Educause Security Discussion mailing list archives
Re: Vulnerability Scanning Problem
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 14 Dec 2006 12:06:30 +1300
Hi Curt,

Curt Wilson wrote:
> Thanks for your thoughts Russell. Nessus, Retina, etc. seem useful for known vulns in network-facing systems, and this is important. However, I am increasingly concerned about client-side vulns, and without credentials to a system or an agent how do you easily test for those (NAC/agent technologies is one possible solution).

Agreed -- we had different threat scenarios in mind. Mike Wiseman also highlights this point about browser based attacks and then there is social engineering e.g. being duped into downloading fake codecs for a media player. I'm guessing that most of us would agree that current anti virus systems are now inadequate defence with the worst threats mutating every day (do they actually monitor virus total to decide when it's time to release a new variant?). We are now reduced to using snort to detect infected machines connecting to controllers. Preventing malware from getting privilege to install a root kit is *very* important since once the root kit is in place your A-V software is useless -- even if it hasn't been disabled already.

> I don't like the idea of having common authentication credentials on an array of systems for deeper host checks by a network assessment service (risk of cracking and/or interception),

Many organisations already have AD with domain access to workstations for remote maintenance. I really don't see any other way to manage thousands of machines. There certainly is potential for abuse but the alternative of having poorly managed systems seems to be an even greater risk.

User workstation support at Auckland is done by local faculty groups and they take different approaches. I find it very interesting seeing who has the most problems and correlating it with how they are managing the workstations. I am in no doubt that those faculties who have adopted automated tools (such as SMS or Altiris (sp?) etc) have fewer 'incidents' and get things patched far faster than those who don't.

Having tools that get patches on to systems quickly is probably the best way to mitigate privilege escalation attacks following client compromises. Network scanning can help here too since if you detect that one recent patch is missing then it is a prompt for the administrator to check why it is missing and, while fixing it, to also make sure that any other missing patches are applied. To this end I run nxscan over the whole network twice every week and every time I pick up a handful of machines, some are new boxes that have been installed but not patched, some are visitor's laptops, some are machines that have been sitting in the storeroom for a few months...

We are also playing with NAC in this sphere and we have a locally built client software that we use for network access on student systems which we plan to roll out to staff next year. Ideally the commercial NAC and our local software can be integrated.

I think what I am trying to say is that no single tool cuts it on its own, but by using a variety of tools and techniques you can provide a reasonably safe environment for your users. In some cases we end up having to do things that offend our sensibilities (I share Curt's dislike of global credentials) because the alternative is worse.

Russell