Penetration Testing mailing list archives

Re: Auditing and requirements


From: Brian Russo <brianr () entropy net>
Date: Thu, 10 Jan 2008 21:36:05 +0000

AV software is a category 1 requirement (A few months ago it was anyway, not sure if it's changed) to connect to a DoD 
network; it's also referenced in the NISPOM somewhere in chapter 8 but that language is more flexible; it requires you 
implement malicious code/virus features 'as appropriate'.

I guess I don't understand why there wouldn't be antivirus software?
Nor do I really understand your question.. WRT STIGs being applied to systems they don't apply to (?).

Sorry if that doesn't help..

  -bri


On Thu, Jan 10, 2008 at 12:36:46PM -0500, xelerated wrote:
I wanted to ask here, since in my experience many pen testers have at least some audit experience.

My question has to do with DISA STIGs. Now, it is my understanding, and that of everyone that I have asked so far, that the DISA STIGs are only requirements for DoD IA systems.

So, who out there would give a company a finding for not having A/V on a Unix system based on DISA STIGs when the STIGs do not apply to the company nor the systems in question? And the actual policies and requirements that DO apply to said company and systems (NIST included) do not have any hard requirements for doing this.

Also, as a side note, does it make any sense to go through a company and try to apply ALL STIGs possible, and for the ones that don't leave a system unusable, then write a justification for those?

I thank you all for your input. It's an important issue to me right now and I greatly appreciate your feedback.

Thanks
Chris
