RE: Top 15 Reasons Why Admins Use Security Scan ners

["Starford, Christopher D." <CHRISTOPHER.D.STARFORD () saic com>]

Yes I do agree with you Ron that audits in the Corp env's focus more on the
financial side. But, where is that financial data (confidential) being
passed. Yep, systems of course, that's why the bean counters count on the IT
auditor's (i.e. infosec analysts, engineers, and pen testers) to test those
systems and  in most cases will subcontract out these duties to the
experienced IT folks. Also the new Sarbanes-Oxley Act of 2002 has placed a
great significance on IT, which many Corp env's (i.e. healthcare) are
required to follow.

As far as tools used, yes there are some out there that use the point and
click with the generated canned reports.  However, in my past experience and
others I know (those smaller INFOSEC groups out there) can not afford to use
those expensive tools, which real hackers wouldn't be using in the first
place.  We wrote our own perl scripts and created our own testing procedures
based from all those nice resources google lets use have, and relied on
tools like nmap, nessus, sara, lopht crack, john ripper  just to name a few.
Yes of course some of these tools report false positives, but it is the job
of the IT Auditor to evaluate and analyze the results communicating with the
sys admins and IT folks being audited.  IT auditor should be performing
network scans (external/internal), checking firewall/router configs,
application tests (i.e if web app, cross site scripting, sql injections,
session hijacks), and run non-intrusive scripts on the OS's, even sometimes
manually looking at code.  Now of course this depends on the time and budget
use IT folks have been allotted by the financial auditors. J

The Fed environment goes even deeper and has tighter guidelines and IT
requirements, so many I don't have time to name them all.


__________________________________________________
Christopher D. Starford
SAIC Enterprise Security Sulutions




> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne () winternet com] 
> Sent: Friday, April 30, 2004 11:48 AM
> To: Starford, Christopher D.
> Cc: 'Harlan Carvey'; 'full-disclosure () netsys com'
> Subject: RE: [Full-disclosure] Top 15 Reasons Why Admins Use 
> Security Scan ners
>
>
> On Wed, 28 Apr 2004, Starford, Christopher D. wrote:
>
> > Harlan,
> >
> > I believe many true IT Security Auditors out there would agree that 
> > your wrong on this one.
>
>
> Yet, audits in the corp env's tend to focus not on IT nor 
> security, but bean-counting.  I've seen as HYarlan mentions 
> that the vast majority of auditors have been of the 
> finnancial category, and clueless about IT and it's processes 
> and such.  Now, this is not the auditors fault, but 
> managments, as well as that of the partnering companies that 
> make the request and hire in the wrong folks.
>
> Of course then there are the snack-oil IT folks, those that 
> pentest and such with a point and click tool and canned 
> report.  A thourough IT sec audiit requires that the audirot 
> become familiar with the org being audited and actually look 
> into system configs.  There are many issues in how systems 
> are confuifugered that a point and launch tool are not going 
> to uncover and a canned report will not mention.
>
> Thanks,
>
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in 
> humanity.  It eliminates dreams, goals, and ideals and lets 
> us get straight to the business of hate, debauchery, and 
> self-annihilation." -- Johnny Hart
>       ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html