Re: Vulnerability scanners

From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: 03/27/03

    Date: Thu, 27 Mar 2003 13:31:10 -0800 (PST)
    From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>
    To: "Jeff Williams @ Aspect" <jeff.williams@aspectsecurity.com>
    hi ya

    On Thu, 27 Mar 2003, Jeff Williams @ Aspect wrote:

    > Let's assume that you're talking about 256 IPs (based on Qualys' published
    > pricing), and you want to scan weekly. That's at least a day a week of

    their "mail server scanning" is pointless ??? ( when we tried it out )
            - just a bunch of dictionary names for your-domain.com

    vulnerability scanning and pen-testing ...
            - you can do quickie tests..
            ( few minutes - couple hours )

            - you can and SHOULD do it every time something changed
            ( incremental costs should be minimal )

            - you should go back and see what other vuln tests you or your
            other hired testers didn't check earlier...
            ( few days, few weeks )

            - repeat round and round

    - most of the scanning can be automated

    - think one can also apply all the scriptkiddie scripts automatically ??

    - automation is the key ... people will get tired of running the same
      repetitive tests

    > effort for someone (probably more to generate a very nice report and
    > summaries). The cost of a full-time sysadmin (including salary, benefits,
    > office, etc...) probably costs well north of $100K. You'd have to include
    > some equipment costs in there. So I doubt you could do it much cheaper.
    > I think vulnerability scanning is a reasonable thing to outsource for
    > companies that are not in the security or networking field already.

    you do need a qualified tester ... newbies won't know what to look for
    and how to test it ..

    i'd say a good vulnerability scanner and pen-tester would run
    $150K in salaries + double it for insurance, benefits, office space,
    phones, lab, PCs, test archives, etc
            plus probably an additional knowledgeable secretary to type up
            pretty reports and attachments

    "good" == they can find the obvious holes... in a matter of minutes
            - break into any pc running sendmail earlier than 8.12.8
            - break into any apache w /443 left on
            - break into wireless sites w/ telnet/ftp/pop3 left on inside
            ... blah .. blah ..

    c ya
    alvin

