Re: False-negatives in several Vulnerability Assessment tools

From: Jimi Thompson (jimit@myrealbox.com)
Date: 04/17/03

  • Next message: Craig H. Rowland: "RE: False-negatives in several Vulnerability Assessment tools"
    Date: Wed, 16 Apr 2003 19:53:25 -0500
    To: "R. DuFresne" <dufresne@sysinfo.com>, Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
    From: Jimi Thompson <jimit@myrealbox.com>
    
    

    > <SNIP>
    > > Numerous Vulnerability Assessment (VA) tools are available for security
    > > engineers, pen-testers and network administrators. Their results are
    > > mostly trusted by users since they don't have time nor competences to
    > </SNIP>
    > <SNIP>
    > *How* those reports are evaluated by the 'professionals' in an
    > organization is not a standard. Example, I work in an organization whence
    > the security folks run a couple of scanners weekly to determine the
    > networks, and various servers common exposures. New systems are scanned
    > by iis and nessus prior to being placed into some production environs.
    > </SNIP>

    > My current employer, which is a Fortune 10 company, shall be
    > referred to as "Ralph Co." I've been with Ralph Co for 2 years now.
    > Our security there is relatively pathetic. I have had to go to
    > upper management because our security manager will run a scan at
    > random and decide a given service needs to be terminated because the
    > scanning tool that he's demo-ing that week says that it's a
    > "critical vulnerability". I have had to try to explain to him
    > several times that he pays us a lot of money to exercise our
    > professional judgement in verifying what is and is not a real
    > vulnerability. His answer is that "The tool says so, so it must be."

    The nadir of this process was him insisting that we shut down a "Code
    Red Infected Server". Too bad it turned out to be a developer's Apple
    iBook.

    My point with all this is what you do with the scans AFTER you run
    them. If you want intelligent analysis of the report, you get a
    security professional who knows how to check things manually and
    knows when output from the scanner looks dubious. Any reasonably
    intelligent person can operate the scanner software and print out the
    report when it's done. The skill and expertise comes in interpreting
    the output and making meaningful suggestions that actually improve
    security.

    -- 
    Thanks,
    Ms. Jimi Thompson, CISSP, Rev.
    "I'm a great believer in luck, and I find the harder I work, the more 
    I have of it." -- Thomas Jefferson
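[Editor's note: the following is an added example illustrating the kind of manual sanity check the post argues for; it is not code from the poster or from any scanner. The scanner report, the host addresses and the service banners are all constructed for the example, and the "prerequisite" table (which banner a finding needs in order to be genuine) is an assumption about what a reviewer would check first, not a product's detection logic.]

One way to make the "does the scanner output look dubious?" step repeatable is to cross-check each finding against evidence gathered independently of the scanner, such as the service banner a reviewer records with curl or netcat. A "Code Red infected server" claim needs IIS behind port 80; an SSHv1 claim needs an SSH-1.5 or SSH-1.99 banner. Anything the evidence contradicts is flagged for a human before any service gets shut down.

```python
"""Triage scanner findings against independently observed service banners.

Added example, not the poster's code. All hosts, findings and banners below
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed scanner export, one finding per line: host,port,finding
SCAN_REPORT = """\
# host,port,finding
10.0.0.5,80,Code Red worm infection detected
10.0.0.7,80,Code Red worm infection detected
10.0.0.9,22,SSH server allows protocol version 1
10.0.0.11,80,Code Red worm infection detected
"""

# Constructed banners, as a reviewer would record them by hand with
# curl -I / nc before acting on the report. 10.0.0.11 was not reachable.
OBSERVED_BANNERS = {
    ("10.0.0.5", 80): "Server: Microsoft-IIS/5.0",
    ("10.0.0.7", 80): "Server: Apache/1.3.27 (Darwin)",
    ("10.0.0.9", 22): "SSH-2.0-OpenSSH_3.4p1",
}

# Assumed prerequisite per finding: the banner pattern that must be present
# for the finding to be plausible at all. Code Red only infects IIS; an SSH
# protocol-1 exposure needs a 1.5 (v1 only) or 1.99 (v1 and v2) banner.
PREREQUISITES = {
    "Code Red worm infection detected": re.compile(r"Microsoft-IIS", re.I),
    "SSH server allows protocol version 1": re.compile(r"^SSH-1\.(5|99)\b"),
}


@dataclass
class Triaged:
    host: str
    port: int
    finding: str
    verdict: str    # "plausible", "dubious" or "unverified"
    evidence: str   # the banner used, or why none was


def parse_report(text):
    """Parse the CSV-style export into (host, port, finding) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, finding = line.split(",", 2)
        rows.append((host.strip(), int(port), finding.strip()))
    return rows


def triage(rows, banners, prerequisites=PREREQUISITES):
    """Label each finding by whether independent evidence supports it."""
    results = []
    for host, port, finding in rows:
        prereq = prerequisites.get(finding)
        banner = banners.get((host, port))
        if banner is None:
            verdict, evidence = "unverified", "no banner observed"
        elif prereq is None:
            verdict, evidence = "unverified", banner
        elif prereq.search(banner):
            verdict, evidence = "plausible", banner
        else:
            verdict, evidence = "dubious", banner
        results.append(Triaged(host, port, finding, verdict, evidence))
    return results


def summarize(results):
    """Count verdicts so the reviewer sees how much of the report held up."""
    counts = {"plausible": 0, "dubious": 0, "unverified": 0}
    for r in results:
        counts[r.verdict] += 1
    return counts


if __name__ == "__main__":
    triaged = triage(parse_report(SCAN_REPORT), OBSERVED_BANNERS)
    for r in triaged:
        print(f"{r.host}:{r.port}  {r.verdict:10}  {r.finding}  [{r.evidence}]")
    print(summarize(triaged))
```

Run as-is it marks the IIS host plausible, the Apache-on-Darwin host (the iBook case from the post) and the SSH-2.0 host dubious, and the unreachable host unverified. The point of the "unverified" bucket is that missing evidence is not the same as confirmation; those findings still need someone to go and look.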
    
