RE: [Full-Disclosure] Top 15 Reasons Why Admins Use Security Scanners
From: Harlan Carvey (keydet89_at_yahoo.com)
To: email@example.com
Date: Wed, 28 Apr 2004 11:54:43 -0700 (PDT)
Just some things to think about...
> Top 15 Reasons Why Admins Use Security Scanners
Question: Should admins be using security scanners?
> This list has been compiled by emailing various
> Security/Admin lists...
> Anyone care to offer their input - add to the list?
> -Am I sure that I have found all vulnerabilities in
> my network?
> -Have I configured my network properly?
What's your policy say? If you're relying on a
security scanner to define proper network
configuration, maybe you're in the wrong line of work.
> -Am I finding and closing security holes fast
With proper policies and procedures in place, it's not
a matter of finding and closing holes fast enough.
Some Microsoft guys (Dave LeBlanc included) set up an
IIS 4.0 web server on NT a full year before Code Red
came out, and from the time it went live, it was
immune to Code Red. Why? The ida/idq script mappings
were unnecessary functionality and therefore disabled.
> -How do I know which machines have a missing patch?
What is your patch management process?
> -Are we resistant enough to network-savvy viruses
> that spread via known exploits?
What is "resistant enough"? You can roll out Norton
on your email server (and other servers) as well as on
your desktops, and manage them all from a central
location, pushing out updates as they become
available? Do you? A security scanner won't tell you
if you do or not.
> -Are we in compliance with HIPAA, Sarbanes-Oxley and
> other regulations?
The only way a security scanner will tell you this is
if it's compliant, as well.
> -What have I missed in locking down a server or
What do your policies and procedures say?
> -Do I have my network perimeter and interior
> sufficiently protected?
> -Have I identified and protected my network
> resources from external threats?
> -Do I know which systems are now well protected?
> -How vulnerable are we from the inside?
From what threat? Are you referring to users, or to
> -How will I ever pass my IT Security Audits?
Don't worry about it...most audits don't seem to have
an IT background, and even when they do, they don't
take the time to understand your business processes or
your network infrastructure.
> -How do I locate computers on my network, that are
> not within compliance?
> -How do I report to Management that we have done all
> we could to lock down?
Very carefully. IT guys and management don't speak
the same language.
> -How do I detect unknown and/or rogue
By understanding your infrastructure. If you know
what IP address ranges are assigned and to where, then
you'll know that whatever device is on 10.2.1.52
shouldn't be responding to ICMP...
Full-Disclosure - We believe in it.
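The last answer in the message above (knowing your address plan well enough to notice that a device on 10.2.1.52 has no business answering ICMP) is an inventory-driven check rather than a scanner feature. The following is an added example, not code from the post or from any of the participants: it takes a constructed address plan, a constructed asset list and constructed ping-sweep output (assumed to be in the form "addr is alive", one host per line) and sorts every responder into known, unregistered (inside an assigned range but not on the asset list) and outside (no assigned range at all). Every range, hostname and address below is made up for the example.

```python
import ipaddress
import re

# Constructed address plan (assumed for this example, not from the post):
# each assigned range and what it is reserved for.
ASSIGNED_RANGES = {
    "10.2.0.0/24": "workstations",
    "10.2.2.0/24": "printers",
    "10.2.3.0/25": "servers",
}

# Constructed asset inventory: addresses actually allocated to a named
# device. Anything else that answers is either unregistered or outside
# the plan entirely.
KNOWN_ASSETS = {
    "10.2.0.15": "ws-alice",
    "10.2.0.200": "ws-bob",
    "10.2.2.7": "prn-lobby",
    "10.2.3.9": "srv-mail",
}

# Constructed ping-sweep output, one host per line (format assumed).
SWEEP_OUTPUT = """\
10.2.0.15 is alive
10.2.0.200 is alive
10.2.1.52 is alive
10.2.2.7 is alive
10.2.3.130 is alive
10.2.3.9 is alive
10.2.0.77 is alive
10.2.2.9 is unreachable
"""

ALIVE_RE = re.compile(r"^(\S+) is alive$")


def parse_responders(sweep_text):
    """Return the addresses that answered the sweep, in the order seen."""
    responders = []
    for line in sweep_text.splitlines():
        m = ALIVE_RE.match(line.strip())
        if m:
            responders.append(m.group(1))
    return responders


def classify_responders(responders, assigned_ranges, known_assets):
    """Sort each responding address into one of three buckets:
       known        - listed in the asset inventory
       unregistered - inside an assigned range but not in the inventory
       outside      - not inside any assigned range (the 10.2.1.52 case)
    """
    nets = {ipaddress.ip_network(cidr): label
            for cidr, label in assigned_ranges.items()}
    result = {"known": [], "unregistered": [], "outside": []}
    for r in responders:
        addr = ipaddress.ip_address(r)
        if r in known_assets:
            result["known"].append((r, known_assets[r]))
            continue
        owner = next((label for net, label in nets.items() if addr in net), None)
        if owner is None:
            result["outside"].append(r)
        else:
            result["unregistered"].append((r, owner))
    return result


def rogue_candidates(sweep_text=SWEEP_OUTPUT):
    """Classify the constructed sweep against the constructed plan."""
    return classify_responders(parse_responders(sweep_text),
                               ASSIGNED_RANGES, KNOWN_ASSETS)


if __name__ == "__main__":
    for bucket, hosts in rogue_candidates().items():
        print(f"{bucket}: {hosts}")
```

The "outside" bucket is what the message is pointing at: an address that answers from a range nobody was ever assigned. The "unregistered" bucket is the quieter case a pure range check misses, a host that sits inside a legitimate range but was never put on the asset list, which is where a plugged-in laptop or a forgotten test box usually turns up.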