Tenable Blog

Tenable is again returning to the SOURCE Boston conference, held at the Seaport Hotel from April 21-23. This year Tenable will be delivering three presentations: Tenable CEO Ron Gula will be presenting a talk titled “How to Detect Penetration Testers” on Wednesday from 10:00am to 10:50 am; Carole Fennelly and Kelly Todd will be participating in the Vulnerability Management panel on Thursday from 10:00 to 10:50; and Paul Asadoorian will be presenting a talk titled “Embedded System Hacking and My Plot to Take Over the World” from 2:00 to 2:50 on Thursday. This blog provides a brief overview of these presentations.

Ron Gula’s talk, “How to Detect Penetration Testers” describes methods of detecting authorized penetration testers from a variety of technical and political aspects. Very often audit organizations feel the need to run a “surprise” audit on one of their divisions. This is intended to see how the target organization reacts to an unannounced penetration attempt, but very often results in disrupted production services and a lot of political finger pointing. This presentation provides tips and insights to make better use of firewall logs, netflow data and systems logs both to protect from situations that will embarrass the security program as well as protect resources from the real intruders.

This blog entry describes a basic worm detection that triggers multiple types of correlation rules. All detections were done passively using the Passive Vulnerability Scanner (PVS) and by observing network session traffic using the Log Correlation Engine (LCE). The principals in this blog entry and others in our ‘Event Analysis Training’ blog series can be used with a variety of NBAD, IDS and SIM solutions.

It’s A Bird, It’s a DoS, It’s Remote Code Execution!

I've always cautioned people about the danger of disregarding vulnerabilities that are labeled as "Denial of Service" (Such as MS10-014 from February) for a couple of reasons. First, when a bug exists in the code that allows something to "crash", there is usually a potential that the "crash" could somehow allow for code execution (remember that a buffer overflow is just a controlled crash). Second, when code is being analyzed so that the bug can be fixed, the surrounding code is often analyzed to be certain there are no other bugs or vulnerabilities. This analysis could lead to the disclosure of other vulnerabilities or a new way to turn a DoS into remote code execution. This appears to be the case with MS10-20, which was first publicly disclosed as a DoS bug in the SMB client. Microsoft is now reporting it as a vulnerability that "could” allow remote code execution. Upon further inspection, the security bulletin reports five vulnerabilities related to the SMB client that are patched in MS10-20. The first is the original DoS bug reported by Laurent Gaffie to the Full Disclosure mailing list on November 11, 2009. The general consensus was to dismiss this bug because it was "just a DoS".

Misconfiguration can Lead to Compromise

As a former full-time systems administrator, I understand the pain of managing and maintaining systems. A significant amount of testing is often required to ensure that you have the correct configuration settings, not just in terms of security, but also for system stability. Once you have the correct configuration it is difficult to maintain consistency across the environment on an ongoing basis (especially across hundreds, or even thousands, of disparate systems). This problem crosses all platforms and Unix/Linux and Windows administrators alike share the same challenges. Some examples include:

• Authentication/Logon services implementing the appropriate policies
• Ensuring all services are logging properly
• Permissions on existing users and running processes
• Various configuration settings associated with installed services (and typically specific to the service)

Tenable Network Security is currently seeking talented individuals to fill several roles within the company. Tenable Network Security is a privately held company founded in 2002 by security product innovators Ron Gula, Renaud Deraison and Jack Huffard. Together with Tenable CSO Marcus Ranum, they have developed a Unified Security Monitoring approach based on the award-winning Nessus scanner engine leveraged with several other enterprise vulnerability and log management products such as SecurityCenter, the Log Correlation Engine (LCE) and the Passive Vulnerability Scanner (PVS). In 2009, Tenable was named one of Deloitte’s 500 fastest growing technology companies. This blog provides a brief description of four technical positions that are open here at Tenable:

Vulnerability Research Engineer

This position is ideal for those who like to research and test software vulnerabilities. The results of your research will present themselves as Nessus and PVS plugins, which are small scripts that are able to detect vulnerabilities. In this role, you will accurately test for vulnerabilities by manually configuring vulnerable targets in a virtual environment, analyzing the system or application to reliably understand how the vulnerability is exploited and then developing a method to test for the vulnerability with credentialed or uncredentialed access. We are looking for people with strong programming skills (knowledge of a scripting language, regular expressions, functions and source code analysis), familiarity with system configurations in operating systems, applications or network devices and in-depth knowledge of TCP/IP protocols, Linux/Unix internals and Windows internals.