Tenable Network Security Podcast - Episode 20

Welcome to the Tenable Network Security Podcast - Episode 20

Announcements

• A new blog post has been released titled "Being Pro-Active Against the "0-Day" Threat" and covers how you can more effectively defend your network given that the bad guys have "0-day" exploits. Marcus Ranum also published an article titled, "Afterbytes - Ranum on Google Considering Leaving China" where he weighs in on the Google Aurora incident. Brian Martin also contributed an article titled, Putting OSVDB to work for Nessus Vulnerability Management where covers how to use OSVDB to provide additional references to give system administrators more information about a particular vulnerability.
• You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments, and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
• We're hiring! - Visit the web site for more information about open positions, there are currently 12 open positions listed!
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!

Interview: Mike Murray

Mike Murray is currently the managing partner of Michael Murray and Associates, as well as a founder in a new company called Mad Security. He has spent his entire career in information security, from his work in the late 90's as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis and Liberty Mutual Insurance Group. Mike's interests and aptitudes are broad - he and his team at Michael Murray and Associates, LLC focus on assisting information security organizations with their human systems, from their information security awareness to their organizational design and efficiency and the career paths of the individuals within the industry. His focus at Foreground Security is to lead Foreground's security engagements and training organization, assisting with curriculum and methodology development, staff development, and security planning and execution. Mike is a widely reknowned speaker, and his talks on a wide variety of topics have been seen at major conferences like RSA, SOURCE, InfoSecurity Canada and Defcon. Mike's thoughts on security can be found on his blog at Episteme.ca, and his work on helping build careers can be found at ConnectedCareer.com. He has written technical articles in publications including BusinessWeek Online and Sys Admin, as well as a regular column on The Ethical Hacker Network.

Stories

• One Exploit Should Not Ruin Your Day - This post by Dino Dai Zovi re-itterates, quite well in fact, much of the post-Aurora Exploit banter. It boils down to this: If you let one unpatched vulnerability be the gateway to your network and all its information, you've for bigger problems than just patching that one vulnerability. Dino goes on to say that network and information segmentation can go a long way to protecting your assets.
• Undisclosed Breaches - This article details how in certain circumstances, a credit card company does not have to disclose the merchant that may have been the cause of a data breach. This seems silly to me, as a consumer I want to know which merchant was at fault, so I can find an alternate merchant to do business with. Breaches happen, and its important that we know at least who is involved so we can make intelligent decisions.
• Four Steps For Trimming Patch Management Time - This article covers some common sense tips for implementing the patch management process. How to prioritize the deployment and make sure that you test the patches. For priority, sure, you definitely want to have a sense of what can be patched, how long it takes, and what the impact will be. However, this is still just skirting the issue. Client software is the real problem, so fix it. If you are running your business and relying on Internet Explorer 6 to interact with a web application running vulnerable code, thats the real problem (not your patch management process). While there will be costs involved, your choice of the software you use has more of an impact on the security of your organization than does how fast you can patch the browser. There are other vulnerabilities lurking out there, some of which the bad guys have written exploits for, so you have to do better than just applying patches. Also, this article covers how you should go about "testing the patch". I'd also add that you need to make sure the patches have been applied to all of the systems correctly.