Dailydave mailing list archives
Re: Drinking the Cool-aid
From: Andre Gironda <andre () operations net>
Date: Mon, 3 Mar 2014 20:04:34 +0300
On Mar 3, 2014 7:42 PM, "Joe Gatt" <gattjoseph () hotmail com> wrote:
> > Authenticated scanners are a bad practice (imho)
>
> Can you expand on this a bit more? I would be interested to hear your
> opinion as to why you say this. I think using authenticated scanners is an excellent way to identify:
>
> 1. Computers missed by the patch management process.
> 2. Effectiveness of patch management process. I've seen patch products report to the console that a host is patched; however, the scan proved that a given patch failed to apply.
> 3. Client software not managed and patched by IT (i.e., iTunes)
> 4. Misconfigurations (i.e., Autorun, no SEHOP, no DEP, etc.).
Hello again, Joe. Good times convo ;>

If the goal is patch management, why not move everything to virtual infrastructure and utilize a hypervisor or host VM mechanism to verify patch level and bring up to spec? Same question for configuration, actually, too?

Perhaps the role of authenticated Nessus (or CIS-CAT, NeXpose, etc.) is best for partially or already out-of-scope hosts, e.g., when coordinated with something else like Good Enterprise when looking for partially-scoped mobile devices? Or perhaps Nessus is useful against non-production guest VMs (perhaps converted P2V or V2V) in a lab?

What I do agree with is that authenticated scans do have a use, and can be good practice.

Lately, I have been more or less against continuous anything. It's some sort of wave of sickness I'm about to impose on the industry. Take NSM for example -- I'd like to suggest ongoing capture assessments without "always-on" sensors. Maybe twice a week is appropriate, using a very locked-down/secured device, and scrubbing/anonymizing the data and identifying where and how private information or confidential data (private data and confidential information?) exists unencrypted before putting it into a data store of any type. Another benefit is being able to go all data-scientist-version-of-MacGyver on the resulting pcaps. Another benefit is being able to coordinate with memory (e.g., hibernation file) captures for sharing-oriented compromise indicators, i.e., CybOX.

The problem with continuous anything is that it requires continuous people looking at things continuously and they get continuously bored and continuously miss continuously important things.

Best,
President Putin^H^H^H^H^HAndrei^H
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
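The fourth item in the quoted list (Autorun, SEHOP, DEP) is the kind of host-level misconfiguration that an authenticated scan can only see with credentials on the box. The script below is an added example, not code from either poster or from any of the scanners named in the thread: it reads the same three settings locally and reports compliance, so the result can be compared against what Nessus or CIS-CAT claims for the host. The "compliant" values (AutoRun off on all drive types, SEHOP on, DEP OptOut or AlwaysOn) are this example's own assumed hardened baseline, not a standard the thread cites. Run in an elevated PowerShell on Windows.

```powershell
# Added example: local checks for the Autorun, SEHOP and DEP settings named in
# the thread, as an authenticated scanner would evaluate them on the host.
# The Compliant thresholds below are assumptions for a hardened baseline.

function Get-HardeningFindings {
    $findings = @()

    # 1. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type.
    $autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $autorunObserved = '<not set>'
    if ($null -ne $autorun) { $autorunObserved = '0x{0:X2}' -f $autorun }
    $findings += [pscustomobject]@{
        Check     = 'AutoRun disabled on all drive types (NoDriveTypeAutoRun)'
        Observed  = $autorunObserved
        Compliant = ($autorun -eq 0xFF)
    }

    # 2. SEHOP: DisableExceptionChainValidation = 0 enables SEHOP system-wide.
    #    On client editions the value is absent or 1 by default (SEHOP off).
    $sehopKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $sehop = (Get-ItemProperty -Path $sehopKey -Name DisableExceptionChainValidation `
              -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    $sehopObserved = '<not set>'
    if ($null -ne $sehop) { $sehopObserved = $sehop }
    $findings += [pscustomobject]@{
        Check     = 'SEHOP enabled (DisableExceptionChainValidation = 0)'
        Observed  = $sehopObserved
        Compliant = ($sehop -eq 0)
    }

    # 3. DEP: Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    #    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut.
    $depPolicy = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $findings += [pscustomobject]@{
        Check     = 'DEP policy is OptOut or AlwaysOn'
        Observed  = $depNames[$depPolicy]
        Compliant = ($depPolicy -in @(1, 3))
    }

    return $findings
}

# Print the findings and exit non-zero if any check fails, so a scheduled
# task or an agent can flag the host without parsing the table.
$results = Get-HardeningFindings
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Running this on a host the patch or configuration console reports as compliant is the cheap way to reproduce the discrepancy Joe describes: the console's claim and the host's registry and WMI state are two different sources, and only the credentialed read of the host settles which one is right.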
Current thread:
- Drinking the Cool-aid Dave Aitel (Feb 22)
- Re: Drinking the Cool-aid yersinia (Feb 24)
- Re: Drinking the Cool-aid Alfonso De Gregorio (Feb 24)
- Re: Drinking the Cool-aid dan (Mar 21)
- Re: Drinking the Cool-aid Scharf, Stephen (Mar 24)
- Re: Drinking the Cool-aid dan (Mar 24)
- Re: Drinking the Cool-aid dan (Mar 21)
- Re: Drinking the Cool-aid Andreas Lindh (Mar 03)
- Re: Drinking the Cool-aid Joe Gatt (Mar 03)
- Re: Drinking the Cool-aid Andre Gironda (Mar 03)
- Re: Drinking the Cool-aid Eggensperger, Roy E (Mar 03)