RE: Audit Tools

From: Evan Mann (emann@questinc.org)
Date: 08/31/01


Message-ID: <558BEC967F3DD4119779009027FC98F3255E05@exchange.questinc.org>
From: Evan Mann <emann@questinc.org>
To: focus-ms@securityfocus.com
Subject: RE: Audit Tools
Date: Fri, 31 Aug 2001 12:47:58 -0400

I suppose I wasn't very clear, but I agree, for standard users, this type of
reporting is unnecessary, but standard users don't use tools like Retina,
and standard users don't subscribe to security mailing lists. Everyone is
on this list because it's part of their job or they want to learn and be on
top of things. Anyone who knows enough to get on this list is most likely
going to know what is obviously false reporting.

-----Original Message-----
From: SysAdmin [mailto:breeze@granis.net]
Sent: Thursday, August 30, 2001 6:46 PM
To: focus-ms@securityfocus.com
Subject: RE: Audit Tools

Over-alerting is one thing, but giving inaccurate information just confuses
the standard user and generally scares the hell out of them. One thing we
need is users who are confident and knowledgeable about what they do on a
network. That way they can describe the problem in articulate terms and
not be afraid to talk to their netadmin. Not to mention that a knowledgeable
and confident user is more likely to partake of an online transaction.

And there once was a boy who cried wolf....

>Off the topic here, but...

>I have yet to personally use Retina, but I tend to prefer 'fluff' when it
>comes to security. Example:

>BlackICE Defender as a home-based firewall reports 99.5% of the time false
>positives, showing you port probes and pings as "attacks". Most home
>firewall users blast the program for doing that, claiming a false sense of
>paranoia on home users. Me personally? I liked it (when I used BlackICE,
>I've since switched to Tiny Personal Firewall). For someone who knows what
>they're doing and has some form of a clue about security, all those false
>positives and fluff are good indicators of what is happening to your system
>and what it's doing to react. Even if you don't need to know it, and it
>takes extra time to sift through, I wouldn't call a product bad or not
>effective just because it wastes a little bit of my time.

>>Retina is full of false positives. Many of the "Security Risks" it
>>identifies require sifting through too much fluff to actually get to the
>>items that are pertinent. The reporting is far from "Top Notch".