Developed by Tenable Network Security, this tool is one of the most popular vulnerability scanners on he market. Tenable provides different versions, depending on your needs: Nessus Home, Nessus Professional, Nessus Manager, and Nessus Cloud.
You can use Nessus to scan multiple types of vulnerabilities that include remote access flaw detection, misconfiguration alert, denial of services against TCP/IP stack, preparation of PCI DSS audits, malware detection, sensitive data searches, etc. Nessus can also call a popular external tools.
Nessus is supported by a variety of platforms including Windows, Mac OS, and popular Linux distributions like Debian, Ubuntu, Kali Linux, etc.
You can get more information and download the Nessus Home (free) tool here. The commercial version is available here.
When looking at a solution to managing vulnerabilities on your network, you want a solution that will find relevant vulnerabilities and will provide adequate information about known vulnerabilities that will help you mitigate any issues quickly.
In this article by Alexander Leonov, we see the results of the comparison between Nessus and OpenVAS. OpenVAS is free, but Nessus costs you money.
Why I call this comparison fast and primitive? I don’t define the structure of KBs for this product and don’t carefully map one nasl script to another. I suppose it may be a theme for another posts. Instead I am looking at the CVE links. If two scanners detect can the same vulnerabilities, they should have the same CVE links in all the NASL scripts, right? In reality we have a great difference between the products and more than a half of the CVEs can’t be detected by using both of them.
All CVEs: 80196
OpenVAS CVE links: 29240
Nessus CVE links: 35032
OpenVAS vs. Nessus: 3787;25453;9579
We can get group of the NASL scripts, “connected” with the links to the same CVEs. There are also thousands of NASL scripts in OpenVAS and Nessus that have some CVE links and can’t be mapped anyhow to the script in different KB.
All NASL plugins:
Mapped plugins: 38207 OpenVAS and 50896 Nessus
Not mapped OpenVAS plugins: 2673
Not mapped Nessus plugins: 6639
You can read the entire article here.
Compliance requirements dictate that companies must perform quarterly internal and external network vulnerability scans. There are a variety of tools that can be used for this purpose, but Nessus is a popular solution.
In this article by Roger McClinton, we get his take on a recent vulnerability listed in this tool.
This week Tenable released a new “plugin” (what they call a vulnerability detection) named “Web Server HTTP Header Information Disclosure”, plugin id 88099. In spite of even the title saying it only an information disclosure vulnerability, they rate this a medium. In my environment that means we need to address it. I think its a little crazy for an information disclosure vulnerability to be rated that high. It turns out Tenable has ceded vulnerability severity ratings to the CVSS system. So because this has a CVSS score of 5 it has to be rated moderate.
Now with SecurityCenter, I’d be able to change the security severity of this detection. I’m not sure that’s possible in Nessus. Even so, when scanning servers for other people, you cant just change the results of the scan. And now the problem, the other party’s security people don’t have the ability to make rational security decisions. They just want all the detections gone.
You can read the entire article here.
Windows security is a moving target, and you have to be constantly monitoring the latest vulnerabilities to see if your laptop or servers are secure. Kaspersky Lab’s recent announcement that Microsoft just patched a critical vulnerability in the Windows GDI in the latest round of updates was exploited by a group of malicious hackers to successfully execute malicious code is troubling.
The remote code execution flaw starts in how the Windows GDI handled objects in memory (CVE-2016-3393), and the issue has been addressed in critical bulletin (MS16-120). The vulnerability affected all supported versions of Windows operating system, Microsoft Office 2007 and Office 2010, Skype for Business 2016, Silverlight, .Net Framework, Microsoft Lync 2013, and Microsoft Lync 2010.
Now your responsibility is to make sure all your systems are successfully updated, because this isn’t a vulnerability found in a lab. This vulnerability was find in the wild, so it is a known attack vector. If a hacker can trick a user into visiting a malicious website and clicking on a link to malicious content, the PowerShell script could attack an un-patched system. The same attack could also be started with a traditional malicious email attachment or a simple file download.
While your organization may have different patching requirements than mine, all IT departments should prioritize patching critical updates and this is a critical update.
In recent years a new term has entered the vocabulary of cybersecurity experts: Ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While there is a long history of minor attempts by hackers to create this type of malware, the most well known version of this type of malware is known as “Cryptolocker“, that was released in late 2013.
Most ransomware attacks were opportunistic and targeted at individual computers, but recently there has been a change in the threat landscape to target entire organizations. The ransom demands have also transitioned from the equivalent of a few hundred dollars for an individual to millions of dollars for an entire organization.
The impact of a successful ransomware attack are more extensive than just the cost of the ransom. Your organization can suffer the impact of lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.
Tips on preventing this type of infection in your organization:
- Planning – Aggressively patch all systems to prevent known vulnerabilities. All endpoints should also be protected with anti-malware and anti-virus software to automatically detect and respond to any infection attempts. This should also include user training to help users understand how infections are executed, what they can do to minimize the risk of attack, and who they should contact if they have concerns or questions. All user files should be backed up to another location that can’t be accessed by the malware. You want to minimize data loss in the event of a successful attack.
- Active Detection – You can minimize the damage from an attack if you are monitoring your enterprise systems and are alerted to the attack as quickly as possible. Threat intelligence software should be used to block suspicious software and alert you to a possible attack. This includes screening email attachments and embedded links, blocking access to known internet malware sites, and security rules to block common malware folders on endpoints to help spot infections before the files are encrypted.
- Isolation – Even if malware slips through your defenses and an infection occurs on one device, you need to have procedures in place to isolate the infected system and limit the exposure of the remaining endpoints. To help prevent additional files on the network from being encrypted the infected device must be isolated from the network.
- Counterattack – During a ransomware incident, once it has been contained you must eradicate it by using effective counterattack procedures. First replace infected devices and format the compromised hard drives. If you have been effective at the previous steps, you can recover user files from your backups and nothing was lost on the device. By formatting the hard drives you make sure the infection is removed from the device, without the need to worry about residual or hidden files. If you have a network infection, the infection can be much more difficult to contain and cleanup will be much more time consuming. A good relationship wth your anti-malware vendor is essential to make sure they help you with any possible infection, even one from an infection they haven’t seen before.
- Resolution – The best way to recover from an attack is having backups of all your important files. Once user systems have been cleaned and files have been restored, the last step is reviewing what went well and what still needs some more work. Was the infection caused by a user bypassing a security control? Was your anti-malware software ineffective? Are there required changes to your procedures or training that would have made your response faster or more effective?
Never be satisfied with “good enough” security, and look for ways to improve your response times, better educate your users, and provide a safer overall environment for your business. Your level of success against a ransomware attack is largely dependent on you and how seriously you prepare for the possibility of a malware attack.
Understanding security flaws it important if you want to prevent them in your environment. This article by Peter Bright helps us understand what a buffer overflow is and how they can lead to security issues on your servers.
The buffer overflow has long been a feature of the computer security landscape. In fact the first self-propagating Internet worm—1988’s Morris Worm—used a buffer overflow in the Unix
finger daemon to spread from machine to machine. Twenty-seven years later, buffer overflows remain a source of problems. Windows infamously revamped its security focus after two buffer overflow-driven exploits in the early 2000s. And just this May, a buffer overflow found in a Linux driver left (potentially) millions of home and small office routers vulnerable to attack.
At its core, the buffer overflow is an astonishingly simple bug that results from a common practice. Computer programs frequently operate on chunks of data that are read from a file, from the network, or even from the keyboard. Programs allocate finite-sized blocks of memory—buffers—to store this data as they work on it. A buffer overflow happens when more data is written to or read from a buffer than the buffer can hold.
On the face of it, this sounds like a pretty foolish error. After all, the program knows how big the buffer is, so it should be simple to make sure that the program never tries to cram more into the buffer than it knows will fit. You’d be right to think that. Yet buffer overflows continue to happen, and the results are frequently a security catastrophe.
To understand why buffer overflows happen—and why their impact is so grave—we need to understand a little about how programs use memory and a little more about how programmers write their code. (Note that we’ll look primarily at the stack buffer overflow. It’s not the only kind of overflow issue, but it’s the classic, best-known kind.)
You can read the entire article to learn how this vulnerability works and why it is so dangerous.
There is a vulnerability that affects SQL Server 2008, 2008 R2, 2012, and 2014 that Microsoft has released a patch to address. The vulnerability is described by Microsoft as “The most severe vulnerabilities could allow remote code execution if an authenticated attacker runs a specially crafted query that is designed to execute a virtual function from a wrong address, leading to a function call to uninitialized memory. To exploit this vulnerability an attacker would need permissions to create or modify a database.”
The good news is an update is available from Microsoft to address this issue, depending on what version of SQL Server you happen to be running. Aaron Bertrand has done a great job of creating a chart that links to the correct Microsoft patch based on the version of SQL Server you happen to be running.
|If your version /
service pack is…
|…and @@VERSION is in the range…
||…you should install…
|SQL Server 2014 (build list)
||12.0.4050 => 12.0.4212
|12.0.4214 => 12.0.4415
||12.0.2000 => 12.0.2268
|12.0.2270 => 12.0.2547
|SQL Server 2012 (build list)
||11.0.5058 => 11.0.5342
|11.0.5344 => 11.0.5612
||11.0.3000 => 11.0.3155
|11.0.3157 => 11.0.3512
||11.0.2100 => 11.0.2999
||Move to a newer branch
|SQL Server 2008 R2
||10.50.6000 => 10.50.6219
|10.50.6221 => 10.50.6528
||10.50.4000 => 10.50.4041
|10.50.4043 => 10.50.4338
|SP1 or RTM
||10.50.1600 => 10.50.3999
||Move to a newer branch
|SQL Server 2008
||10.0.6000 => 10.0.6240
|10.0.6242 => 10.0.6534
||10.0.5500 => 10.0.5537
|10.0.5539 => 10.0.5889
|SP2, SP1 or RTM
||10.0.1600 => 10.0.5499
||Move to a newer branch