Penetration Testing mailing list archives
Re: Auditing and requirements
From: Brian Russo <brianr () entropy net>
Date: Thu, 10 Jan 2008 21:36:05 +0000
AV software is a category 1 requirement (a few months ago it was anyway, not sure if it's changed) to connect to a DoD network; it's also referenced in the NISPOM somewhere in chapter 8, but that language is more flexible; it requires you implement malicious code/virus features 'as appropriate'.

I guess I don't understand why there wouldn't be antivirus software? Nor do I really understand your question... WRT STIGs being applied to systems they don't apply to (?).

Sorry if that doesn't help...

-bri

On Thu, Jan 10, 2008 at 12:36:46PM -0500, xelerated wrote:
> I wanted to ask here, since in my experience many pen testers have at least some audit experience. My question has to do with DISA STIGs. Now, it is my understanding, and that of everyone that I have asked so far, that the DISA STIGs are only requirements for DoD IA systems. So, who out there would give a company a finding for not having A/V on a Unix system based on DISA STIGs when the STIGs do not apply to the company nor the systems in question? And the actual policies and requirements that DO apply to said company and systems (NIST included) do not have any hard requirements for doing this.
>
> Also, as a side note, does it make any sense to go through a company and try to apply ALL STIGs possible, and for the ones that don't leave a system unusable, then write a justification for those?
>
> I thank you all for your input. It's an important issue to me right now and I greatly appreciate your feedback.
>
> Thanks
> Chris

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
Current thread:
- Auditing and requirements xelerated (Jan 10)
- Re: Auditing and requirements Brian Russo (Jan 10)