
I attended the Tenable Security Showcase in New York City last Wednesday and wanted to share some of my thoughts on it. The agenda for the showcase is listed in the table below but I’ll only be discussing the two speakers I found to be the most interesting – Renaud Deraison and Marcus Ranum.
Renaud Deraison – History and Future of Nessus
I had never heard Renaud speak, but he was quite impressive – he began developing Nessus at the age of 17(!) because he was dissatisfied with certain aspects of the SATAN network vulnerability scanner. Thirteen years and four major versions later, he's got the most popular vulnerability scanner in the world, and it's coming soon to an iPhone and Android device near you. Besides moving Nessus to a mobile device platform, another interesting upcoming feature he mentioned was new executive reports. We have a custom system at Pivot Point that creates reports with easily digestible executive summaries from Nessus scan data, but it will be interesting to see what Tenable will soon be providing. He also addressed two big questions regarding the history of Nessus: 1) Why did Nessus move from an open-source to a closed-source model, and 2) Why did the developers create their own scripting language (NASL) for Nessus? Renaud said they made the decision to move to a closed-source model to improve customer support. He said the control provided by a closed-source model enabled them to generate and gather troubleshooting information that would let Tenable provide a consistent level of support to every customer with less back-and-forth communication (which was becoming increasingly difficult as the user base and number of plugins continued to grow). As for the NASL scripting language, he touted the security benefits of using their own language that was immune to common vulnerabilities such as buffer overflows. The last interesting thing I noted from his discussion of Nessus history is that he admitted they had to make the same performance and security tradeoffs that other developers have to make when they decided to stop running each plugin in its own process space in memory and moved to threading instead. His justification was that, minimally, it doubled the performance of Nessus scans, and in optimal cases the speed was improved by 14 times.
If you get the chance to hear Renaud speak, it will definitely be worth your while so check him out when you can.
Marcus Ranum – What Security Strategies are Outdated and What New Trends are Half-Baked
I'm a big fan of Ranum's writings and presentations, and he's the reason I was looking forward to attending the showcase (well, that and the CPE credits). Ranum gave one of his typical, curmudgeonly presentations on all that's wrong with the current state of information security and a few glimmers of hope for the future – and it was great. Here are some classic Ranum lines that I jotted down:
- Cloud computing = Mainframe computing and once you get locked in, the prices will rise and all the money you thought would be saved will evaporate. The key difference with cloud computing, though, is that you don’t know where the mainframe is and will probably need the FBI to get your data back. He gave a great example of a company that moved their Exchange infrastructure to Gmail and fired all of their Exchange Admins. The corners cut to provide the Gmail service saved them a ton of money until there was an HR incident and they couldn’t manage a terminated employee’s email the way they could with Exchange – which meant they couldn’t comply with their own employee termination policies. Eventually, Google provided them with a solution, but Ranum’s convinced they’ll need more customizations until, eventually, Google’s services will mirror the same services their own Exchange Admins used to provide.
- IPv6 – “What if there was a protocol and nobody came?” Hilarious.
- “Effective security requires information awareness.”
- “Security is an application of process to technology, not a feature that comes from adding technology”
- “Nothing will allow you to operate securely without knowing what you are doing.”
I really agree with Ranum on the last three bullets. We run into many prospective customers that ask us to assess the security of a service, but they don't know all of the IT assets that provide it or support it. By assets, I mean the people and infrastructure (e.g. DBMS, OS, servers, networks, facilities) needed to run the applications that deliver the information that provides value. I've blogged about asset-driven audits before, and my views haven't changed. You can't secure what you don't know exists. Ranum talked about the benefit of Tenable's tools in helping to gather that information, and we've actually used Nessus to do just that on a few projects. For example, we've used Nessus to scan for personally identifiable information (PII) and payment card data to identify which systems need to be reviewed for a security compliance audit. That was really the overarching message of the showcase. Tenable products cannot secure your business, but they can provide the information to help you decide how to secure your business. At Pivot Point Security, we're much the same way. None of our services will necessarily make your business more secure, but they will provide assurance about whether the security processes you've implemented are operating effectively.

About the Author:
Mosi K. Platt, CISA - Information Security Auditor