Tenable Network Security Podcast - Episode 26
March 17, 2010<p>Welcome to the Tenable Network Security Podcast - Episode 26</p> <h3>Announcements</h3> <ul> <li>Two new blog posts have been released titled "<a href="http://blog.tenablesecurity.com/2010/03/value-of-credentialed-scanning.html">The Value Of Credentialed Vulnerability Scanning</a> and <a href="http://blog.tenablesecurity.com/2010/03/microsoft-patch-tuesday---march-2010---it-wont-happen-to-me-edition.html">Microsoft Patch Tuesday - March 2010 - "It Won't Happen To Me" Edition</a>. </li> <li>You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "<a href="https://discussions.nessus.org/community/social">Tenable Social Media</a>" thread. I would love to hear your feedback, questions, comments and suggestions! <a href="https://discussions.nessus.org/thread/2018">I put up a call for ideas on new Nessus videos</a>, so please give us your feedback!</li> <li><a href="http://www.nessus.org/about/index.php?view=careers">We're hiring</a>! - Visit the web site for more information about open positions, there are currently 7 open positions listed! </li> <li>You can subscribe to the <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=329735657">Tenable Network Security Podcast on iTunes!</a></li> <li>Tenable Tweets - You can find us on Twitter at <a href="http://twitter.com/tenablesecurity">http://twitter.com/tenablesecurity</a> where we make various announcements, Nessus plugin statistics and more!</li> </ul> <p>Interview - Ron Gula - CCDC Recap</p> <div style="text-align:center;"><img src="http://tenable.typepad.com/.a/6a00d8345495f669e20120a9427862970b-pi" alt="2010_CCDC.png" border="0" width="260" height="86" /></div> <p>Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.<br /> </p>
Tenable Network Security Podcast - Episode 23
February 15, 2010Welcome to the Tenable Network Security Podcast - Episode 23 <h3>Announcements</h3> <ul> <li>Two new blog posts have been released titled "<a href="http://blog.tenablesecurity.com/2010/02/microsoft-patch-tuesday---february-2009---from-microsoft-with-love-edition.html">Microsoft Patch Tuesday - February 2010 - "From Microsoft with Love" Edition</a>" and <a href="http://blog.tenablesecurity.com/2010/02/shmoocon-2010-security-conference.html">Shmoocon 2010 Security Conference</a>.</li> <li>A webinar is scheduled for February 25, 2010 titled, "<a href="http://blog.tenablesecurity.com/2010/01/finding-and-stopping-advanced-persistent-threats-webinar.html">Finding and Stopping Advanced Persistent Threats</a>" where Tenable CEO Ron Gula and Tenable CSO Marcus Ranum will discuss strategies for preventing, finding and eliminating advanced persistent threats in enterprise networks. </li> <li>You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "<a href="https://discussions.nessus.org/community/social">Tenable Social Media</a>" thread. I would love to hear your feedback, questions, comments, and suggestions! <a href="https://discussions.nessus.org/thread/2018">I put up a call for ideas on new Nessus videos</a>, so please give us your feedback!</li> <li><a href="http://www.nessus.org/about/index.php?view=careers">We're hiring</a>! - Visit the web site for more information about open positions, there are currently 12 open positions listed! </li> <li>You can subscribe to the <a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=329735657">Tenable Network Security Podcast on iTunes!</a></li> <li>Tenable Tweets - You can find us on Twitter at <a href="http://twitter.com/tenablesecurity">http://twitter.com/tenablesecurity</a> where we make various announcements, Nessus plugin statistics, and more!</li> </ul>
Afterbites with Marcus Ranum: Gartner & Two-Factor Authentication
December 17, 2009<p>Afterbites is a blog segment in which Marcus Ranum provides more in-depth coverage and analysis of the SANS NewsBites newsletter. This week Marcus will be commenting on the following article:</p> <p><strong>Gartner Report Says Two-Factor Authentication Isn't Enough</strong><br /> (December 14, 2009)</p> <blockquote><cite>A report from Gartner says that two-factor authentication is not providing adequate security against fraud and online attacks. Specifically, Trojan-based, man-in-the-middle browser attacks manage to bypass strong two-factor authentication. The problem resides in authentication methods that rely on browser communications. The report predicts that while bank accounts have been the primary target of such attacks, they are likely to spread "to other sectors and applications that contain sensitive valuable information and data." Gartner analyst Avivah Litan recommends "server-based fraud detection and out-of-band transaction verification" to help mitigate the problem.</cite></blockquote> <p><strong>References:</strong> <a href="http://www.eweek.com/c/a/Security/2Factor-Authentication-Falling-Short-for-Security-Gartner-Says-303095/">2-Factor Authentication Falling Short for Security, Gartner Says</a> & <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222001977">Strong Authentication Not Strong Enough</a> </p> <p>I found this article interesting because it typifies, for me, the end result of the "whack-a-mole" approach to computer security. Certain technologies are sold as "security enablers" but customers don't seem to understand (and/or aren't informed) of the reality: security is a top-to-bottom problem that doesn't have any single place where you can add a widget that'll magically make you safe.<br /> </p>
Tenable Network Security Podcast - Episode 7
October 13, 2009<p>Welcome to the Tenable Network Security Podcast - Episode 7</p> <h3>Announcements</h3> <ul><li>New blog post going up today on the experiences at Cyberdawn, a cyber exercise that puts hackers against defenders in a realistic environment.</li> <li>Attention Security Center customers! A new version of Security Center, 3.4.5, has been released and is available for download in the customer support portal (Security Center customers can find the<a href="https://discussions.nessus.org/message/3615#3615"> release notes</a> the <a href="http://discussions.nessus.org">discussion portal</a>). It includes such improvements as web application scanning support.</li> <li>Paul Asadoorian was interviewed on <a href="http://feedproxy.google.com/~r/securabitsite/~3/vqaj5nGH63I/">Securabit Episode 40</a> and discusses all things Nessus and some of the features in our enterprise products such as Security Center and the Passive Vulnerability Scanner (PVS)</li> <li>Paul Asadoorian spoke at the <a href="http://www.louisvilleinfosec.com/">Louisville Infosec conference</a> on web application security on October 7, 2009</li> <li>As always be sure to check out our blog at <a href="http://blog.tenablesecurity.com">http://blog.tenablesecurity.com</a></li></ul> <h3>Interview: John Bos - <a href="http://www.cybrexllc.com/">Cybrex, LLC</a></h3> <table class="image" align="center"> <tr><td><div style="text-align:center;"><img src="http://tenable.typepad.com/.a/6a00d8345495f669e20120a5e061d8970b-pi" alt="John_Bos.png" border="0" width="320" height="240" /></div></td></tr> <caption align="bottom"><strong>John Bos joins us to talk about his 10 years of experience with the Defcon CTF and his team "sk3wl0fr00t".</strong></caption> </table>
Logs of Our Fathers
September 22, 2009<p>At USENIX in Anaheim, back in 2005, George Dyson treated us to a fantastic keynote speech about the early history of computing. You can catch a videotaped reprise of it <a href="http://www.ted.com/talks/lang/eng/george_dyson_at_the_birth_of_the_computer.html" target="_blank">here, on the TED site</a>. I highly recommend it - there's lots of interesting and quirky stuff. I managed to talk him into giving me a copy of his powerpoint file, and subsequently tracked him down and am re-posting this material with his permission.</p> <h3>November, 1951 </h3> <p style="TEXT-ALIGN: center"><a href="http://www.ranum.com/security/computer_security/papers/ur-syslogs/first_syslog.jpg" target="_blank"><img border="0" height="375" src="http://www.ranum.com/security/computer_security/papers/ur-syslogs/t/first_syslog.jpg" width="500" /></a> <br /><strong>Machine Log #1</strong></p>
Event Analysis Training – “Could you look at some odd IRC Connections?”
July 29, 2009<p>At one of the research sites that we monitor, an analyst noted that a few servers were consistently making a large number of IRC connections. These connections occurred in a periodic manner and appeared to be automated. This blog entry describes the various steps taken in analyzing the connections and historical data. We used Tenable’s log analysis, network monitoring and passive profiling solutions to perform this analysis, but the principals could be applied to various SIMs, NBADs and analytical tools.</p><p> </p>
Auditing PHP Settings to OWASP Recommendations with Nessus
March 16, 2009<p>Tenable recently released an audit policy for Linux servers running PHP which tests for hardening recommendations from the Open Web Application Security Project (<a href="http://www.owasp.org/index.php/Main_Page">OWASP</a>). OWASP maintains a set of guidelines for hardening web servers, with specific attention given to <a href="http://www.owasp.org/index.php/Configuration#PHP_Configuration">PHP</a> and Cold Fusion technologies.</p><p> </p>
ShmooCon 2009 - Playing Poker for Charity
February 12, 2009Tenable sponsored a booth at this year's ShmooCon and ran a Texas Hold'em table to help raise money for the Hackers for Charity organization. We raised close to $400 from conference attendees ...
DOJOSEC - Compliance Presentation
January 5, 2009The next DOJOSEC is this week. I've been invited to speak about the latest compliance trends in PCI and FDCC. Also presenting will be Shaf Ramsey of TechGaurd Security and Dale Beauchamp of the Transp...
Marcus Ranum PaulDotCom Interview on Penetration Testing
December 14, 2008Tenable's CSO, Marcus Ranum, was recently interviewed on the PaulDotCom Security Weekly podcast. They discussed a wide range of topics regarding penetration testing, secure coding, Marcus's "6 Dumbest...
PCI Executive Roundtables in New York and Atlanta
November 4, 2008Tenable Network Security has partnered with IANS to sponsor two executive level PCI discussions in New York City and Atlanta. Both events are this week, and we have limited seating available for corpo...
Nessus turns 10 !
April 4, 2008Ten years ago today, I announced the initial public release of Nessus on the bugtraq mailing list. The initial version would run only on Linux and was bundled with 50 plugins (vulnerability checks) wr...
