Tenable Network Security Podcast - Episode 24

Welcome to the Tenable Network Security Podcast - Episode 24

Announcements

• Two new blog posts have been released titled "Not Just for Health Care Providers Any More - HITECH for Business Partners" and Nessus Plugin Spotlight: Linksys Router Detection.
• Come see us at RSA - Booth #956! I, Ron Gula, Renaud Deraison and many others from Tenable will be there demonstrating SecurityCenter 4.0 along with Nessus 4.2, the latest Passive Vulnerability Scanner and the Log Correlation Engine.
• A webinar is scheduled for February 25, 2010 titled, "Finding and Stopping Advanced Persistent Threats" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula

Ron Gula comes on the show to talk about Security Center 4 and give some examples on how you can use the new features to manage security, vulnerabilities and alerts in your environment.

Stories

• Top five idealistic security recommendations - This article highlights some of that major downfalls in most organization's security strategies. The short of it is we expect users not to open attachments, not to surf to "bad" web sites, never use "social networking" web sites, use good passwords for everything and apply all software patches as soon as the are released. These are unreasonable expectations for sure. The nature of computing in most organizations needs to change or computers will continually be compromised by attackers. Many people have been writing and talking about revoking rights of computer users in the workplace, and this seems like the only sane notion to secure the desktop. While users will self-regulate to a point, they need more help to keep their computer from attackers because there is too much at stake. There once was a time when attackers did not have as much to gain, and you could get away with the idealistic security recommendations. Now, attackers are making big business out of Internet crime, and its time that we adapt our security policies to reflect the times.
• Beware Of The Chuck Norris Worm! - Details are light on how the infections are happening, but there is a work spreading that infects user's routers rather than the PCs. This is very timely as it will be included in my upcoming presentation at SOURCE Boston. I chose the topic for my talk well before this story broke. This further underscores my point that attacking embedded systems can yield far better results than attacking a PC and accomplish the same goals. The "Chuck Norris" worm spreads by installing itself on wireless routers that are exposed to the Internet and using default passwords. It also has been reported to exploit a vulnerability in D-Link routers, most likely the HNAP vulnerability that was posted not too long ago. I will have the full details of my thoughts, research and suggestions for improvement in the area of embedded systems security at my talk. For now, I will leave you with on of my favorite Chuck Norris quotes: "When the boogeyman goes to sleep, he checks his closet for Chuck Norris"
• Spike In Power Grid Attacks Likely In Next 12 Months - Sure its a snazzy title, but how likely are attacks and what protections are being put in place? Scarce on details, this article does have a quote that reads, "Some companies say there's never been a successful attack against the grid...". My question is, if the attack was truly successful, how would you know if there was such an attack? To me, a successful attack occurs without being detected. There are, of course, ways to attack the grid that would draw attention, such as denial of service. However, the new "Smart Grid" has a model where you can "sell back" your unused power to the utility company. So, if you are conserving energy you will get a credit on your bill. What if I trick the system into thinking my power consumption is less, when in reality I am running electric heaters and a server farm in my basement? I also found this quote very interesting, "The [traditional] power grid today is extremely vulnerable. I could turn off the lights in a major metropolitan area, and they would not come back on for a very long time. You don't need a computer -- just something you could buy at your local hardware store," he says. "Putting a smart meter on everyone's home doesn't make the grid more vulnerable. It just opens up another window that requires a higher level of sophistication [to breach]." I think one thing missing from this statement is geographic location. Sure, I could go to the hardware store and rig some stuff up in my house to disrupt power on the grid. However, with smart meters connected to the network the world is now able to access the hardware, opening up your potential attackers from thousands, to millions of people.
• Bypassing Anti-Virus
- There are many ways for attackers to bypass anti-virus software. The method documented here takes a payload and embeds it into an already trusted executable, which makes it extremely difficult to detect. You should not rely on anti-virus software as a main line of defense. In order to detect malware, you need to analyze behavior, on the system and the network, in order to detect it. For example, your chances of detecting malware using rootkit technologies on the system are pretty slim. However, if new accounts are created and/or accessed, systems are talking to the Internet on strange ports, or other activities are noticed in the logs, you have a much better chance.