Penetration Testing mailing list archives
Re: False-negatives in several Vulnerability Assessment tools
From: Jimi Thompson <jimit () myrealbox com>
Date: Wed, 16 Apr 2003 19:53:25 -0500
<SNIP>
> Numerous Vulnerability Assessment (VA) tools are available for security
> engineers, pen-testers and network administrators. Their results are
> mostly trusted by users since they don't have time nor competences to
</SNIP>

<SNIP>
*How* those reports are evaluated by the 'professionals' in an organization is not a standard. Example, I work in an organization whence the security folks run a couple of scanners weekly to determine the networks, and various servers' common exposures. New systems are scanned by iis and nessus prior to being placed into some production environs.
</SNIP>
My current employer, which is a Fortune 10 company, shall be referred to as "Ralph Co." I've been with Ralph Co for 2 years now. Our security there is relatively pathetic. I have had to go to upper management because our security manager will run a scan at random and decide a given service needs to be terminated because the scanning tool that he's demo-ing that week says that it's a "critical vulnerability". I have had to try to explain to him several times that he pays us a lot of money to exercise our professional judgement in verifying what is and is not a real vulnerability. His answer is that "The tool says so, so it must be."

The nadir of this process was him insisting that we shut down a "Code Red Infected Server". Too bad it turned out to be a developer's Apple iBook.
My point with all this is what you do with the scans AFTER you run them. If you want intelligent analysis of the report, you get a security professional that knows how to check things manually and knows when output from the scanner looks dubious. Any reasonably intelligent person can operate the scanner software and print out the report when it's done. The skill and expertise comes in interpreting the output and making meaningful suggestions that actually improve security.

--
Thanks,
Ms. Jimi Thompson, CISSP, Rev.

"I'm a great believer in luck, and I find the harder I work, the more I have of it." -- Thomas Jefferson