranum also published an article titled, "Afterbytes with Marcus Ranum - Using A Dedicated PC For Online Banking".
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Jake Kouns

Jake Kouns is the co-founder and President of the Open Security Foundation which oversees the operations of the Open Source Vulnerability Database (OSVDB) and the Dataloss DB project.. Kouns' primary focus is to provide management oversight and define the strategic direction the project.

ABA Recommends Using Dedicated PC for Online Banking

Date: January 1 & 4, 2010

Synopsis: The American Bankers' Association (ABA) issued guidance to small and mid-sized businesses regarding how to protect themselves from the growing problem of unauthorized Automated Clearing House (ACH) transactions. Of special note is the recommendation that businesses use a dedicated PC that is never used for email or web browsing to conduct online banking transactions.

Sources: Online banking warning surprises some experts, Businesses warned about online banking

This particular bit of news seems to have gotten disproportionate attention. On one hand, people see it as "ABA tells home users to use a dedicated PC!" and on the other it's business as usual.

But, it's not business as usual - what ABA is doing is recommending a specific response to a deeper problem. The problem is not "online banking" or anything like it; what we're seeing here is an implicit statement that endpoint trust is finally beginning to matter, as cybercriminals are increasingly attacking the shoddy operating systems that everyone seems to use for general purposes.

Airport "Security"

Those of us who travel through any U.S. airport are used to the inconvenience of airport security - the long lines, metal detectors, having to take off your shoes, belts, earrings, and of course the ominous "liquids and gels" inspection. While most people accept these inconveniences as an unfortunate necessity, much of what has been implemented shares some of the common pitfalls found in many computer and network security programs. Using the U.S. airport security model as an example, let’s take a look at some of the security being implemented and relate it to security gone wrong in the enterprise:

The dreaded long lines at airport security are a by-product of the current security model at U.S. airports.

I recently attended the San Francisco IANS Security Forum, where Hart Rossman and I facilitated several of the roundtable sessions. I thought I'd summarize a few of the "take-aways" and useful comments from each.