Re: [fw-wiz] concerning ~el8 / project mayhem

From: Dave Piscitello (dave@corecom.com)
Date: 08/22/02


From: Dave Piscitello <dave@corecom.com>
To: Anton J Aylward CISSP <aja@si.on.ca>
Date: Thu Aug 22 17:05:05 2002

At 02:22 PM 8/22/2002 -0400, you wrote:
>Indeed. So what you are saying is that the scanners are a crutch that
>lets you avoid raising your competency.

Not at all, and in fact, quite the opposite. Not certain if you're trying
to bait me here, but of course, there's a "let the tool help the lazy avoid
improving himself" aspect to scanners, but lazy is as lazy does. I'm not
lazy, and I find them useful.

They are tools. People with experience in one OS can get a jumpstart on
appreciating and learning the vulnerabilities of others.

The more useful ones not only identify vulnerabilities, but they provide an
explanation of the vulnerability. Many offer URLs to online documentation
explaining the risk, the nature of the vulnerability, exploits associated
with the vulnerability, locations where the vendor has posted the security
fix, service pack, whatever. I gather you've not used any of these?

>Perhaps you could compare it to
> - reading books with the term "hack" or "hackers" in the title
> (search amazon.com for examples...)

Personally, I think these books tell you more about how to be as clever as
the kiddies that attack systems than they do about improving security of
systems. I prefer the "securing foo" titles. But quality scanners educate
you in similar ways to such books, if you take the time to do more than
"recommended action: change registry value X to Y".

> - reading the vuln-dev mailing list

This is a good resource and very helpful when a scanner doesn't tell me
enough about the vulnerability to help me understand.

> - reading the LINUX source code

Oh, come down from the lofty perch...this is an entirely elitist
perspective. The ratio of people who must be engaged in securing systems
vs. those capable of evaluating whether source correctly bounds data
structures approaches infinity.

> - Following up on the Linux vendor advisories to see what changes they
> made to the source to overcome the problems mentioned in the
> advisories.
> - Trying to fix the problems in the advisories yourself then comparing
> with the published solutions

Begs the issue of having the skill to do this absent some additional
guidelines that some scanners do provide in a kinder, gentler step by step
manner than "read the F'in advisory and patch the source, or aren't you the
manly 'I grok Linux and C' type?"

> - Reading the CVE database

If the CVE entry is referenced in the scanner, is this sufficient?

> - Reading papers by Boehm, Parnas, Hansen and the like (or perhaps
> "Software Tools") on good technique and comparing it with some
> published code.
> (Some of the 'open source' code is exemplary in its grotty-ness)

This is unfortunately a luxury for many daily ops folks. Have you run or
worked in a NOC?

>I don't drink beer, and besides, it doesn't pay the mortgage.

No, but I am guilty of frequently doing work out of friendship and I have a
charitable nature.

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com
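The report context Dave describes (CVE references, pointers to the vendor fix, a solution beyond "change registry value X to Y") is something you can pull out of a scanner export mechanically, and the same pass answers his question about whether a CVE reference in the report is "sufficient": it is for findings the report explains, and the rest get sent to the CVE database or vuln-dev. The script below is an added example, not code from the original post or from either correspondent. It assumes the Nessus v2 export layout (NessusClientData_v2 / Report / ReportHost / ReportItem with cve, see_also and solution children); other scanners use different tag names. The embedded XML is a constructed sample with placeholder CVE and plugin ids, not real scanner output.

```python
"""Pull the context a "more useful" scanner report carries past
"change registry value X to Y": CVE ids, reference URLs and solution text,
then flag findings where the report alone is not enough to understand the issue.

Added example, not code from the original post or from either correspondent.
Assumes the Nessus v2 export layout (NessusClientData_v2 / Report /
ReportHost / ReportItem with <cve>, <see_also> and <solution> children);
other scanners use different tag names. SAMPLE_NESSUS is a constructed
sample with placeholder CVE ids and plugin ids, not real scanner output.
"""
from dataclasses import dataclass
from typing import List, Tuple
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-sample">
  <ReportHost name="10.0.0.5">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
               pluginID="900001" pluginName="Placeholder: anonymous SMB session"
               pluginFamily="Windows">
    <description>Constructed sample finding.</description>
    <solution>Restrict anonymous access per the vendor reference.</solution>
    <cve>CVE-0000-0001</cve>
    <see_also>https://vendor.example/advisory-1
https://tracker.example/CVE-0000-0001</see_also>
   </ReportItem>
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
               pluginID="900002" pluginName="Placeholder: outdated web server banner"
               pluginFamily="Web Servers">
    <description>Constructed sample finding with no references.</description>
    <solution>Upgrade to a supported release.</solution>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
               pluginID="900003" pluginName="Placeholder: OS fingerprint"
               pluginFamily="General">
    <description>Informational only.</description>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


@dataclass
class Finding:
    host: str
    port: str
    name: str
    severity: int          # Nessus scale: 0 info .. 4 critical
    cves: List[str]
    references: List[str]
    solution: str

    def explained(self) -> bool:
        """True when the report gives enough to research the issue on your own:
        a fix text plus at least one CVE id or reference URL."""
        return bool(self.solution.strip()) and bool(self.cves or self.references)


def parse_nessus(xml_text: str) -> List[Finding]:
    """Flatten every ReportItem in a Nessus v2 export into a Finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name", "?")
        for item in host.findall("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            # <see_also> holds one URL per line, and there may be several elements
            refs: List[str] = []
            for ref in item.findall("see_also"):
                refs.extend((ref.text or "").split())
            findings.append(Finding(
                host=hostname,
                port=item.get("port", ""),
                name=item.get("pluginName", ""),
                severity=int(item.get("severity", "0")),
                cves=cves,
                references=refs,
                solution=item.findtext("solution", default=""),
            ))
    return findings


def triage(findings: List[Finding], min_severity: int = 2) -> Tuple[List[Finding], List[Finding]]:
    """Split findings at or above min_severity into those the report explains
    and those that still need outside research (CVE database, vuln-dev, vendor)."""
    ready, research = [], []
    for f in findings:
        if f.severity < min_severity:
            continue
        (ready if f.explained() else research).append(f)
    return ready, research


if __name__ == "__main__":
    ready, research = triage(parse_nessus(SAMPLE_NESSUS))
    for f in ready:
        print(f"[{f.host}:{f.port}] {f.name}: {', '.join(f.cves) or 'no CVE'}; "
              f"{len(f.references)} reference(s)")
    for f in research:
        print(f"[{f.host}:{f.port}] {f.name}: no CVE or reference in report, look it up")
```

The severity floor is deliberate: informational plugins (severity 0) never carry CVEs, so counting them as "unexplained" would just pad the research list. Raise min_severity to 3 if you only want the high and critical items routed to someone who reads the advisories.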


