Tenable Network Security Podcast - Episode 26

Welcome to the Tenable Network Security Podcast - Episode 26

Announcements

• Two new blog posts have been released titled "The Value Of Credentialed Vulnerability Scanning and Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview - Ron Gula - CCDC Recap

Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.

Stories

• Six Steps To "Cloud" Security - Nothing New - A researcher published a paper in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing". In it she outlines six security considerations for cloud computing, which to me represent nothing really new. The first, resource sharing on "cloud" providers could lead to your data being accessed. This is similar to VLANs on switches, which are essentially software, which means you need to carefully design your network to be certain your most critical assets are not on the same switch as something less critical. This is a risk decision, and should be constantly evaluated, whether you are using a "cloud" provider or designing VLANs on a switch. Second, she points out that since data is held off-site, ownership may have become compromised. This is another issue which I have dealt with when I worked for an ISP/hosting provider. Physically being separate from your data means that you need to make yet even more risk-based decisions. If the data you are hosting off-site is public anyway, then there is little need for concern. However, if the data is sensitive or confidential, you may want to take extra pre-cautions to safeguard it at remote sites (encryption, physical security, etc...). How is this different than using a remote storage facility for your backup tapes? There are more, and my advice is to look at the "cloud" security information and relate it to similar security and risk decisions in your organization and I believe you will find that you are well equipped to handle securing your organization, whether its cloudy or sunny.
• Security Policy Gone Wrong - This story centers around the following quote from a client: "Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company." I like coming up with creative solutions, but this one just doesn't stick!
• Network Analysis Of A Logitech Mouse Server - While this may not sound particularly concerning, the protocol that allows you to control the keyboard and mouse of a system running this software does not authenticate the commands. This means a packet crafting tool, such as scapy, can be used to send keystrokes to the device. Most users find this type of technology convenient, but fail to realize the security risks. In your environment you have to control the installation of this type of software.

(Note: Please ignore the opening when I incorrectly refer to this as episode 25, whoops!)