Re: Security Audit

From: Jonathan Rickman
Date: 09/07/01

Date: Thu, 6 Sep 2001 19:40:07 -0400 (EDT)
From: Jonathan Rickman <>
To: Dave Wray <>
Subject: Re: Security Audit
Message-ID: <>

On Wed, 5 Sep 2001, Dave Wray wrote:

This is not directed at you Dave...just used your message as a
"jumping off point".

> Nessus is a great tool, I use it frequently and personally prefer it to many
> commercial tools which I also use, but there are *MANY* reasons for doing
> parts of a test manually.

Yes. Nessus is an excellent tool...more on that later.

> Only two weeks ago, one of our clients was tested according to our internal
> procedure. Several automated tools came back all clear. Within 15 minutes of
> manual testing we found the web server to be vulnerable to both the UTF-8
> and double decode vulnerabilities. The reason for this was simply that the
> tools (which I will not name) presumed that Windows NT is always installed
> in a directory called winnt, when in this case it was installed in a
> directory called winnt40. This was enough to throw the automated tools way
> off of the scent.

That's what is so nice about Nessus. You can modify the scripts to pick up on
things like this.

> I think a more suitable question is why would you pay a 'Consultant' good
> money to hit a big green go button and print the results?

Because the consultant might have spent lots of time modifying the code behind
the "big green go button". I'm not knocking manual testing. There's no way to
eliminate the need for it. But some consultants have HUGE libraries of Nessus
plugins written based on previous discoveries at other customers' sites.
They don't necessarily disclose these to every Tom, Dick and Harry.
Of course, discovering those vulnerabilities required manual testing...but that
doesn't mean you re-invent the wheel next time around. Map the network, run an
automated scanner (or several), rule out false positives manually, then spend
the rest of your time poking around manually. If your automatic scanner pass
leads to total compromise of every system (hypothetically speaking), you can
save all that time spent poking around with netcat and just give yourself a
shell (or cmd prompt) and turn the pen-test into an internal audit.

The bottom line is...

There will always be those who deplore the use of automated tools.
They will always claim that anyone who does is a charlatan. They will
always believe that anyone who is doing things differently than they are
has got it all wrong. At the end of the day, a security consultant's job
is to give the customer the most bang for the buck. You have to cover as
much ground as possible in the time you are allowed. If the customer asks
you to spend an hour on the whole network, you should assess the situation.
If, after taking a look at things, you feel you need more time...ask. If
the customer says no, so be it. The customer is always right...remember.
Do the best job you possibly can, and point out what you could have done if
allotted more time. What do you think would happen if the local security
company showed up and refused to install a burglar alarm unless the customer
paid them to put up a 10 foot razor wire fence???

Jonathan Rickman
X Corps Security
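An added illustration of the point made above about tools that hardcode the "winnt" directory (this is example code written for this archive page, not Jonathan's or Dave's, and not part of any scanner discussed in the thread). It is written from the defender's side: a small log checker that normalizes request URIs the way the affected IIS versions did (overlong UTF-8 such as %c0%af, double percent-decoding such as %255c, backslash as a separator) and then asks whether the normalized path climbs out of the web root at all, rather than looking for a fixed directory name. The log lines, the W3C-style field layout, and the function names are constructed for the example; a check keyed on the literal string "winnt/" is included only to show how it misses the winnt40 box while the normalizing check does not.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C-extended style log lines (date time c-ip method uri query status).
# These are sample data for the example, not lines from any real server.
SAMPLE_LOG = """\
2001-09-05 10:00:01 10.0.0.5 GET /default.htm - 200
2001-09-05 10:00:07 10.0.0.9 GET /scripts/..%c0%af../winnt40/win.ini - 200
2001-09-05 10:00:09 10.0.0.9 GET /scripts/..%255c..%255cwinnt/win.ini - 404
2001-09-05 10:00:12 10.0.0.5 GET /images/logo.gif - 200
2001-09-05 10:00:15 10.0.0.9 GET /scripts/..%5c../somedir/file.txt - 200
2001-09-05 10:00:20 10.0.0.5 GET /docs/a/../b.htm - 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold 2-byte overlong UTF-8 sequences (0xC0/0xC1 lead byte) into the single
    ASCII byte they encode, e.g. C0 AF -> '/'. A strict decoder rejects these;
    the vulnerable IIS builds accepted them after the path check had run."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_uri(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (so %255c becomes a backslash), fold
    overlong UTF-8 after each pass, and treat backslash as a path separator."""
    data = raw.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = decode_overlong_utf8(unquote_to_bytes(data))
        if decoded == data:
            break  # nothing left to decode
        data = decoded
    return data.decode("latin-1").replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """True if walking the normalized path ever rises above the web root.
    A legitimate '/docs/a/../b.htm' stays inside and is not flagged."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return one record per request whose normalized URI escapes the web root,
    whatever directory name it lands in (winnt, winnt40, or anything else)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize_uri(m["uri"])
        if escapes_webroot(norm):
            hits.append({"ip": m["ip"], "raw": m["uri"],
                         "normalized": norm, "status": m["status"]})
    return hits


def hardcoded_winnt_hits(text: str) -> int:
    """The brittle approach the thread complains about: count only requests whose
    raw URI mentions the literal 'winnt/' directory. Misses winnt40 entirely."""
    count = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and re.search(r"winnt/", m["uri"], re.IGNORECASE):
            count += 1
    return count


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} status={hit['status']} {hit['raw']} -> {hit['normalized']}")
    print("literal 'winnt/' matches:", hardcoded_winnt_hits(SAMPLE_LOG))
```

Run as a script it prints three flagged requests (the winnt40 hit that succeeded with a 200, the winnt guess that got a 404, and the %5c variant aimed at an arbitrary directory) and reports that the literal "winnt/" check matched only one of them. The status column is the interesting part for a reviewer of real logs: a 404 on a traversal attempt usually means the requester guessed the wrong directory, which is exactly the situation described in the post, and the 200 on the winnt40 line is the one that would have been missed by a check that assumed the default install path.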

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: