Tenable Network Security Podcast - Episode 31

Welcome to the Tenable Network Security Podcast - Episode 31

Hosts: Paul Asadoorian, Product Evangelist & Kelly Todd, Compliance Analyst

Announcements

• Several new blog posts have been published this week, including:
  • Microsoft Patch Tuesday Roundup - April 2010 - Superman Edition
  • Nessus Version 4.2.2 Released
  • Event Analysis Training – Passive Worm Detection
  • Afterbytes: The "Cyberwar Battlefield"
  • Tenable at SOURCE Boston
  • PVS 3.2 Released – Enhanced vulnerability discovery, real-time forensics and file share and database activity monitoring
  • Vulnerability Metrics Webinar - April 28, 2:00 PM EST
• New Nessus training is now being offered at conferences! - The new course titled "Advanced Vulnerability Scanning Techniques Using Nessus" is now being offered at both Black Hat Las Vegas 2010 and BruCon 2010. It's a two-day course that will put students into a real-world environment where they will have to solve problems and identify vulnerabilities using the advanced features of the Nessus vulnerability scanner.
  
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. We would love to hear your feedback, questions, comments and suggestions! We put up a call for ideas on new Nessus videos, so please give us your feedback!


• We're hiring! - Visit the web site for more information about open positions. There are currently 6 open positions listed!


• You can subscribe to the NEW Tenable Network Security Podcast on iTunes! You can also subscribe to the new podcast RSS feed directly.


• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!

Interview: Ron Gula, CEO of Tenable Network Security

Ron comes on the show to give us an update on several new Tenable software releases:

Ron also presented at SOURCE Boston last week and provides a brief overview of his talk.

Stories

• Can switching to Linux protect your online identity? - The answer is of course, "No". The article makes a good point that the operating system plays a smaller role than the browser in terms of protecting your identity online. As more services move to the "cloud", the OS becomes even less important, and I couldn't agree more. The most secure operating system (in my opinion) is the one that you are most comfortable maintaining, updating, using, and performing forensics against. For me, this happens to be Apple's Mac OS X. It is probably not the most secure, but I am comfortable using and maintaining it, which makes it the safest choice for me as I can gain insight into the system to identify any security problems (to the best of my ability). If Linux is the best choice for you I applaud your efforts; for me, I spend too much time maintaining my OS which takes away from more productive work, like producing podcasts!
• Stagger Your Anti-Virus Updates - Given the recent McAfee blunder, it's a good time to review your processes that surround anti-virus updates. I've always preached that you should keep your anti-virus signatures and software up-to-date. However, this is not an easy task. Virus definition and software updates can cause problems, so it's best to first deploy updates to test systems before releasing them into production. The next test group should be the IT department because if something does go wrong they are the best equipped to handle the problems. Not to say it should be the entire IT department, but a group at a time could be selected to weed out potential issues. Then you can begin to apply the updates to groups within your organization, and maybe even wait 12 hours before starting the process to be certain there are no problems reported by other organizations. The big question I have is, why didn't McAfee test this update before it went out the door?
• Stuffing JavaScript into DNS - This is a neat little attack vector as it has the potential for executing script code in some interesting places. Management consoles and log management systems could be vulnerable, as is any web-based tool that displays results from a DNS query. For example, some firewalls will allow the user to review the logs and translate IP to names, and if the name is a Javascript inject, then code will execute on the firewall administrator's browser. This reminds me of a flaw in the DD-WRT web interface that had a similar problem when displaying neighboring SSIDs.
• A Wake Up Call For Embedded Systems - Have you ever wondered why your wireless routers, printers, and network cameras come with default passwords and weak management protocols? Isn't it time for a change? Care to share your experiences with insecure embedded systems to help move towards change? This is a new project that will aim to highlight common vulnerabilities and implementation flaws that have plagued embedded systems for year. The site provides users with a platform to write about embedded systems insecurity.
• 9-year old boy accused of hacking Blackboard - If your web applications, especially those that run student grades and online courses, can be hacked by a 9-year old you've got some serious problems. While you can't manually test every web application in your environment, you can target the important ones. Of course, you'll need vendor support for the problems that you find, but the first step is to identify the issues.