Channel: Tenable Blog

Establishing Relevant Security Metrics, Part 5: Keeping Metrics Relevant


In this final installment of Marcus’ video blog series on security metrics, he discusses several ideas for presenting relevant metrics to your management. He explains what a good metrics chart should look like and why depicting change over time is the best strategy. But metrics are not just for illustrating history; metrics should be used to indicate and implement security improvements.

Marcus wraps up his video blog series with thoughts on how metrics contribute to leadership.

A well-presented metric should show change over time

Thank you for following this video blog series. For more information about metrics, visit our Security Metrics page.


Oh the Humanity! Top Three Root Causes of Compliance Violations

Drifting Out of Compliance, Part 4

This is the fourth and final installment in my “Drifting Out of Compliance” series, taking a closer look at organizational approaches indicative of a point-in-time compliance mentality and the challenges of shifting to a continuous compliance mentality. Although a security first, compliance second approach is best, many organizations still struggle to attain the baseline level of security outlined in compliance requirements.

So, are you sick of compliance already? You’re not alone. We’ve hated the concept of “complying” since the time we were kids. If our moms told us “No,” we did it anyway. Same when we were teens. I saw a great quote the other day:

If at first you don’t succeed, do what your mother told you to begin with. (unknown)

Now fast forward to adulthood. While driving, how many of us roll through stop signs? Or who sticks to the speed limit?

It’s useless to lecture a human. (Richard Riordan, The Lightning Thief)

And in the business world, it just doesn’t sit well with us when an outside entity tells our business what to do. “Okay, so we’ll do what we have to do, but then we’re going to get back to the business of running our business.” As one retailer stated after a data breach, “We sell hammers.” Sure, this is their core business model but shouldn’t they still take ownership of securing card data? Part of the process of selling hammers is accepting payments ... securely.

In an attempt to gain a better understanding of the root causes of compliance violations, I recently discovered that with NERC CIP violations, we humans are most often to blame, not technology. No surprise there. Although the list below outlines three separate and distinct root causes, humans are at the core of all three:

  • Human neglect
  • Lack of processes (ultimately comes down to human neglect)
  • Lack of documentation (ultimately comes down to human neglect)

Humanity in healthcare

According to Verizon’s 2015 Data Breach Investigations Report (DBIR), healthcare data security incidents are notoriously “human,” as evidenced by the following top three “incident patterns” shared in the report:

  • Miscellaneous errors – Examples within this category include sending sensitive data to the wrong recipients, publishing non-public data to public web servers, and insecure disposal of personal and medical data
  • Insider misuse – The top action for this category is privilege abuse, i.e., abusing the elevated access the insider has been trusted with
  • Physical theft/loss – This covers the loss or theft of sensitive data, most commonly from an employee’s work area or their vehicle

Humanity in the critical infrastructure industries

The North American Electric Reliability Corporation (NERC) calls out “human error” as an official risk factor in the 2016 ERO Enterprise Compliance Monitoring and Enforcement Plan. This follows from recorded NERC compliance violations where “human error or human performance failure” was the root cause in many cases. Examples include:

  • Ports and services enabled that were not required for normal operation
  • Failure to associate a security upgrade with associated cyber assets
  • Manual assessment of scan results using less sophisticated scanning software, which introduced a greater propensity for human error
  • No action taken in response to vulnerability identification
  • Focus on getting the system up and running, personnel failed to disable ports and services not required for normal operations
  • Incorrect assessment that the security patch was not applicable


Humanity in PCI DSS

The #1 hardest-to-sustain PCI DSS requirement is not using vendor supplied defaults for system passwords. Oftentimes, this is simply because it’s easier for those signing into such systems, or they simply don’t think about it.

According to SecurityMetrics.com in 2014, unencrypted card data was found in unsuspected places at 61% of the businesses researched. Given how difficult it can be to find cardholder data across the enterprise, it makes you wonder how many companies define their cardholder data environment based on where they think the card data should be, rather than taking the extra time to determine where it actually is.

Social engineering

Phishing, a form of social engineering which relies on the email recipient to click on a link or open an attachment, continues to rank the highest in terms of human vulnerabilities. In this case, our curiosity gets the better of us. The Verizon 2015 DBIR references a 2013 statistic:

In the 2013 DBIR, phishing was associated with over 95% of incidents attributed to state-sponsored actors, and for two years running, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.

Other forms of social engineering? At work, how many of us have allowed people to follow us onto a secure floor without knowing who they were or whether they should be granted access at all? In the vast majority of cases there’s no negative impact, yet in a healthcare context the same tailgating can expose improperly disposed medical records or let a stranger plug directly into the enterprise network. In critical infrastructure, such access opens the door to the sabotage of critical systems.

We’re all in this together

There’s no doubt that ultimately, we want to trust each other and we choose compassion over compliance every time. We want to trust the quality of our own work. We want to get more stuff done faster. We want to trust the person in the hallway who has forgotten a badge. We want to trust people who send us emails and that what they’re sending is worthy of our time and attention. So what can be done about “us?”

  • Training
  • Awareness of risks and consequences
  • Automation of manual tasks to reduce chances of error
  • Monitoring host activities on the network
  • Double-checking the security effectiveness of human-administered devices
  • Cross-checking human decisions


Although there’s no substitute for good old human know how and due diligence, automation can be helpful for double-checking our work and for helping to see things we couldn’t see otherwise, a second set of eyes so to speak. Not only can this help with decision reliability, but it can also help unearth hidden risks and introduce considerable efficiencies.

Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient. (NIST 800-137)

Adopting advanced continuous network monitoring technologies, such as Tenable’s SecurityCenter Continuous View™, will go a long way towards reducing the human risk factor. By automating compliance processes and conducting automated “audit checks,” Tenable solutions can close the door on risks such as rogue hosts, default user accounts and passwords, unencrypted sensitive data, vulnerability remediation lapses, and misconfigured security devices to name a few.

Thanks for tuning into this blog series and Happy Holidays everyone!

Which Industry is at the Head of the Cybersecurity Class?


I recently summarized Tenable’s inaugural Global Cybersecurity Assurance Report Card in the blog, Grading Cybersecurity Around the Globe, pointing out some of the more interesting aspects. Now let’s take a closer look at some of the industry verticals and take a deeper dive into how they ranked against each other. Remember, the report took the responses from over five hundred security professionals and asked them to grade their organizations’ ability to assess cyber security risks and to mitigate threats that can exploit those risks. For industry verticals the grades ranged from a somewhat acceptable B- to a barely passing grade of D.

The head of the class


It is really no surprise to see financial services and telecom sitting at the head of the class, both scoring an 81% overall or a B-. These industries have real money at risk and so it makes sense to see them with the highest scores. What is a little surprising is that they did not score an A. Financial services and telecom still have a lot of room for improvement. Both financial services and telecom received a D+ for assessing cloud applications; focusing on cloud security may offer the best possibility for overall improvement.

Middle of the road

In the middle of the pack are retail, manufacturing and healthcare in that order. With the recent high profile mega breaches hitting the retail sector, you would think that retail would score a bit higher. Healthcare has also not been immune to the mega breaches in recent history, and yet they only scored an overall 73% or a solid C. These three sectors all had problems with assessing mobile devices for risks; improvement in this area would really help their overall score.

Bottom of the heap


And at the back of the class is government and education. First, just a note to point out that government in this report doesn’t necessarily mean US federal government; this is a global report and therefore government could be from any country or even include state or local governments. That said, considering how much governments have been trying to keep bad guys out, it is surprising to see them with an unacceptable and disappointing D.

Education has been the target of online criminals for years, going after not just PII (personally identifiable information) but research intellectual property as well. However, it could be that education’s reliance on mobile devices and a highly transient student population may be a factor in the sector’s low grades, especially considering that education scored an F on detecting and assessing transient mobile devices.

Resources

I encourage you to download the 2016 Global Cybersecurity Assurance Report Card report and infographic to examine the data in more detail. Or you can watch an on-demand webinar about the report findings for the US and Canada, EMEA, or APAC.

Next year when we repeat this research, you will be able to start looking at trends within your own industry vertical, which will make for some very interesting reading.

The Best of 2015


During the past year, the Tenable Blog has been recognized as one of the top blogs for learning about computer security (Quora) and product information (Network Products Guide). And with such a busy year in cybersecurity breaches, legislation, and frameworks, the Tenable Blog continued to lead the way in thought leadership as our bloggers shared insights on major security news and solutions.

As 2015 draws to a close, we revisit 15 Tenable blogs that were most popular with our readers:

While content is most important, we also made many improvements to enhance your Tenable Blog experience, including:

  • Better search capabilities
  • Categorized articles to locate similar blogs
  • Artwork for visual appeal
  • More hyperlinks to relevant background material
  • Video blogs from our security experts
  • Over a dozen new authors with fresh perspectives

We hope you continue to find our blog useful, fun, and thought provoking!

Upgrading from Nessus to SecurityCenter: Dynamic Asset Lists Drive Action


Most of us involved with vulnerability management have probably used a Nessus® filter to display specific reporting results. For example, I have used a query to select all of the Windows servers in an environment, and then report on the high and critical severity vulnerabilities. Queries like this focus analysis and increase insight from reports. Report queries are useful for vulnerability management – so valuable that their usage raises two questions in my mind.

First, can we apply queries across the entire vulnerability management process, instead of just during reporting? For example, can we define a query to refine assessments of specific assets; perhaps select Red Hat web servers running in a DMZ and then configure a vulnerability scan and tailored configuration audit to assess those systems every day?

Second, can we use queries to define criteria for grouping assets that will be automatically applied to newly discovered assets? For example, when new web servers are deployed, will the vulnerability scan and configuration audit defined above automatically detect and assess the new systems?


SecurityCenter’s dynamic asset list feature applies across the vulnerability management process. Plus, it automatically adds newly discovered assets to all applicable asset lists. SecurityCenter™ can parse the results of Nessus, PVS™, or LCE® event data to build dynamic lists of assets, and a single asset can be a member of multiple asset lists. For example, a dynamic rule can be created to generate a list of IP addresses that have ports 25 and 80 open. These rules can be very sophisticated and take into account addressing, open ports, specific vulnerability IDs, and discovered vulnerability content.

Intuitive forms

Intuitive forms guide dynamic asset list creation

Dynamic asset lists also direct multiple SecurityCenter functions. They can be paired with user permissions to control SecurityCenter scanning, manage blackout windows, and inform workflow. As an example application: if SecurityCenter finds a critical, exploitable vulnerability on a Red Hat web server, it can notify the system administrator responsible for the asset list via email or a ticket.


And of course, dynamic asset lists inform reports, dashboards, and Assurance Report Cards (ARCs). The Critical and Exploitable Vulnerabilities report could easily be configured to run against the Red Hat web server asset list after each daily scan, and the results could automatically be emailed to the appropriate stakeholders. Dynamic asset lists can focus dashboards to display a complete security and compliance view for all the assets in the DMZ. This view could show vulnerability trends over time, vulnerability ages, configuration compliance and more.

Dashboards

Dashboards can focus on a specific asset list

SecurityCenter includes more than 200 dynamic asset list templates that you can use out of the box or you can tailor for your specific requirements. Additionally, you can easily create your own templates using a web-based wizard.


You can also create dynamic asset lists on the fly and apply them to existing SecurityCenter data. Consider this hypothetical example: it is Friday at 4:00 p.m. and you are looking forward to going away on a weekend skiing trip. However, a new vulnerability, Heartshock, has just been publicly announced that affects FTP services on Red Hat systems 6.4 and older. You can quickly create an asset list to identify any systems in your environment that might ruin your weekend plans. What’s really amazing is that this asset list doesn’t require a new scan! Rather, it will run against data already collected by SecurityCenter. You can have results in seconds, and if any vulnerable systems are identified, you can notify the appropriate system administrators in minutes. Weekend saved!
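The two paragraphs above describe the same mechanism from two angles: a dynamic asset list is a rule evaluated against data that has already been collected, so it can drive scheduled scans and reports (the Red Hat DMZ web servers) and can also be written on the fly (the “Heartshock” list) without a new scan. The following Python model, added here and not SecurityCenter’s code or rule syntax, shows how such rules compose and why a newly discovered host joins every list it matches. The `Asset` record, the combinators, the five host records, the plugin IDs 99901–99903 and the Heartshock criteria are all hypothetical and constructed for the example.

```python
"""Dynamic asset lists as predicates over already-collected scan data.

Added example, not SecurityCenter code: the Asset model, the rule
combinators, the host records, the plugin IDs (99901-99903) and the
"Heartshock" criteria are all hypothetical and constructed for
illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One host as recorded by earlier scans or passive monitoring."""
    ip: str
    os: str                  # e.g. "Red Hat Enterprise Linux"
    os_version: tuple        # (major, minor) as integers, not a string
    open_ports: frozenset    # TCP ports observed open
    plugin_ids: frozenset    # IDs of findings already recorded for the host


# A rule is any callable Asset -> bool. Leaf rules cover the criteria the
# text mentions: addressing, open ports, OS/version and recorded findings.
def ip_in_subnet(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda a: ipaddress.ip_address(a.ip) in net


def has_ports(*ports):
    return lambda a: set(ports) <= a.open_ports


def os_is(name):
    return lambda a: a.os == name


def os_version_at_most(major, minor):
    # Tuple comparison, so (6, 10) correctly sorts after (6, 4); comparing
    # "6.10" <= "6.4" as strings would silently get this wrong.
    return lambda a: a.os_version <= (major, minor)


def has_plugin(plugin_id):
    return lambda a: plugin_id in a.plugin_ids


# Combinators let rules nest arbitrarily deep.
def all_of(*rules):
    return lambda a: all(r(a) for r in rules)


def any_of(*rules):
    return lambda a: any(r(a) for r in rules)


def not_(rule):
    return lambda a: not rule(a)


def evaluate(rule, assets):
    """IPs matching a rule, in address order (not string order)."""
    return sorted((a.ip for a in assets if rule(a)), key=ipaddress.ip_address)


def build_asset_lists(rules_by_name, assets):
    """Re-derive every list from the current data: one asset may appear in
    several lists, and a newly discovered asset joins every list it matches
    without anyone editing the lists by hand."""
    return {name: evaluate(rule, assets) for name, rule in rules_by_name.items()}


RHEL = "Red Hat Enterprise Linux"

# Constructed scan results. Plugin IDs are hypothetical:
# 99901 = FTP server detected, 99902 = web server detected, 99903 = SMTP.
SCAN_DATA = [
    Asset("10.0.1.10", RHEL, (6, 3), frozenset({21, 22, 80}), frozenset({99901, 99902})),
    Asset("10.0.1.11", RHEL, (6, 5), frozenset({21, 22}), frozenset({99901})),
    Asset("10.0.1.12", RHEL, (7, 1), frozenset({22, 80, 443}), frozenset({99902})),
    Asset("10.0.2.20", "Windows Server 2012", (6, 2), frozenset({25, 80, 445}), frozenset({99903})),
    Asset("192.168.5.5", RHEL, (5, 11), frozenset({21}), frozenset({99901})),
]

ASSET_LISTS = {
    # Red Hat web servers in the DMZ subnet: the daily scan/audit target.
    "dmz_web_servers": all_of(ip_in_subnet("10.0.1.0/24"), os_is(RHEL), has_ports(80)),
    # Hosts with ports 25 and 80 open, the example given in the text.
    "mail_and_web": has_ports(25, 80),
    # Friday-afternoon list for the hypothetical "Heartshock" advisory:
    # Red Hat 6.4 or older exposing FTP, by open port or by a prior finding.
    "heartshock_exposure": all_of(
        os_is(RHEL),
        os_version_at_most(6, 4),
        any_of(has_ports(21), has_plugin(99901)),
    ),
}


def lists_containing(ip, lists):
    """Every list an asset belongs to (membership is not exclusive)."""
    return sorted(name for name, ips in lists.items() if ip in ips)


if __name__ == "__main__":
    lists = build_asset_lists(ASSET_LISTS, SCAN_DATA)
    for name, ips in lists.items():
        print(f"{name}: {ips}")
    # A host discovered later is picked up on the next evaluation.
    new_host = Asset("10.0.1.13", RHEL, (6, 4), frozenset({21, 22}), frozenset({99901}))
    print(build_asset_lists(ASSET_LISTS, SCAN_DATA + [new_host])["heartshock_exposure"])
```

Two details matter in practice. Versions are compared as integer tuples, because a string comparison of “6.10” against “6.4” would wrongly exclude newer point releases from an “older than” rule. And the Heartshock list checks both the observed port and the recorded finding, since a host scanned with FTP detection disabled may only carry one of the two signals.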

SecurityCenter’s dynamic asset lists let you slice and dice your assets as you need to automate much of your security and compliance program. To learn more about them, plan to attend our upcoming webcast on Four Ways You Can Make Vulnerability Management More Efficient and Effective.

2016 Predictions, Part 1: Cloud Security


Welcome to 2016! What’s in store for cybersecurity this year? Will there be more of the same breaches, will attackers find new vulnerabilities, or will new protective technology reduce the number of breaches? Over the next week, several Tenable experts will reveal their predictions in individual video blogs.

First up, listen to Ron Gula, Tenable’s CEO, as he looks ahead and shares his insights about cloud initiatives and security issues.

Looking back

See what our experts were thinking about in 2015. The Best of 2015 lists the top most popular blogs of the year.

2016 Predictions, Part 2: The #1 Attack Method


What’s in store for cybersecurity this year? Cris Thomas, Strategist at Tenable Network Security, also known as Space Rogue, knows that breaches and security attacks will continue in 2016. But what will make them different? Listen as he differentiates tomorrow’s attacks from yesterday’s.

Looking back

Read what our experts were thinking about in 2015. The Best of 2015 lists the top most popular blogs of the year.

2016 Predictions, Part 3: A Critical Shortage


On the threshold of 2016, our experts have been pondering the state of cybersecurity for the coming year. What can we expect from the industry? Matt McClellan, Product Manager for Nessus, sees a critical shortage in the information security community. What’s missing in 2016? Listen as Matt shares his perspective.

Looking back

See what our experts were thinking about in 2015. The Best of 2015 lists the top most popular blogs of the year.


2016 Predictions, Part 4: The Most Valuable Data


No doubt, 2016 will continue to see security attacks and data breaches. But what will be different? Diane Garey, Tenable's Product Marketing Manager for Nessus, sees a major shift in the type of data that will be targeted. What data is most valuable to attackers? Listen as Diane shares her thoughts on 2016 security.

Looking back

See what our experts were thinking about in 2015. The Best of 2015 lists the top most popular blogs of the year.

2016 Predictions, Part 5: The Modern IT Environment


Welcome to 2016! What’s in store for IT departments this year? Brad Pollard, Tenable’s Vice President of Information Technology, has a rich background in IT leadership, from small high growth companies to major industry players. Brad wraps up our series on 2016 predictions by discussing the contemporary IT environment, identifying critical challenges, and sharing advice that can shape your IT policies for the coming year.

Looking back

See what our experts were thinking about in 2015. The Best of 2015 lists the top most popular blogs of the year.

Security Issues That Deserve a Logo, Part 2: Subversion


During the past year, a new trend in security experienced a meteoric rise, with headlines in both the mainstream and tech media, simply because vulnerabilities were marketed with catchy names and logos. In this blog series, I share with you critical security issues that haven’t captured the media’s attention, but that deserve serious discussion.

What is your biggest security issue?

When talking to senior security leaders in an organisation, one of my favourite questions to pose is “What is the biggest security issue you currently face?” The responses vary wildly depending on the maturity of the company, geographical region, current issue du jour being discussed at conferences, or just their plain old bias. However, the common theme often centers around a particular nation state, an interesting emerging threat vector, a lack of buy-in from the business to solve the problems faced, and compliance crushing their ability to do what is right rather than what is mandated.

Subversion

One of the most surprising responses I received recently was from the Head of Risk and Compliance at a bank in the Middle East. We started chatting after we both delivered presentations at a conference, with his covering the important and interesting issue surrounding the communication of risk to the business. After the usual ice breakers, I went ahead and asked what his biggest issue was, interested to hear his perspective. Rather than going for the more expected range of answers, he caught me off guard with an eloquent rant that led to my next security issue that deserves a logo and catchy name: Subversion.

Insider threat

With the workforce in his region—often transient and frequently from outside the host country—he had experienced multiple issues with several staff being bribed for information. It seems that the technical controls his team had put in place were circumvented by a well-placed $10,000 investment in a disgruntled or apathetic employee. Have you spent $250,000 on firewalls? That can be easily circumvented by persuading the right person to install a small bit of code for a wad of cash that would be difficult to walk away from. Do you have the latest and greatest encryption and DLP to protect your data? A $1000 back-hander to the cleaners could buy a surprising amount of information printed on old school paper.


Insider threat is a well-known problem that many professionals face, but it is often seen as less of a priority, with the border-defence mindset and defending against outsider threats still getting more focus. It’s not surprising; we constantly hear about another cybercrime gang plundering millions from unsuspecting businesses via the latest zero day, rather than the more sensitive and mundane issue of corporate espionage, but that doesn’t make it any less important or any less likely to occur.


One of the first lessons I learnt in information security is that attackers won’t use a sledge hammer to crack a nut, they’ll use the easiest and cheapest path to achieve their goals. Why risk the discovery of a previously undisclosed and valuable vulnerability to gain a foothold in an infrastructure when someone is willing to give up access for a smaller price? In fact, why use a valuable vulnerability at all when there are probably many already disclosed and unpatched issues waiting to be exploited? But that’s a rant for another day.

Safeguards


There are technical and physical controls that mitigate many of the problems caused by Subversion: continuous monitoring for unexpected and anomalous behaviour, secure shredding for paperwork and clean desk policies, and siloing of data so that only those who should have access can see it. But mindsets have to change from a border-centric security approach to a data-centric perspective. Otherwise, Subversion could easily be leveraged to spirit away corporate secrets and customer information, something I think is worthy of a logo and a catchy name.

In my next blog, I’ll introduce you to EagerBeavers.

What is No-ware?


You’ve heard about adware, malware, and spyware. And you probably have protection against malware attacks. But do you have protection against no-ware?

Ron Gula, CEO of Tenable Network Security, defines “no-ware” as any attack that is accomplished without malicious software. No-ware is notoriously hard to detect because there are rarely any indicators except for a configuration change or a rule modification. Listen as Ron provides examples of no-ware, explains how it works, and recommends a methodology for finding no-ware on your systems.

Assessing the State of Cybersecurity in Government


In November 2015, Tenable released the inaugural Global Cybersecurity Assurance Report Card, with research conducted by the CyberEdge Group. The report asked over five hundred security professionals from around the world to grade their organizations’ ability to assess cybersecurity risks and to mitigate exploitative threats. The results of the survey were reported on our blog in summary and by industry. Today, we take a closer look at the results for governments and provide recommendations for improving the state of cybersecurity in government agencies around the globe.

First, a clarification. When the Global Cybersecurity Assurance Report Card report refers to “government,” it includes much more than the US federal government. This global report covers responses from governments worldwide, in any country, state, or local jurisdiction.

Government scores


Unfortunately, government agencies scored a very disappointing 66% or D. With major attacks in the news, we had hoped that the government score would be higher. This is particularly disturbing when you compare that D to other industry sectors. Financial services and telecom graded their industries at a high 81% or B-. Even Retail and Healthcare, which have seen major breaches over the past two years, scored a passing C grade. Government ranks next to last in industry sector cybersecurity assurance, outscoring only Education's 64% D grade. And compared to the overall global cybersecurity readiness score of 76% or C for all respondents, government agencies have a lot of work to do to attain the confidence and abilities of organizations worldwide. But despite the overall D grade, there are some brighter spots in the report for government agencies.


Risk assessment represents an organization’s ability to assess cybersecurity risks across 10 different IT components. While government respondents scored an overall D in risk assessment capabilities, they did feel more confident in assessing risks posed against the network perimeter and DMZ (C+) and the network infrastructure in general (C-). They were least confident in assessing risks to cloud applications and infrastructure (F) and mobile devices (F). This is not entirely surprising, since assessing risk in long standing technologies scored better than the newer technologies. With the current general shortage of professionals with IT skills, government agencies may lack the knowledge and skills to assess the security risks in more modern technologies.


When it comes to mitigating threats against these risks, government staff scored a slightly higher 70%, but still an overall D grade. Confidence was expressed in the ability to detect internal threats (C+) and in conveying risk information to executives and board members (C). However, mobile devices scored the lowest for detecting and mitigating threats (F). Clearly, government agencies must improve mobile and BYOD security to score better in future years.

2015 exposed one of the largest breaches in government history when the US OPM was attacked, exposing the personal information of millions of current and former government employees and contractors. The outcry by both employees and taxpayers demands significant and rapid security improvements.

Recommendations for improvements


What can government agencies do to improve their cybersecurity posture? Ron Gula, CEO of Tenable, advises: “While we are seeing a shortage of good IT talent, there is always the opportunity to learn new technical skills. As government agencies move to the cloud, mobile, and hybrid environments, IT professionals must tackle next generation technologies.”

Ron also notes that the US federal IT security budget is sorely underfunded, allocating the equivalent of just 5% of the average private sector organization's cybersecurity budget – and that 5% must be shared among dozens of agencies in the US government. Underfunding is a common theme across government agencies worldwide, and while simply providing more money for the cause isn’t going to make a government more secure, a budget increase is one of the necessary steps to acquire the personnel and resources needed to improve their security posture.


Key recommendations that arose from the OPM attacks include:

  • Inventory all assets
  • Implement continuous patching and vulnerability scanning
  • Assure that users only have access to data that they require for their jobs
  • Watch network traffic in real time
  • Implement two-factor authentication
  • Implement encryption

More information

Download the 2016 Global Cybersecurity Assurance Report Card report and infographic to examine the data in more detail. You can also watch an on-demand webinar about the report findings for the US and Canada, EMEA, or APAC. And watch for the 2017 report in November 2016 for trending data; hopefully another year will provide government agencies with multiple opportunities to improve their security postures.

Security Issues That Deserve a Logo, Part 3: Eager Beavers


During the past year, a new trend in security experienced a meteoric rise, with headlines in both the mainstream and tech media, simply because vulnerabilities were marketed with catchy names and logos. In this blog series, I share with you critical security issues that haven’t captured the media’s attention, but that deserve serious discussion. In the last few weeks I’ve discussed Glimpse and Subversion; this week I’d like to introduce Eager Beavers.


Sit around partaking in libations with security people long enough and at some point you can expect to hear someone raise the age-old rant of “My systems would be secure if it wasn’t for the users.” It’s easy to see why: the media is full of stories blaming users for poor passwords, clicking links without rhyme or reason, replying to alleged benefactors of a huge fortune or simply browsing the web and being hit with drive-by malware.

Living in our security echo chamber, it can sometimes feel like our users are sitting there waiting for the next threat to be delivered to their inboxes or browsers - a group of Eager Beavers clicking with innocent abandon.

I remember many years ago when the ILOVEYOU virus hit. At the time, I was an IT Manager for a small security company, managing services for 100+ people. I’d had prior notice from our chosen AV vendor that a malicious love letter was circulating, starting in Asia, making its way westwards across the globe as users logged in and checked emails. I knew this could be a huge problem, so I sent an email to all staff stating, “If you receive an email with the attachment ‘LOVE-LETTER-FOR-YOU.txt.vbs’ do not open!!”

The email I sent was an exercise in futility. Like millions of others before them, probably half of the employees who received the email clicked the attachment, infected their PCs, and caused more emails to be sent to their contacts, furthering the infection. That night, the more pints were drunk to aid in forgetting the terrible day, the more descriptive the words became to characterise the eager clickers of the VBS script.

But my animosity towards the user base was misplaced. The unfortunate reality was that the only person who made a big mistake that fateful day was me. We wouldn’t blame the chickens for being eaten when a fox gets into the henhouse—the responsibility would rest on the farmer's shoulders for not doing more to guard the chickens. I was the farmer, who had totally failed to put up the right defences to protect my precious brood.

The best defence in reducing the risk of infection is to continuously identify weaknesses on the endpoints

Rather than treating users with disdain for falling victim to a convincing phishing email, ransomware infection or malware, we need to treat each incident as a control failure. Take ransomware as an example: the best defence in reducing the risk of infection is to continuously identify the weaknesses on endpoints that exploit kits favour, such as Flash and other insecure browser plugins, and patch or disable them as appropriate. Backing up files lessens the impact if an exploit kit does break through, provided the backups are kept somewhere the infected endpoint cannot write to, since ransomware will also encrypt any mapped share or attached drive it can reach.

The responsibility to address this issue should be less on the shoulders of the clickers and more on the protectors

Whilst a group of users eager to click on any link sent to them is worthy of a logo and catchy name, the responsibility to address this particular issue should be less on the shoulders of the clickers and more on the protectors.

Auditing Microsoft Azure with Nessus v6.5

“I want to audit the cloud,” said a visitor to the Tenable booth at a recent conference.
“Which cloud? There are several,” I asked.
“The one with clear blue skies” he said with a wink.
“Ah, you mean Microsoft Azure,” I replied.
“Yes, that’s the one!”

For customers who have asked us to support Microsoft Azure, Nessus® v6.5 now supports auditing Microsoft Azure. In fact, Nessus is the first and only solution to offer security visibility, system hardening and auditing for Microsoft Azure. More and more customers want to audit their cloud systems and applications. And why not? Migrating workloads to the cloud doesn’t absolve organizations of their responsibility to secure what’s in the cloud.

There are many “clouds” (read cloud services) to choose from. But the three cloud services that keep popping up in our conversations are Amazon AWS, Rackspace, and Microsoft Azure. With the release of v6.5, Nessus can now audit them all.

Nessus can now audit Amazon AWS, Rackspace, and Microsoft Azure

But how do you secure something you don’t have physical control over? When it comes to securing the cloud, most cloud providers advocate the shared responsibility model: the provider is responsible for the security of the cloud itself (facilities, hardware, hypervisors and the platform), and the customer is responsible for the security of what’s deployed in the cloud (accounts, configuration, virtual machines and data).

Application programming interfaces (APIs) from each cloud provider are a big help when it comes to securing what’s deployed in the cloud. And in our increasingly API-enabled world, Nessus is now able to audit your Microsoft Azure account(s) through the Microsoft APIs.

Setup

Setting up access for Nessus to audit Microsoft Azure is straightforward. To accurately audit a Microsoft Azure account, Nessus needs these details:

  • Username
  • Password
  • Client ID and, optionally, Subscription IDs

All these fields can be configured via the Audit Cloud Infrastructure template:

Username and Password

This is the username and password of the Microsoft Azure account Nessus will authenticate as. Use a dedicated account for auditing, granted only the permissions the audit needs, rather than a personal administrator login; the credentials are stored in the scan policy, so anyone who can read or edit that policy effectively has access to the account.

Client Id

For Nessus to audit your Microsoft Azure account, you must register an application in your Azure account. Once you define the app, Microsoft Azure generates a Client ID for it, which you then copy into your Nessus scan policy.

Steps to create a Client Id

  1. Navigate to your Microsoft Azure Account
  2. Navigate to Active Directory -> Applications tab -> Add -> Add an application my organization is developing
  3. Provide the app a name, and select Native client application
  4. Provide a redirect URL (for example, http://example.com)
  5. Configure the app, give it the necessary permissions (Access Azure Service Management), and then copy the Client ID into your Nessus scan policy:

Nessus Scan Policy screen

Subscription IDs

This field is optional. By default (left blank), all subscriptions to which the account has access are audited. If you want to restrict the audit to a subset of subscriptions, list each subscription ID to be audited, separated by commas. This is useful when you want to run a separate audit per subscription and share the results with different teams.

What’s audited by Nessus?

In general, when it comes to auditing cloud services such as Microsoft Azure, our approach has been simple: go above and beyond the usual best practice guidelines. This has twin benefits for our customers. First, it obviously helps you to securely configure cloud services. And second, it provides visibility into what is deployed in the cloud. For example, which VMs are running, what is their status, what privileges does each user have, and so forth. In short, it provides you with a deployment snapshot of your Microsoft Azure account.

And we have done just that with Microsoft Azure. We are shipping three distinct audits in Nessus v6.5, each catering to a specific use case:

Infrastructure audit

The infrastructure audit checks the following items:

  • Virtual machines
    • Running/Stopped/Deallocated VMs/Public IPs used
  • Certificates
    • Certificates in use/expiring soon/recently used
  • Azure deployment snapshot
    • Provides details of all resources deployed in your account
  • User account(s) review
    • Accounts with admin level privileges
  • Subscription(s) review
    • Enabled/Disabled subscriptions

Website audit

  • Websites that are enabled/disabled
  • Websites without SSL/TLS enabled

Database

  • Event logging configuration review
  • User account review
    • Admin/Non-admin users
  • Stopped/Running databases
  • Firewall rules for databases
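The checks listed under the three audits can be approximated offline. The following is an added example, not Tenable's audit code and not the Nessus audit file format: it runs checks of the same kind over a constructed Azure-style inventory (the dictionary layout, role names, expiry threshold and firewall-size threshold are assumptions), and it honours the Subscription IDs field described under Setup, treating a blank field as "audit everything the account can reach" and a comma-separated list as a restriction.

```python
"""Added example, not Tenable's audit code: checks of the kind the three Azure
audits perform, run over a constructed inventory. The inventory layout, role
names and thresholds are assumptions; a real audit builds this from the APIs."""
from datetime import date
from ipaddress import ip_address

# Constructed sample inventory (not real Azure data).
INVENTORY = {
    "subscriptions": [{"id": "sub-prod", "state": "Enabled"},
                      {"id": "sub-dev", "state": "Enabled"},
                      {"id": "sub-old", "state": "Disabled"}],
    "vms": [{"sub": "sub-prod", "name": "web01", "status": "Running", "public_ip": "203.0.113.10"},
            {"sub": "sub-prod", "name": "db01", "status": "Stopped", "public_ip": None},
            {"sub": "sub-dev", "name": "test01", "status": "Deallocated", "public_ip": "203.0.113.20"}],
    "certificates": [{"sub": "sub-prod", "thumbprint": "AA11", "expires": date(2016, 2, 10), "in_use": True},
                     {"sub": "sub-prod", "thumbprint": "BB22", "expires": date(2017, 6, 1), "in_use": True},
                     {"sub": "sub-dev", "thumbprint": "CC33", "expires": date(2016, 4, 1), "in_use": False}],
    "users": [{"sub": "sub-prod", "name": "alice", "roles": ["Owner"]},
              {"sub": "sub-prod", "name": "bob", "roles": ["Reader"]},
              {"sub": "sub-dev", "name": "svc-deploy", "roles": ["Contributor"]}],
    "websites": [{"sub": "sub-prod", "name": "shop", "enabled": True, "https_only": True},
                 {"sub": "sub-prod", "name": "intranet", "enabled": True, "https_only": False},
                 {"sub": "sub-dev", "name": "staging", "enabled": False, "https_only": False}],
    "databases": [{"sub": "sub-prod", "name": "orders", "status": "Running", "auditing": True,
                   "firewall": [("0.0.0.0", "0.0.0.0"), ("10.0.0.0", "10.0.0.255")]},
                  {"sub": "sub-dev", "name": "scratch", "status": "Stopped", "auditing": False,
                   "firewall": [("0.0.0.0", "255.255.255.255")]}],
}
ADMIN_ROLES = {"Owner", "Contributor", "Service Administrator", "Co-Administrator"}  # assumed list


def parse_subscription_ids(field):
    """Scan-policy semantics: blank means every subscription the account can
    reach (None); otherwise a comma-separated list restricts the audit."""
    ids = {s.strip() for s in field.split(",") if s.strip()}
    return ids or None


def in_scope(item, scope):
    return scope is None or item["sub"] in scope


def audit_infrastructure(inv, scope=None, today=date(2016, 1, 15), expiry_days=60):
    """Subscription state, VM state and public IPs, certificate expiry and
    admin-level accounts; every finding is a (check, target, detail) tuple."""
    out = []
    for s in inv["subscriptions"]:
        if scope is None or s["id"] in scope:
            out.append(("subscription-" + s["state"].lower(), s["id"], ""))
    for vm in inv["vms"]:
        if in_scope(vm, scope):
            out.append(("vm-" + vm["status"].lower(), vm["name"], vm["public_ip"] or ""))
            if vm["public_ip"] and vm["status"] != "Running":
                # A public IP still bound to an inactive VM is forgotten attack surface.
                out.append(("public-ip-on-inactive-vm", vm["name"], vm["public_ip"]))
    for c in inv["certificates"]:
        if in_scope(c, scope):
            days_left = (c["expires"] - today).days
            if days_left <= expiry_days:
                out.append(("cert-expiring-soon", c["thumbprint"], f"{days_left} days"))
            if not c["in_use"]:
                out.append(("cert-unused", c["thumbprint"], ""))
    for u in inv["users"]:
        if in_scope(u, scope) and ADMIN_ROLES.intersection(u["roles"]):
            out.append(("admin-account", u["name"], ",".join(sorted(u["roles"]))))
    return out


def audit_websites(inv, scope=None):
    out = []
    for w in inv["websites"]:
        if in_scope(w, scope):
            out.append(("website-enabled" if w["enabled"] else "website-disabled", w["name"], ""))
            if w["enabled"] and not w["https_only"]:
                out.append(("website-without-tls", w["name"], ""))
    return out


def audit_databases(inv, scope=None, max_rule_size=2 ** 16):
    out = []
    for db in inv["databases"]:
        if not in_scope(db, scope):
            continue
        out.append(("db-" + db["status"].lower(), db["name"], ""))
        if not db["auditing"]:
            out.append(("db-auditing-off", db["name"], ""))
        for start, end in db["firewall"]:
            size = int(ip_address(end)) - int(ip_address(start)) + 1
            if (start, end) == ("0.0.0.0", "0.0.0.0"):
                # Azure SQL uses this range to mean "allow all Azure services"; worth a review.
                out.append(("db-allows-azure-services", db["name"], f"{start}-{end}"))
            elif size > max_rule_size:
                out.append(("db-firewall-too-broad", db["name"], f"{start}-{end}"))
    return out


def run_audit(inv, subscription_field=""):
    scope = parse_subscription_ids(subscription_field)
    return audit_infrastructure(inv, scope) + audit_websites(inv, scope) + audit_databases(inv, scope)
```

`run_audit(INVENTORY)` reports across every subscription, while `run_audit(INVENTORY, "sub-prod")` drops the dev findings (the deallocated VM that still holds a public IP and the `svc-deploy` Contributor account), which is the per-team split the Subscription IDs field is for.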

Additional capabilities

Of course, auditing the cloud environment is the first step to improving the security posture of your Azure cloud deployments. You’ll also want to obtain further insight into systems that are vulnerable, understand which are compromised by malware, as well as which are out of compliance. Tenable offers flexible options to support each of these needs. For example, Nessus Agents, software programs installed on Azure virtual machines, offer in-depth local scans to identify vulnerabilities on that system as well as detect malicious processes running on it. The agent results are sent to Nessus Manager or Nessus Cloud. Tenable customers can also import the Nessus Cloud and Nessus Manager results into SecurityCenter™ for a centralized view of scan results from on-premises and cloud deployments. To learn more about the full spectrum of options available for securing your Azure deployments, visit the Azure section of the Tenable Integrations website.

Final thoughts

With support for Microsoft Azure, Nessus now audits all three major cloud services: Amazon AWS, Rackspace and Azure. If you have ever experimented with cloud platforms, you know that each provider offers its own range of services, and Azure is no different. For our initial release, we are shipping these three audits, covering infrastructure, websites and databases; we will add support for more Azure services as needed.

For more information, visit our Azure Integration page.


When Host Security Falls Down

Validating Anti-virus Software with Nessus and SecurityCenter

In today’s chess game of malware author versus network defender, the last line of defense is often the target itself: your security application. Malware that specifically targets host security applications has been on the rise for the last ten years.

Malware that specifically targets host security applications has been on the rise for the last ten years.

This type of attack, disabling host security products including anti-virus software, has been one of malware’s most successful strategies. While some anti-virus software has its own control panel for managing host security, the reports the software sends back to end users and system administrators can be spoofed. With more recent malware, the host protection isn’t removed at all; it is merely disabled, so that central monitoring software doesn’t alert on missing or non-responsive security software. Cases like this have led to infections persisting on a network for prolonged periods, even years. This is a security administrator’s nightmare: they have reported that everything is fine according to the security applications, they have followed best practices and due diligence, and yet the system has failed them.

The attackers

Today’s threats are created by organizations such as nation states and organized crime groups with massive resources behind them. These groups run a professional software development cycle, including QA testing of their malware against known host security products. Knowing this, we also know that the adage “time favors the attackers” applies. If we can’t trust our own security software to report honestly, how can we state with certainty that we are compliant and performing our due diligence?

Redundancy

Many early practitioners of network security have long advocated for redundancy. This can be difficult in a time when we’re expected to do more with less and have tighter budgets, but there are tools available that can complement and augment existing traditional host security products. Some of these tools may already be in your environment.

Tenable solutions

The short answer to attacks against host security products is to have an independent, off-host sanity check of the host security software. This gives a “second opinion” on the software’s status and validates the findings of the native reporting provided by the products’ consoles. Tenable’s SecurityCenter™ includes a dashboard that provides a Security Software Summary:

Security Software Summary dashboard

You will notice that this dashboard is not limited to the Host Security family; it includes other security software as well. In the example above, Microsoft and Symantec host security software are covered, both reporting in with 100% compliance. The dashboard also includes other security applications, such as Trend Micro, McAfee, BitDefender, Sophos and more. If you have already verified that the console reports are accurate, this gives you a “second opinion” that corroborates them; if the two disagree, the disagreement itself is the lead to chase, because security software that has been tampered with will not report that fact about itself.

While we’ve talked about SecurityCenter so far, Nessus® also enables validation and has been written about twice before on the Tenable Blog by Ron Gula:

While some anti-virus products have been added to the checks performed by Nessus since those blogs were written, the method for leveraging Nessus has not changed.

You can find greater detail about using Nessus and SecurityCenter to validate your anti-virus posture and other malware hunting techniques in Tenable’s Whitepapers library. Whitepapers help you delve deeper into our solutions and even discover ways to use our software that you wouldn’t normally imagine.
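The cross-check described above, as an added example rather than Tenable's own code: a constructed scanner report, laid out like a .nessus v2 file, is compared with a constructed export from an anti-virus console, and every host on which the two disagree is flagged. The plugin name, the wording of the plugin output, the hosts, the dates and the staleness threshold are all made up for the example.

```python
"""Added example, not Tenable's code: an off-host "second opinion" on AV status.
The element names follow the .nessus v2 layout, but the hosts, plugin name,
plugin_output wording and the console export below are all constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import date

SCAN_XML = """<NessusClientData_v2><Report name="av-check">
<ReportHost name="10.0.0.5"><ReportItem pluginName="Antivirus Software Check">
<plugin_output>Product : ExampleAV
Service running : yes
Signature date : 2016-01-12</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.6"><ReportItem pluginName="Antivirus Software Check">
<plugin_output>Product : ExampleAV
Service running : no
Signature date : 2015-10-01</plugin_output></ReportItem></ReportHost>
<ReportHost name="10.0.0.7"><ReportItem pluginName="Antivirus Software Check">
<plugin_output>No antivirus software was detected on this host.</plugin_output>
</ReportItem></ReportHost>
<ReportHost name="10.0.0.9"><ReportItem pluginName="Antivirus Software Check">
<plugin_output>Product : ExampleAV
Service running : yes
Signature date : 2016-01-13</plugin_output></ReportItem></ReportHost>
</Report></NessusClientData_v2>"""

# What the AV product's own console claims (constructed).
CONSOLE = {
    "10.0.0.5": "protected",
    "10.0.0.6": "protected",   # service silently disabled, console still says fine
    "10.0.0.7": "protected",   # console record, but nothing installed on the host
    "10.0.0.8": "protected",   # never seen by the scanner at all
}

# "Key : value" lines in the constructed plugin output.
FIELD = re.compile(r"^\s*([^:\n]+?)\s*:\s*(.+?)\s*$", re.M)


def parse_scan(xml_text):
    """host -> {'product', 'running', 'sigdate'}; {} when the plugin ran but found no AV."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        found = {}
        for item in rh.findall("ReportItem"):
            if "Antivirus" not in item.get("pluginName", ""):
                continue
            fields = {k.lower(): v for k, v in FIELD.findall(item.findtext("plugin_output") or "")}
            if "product" in fields:
                found = {"product": fields["product"],
                         "running": fields.get("service running", "").lower() == "yes",
                         "sigdate": date.fromisoformat(fields.get("signature date", "1970-01-01"))}
        hosts[rh.get("name")] = found
    return hosts


def second_opinion(console, scan, today=date(2016, 1, 15), max_sig_age=30):
    """Cross-check the console's claims against what the scanner observed on the host."""
    findings = []
    for host, claim in console.items():
        seen = scan.get(host)
        if seen is None:
            findings.append((host, "not-seen-by-scanner"))
        elif not seen:
            findings.append((host, "console-claims-protected-but-no-av-found"))
        else:
            if claim == "protected" and not seen["running"]:
                findings.append((host, "console-claims-protected-but-service-stopped"))
            if (today - seen["sigdate"]).days > max_sig_age:
                findings.append((host, "stale-signatures"))
    for host in scan:
        if host not in console:
            # AV present but unmanaged: either a console blind spot or an unsanctioned install.
            findings.append((host, "has-av-but-unknown-to-console"))
    return findings
```

Host 10.0.0.6 is the case the post is about: its console entry reads "protected" while the scanner sees the service stopped and months-old signatures. The other three findings (a host the scanner never reached, a host with a console record but no product installed, and a host running AV the console does not know about) are the gaps that only an independent inventory exposes.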

Staying out of the news

Not only do we need to monitor logs and reports from our security software, we need to monitor the software itself.

With the sophistication of threats constantly changing and evolving, it is more important than ever that data security be a mesh of solutions that supplement and support each other. The time when we could design, deploy and forget about security infrastructure is long past. Not only do we need to monitor the logs and reports from our security software, we need to monitor the software itself. Malware and attackers would love to remove every instance of security software from our networks; by watching specifically for the attacks that disable security products, organizations can avoid becoming the next headline about malware lying dormant on their systems for years.

Cloud Security: The Rapid Development of Cloud Applications


We recently asked our security experts, "What is the top security issue facing cloud computing today?" Ron Gula, CEO of Tenable, believes that the rapid development of cloud applications is the most critical issue. How can that be a problem when developers are using the best tools for cloud applications? Listen as Ron explains the situation.

Learn how Nessus provides auditing capabilities for the three major cloud services:

Cloud Security: Stolen Credentials


Tenable experts recently sat down to discuss several critical security issues that face cloud developers and users. Cris Thomas (aka Space Rogue), Tenable Strategist, is most concerned about attackers stealing credentials. How can you prevent this type of attack from happening to your cloud environment? Listen as Cris provides several tips.

Hear more about stolen credentials from Cris in 2016 Predictions, Part 2: The #1 Attack Method.

Salesforce Service Monitoring with SecurityCenter Continuous View


Salesforce is one of the most prevalent SaaS applications in business, running sales operations platforms for organizations to gain productivity and efficiency, and to enable better communication. With so much critical business happening inside Salesforce, what would happen if someone compromised it or exported your sales data? How would you even know it happened? How well do you trust your administrators?

SecurityCenter Continuous View™ (SecurityCenter CV) can now connect directly to Salesforce via its REST API and collect activity logs, so that you can monitor what users are doing inside Salesforce and detect any changes they make to accounts, permissions and system configuration.

SecurityCenter Salesforce screen shot

Salesforce event monitoring enables you to see at a glance who is accessing Salesforce, and who is making changes.

SecurityCenter Salesforce Normalized Events screen shot

In the broader context of your security program, you can see Salesforce events alongside other account modifications and drill down into users who might be misusing administrative permissions network-wide. Access failures in Salesforce correlate with the rest of your account monitoring to indicate brute force or password guessing attempts, as well as successful access after such an attack. Threatlist events flag known bad traffic reaching your Salesforce instance, as well as users logging in from hostile IP addresses.

Salesforce events merge into “detected-change” alerts as SecurityCenter CV tracks account activity across your organization. Users who have never accessed Salesforce before, or who are accessing from a previously unknown IP, are pulled out as “New_User_Source” and “New_User_Destination” events, providing visibility into these unusual connections. Deviations from normal Salesforce activity are also captured, sending those events up through SecurityCenter CV and feeding further alerting as indicators of suspicious behavior.
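The correlation described in the two paragraphs above, as an added example that is not SecurityCenter CV's own code: it runs over constructed Salesforce-style records. The field names follow the LoginHistory (Username, SourceIp, Status, LoginTime) and SetupAuditTrail (Action, Display, CreatedByName) objects, but every record, the baseline of previously seen user/IP pairs, the threat list, the list of sensitive actions and the event names other than New_User_Source are made up for this example.

```python
"""Added example, not SecurityCenter CV code: new-source, brute-force,
post-attack access, threat-list and sensitive-change detection over
constructed Salesforce-style login and setup-audit records."""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE = {"alice@example.com": {"198.51.100.10"},     # user -> source IPs seen before (assumed)
            "bob@example.com": {"198.51.100.11"}}
HOSTILE_IPS = {"203.0.113.50"}                           # constructed threat list
SENSITIVE_ACTIONS = {"PermSetAssign", "changedUserProfile", "createdUser"}   # assumed set


def _login(user, ip, status, minute):
    return {"Username": user, "SourceIp": ip, "Status": status,
            "LoginTime": f"2016-01-15T09:{minute:02d}:00"}

# Constructed LoginHistory rows: alice is normal; bob's account is guessed from a
# hostile IP and then used; carol has never logged in before.
LOGINS = ([_login("alice@example.com", "198.51.100.10", "Success", 0)]
          + [_login("bob@example.com", "203.0.113.50", "Invalid Password", m) for m in range(1, 6)]
          + [_login("bob@example.com", "203.0.113.50", "Success", 6),
             _login("carol@example.com", "198.51.100.12", "Success", 10)])
# Constructed SetupAuditTrail rows.
SETUP_AUDIT = [
    {"CreatedByName": "bob@example.com", "Action": "PermSetAssign",
     "Display": "Assigned permission set Modify All Data to bob@example.com",
     "CreatedDate": "2016-01-15T09:07:00"},
    {"CreatedByName": "alice@example.com", "Action": "changedEmail",
     "Display": "Changed email for alice@example.com", "CreatedDate": "2016-01-15T09:08:00"},
]


def detect(logins, setup_audit, baseline, hostile_ips,
           fail_threshold=5, window=timedelta(minutes=10)):
    """Return (event, user, detail) tuples, logins in time order then setup changes."""
    events = []
    known = {u: set(ips) for u, ips in baseline.items()}   # copy: the baseline itself is not mutated
    failures = defaultdict(list)                            # user -> timestamps of recent failures
    for row in sorted(logins, key=lambda r: r["LoginTime"]):
        user, ip = row["Username"], row["SourceIp"]
        when = datetime.fromisoformat(row["LoginTime"])
        if user not in known:
            events.append(("New_User", user, ip))
        elif ip not in known[user]:
            events.append(("New_User_Source", user, ip))
        known.setdefault(user, set()).add(ip)               # learn it so we alert once, not per login
        if ip in hostile_ips:
            events.append(("Threatlist_Source", user, ip))
        recent = [t for t in failures[user] if when - t <= window]
        if row["Status"] == "Success":
            if recent:   # success right after a run of failures: the post-attack access to chase
                events.append(("Success_After_Failures", user, f"{len(recent)} failures before success"))
            failures[user] = []
        else:
            recent.append(when)
            failures[user] = recent
            if len(recent) == fail_threshold:
                events.append(("Brute_Force", user, f"{fail_threshold} failures from {ip}"))
    for row in setup_audit:
        if row["Action"] in SENSITIVE_ACTIONS:
            events.append(("Sensitive_Admin_Change", row["CreatedByName"], row["Display"]))
    return events
```

On the constructed data, bob produces the full chain an analyst wants to see together: a first login from an unknown source that is also on the threat list, five failures inside the window, a success immediately after them, and then a permission-set assignment by the same account. Alice, logging in from her usual address with no failures, produces nothing.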

Salesforce is one of the first cloud platforms supported by SecurityCenter CV for API monitoring and is an example of Tenable’s commitment to increasing visibility across organizations’ IT infrastructures and assets; whether they are physical, virtual, or in the cloud.

Consult the Tenable documentation for more information on how to integrate Salesforce monitoring into your security program.

See Auditing a Salesforce.com Account with Nessus for more information on securing Salesforce with Tenable.

Announcing PVS 5.0: Eliminate Your Blind Spots


Today we are pleased to announce the availability of Passive Vulnerability Scanner™ (PVS) 5.0. PVS™ continuously monitors the network – detecting usage of cloud services; identifying new assets as they become active on the network; and profiling an asset’s operating system, active applications, services, network connections, and associated vulnerabilities. Its latest capabilities give you a complete view of assets and activities across your computing environments, helping you identify and prioritize weaknesses that need attention.

PVS 5.0 includes the following new capabilities.

Identifying selected TLS-encrypted application traffic

Internet application traffic is often encrypted with Transport Layer Security (TLS). Unless organizations deploy relatively expensive network devices designed to decrypt TLS, they are blind to the applications behind that traffic. PVS 5.0 can identify a number of applications whose traffic is TLS encrypted, without decrypting it and without deploying additional network devices. PVS can detect applications such as Dropbox, Pidgin, Skype, Metasploit Heartbleed Scanner, Metasploit CCS Scanner, Windows Java, Opera v9.80, Mail app iOS, Thunderbird v38.0.1 OS X, Thunderbird v17.0 OS X, Adium 1.5.10, Tor uplink, Aviator, Firefox (v26, 27, 33, 34, 37), Blackberry Messenger, and Golang.

Improved PVS user interface

PVS 5.0 puts important information at users’ fingertips and enables them to easily drill into the details. The enhanced user interface presents summary information on the default login page. From there users can quickly drill into detailed data as desired. The new UI also provides a detailed host view that includes all applications and the DNS name associated with the host. Additionally, as shown below, the new UI displays bandwidth and new connections.

PVS Screen Shot

Recording VLAN IDs

Enterprise networks are increasingly being segmented into Virtual Local Area Networks (VLANs) to improve performance and security. By limiting access to a single network segment, VLANs, together with the corresponding user controls, reduce the damage an insider or external threat actor could do by pivoting to additional systems. PVS 5.0 records the VLAN tag per host and shows it in the host details, so users can verify that VLAN traffic is being segmented as expected.

Processing IPv6 extension headers

PVS 5.0 parses IPv6 packets that carry extension headers and follows the header chain through to the transport layer, so that traffic using extension headers is analyzed rather than skipped.

Improved tunneling support for increased network visibility

Some IPv4 networks carry IPv6 traffic by tunneling it inside IPv4. PVS 5.0 alerts on the use of such tunneling (Teredo) and analyzes the tunneled traffic to identify the related devices, services, applications and vulnerabilities.
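The three dissection steps just described (recording the VLAN ID, walking the IPv6 extension-header chain, and noticing Teredo) as an added example that is not PVS code: a small parser over a constructed Ethernet frame. The frame, built by `build_sample_frame()`, is VLAN 100 carrying IPv4/UDP to the Teredo server port 3544, whose payload is an IPv6 packet with a hop-by-hop extension header in front of TCP; its addresses are documentation ranges and its checksums are left at zero. Header lengths and constants are from the IEEE 802.1Q, IPv4, IPv6 and Teredo specifications; everything else is made up for the example.

```python
"""Added example, not PVS code: the dissection a passive sensor does to record a
frame's VLAN ID, notice Teredo (IPv6 inside IPv4/UDP) and walk the IPv6
extension-header chain to the transport layer. The sample frame is constructed."""
import struct
from ipaddress import ip_address, IPv6Address

ETH_VLAN, ETH_IPV4, ETH_IPV6 = 0x8100, 0x0800, 0x86DD
TEREDO_PORT = 3544                                  # Teredo server UDP port
TEREDO_PREFIX = int(ip_address("2001::")) >> 96     # the 2001:0000::/32 Teredo prefix
IPV6_EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "auth", 60: "destination"}
TRANSPORT = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmpv6"}


def parse_frame(frame):
    """Return what the sensor would record for one Ethernet frame."""
    info = {"vlan_id": None, "teredo": False, "ipv6_ext_headers": [], "transport": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN:                       # 802.1Q: 16-bit TCI, then the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan_id"] = tci & 0x0FFF              # VID is the low 12 bits of the TCI
        offset = 18
    if ethertype == ETH_IPV4:
        ihl = (frame[offset] & 0x0F) * 4
        proto = frame[offset + 9]
        info["ipv4"] = (str(ip_address(frame[offset + 12:offset + 16])),
                        str(ip_address(frame[offset + 16:offset + 20])))
        offset += ihl
        if proto == 17:
            sport, dport = struct.unpack("!HH", frame[offset:offset + 4])
            offset += 8
            # Teredo: UDP to/from 3544 whose payload starts with an IPv6 version nibble.
            if TEREDO_PORT in (sport, dport) and frame[offset] >> 4 == 6:
                info["teredo"] = True
                return _parse_ipv6(frame, offset, info)
        info["transport"] = TRANSPORT.get(proto, f"ip-proto-{proto}")
        return info
    if ethertype == ETH_IPV6:
        return _parse_ipv6(frame, offset, info)
    info["transport"] = f"ethertype-0x{ethertype:04x}"
    return info


def _parse_ipv6(frame, offset, info):
    next_hdr = frame[offset + 6]
    src, dst = IPv6Address(frame[offset + 8:offset + 24]), IPv6Address(frame[offset + 24:offset + 40])
    info["ipv6"] = (str(src), str(dst))
    info["teredo_address"] = TEREDO_PREFIX in (int(src) >> 96, int(dst) >> 96)
    offset += 40
    # Each extension header names the next one in its first octet; lengths differ by type.
    while next_hdr in IPV6_EXT and offset + 2 <= len(frame):
        info["ipv6_ext_headers"].append(IPV6_EXT[next_hdr])
        if next_hdr == 44:                          # fragment header: fixed 8 octets
            length = 8
        elif next_hdr == 51:                        # AH: length in 4-octet units, minus 2
            length = (frame[offset + 1] + 2) * 4
        else:                                       # hop-by-hop, routing, destination: (len+1)*8
            length = (frame[offset + 1] + 1) * 8
        next_hdr, offset = frame[offset], offset + length
    info["transport"] = TRANSPORT.get(next_hdr, f"ip-proto-{next_hdr}")
    if info["transport"] in ("tcp", "udp") and offset + 4 <= len(frame):
        info["ports"] = struct.unpack("!HH", frame[offset:offset + 4])
    return info


def build_sample_frame():
    """Constructed: VLAN 100 -> IPv4/UDP to 3544 -> IPv6 (+hop-by-hop) -> TCP/443."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    hop_by_hop = bytes([6, 0]) + b"\x01\x04\x00\x00\x00\x00"     # next=TCP, len=0, PadN option
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(hop_by_hop) + len(tcp), 0, 64)
            + IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
            + IPv6Address("2001:db8::1").packed)
    inner = ipv6 + hop_by_hop + tcp
    udp = struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(inner), 0) + inner
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                       ip_address("192.0.2.10").packed, ip_address("198.51.100.5").packed)
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!HHH", ETH_VLAN, 100, ETH_IPV4)
    return eth + ipv4 + udp
```

A sensor that stopped at the outer headers would log this frame as "VLAN 100, UDP 40000 to 3544" and miss the TCP/443 session to `2001:db8::1` inside it; `parse_frame` instead reports the VLAN ID, the Teredo encapsulation, the hop-by-hop header it had to step over, and the real endpoints and ports.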

PVS 4.0

With the release of PVS 5.0, Tenable is announcing the End of Support and End of Life for PVS 4.0, effective Thursday, August 18, 2016. Additional information will be provided closer to that date.

For more information

The following PVS 5.0 materials are available:
