Conversations 5: Vulnerability scanning to the rescue

“Networks are living and breathing things. They don’t sit still. Your vulnerabilities will change on a daily basis, for sure, and you need to be on top of that,” says Dick Bussiere, principal architect for Tenable Network Security in the Asia Pacific region.

That’s why Tenable is advocating what they see as a revolution in maintaining a data network’s security posture.

“We’re kind of advocating that people perform vulnerability assessment, and remediation of vulnerabilities, as a constant and continuous process, rather than something that you do on a periodic basis,” Bussiere says.

By a happy coincidence, that matches the processes of continuous vulnerability measurement and measured risk reduction that are now mandated for US government networks — creating a ready market for Tenable, and a salutary model for others to follow.

This interview was recorded on 3 September 2013 in Sydney, Australia.

Podcast: Play in new window | Download (Duration: 30:00 — 19.6MB) | Embed

Subscription options:
Corrupted Nerds: Conversations podcast only via RSS and iTunes.
Corrupted Nerds: Extra podcast only via RSS and iTunes.
All Corrupted Nerds podcasts via RSS and iTunes.

Episode Notes

1. Tenable Network Security company website.
2. Wikipedia entry for Nessus vulnerability scanner.
3. An Ars Technica story on a typical watering hole attack, Facebook, Twitter, Apple hack sprung from iPhone developer forum.
4. Russian crims evade transaction profiling, describing how users were infected via legitimate news websites in Europe.
5. The US National Institute of Standards and Technology (NIST) National Vulnerability Database.
6. SANS Institute director of research Alan Paller’s message about continuous vulnerability measurement and measured risk reduction is outlined in Cyberwar is happening now: turn your sysadmins into heroes.
7. Agencies must use CyberScope tool for FISMA reports, reported Federal News Radio in 2011. (FISMA is the Federal Information Security Management Act of 2002.)
8. Tenable’s resources on attack path analysis.
9. My introduction to the Syrian Electronic Army (SEA) in Crikey, Assad’s army: the future of hacking is here, with a new target.
10. My March 2013 critique of hacktivist group Anonymous, Beware! Anonymous has become the Hello Kitty of hacktivism.

I haven’t linked to any material about the revelations of Edward Snowden because the story is moving so quickly. You’d be better off consulting your favourite daily news outlet.