RE: System Self audit tool



Hello,
I checked Secunia PSI recently, and it was not able to identify several Windows 7 patches that failed to install, which clearly show up while checking upgrade status. To be honest, Nessus Professional Feed did not find them either. I would recommend that Nessus users run Nessus to identify vulnerabilities and then check Windows: Control Panel -> System and security -> Windows Update -> View update history. All failed updates will show up. I think that Windows 7 tricks us again, and possibly vulnerability scanners too.
Regards

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin@xxxxxxxxxxxxxxxxxxxx


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Todd Haverkos
Sent: Wednesday, May 25, 2011 3:02 PM
To: vedantamsekhar@xxxxxxxxx
Cc: Security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: System Self audit tool

"vedantamsekhar@xxxxxxxxx" <vedantamsekhar@xxxxxxxxx> writes:
> Hi,
>
> I was given a task to search and evaluate a self-audit tool which
> allows users to run the tool from a central server. The tool should
> verify the user's system for missing/old AV dat files, missing patches
> and so on, and also it should provide the links to appropriate sites for
> downloading the updates. Are there any such tools/solutions available
> in market?

Sounds like you're in the market for a client-based or agent-based vulnerability scanning and patch management in one, but... in a way that puts the users on the hook for patch installation? Your task giver may need to be challenged on their conviction that users will actually apply patches if prompted to do so. In my experience, the vast majority of users simply won't, and will cheerfully click whatever button gets them to their work fastest.

Secunia PSI does almost exactly what you've described, but is licensed (free) for non-commercial use only. In addition to the obvious license issue, for a business, it's a non-starter in a corporate environment because it doesn't centrally report to anything that lets you know your risk posture.

Secunia's CSI product, however, is their corporate analog to it which has a central server (on your premises) and a rather crude (IMO) patch distribution mechanism that tries to piggyback on Windows components without the value add that the Shavliks or BigFixes of the world have done to do this right. However, it does a very nice job of reporting out of date client software with a supported/tracked software list that seems a lot more extensive than anyone else I've seen.

On a side note, your AV's central console is probably the best to use for the AV dat file issue, though dedicated credentialed vuln scanners like Tenable Security Center (which leverages Nessus as the vuln scanner) also have plugins to flag out of date AV DATs if you provide credentials to access the administrative shares on the box. However, those are vuln scan only--they won't automate the patching process and they aren't agent based. I'm not sure if Secunia will warn about out of date DATs either.

The other flavor of products out there are the agent based solutions like BigFix (swallowed recently by IBM) and LANDesk. These are systems management suites and you can get patch and vulnerability management pieces to them, which handle the fix and detect problem respectively ... but you will need to get out your checkbook. And you will find that the list of vendors/software they'll detect as out of date and will patch is not necessarily huge. They aren't cheap, and they're most effective if you resign yourself to live in their world.

The sweet spot in ROI from my view is to get a vulnerability scanner your security people like, and then have the Windows patch folks leverage Microsoft SCCM with something like Shavlik SCUPdates to handle the third party patching (Adobe, QuickTime, Java, and all the web plugins that still too many shops entirely neglect, but are the source of so many client-side compromises).

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
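
The manual check described in the reply at the top of this thread (View update history, looking for failed updates) can be scripted. The PowerShell below is an added example, not part of either poster's message; it reads the same history through the Windows Update Agent COM API and lists updates whose most recent install attempt failed or was aborted. Grouping attempts by update title and treating the newest attempt as the current state are assumptions of this example.

```powershell
# Added example: list updates whose latest install attempt failed.
# Written to run on PowerShell 2.0 (the version shipped with Windows 7).
$ErrorActionPreference = 'Stop'

# IUpdateHistoryEntry.ResultCode values (OperationResultCode enumeration)
$resultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded';
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
if ($total -eq 0) { Write-Output 'Update history is empty.'; return }

# Operation 1 = installation, 2 = uninstallation; keep install attempts only.
$installs = @($searcher.QueryHistory(0, $total) |
    Where-Object { $_.Operation -eq 1 -and $_.Title })

# An update that failed once and later installed is not a finding, so look
# only at the newest attempt for each title (assumption: retries share a title).
$report = foreach ($group in ($installs | Group-Object -Property Title)) {
    $latest = $group.Group | Sort-Object Date -Descending | Select-Object -First 1
    if (4, 5 -contains [int]$latest.ResultCode) {
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            DateUtc  = $latest.Date                      # history dates are UTC
            Result   = $resultNames[[int]$latest.ResultCode]
            HResult  = '0x{0:X8}' -f $latest.HResult     # WUA error code
            Attempts = $group.Count
            Title    = $latest.Title
        }
    }
}

if ($report) {
    $report | Sort-Object DateUtc |
        Select-Object Computer, DateUtc, Result, HResult, Attempts, Title |
        Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No update has a failed or aborted latest install attempt.'
}
```

The output can be compared with the scanner's missing-patch findings for the same host; entries that appear here but not in the scan report are the gap described above.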
