Re: [fw-wiz] concerning ~el8 / project mayhem
From: Anton J Aylward, CISSP (aja@si.on.ca)
Date: 08/21/02
- Next message: Crispin Harris: "RE:[fw-wiz] Vulnerability Scanners ( was: concerning ~el8 / project mayhem )"
- Previous message: Dave Piscitello: "Re: [fw-wiz] concerning ~el8 / project mayhem"
- In reply to: Dave Piscitello: "Re: [fw-wiz] concerning ~el8 / project mayhem"
- Next in thread: R. DuFresne: "Re: [fw-wiz] concerning ~el8 / project mayhem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Anton J Aylward, CISSP" <aja@si.on.ca> To: Dave Piscitello <dave@corecom.com> Date: Wed Aug 21 23:02:01 2002
On Wed, 2002-08-21 at 17:57, Dave Piscitello wrote:
>
> IMO, vulnerability assessment tools are too often too complex for those who
> need them, and too slow for those who do not.
I think the issue is that the focus is on vulnerability, not RISK.
Yes, they're great for final checks, sort of like rattling the door-knob
AFTER you've locked the door to make sure it DID latch.
But if the VA tool shows up many flaws, you've got some serious problems
over and above what it shows, and those flaws are in your security
PROCESSES. (insert quote by Bruce Schneier)
And if they don't show flaws it may be because of the shortcomings of
their database or the imagination of the designers - Word Macro viruses
being an example of that in the AV area some years back.
And they also beg the question about the "hard outer shell and soft
squishy center".
Some years back, we "greybeards" were irritated by the Big N-1 companies
sending out junior/trainee accountants who were doing scans using the old,
old ISS tool and just handing over the reports with no interpretation.
I'm sure the junior accountants preferred this to poring over boxes of
scrappy expense receipts. I recall being called upon by a manager at a
bank in panic with one of these reports that was over 350 pages thick.
Only 2 items were significant and because of mitigating controls were
very low risk. But the Big N-12 company charged nearly three months'
worth of my pre-tax salary for that report. I later went back and found
a serious problem with encryption key storage that it didn't find - a
real no-brainer that even the non-techie manager could understand.
Like many crutches, these tools can result in "learned disability".
/anton
-- It is against the grain of modern education to teach children to program. What fun is there in making plans, acquiring discipline in organizing thoughts, devoting attention to detail, and learning to be self-critical? -- Alan Perlis