Tenable.SC has a basic ticketing system built into the product. By default, however, there is no way to notify someone that a ticket has been assigned to them. To do that, an alert needs to be generated that is based on a query.
The first step is to configure a query. Within Tenable.SC, navigate to Analysis → Queries and Add a query. In the Query Builder section, select “Ticket” for Type and “Ticket List” for Tool.
Many security professionals face the same challenge – improve security and reduce risk with a fixed or reduced budget. There is a lot of information on the internet about using Open Source software to build systems that can help you reduce risk.
But I propose that we, as security professionals, must be teachers as well as technicians. Yes, we can do the work. But how much better would it be if the entire IT department, or even the entire organization, understood basic security principles and could apply them in their day-to-day activities? It’s like the old adage: give a man a fish and feed him for a day, or teach a man to fish and feed him for a lifetime. Let’s teach people to be secure so they can apply security principles at work and in their day-to-day lives.
This article’s focus will be slightly different from a formalized Security Awareness Program (see Securing the Human for details on that). Instead, we will look at ways any security professional can communicate more effectively with others so that security concepts become a more prominent topic in people’s day-to-day lives.
I’m sure all of us know about an “angry security guy”. Maybe we are that guy. But the first step to effectively communicating security concepts to others is to be approachable. Staff need to feel free to come to us with questions and concerns. In particular, they need to feel free to bring any possible risks to us.
I recently needed to pull all of the asset groups associated with a list of IPs from Tenable.SC. It’s easy enough to filter assets in Tenable.SC by Asset Group and get all of the assets in a group, and the full list of Asset Groups can be viewed in the Web UI by looking at the information for a single asset. But there was no report or query within the Web UI that would list all Asset Groups for a list of IPs/assets.
Enter the Tenable.SC API. Within the API, there is a method called “assetintersections” that will list all Asset Groups associated with a given IP.
With a little scripting in your favorite language, a list of IPs and their associated Asset Groups can be created.
Nexpose, like other vulnerability management platforms, has the ability to create exceptions for the vulnerabilities it finds. You might need to issue exceptions because the vulnerability is a false positive, a compensating control is in place, or the risk is acceptable to the business.
Unfortunately, you sometimes have to create exceptions for hundreds, if not thousands, of vulnerabilities within Nexpose. It’s far too time consuming to create those manually.
The good news is that Nexpose has a well-documented API. I’ve used this API to create a PowerShell module that can help automate the submission of vulnerability exceptions.
Last week, Congress released the full Equifax Breach Report.
To briefly recap the breach, attackers exploited an Apache Struts vulnerability on the Equifax ACIS web servers (accessed at ai.equifax.com). They then pivoted from these servers to gain further access and query multiple databases within Equifax. As a result, the personal information of 148 million US citizens was stolen.
It’s a fantastic document that not only explains HOW the breach happened, but WHY it happened. It’s a document that everyone in IT, from the new Service Desk Tech to the seasoned CIO, should read.
The report explains that the breach was the result of many contributing factors that will be familiar to anyone who has worked in IT. Let’s go through the list.
Have you ever been looking through Active Directory and noticed something strange in one of the fields? Maybe the Organization or Description field has a weird string of letters, numbers, and characters. You think, “Huh, that kind of looks like a password.”
Ding! Ding! Ding!
Yes, it happens. Either through lack of understanding or just laziness, sometimes passwords get put into the plain text fields in AD. This is dangerous because those fields are readable by everyone on the domain.
So how do you know if any of these fields are being used to store passwords? I managed to cobble together a PowerShell script that can help.
Last week I received an email from my web host. It said that all customers needed to back up and move their data because the hosting service would be shutting down immediately. It was a strange email. After some digging, I found out that the reason for the shutdown was that the CEO had just died. There was evidently no one who could step in and take over the business, so the decision was made to close.
Why would the unfortunate death of one employee, even a very high-level employee, cause a business to shut down? Simply put, it is the lack of succession planning. What is succession planning and why is it important?
If you’re like me, you LOVE Volatility, the open source memory forensics tool. One of the best features of Volatility is that it can be extended with user-created plugins. SANS recently released an amazing Memory Forensics Poster that listed some great plugins. Many thanks to Alissa Torres and Jake Williams for creating it. Unfortunately, the poster didn’t give the exact location of the plugins. Below is the list of plugins used in the poster, where to download them, and any prerequisites.
Some time ago, I posted a PowerShell script to detect changes in external NS records for domains. I’ve made some modifications to the script to reduce false positives. Additionally, the script now emails the “before” and “after” results of the NSLookup command for easy comparison.
The updated script is below.
I’ve released a new version of my http-screenshot-html.nse script for NMAP. I also moved the hosting to GitHub as Google Code no longer allows file uploads.
Version 1.3 is mostly a bug fix release. The list of changes is below.