SANS Software Security Institute

Security Laboratory

Please enjoy this series of interviews with the thought leaders in software security. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu.

An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information

March 22nd, 2007
By Stephen Northcutt
Ron Gula, the author of the Dragon IDS, is now running Tenable Security, and they are releasing a novel technology: a vulnerability scanner plugin that looks for sensitive information. You know, the stuff you read about being breached every other day. Ron was kind enough to be interviewed, so here we go.

Other than finding security holes, Ron, I was not aware you could scan for things like Social Security Numbers (SSNs)?

We're releasing the ability to scan for sensitive data on Windows servers using Nessus and a new Nessus plugin named "Windows File Contents Check" (plugin ID # 24760). It has the ability to find a wide variety of sensitive data at rest on Windows computers.

Well that is amazing, Ron, how does someone get this technology?

This will be available in the Direct Feed and also has a great impact on what you can do with the Security Center.

OK, slow down, Ron, you are scaring us. What is a Direct Feed and what is a Security Center? I went to your web site to prepare for this interview and it says this about the Security Center: "The Tenable Security Center provides proactive, asset-based security risk management. It unifies the process of asset discovery, vulnerability detection, event management and compliance reporting for small and large enterprises." Great, but what does that mean in English?

The Direct Feed is a subscription and support service that any Nessus 3 user can purchase. With the feed, users get the latest vulnerability checks, the ability to audit UNIX and Windows system configurations against NSA, NIST, CERT, DISA and other "best practices" policies, technical support and now the ability to scan for sensitive data at rest.

The Security Center is a software product that allows management and monitoring of multiple types of security and compliance data at the network level. It can be used to divide up a network between political groups (HR, Accounting, IT, etc.), technology (printers, Cisco routers, web servers, laptops, etc.) as well as all of the devices which make up a "business asset" such as PeopleSoft, the entire management infrastructure for the NIDS, and so on. The idea is to centralize logs, vulnerabilities and configuration data and then to give this information securely in a variety of formats to IT, business owners, auditors and security monitoring staff.

Thanks for helping us catch up! The last time we talked I thought you told me that you monitored sensitive information using a passive scanner, why the change to active scanning?

This also complements how we monitor credit cards and SSNs and such passively with the Passive Vulnerability Scanner. Passively, we need to wait until someone moves a sensitive file in order to see it. Using both active and passive methods, we have a better chance of seeing the data and discovering it. Using active and passive monitoring is also the same principle we use to discover new hosts and new vulnerabilities.

Thanks, Ron. I understand you guys have a blog that has the really gory technical details and examples of the code for the .audit files that actually do the work of finding things like an SSN. How does someone find your blog?

The blog is at http://blog.tenablesecurity.com. We try to keep it very technical and very useful with content that appeals to everyone from the casual Nessus user to our larger Security Center customers who monitor device counts in excess of 100,000 nodes.

What other types of sensitive information have you created these .audit files to find?

We have created rules to look for CCNs and SSNs in a variety of formats. In addition, there are also rules to search for international wire transfers, driver's license numbers and even copyrighted source code. We're expecting to get many requests and ideas for new file formats and new content.

The most appealing aspect of this type of search is the ability to customize your own "sensitive content". It is very easy to create rules to search for your own copyrighted content, employee lists with a few of your company's real employee names, or even "keywords" that would be of interest when searching someone's local chat logs.
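To make the two preceding answers concrete, here is an added example (my own illustration, not Tenable's plugin or .audit syntax) of a small data-at-rest scanner: SSN and card-number rules that accept several formats but reject unissued SSN ranges and Luhn-invalid digit strings, plus a custom keyword rule of the kind Ron describes. The rule table, the "Project Falcon" keyword and the SAMPLE text are constructed for the example; findings are masked so the report does not itself leak the data.

```python
import re

def luhn_ok(digits):
    """Luhn checksum; rejects most random digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(value):
    """Drop SSN-shaped numbers the SSA never issues (000/666/9xx area, 00 group, 0000 serial)."""
    d = re.sub(r"\D", "", value)
    area, group, serial = d[:3], d[3:5], d[5:]
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def ccn_ok(value):
    d = re.sub(r"\D", "", value)
    return 13 <= len(d) <= 19 and luhn_ok(d)

# Hypothetical rule table (not Tenable's .audit syntax): name -> (pattern, validator).
RULES = {
    # SSN as 123-45-6789, 123 45 6789 or 123456789, bounded so phone and card numbers don't match
    "ssn": (re.compile(r"(?<![\d-])(?:\d{3}-\d{2}-\d{4}|\d{3} \d{2} \d{4}|\d{9})(?![\d-])"), ssn_ok),
    # 13-19 digit card numbers with optional space/dash grouping, confirmed by Luhn
    "ccn": (re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])"), ccn_ok),
    # custom "sensitive content" rule, the company-specific keyword search the interview describes
    "keyword": (re.compile(r"\b(?:Project Falcon|ACME-CONFIDENTIAL)\b"), lambda _: True),
}

def mask(value):
    """Report only the last four digits so the scan report is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text):
    """Return (rule, masked_value) for every hit that passes its validator."""
    findings = []
    for name, (pattern, valid) in RULES.items():
        for m in pattern.finditer(text):
            if valid(m.group(0)):
                findings.append((name, m.group(0) if name == "keyword" else mask(m.group(0))))
    return findings

# Constructed sample content, not real data: an issuable SSN, a Luhn-valid test card, a phone
# number, an unissued SSN, a Luhn-invalid card and a custom keyword (only three should be reported).
SAMPLE = """Employee: Jane Doe  SSN: 123-45-6789
Card on file: 4111 1111 1111 1111, phone 555-123-4567
Bad SSN: 000-12-3456, bad card 1234 5678 9012 3456
Notes: Project Falcon budget attached
"""
```

Reading each file with `errors="ignore"` and feeding it to `scan_text` turns this into a file-at-rest scan; the validators are what keep the false-positive rate tolerable on a large file share.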

For compliance monitoring, Nessus 3 also has the ability to scan a system to see if it is configured correctly. For example, it can check that event logging on a Windows 2003 server is indeed enabled and that logs are being kept for the proper amount of time.

Tenable has produced many policies which can be used to audit against many different standards, and we're always adding more policies and tools to make an auditor's life easier. We just added a tool to extract specific variable settings in UNIX configuration files, and we're about to release a tool that supports NIST's XCCDF standard.

(The URL for the NIST content is: http://nvd.nist.gov/scap/content.cfm)

So this is starting to sound like you are serious. Do you think other vulnerability scanners will be interested in the IT audit world?

I think Nessus and the Security Center will be one of the first "vulnerability" guys to really jump into IT auditing with both feet. I've always felt that scanning and auditing are very useful, but being able to centralize this information alongside user, firewall, authentication, IDS and other types of logs makes finding security and compliance issues much easier.