The Silicon Underground

Home » Page 93

How to read a Nessus scan report

Dave Farquhar security June 9, 2021March 23, 2025

Reading and analyzing a Nessus vulnerability scanner report is an underrated skill. Frankly, I see a lot of misuse and abuse surrounding Nessus scans. So let’s talk about how to read and analyze a Nessus scan for the purpose of understanding and solving problems.

You can read it in the user interface but I recommend exporting a CSV so you can sort and filter. The exact CSV format has changed a bit over the years so they may not be in this exact order. But this will get you started. The most important columns are all here. You’ll find it very similar to reading a Qualys scan report.

For reference, I used the sample file here: https://github.com/derekmorr/nessus-csv/blob/master/nessus_test.csv

Lockheed Martin Cyber Kill Chain explained

Dave Farquhar security June 9, 2021January 26, 2022

The Lockheed Martin Cyber Kill Chain is a popular model in information security. The model illustrates the typical cyber attack. Like the CIA triad, the Cyber Kill Chain is a fundamental concept that helps people understand what motivates security professionals. Understanding it and being able to explain it makes us more effective at our jobs.

Here’s an explanation of the Cyber Kill Chain, along with a couple of examples, one real, and one imagined.

What to do when you know a pedophile (and what not to)

Dave Farquhar Uncategorized June 7, 2021June 6, 2021

Word got out this weekend that a fairly prominent member of my profession is a pedophile. Fortunately I don’t know the guy. But this is hardly the first time this happened. A fairly prominent tech journalist turned out to be a pedophile a couple years ago too. Unfortunately this happens, and unfortunately I came into some experience in this area early in life.

I know from experience, you don’t always know until afterward. If it were easy to know, these people wouldn’t get away with it for so long.

Vulnerabilities without CVE

Dave Farquhar security June 3, 2021March 23, 2025

I had a discussion with somebody this week about vulnerabilities that don’t have CVEs. I learned from this conversation that there are a lot of misconceptions about those. So let’s talk about vulnerabilities without CVEs, and what to do about them.

Why is lumber so expensive?

Dave Farquhar DIY June 3, 2021May 15, 2021

I remember when a 2×4 cost $3. And before you tell me I’m a grumpy old man, that was less sometime in 2019 or 2020. At the moment I’m writing this, a 2×4 costs $8. So what’s going on? Why is lumber so expensive? And will prices ever come back down to normal?

Vulnerability management metrics

Dave Farquhar security June 2, 2021September 15, 2023

I am 75% confident your vulnerability management metrics are too complicated. I’m 75% confident because I’d need to see examples from about twice as many organizations than I’ve seen in order to be 95% confident. But I’ve probably seen 150 more samples than most people. But I have bad news for you. I’m 75% confident your vulnerability management metrics are too simplistic. How can you be both? Measuring the wrong things puts you in situations like that. So let’s talk about NIST’s recommended vulnerability management metrics, and how to more closely align with their recommendations.

How long it takes to get a security job with no experience

Dave Farquhar security June 2, 2021May 10, 2024

I was involved in an interesting discussion about how long it takes to get a security job. But here’s an even more important question. How long does it take to get a security job with no experience? That’s a tougher question. I’ll also argue there’s no such thing as no experience. But to keep the search engines happy, here’s how long it takes to get a security job with no experience (except there’s no such thing as no experience!).

Remove cigarette smell from books

Dave Farquhar Saving money June 1, 2021January 23, 2022

One of the best estate sales I ever attended was a sale in a modest St. Louis suburb that happened to be the estate of a computer programmer. The sale had almost everything I look for. Books, music, vintage computer gear, and even recent-ish computer gear. There was only one problem. Her books smelled like an ashtray. So I had to learn how to remove cigarette smell from books and other items.

Automatic updates vs managed updates

Dave Farquhar security May 31, 2021March 15, 2023

Just turning on automatic updates is one of those bumper sticker-style solutions to IT problems that won’t go away. It sounds really good, and of course it would be cheap. And since nobody’s doing it, it sounds like a new idea. As someone who’s been working in this space more than 20 years, I can tell you there’s a reason nobody does it. And it’s a good reason. It’s even a reason most proponents of bumper sticker-style solutions love to cite as a reason not to do something: unintended consequences.

While allowing systems to auto update seems like a cheap way to solve a difficult IT problem, the unintended consequences can be devastating. There are reasons to do automatic updates in limited circumstances, but it’s easy to cause bigger problems than you solve.

What do Home Depot prices mean? How to decode them

Dave Farquhar DIY, Retail May 27, 2021May 22, 2021

Retailers can and do use prices to manipulate you. But rumors of hidden codes in prices also abound. Home Depot is no exception to that. So what do Home Depot prices mean? Here’s how to find the hidden meaning in prices so you know when you might have found a bargain, and how long that bargain might last.

There are rumors that you can tell how long an item will be on sale from the numbers in the price, but those numbers don’t match what I found at my local store. Still, there are tricks for finding closeouts and other sale items.