Full Disclosure mailing list archives

RE: Another Low Blow From Microsoft: MBSA Failure!


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 12 Feb 2004 13:34:09 -0600

Drew,

I apologize for alienating these users.

Clarification appreciated. As someone who has used Retina for years,
and performs vulnerability assessment and incident response for a living, I
share your concerns about the quality of MBSA (and appreciate the things
that Retina does well in this area).

However, we too have clients that cannot afford comprehensive assessment
services or even their own licenses for the assessment tools we use.

Recommendations must always be kept in business/organizational context.

To such users: please start using the free Nessus tool. Use MBSA as a
back-up. Check in-person on any suspicious anomalies.

Nessus has its strengths and weaknesses, and is beyond the technical
capability of some clients to use _effectively_.

MBSA provides useful information outside the scope of Nessus, such as
configuration checks that are consistently accurate for the OS, and information
regarding MS-recommended configs for certain app servers. Understanding
MBSA's limitations and RTM is the key here; I'd hate to discourage someone
from using it due to the risk of false positive/negative information discussed
in this thread, if they currently do nothing at all (or cannot afford otherwise).

The combination of the free MS tools MBSA and SUS is a powerful audit
and patch management solution for the cost. I highly encourage MS shops
to use these unless they have or can afford better commercial solutions
(and there are _many_, Retina being a good VA/audit upgrade example).

Read the documentation well, the release notes on the patches, and with
some time spent manually validating MBSA's findings, you'll identify and
be able to account for the weaknesses in MBSA.

Nota Bene: MBSA is an *audit* tool, not a *vulnerability scanner*.

I do not use MBSA as an assessment tool, would not, and we do not use
it internally at FishNet Security. We do evaluate new releases as part of
our assessment services, to decide if it is an efficacious recommendation
for those clients that fall in the MBSA/SUS cost/benefit category, hence
my response.

[no control over attached auto-disclaimer] </sorry>

Arian Evans
Sr. Security Engineer
FishNet Security

Phone:  816.421.6611
Toll Free:  888.732.9406
Fax:  816.421.6677

http://www.fishnetsecurity.com

note: Microsoft Office XP breaks text-based
email by default.

Turn off the "remove extra line breaks" located
at |Tools|Options|Email Options if this formats
incorrectly.

The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html