Tenable Blog

Severity Is Multi-Dimensional

Vulnerability scanning tools, such as Nessus, can produce reports and assign discovered vulnerabilities a severity rating. The problem I always had with these reports was in evaluating these ratings. Like many other administrators, I found that vulnerabilities with “high” severity ratings always caught my attention first. Sometimes it would take a week’s worth of effort to evaluate and remediate the high- severity vulnerabilities. Although I knew that I should also investigate the low or medium severity level alerts, I never seemed to have time. These were most often given a low priority when it came time to assign tasks and would most often end up going months, years or never getting fixed at all unless a security incident occurred that involved one of the low-severity vulnerabilities. This is a problem that many organizations face, and the following particular Movable Type vulnerability is a great example that I hope underscores the point that “lower severity rating” does not mean "forget about them and never fix them". I recommend that organizations take a multi-dimensional approach to vulnerability remediation and take into account not only the overall severity, but also the level of effort to fix the problem. For the Movable Type vulnerability in question, the severity level is relatively low (for example, it’s not remotely exploitable to gain shell), but the remediation is simple: remove the file from the web server (which has no impact on the operation of the web application.)

Another Milestone, Nessus 4.2

Long-time users of Nessus have probably noticed that significant improvements have been made over the past several years. For example, Nessus version 3 introduced many performance enhancements due to an overhaul of the NASL interpreter. Nessus version 4 introduced several more improvements, including multi-threading and 64-bit support, in addition to unifying the code base across multiple platforms (Windows, Linux, and Mac OS X). Tenable is proud to introduce the next evolution to the Nessus vulnerability scanner with version 4.2, which includes several enhancements including an all-new Flash-based interface. With the new Nessus 4.2 interface, scan results and policies are stored on the server instead of in a client. Multiple users can log into the web-based interface concurrently and can use a “compare” function to show differences against a previous scan. It is now possible to log out of the interface and log back in without disrupting scans that are in progress,and an administrative user now has the ability to pause or stop the scan of another user. I strongly recommend that everyone view the video preview below to see the new Nessus interface in action:

Welcome to the Tenable Network Security Podcast - Episode 13

Announcements

• A new video has been released that covers how to use Nessus 4.2, the latest version of Tenable's Nessus vulnerability scanner.
• Tenable Network Security's CEO, Ron Gula, is featured in SC Magazine as one the entrepreneurial visionaries who have launched successful IT security companies in the last 20 years.
• We're hiring! - Visit the web site for more information about open positions, there are currently 14 open positions! We also have a new Facebook Group called Tenable Security Is Hiring where you can go to get more information about open positions (Requires Facebook account to view)
• You can subscribe to the Tenable Network Security Podcast on iTunes!
• Tenable Tweets - You find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics, and more!
• Tenable is pleased to announce the release of the Log Correlation Engine version 3.4. This release has many new enhancements and features, plus some new functionality such as IDS correlation from various sources and new options in the LCE clients to monitor file integrity. For more information on new features in this release, please see the LCE 3.4 Release Notes. Tenable CEO Ron Gula and I had a chat about the features in this new release.

Interview: Marcus Ranum - CSO, Tenable Network Security

Marcus Ranum hacking up computers and challenging us to think differently about security..

Tenable's CSO Marcus Ranum was quoted in an article from SC Magazine titled "Industry pioneers". In it Marcus gives us some insight into how he perceives his accomplishments:

Another Tuesday, another round of security bulletins from Microsoft. Are you patched? Nessus contains credentialed local checks for all security bulletins, and a network-based uncredentialed check for MS09-064.

Severity is a Matter of Perspective

What struck me as interesting this month are the severity ratings. Microsoft publishes these ratings as a guide to help customers evaluate the vulnerability risk. In many cases, they seem to be doing their customers a disservice. For example, a remotely exploitable vulnerability in Microsoft Word or Excel could be leveraged by attackers to compromise desktop systems. These types of vulnerabilities are frequently exploited by attackers and penetration testers alike to gain access to sensitive information. The advice I always give to organizations is to evaluate each vulnerability with respect to how it affects your business, not what has been published by the vendor.

In addition, if the evaluation of severity is coming from a vendor, it should adhere to some industry accepted standard calculation, such as the CVSS score. Nessus plugins use this scale (1-10, with 10 being the most severe) as a rating for the severity of the vulnerability. While Microsoft rates MS09-067 (a vulnerability in which arbitrary code can be executed as a result of opening an Excel file) as important, Nessus gives it a CVSS score of 9.3. Use these ratings as a guide to develop your patching strategy. For example, if you heavily use Excel, you will need to patch right away. If you do not use Excel, then it is not as critical to patch. You could employ a temporary solution for mitigation by blocking incoming Excel file attachments while you focus on vulnerabilities that pose a bigger risk.