Our Ramblings

The Nessus Vulnerability Scanner

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets.
  • Preparation for PCI DSS audits.

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user.
According to surveys done by sectools.org, Nessus is the world’s most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.

Tenable Network Security produces several dozen new vulnerability checks (called plugins) each week, typically released daily. These checks are available for free to the general public; commercial customers are no longer allowed to use this Home Feed. The Professional Feed (which is not free) also gives access to support and additional scripts (audit and compliance tests…).
Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners.
If the user chooses to do so (by disabling the option ‘safe checks’), some of Nessus’s vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.
Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA’s guide for hardening Windows servers.
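Since the scan results can be exported as XML, a defender's first job is usually to triage that export rather than read it host by host. The Python below is an added example, not code from this page or from Tenable: it reads a constructed sample laid out like a .nessus v2 export and summarises it by severity and host. The NessusClientData_v2 / ReportHost / ReportItem layout is assumed from that format, and the hosts, plugin IDs and findings are invented.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample shaped like a .nessus v2 export (added example, not from
# the page or Nessus); hosts, plugin IDs and findings are invented.
SAMPLE_REPORT = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="10001" pluginName="OS fingerprint (constructed)"/>
   <ReportItem port="25" svc_name="smtp" protocol="tcp" severity="2"
               pluginID="10002" pluginName="Open mail relay (constructed)">
    <solution>Restrict relaying to authenticated or local senders.</solution>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="3"
               pluginID="10003" pluginName="Default telnet password (constructed)">
    <solution>Change the default password and disable telnet.</solution>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# ReportItem/@severity codes: 0 informational, 1 low, 2 medium, 3 high.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High"}

def parse_report(xml_text):
    """Flatten every ReportItem into a dict that keeps its host and port."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                # Informational plugins usually carry no <solution>.
                "solution": item.findtext("solution", default=""),
            })
    return findings

def severity_counts(findings, minimum=1):
    """Count findings at or above `minimum`; Info noise is dropped by default."""
    names = (SEVERITY_NAMES.get(f["severity"], str(f["severity"]))
             for f in findings if f["severity"] >= minimum)
    return dict(Counter(names))

def hosts_needing_action(findings, minimum=3):
    """Hosts with at least one High finding, sorted for the remediation queue."""
    return sorted({f["host"] for f in findings if f["severity"] >= minimum})
```

Pointing `parse_report` at the text of a real export gives the same per-host, per-severity view for a scheduled scan run from the command-line client.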


Q. What is included in the Nessus download?
A. When you download Nessus, you receive the Nessus 4.4 scanning engine (server), which includes a Flash-based web client. To receive updates under either a ProfessionalFeed or HomeFeed, you will need to register your scanner.

Q. What OS platforms does Nessus have builds for?
A. Nessus 4.4 is available and supported for a variety of operating systems and platforms:
  • Debian 5 (i386 and x86-64)
  • Fedora Core 12, 13 and 14 (i386 and x86-64)
  • FreeBSD 8 (i386 and x86-64)
  • Mac OS X 10.4, 10.5 and 10.6 (i386, x86-64, ppc)
  • Red Hat ES 4 / CentOS 4 (i386)
  • Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (i386 and x86-64)
  • Red Hat ES 6 / CentOS 6 (i386 and x86-64) [Server, Desktop, Workstation]
  • Solaris 10 (sparc)
  • SuSE 9.3 (i386)
  • SuSE 10.0 and 11 (i386 and x86-64)
  • Ubuntu 8.04, 9.10, 10.04 and 10.10 (i386 and x86-64)
  • Windows XP, Server 2003, Server 2008, Server 2008 R2, Vista and 7 (i386 and x86-64)

Q. What does Nessus 4.4 cost?
A. The Nessus 4.4 scanner is available as a free download.

Q. Where can I go for more information?
A. If you still have questions about Nessus 4.4, feel free to contact us, visit http://www.rustyice.co.uk/ or post to us via our contact link.

The Problem of Tailgating in Secured Buildings

One of the biggest weaknesses of automated access control systems is the fact that most systems cannot actually control how many people enter the building when an access card is presented. Most systems allow you to control which card works at which door, but once an employee opens the door, any number of people can follow behind the employee and enter into the building. Similarly, when an employee exits the building, it is very easy for a person to grab the door and enter the building as the employee is leaving.

This practice is known as “tailgating” or “piggybacking”. Tailgating can be done overtly, where the intruder makes his presence known to the employee. In many cases, the overt “tailgater” may even call out to the employee to hold the door open for him or her. In these cases, good etiquette usually wins out over good security practices, and the intruder is willingly let into the building by the employee.

Tailgating can also be done covertly, where the intruder waits near the outside of the door and quickly enters once the employee leaves the area. This technique is used most commonly during weekends and at nights, where the actions of the more overt tailgater would be suspicious.

Solutions To The “Tailgating” Problem

First, recognize that the tailgating problem is probably the biggest weakness in your security system. This is particularly true at doors that handle a high volume of employee and visitor traffic. Many security managers spend a lot of time worrying about unauthorized duplication of access cards and computer “hackers” getting into their security system over the network. It is far more likely that someone who wants access to your facility will simply “tailgate” into the building rather than use one of these more exotic methods to breach your security.

The practice of overt tailgating can be reduced somewhat through employee security awareness training. If employees are frequently reminded of the tailgating problem, they are less likely to let a person that they do not know into the building deliberately.

It is difficult to overcome the problem of covert tailgating through employee security awareness alone. While it would be possible to ask employees to wait at the door until it locks after they pass, it is probably not likely that this procedure would be followed except under the most extreme circumstances.

The problem of covert tailgating can usually only be reliably solved through the use of special “anti-tailgating” devices.

“Anti-Tailgating” Devices

To minimize the problem of tailgating, the security industry has created a number of “anti-tailgating” devices. These devices include mechanical and optical turnstiles, security revolving doors, security portals, and doorway anti-tailgating devices.

The essential function of each of these devices is that they permit only one person to enter or leave the building at a time. They either do this by providing a physical barrier that only allows one person to pass, or electronically by providing sensors that detect when a person attempts to tailgate in, or when more than one person tries to enter using the same card.

The following is a brief summary of each of the common types of anti-tailgating devices:

HALF-HEIGHT MECHANICAL TURNSTILE

  • Approximate cost: £2,000 to £3,500 per opening.
  • PROS: Lowest cost anti-tailgating device, readily accepted by most users, relatively unobtrusive, well-proven and reliable.
  • CONS: Can easily be climbed over or under, requires separate door or gate for emergency exit and for handicapped users, easily defeated by knowledgeable intruder.
  • Comments: Good choice for visitor lobbies or employee entrances that are constantly attended by a security officer and where cost is a consideration.

FULL-HEIGHT MECHANICAL TURNSTILE

  • Approximate cost: £3,500 to £5,000 per opening.
  • PROS: Provides good security at a moderate cost. Well-proven and reliable.
  • CONS: Obtrusive in appearance, requires separate door or gate for emergency exit and for handicapped users, lacks sophisticated anti-piggybacking detection features.
  • Comments: Good choice for commercial and industrial facilities where security and cost considerations are more important than appearance.

OPTICAL TURNSTILE

  • Approximate cost: £11,000 to £15,000 per opening.
  • PROS: Aesthetically-pleasing appearance, accommodates handicapped users, does not require separate emergency exit, has sophisticated anti-piggybacking detection systems, provides good visual and audible cues to users.
  • CONS: Expensive, provides little or no physical barrier, must be used at an entrance manned by a security guard, relatively high “false alarm” rate.
  • Comments: Good choice for use in manned building lobbies where aesthetics prevent the use of a half-height manual turnstile.

SECURITY REVOLVING DOOR

  • Approximate cost: £22,000 to £38,000 per opening.
  • PROS: Provides best protection against tailgating and piggybacking, fast, handles high volumes of traffic, unobtrusive in appearance, provides energy savings when used at exterior entrances.
  • CONS: Very expensive, requires separate door or gate for emergency exit and for handicapped users, door cannot be used for loading/unloading of large objects, relatively high maintenance costs.
  • Comments: Good choice for use at unattended building entrances where appearance is important.

SECURITY PORTAL

  • Approximate cost: £22,000 to £38,000 per opening.
  • PROS: Provides good protection against tailgating and piggybacking, unobtrusive in appearance, accommodates handicapped users, does not require separate emergency exit, allows load/unloading of large objects.
  • CONS: Very expensive, relatively slow, cannot support large volumes of traffic, high maintenance costs.
  • Comments: Good choice for use at unattended building entrances with relatively low traffic volumes and for entrances into high security internal areas, such as computer rooms.

DOORWAY ANTI-TAILGATING DEVICE

  • Approximate cost: £3,000 to £5,000 per opening.
  • PROS: Easy add-on to existing doors; provides good protection against tailgating and piggybacking, unobtrusive in appearance, accommodates handicapped users, does not require separate emergency exit, allows loading/unloading of large objects, relatively inexpensive.
  • CONS: Must be used at an entrance manned by a security guard, does not provide good visual and audible cues to users.
  • Comments: Good choice for use at doorways with relatively low traffic volumes and where conditions do not permit the use of another type of device.

Other Anti-Tailgating Systems

There are several new anti-tailgating detection systems on the market. These include closed-circuit television camera systems equipped with video analytics software, and machine vision sensors that use infrared imaging technology. Both of these systems “look” at the entrance point and use computer software to detect tailgaters. Once a tailgater is detected, an audible alarm is activated to alert the security guard.

While this new technology looks promising in the long run, it is our opinion that these systems are still too new and unproven for use in most applications.

Have additional questions about the prevention of tailgating? Please contact us.

How to recognise security vulnerabilities in your IT systems

As IT systems continue to extend across multiple environments, IT security threats and vulnerabilities have likewise continued to evolve.

Whether from the growing insider threat of rogue and unauthorised internal sources, or from the ever increasing number of external attacks, organisations are more susceptible than ever to crippling attacks. It’s almost become simply a matter of “when it will happen” rather than “if it will happen.”

For IT resellers, security issues have always been a critical part of every conversation with an organisation’s IT department.

However, with the increase in the levels of access to a company’s network compounded by these maturing threats, it is no longer feasible to merely recognise the existence of more simplistic, perimeter threats.

Resellers must be able to provide customers with a comprehensive risk assessment covering the entirety of an organisation’s IT assets and their vulnerabilities, inclusive of both software and hardware.

This risk assessment must incorporate an understanding of external threats and internal vulnerabilities and how the two continue to merge to create increasingly susceptible IT environments.

At the most basic level, organisations and resellers alike must understand the different types of threats. Malware, a generic term for malicious software, such as trojan horses, worms, and viruses, is the most common form of attack that is originated by an external hacker. Malware attacks have persisted for years – from the infamous Morris worm to common spyware attacks – and they remain the easiest and most damaging tactic deployed by malicious hackers.

With enterprises extending to the cloud, and more organisations adopting SaaS-based applications, social media and other Web 2.0 tools, damaging malware attacks and viruses can now originate through simple spam messages and emails.

Internally, organisations are typically susceptible to threats from either authorised rogue users who abuse privileged accounts and identities to access sensitive information, or unauthorised users who use their knowledge of administrative credentials to subvert security systems. It is this type of vulnerability – unauthorised internal access – that has continued to emerge as the most volatile and disruptive.

To truly understand the risks involved with these “insider threats”, organisations and resellers need to understand the root of the vulnerabilities.

Most commonly, the risks lie with the use of embedded credentials, most notably hard coded passwords, a practice employed by software developers to provide access to administrators during the development process. The practice occurs frequently since application developers tend to be more focused on the development and release cycle of the application, rather than any security concerns. While it may appear harmless at first glance, it is extremely risky as it can potentially provide unauthorised users with powerful, complete access to IT systems.

To compound the matter, by hardcoding passwords to cover embedded credentials, vendors create a problem that cannot easily be fixed or mitigated by tools such as Privileged Identity Management systems. Once embedded into an application, the passwords cannot be removed without damaging the system. At the end of the day, the passwords provide malicious outsiders with a bull’s-eye target – a key vulnerability to leverage to help them gain powerful access and control on a target device, and potentially throughout the entire organisation.

One of the most well known examples is the Stuxnet virus. We’ve all been blown away by the design of Stuxnet, and were surprised by the pathway the virus took in targeting SCADA systems. Reflection shows that the virus used the hard coded password vulnerability to target these systems – which should serve as a lesson for all businesses.

The existence of vulnerabilities embedded within these types of systems is not necessarily new, but the emergence of new threats continues to shed light on the ease with which they can be leveraged for an attack. While malicious outsiders and insiders have focused often on the administrative credentials on typical systems like servers, databases and the like, in reality, IT organisations need to identify every asset that has a microprocessor, memory or an application/process. From copiers to scanners, these devices all have similar embedded credentials that represent significant organisational vulnerabilities.

While steps can be taken to proactively manage embedded credentials without hardcoding them in the first place – Privileged Identity Management tools can help – the onus is on the organisation, and the reseller, to ensure that a holistic view of all vulnerabilities and risks has been taken.
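A practical counterpart to this discussion is to look for embedded credentials in source before it ships, and to replace them with a lookup at run time. The Python below is an added example, not the article's own: it runs a simple regex heuristic over a constructed source snippet and shows the non-embedded alternative side by side. The variable names, sample values and the load_credential helper are all hypothetical.

```python
import os
import re

# Heuristic for a literal string assigned to a credential-looking name, e.g.
#   DB_PASSWORD = "Summer2011!"   or   api_key: 'abcd1234'
CREDENTIAL_RE = re.compile(
    r"""(?P<name>\b\w*(?:pass(?:word|wd)?|secret|api[_-]?key|token)\w*)"""  # name
    r"""\s*[:=]\s*"""                                                      # assignment
    r"""(['"])(?P<value>[^'"]{4,})\2""",                                   # quoted literal
    re.IGNORECASE,
)

# Constructed source file to scan (added example, not from the article).
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "Summer2011!"           # embedded credential
admin_token = 'tok-0f3c9a'            # embedded credential
password = os.environ["DB_PASSWORD"]  # resolved at runtime, nothing embedded
timeout = "30"
"""


def find_embedded_credentials(source):
    """Return (line_number, variable_name) for each literal credential found."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = CREDENTIAL_RE.search(line)
        if match:
            hits.append((lineno, match.group("name")))
    return hits


def load_credential(name, env=None):
    """Hardened pattern: resolve the secret at runtime (here from the process
    environment, in production from a vault or Privileged Identity Management
    tool) so nothing is embedded in shipped code and the value can be rotated."""
    value = (os.environ if env is None else env).get(name)
    if not value:
        raise RuntimeError(f"credential {name!r} has not been provisioned")
    return value
```

The regex is deliberately broad; treat hits as review candidates, since a name such as `token_count = "1234"` would also match.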

SCADA Security Heats Up

The use of Supervisory Control and Data Acquisition (SCADA) devices is growing, and that growth is expected to continue to soar. SCADA revenues will grow from £3.2 billion last year to nearly £5 billion in 2016. The question is: what about security?

A few years ago, when anyone would bring up the topic of SCADA system security, they were looked at like conspiracy theorists or UFO investigators.

That all changed when Stuxnet surfaced, which was designed, many analysts who studied the worm now contend, to disrupt the uranium enrichment capabilities of Iran through the modification of programmable logic controllers (PLCs).

That’s not precisely a SCADA system, but it does show that industrial control systems can – and more importantly – will be targeted. And the processes SCADA systems help to manage include those used in manufacturing, power generation and distribution, refining, water systems, large communication systems – you get the idea: critical infrastructure stuff.

What is concerning is that for years, while people were aware of the security concerns, no one did much of anything about it.

Fortunately, security is getting some level of attention now. The report Strategic Analysis of the World SCADA Market found that oil exploration, gas distribution, and other demands are driving SCADA growth. And security is part of the planned spend:

One of the key challenges that manufacturers face in the world SCADA market is ensuring enhanced cyber security. A great majority of SCADA vendors have started to address the risks of cyber threats by developing lines of specialised industrial firewall and VPN solutions for TCP/IP-based SCADA networks. Additionally, more and more applications are being implemented in the control systems in order to prevent unauthorized application changes without impacting the performance of common antivirus scans.

That’s a start. Now let’s also ensure the applications and systems that SCADA devices connect to are built securely and with resiliency in mind.