Penetration Testing mailing list archives
Re: Vulnerability scanning routines - what is overkill.
From: Duncan Alderson <duncan.alderson () webantix net>
Date: Sat, 27 Aug 2011 09:55:17 +0100
Hi Cribbar, I can see the auditors point but he may not be putting the best case forward. If the organisation has a good security model in place with patching and hardening, there is still a need to scan the whole environment. Look at it as a defence in depth scan. What happens if a rouge device is added to network? A change on a device is added that has insecure consequences? I know there can be other controls in place to stop this happening but you cannot rely on a silver bullet product/process to secure your environment. You will need hundreds of bullets for each threat scenario you are defending against. My 2c Webantix On 22 Aug 2011, at 14:28, cribbar <crib.bar () hotmail co uk> wrote:
There was some debate the other day in our office (not tech IT myself) about what percentage of the infrastructure vulnerabilities in the nessus repository are taken out the equation if you have a thorough patch management policy for the infrastructure AND you scan the system before its brought into operation? What’s your view? What % of nessus vulns are addressed by scanning after build process and addressing the problems, and then applying a thorough patch mgmt policy from when it goes live? It’s been prompted by our auditors claims it is essential to run such scans must be run every month as new vulnerabilities are found all the time – but if they are patched, and stuff like default passwords / vendor back doors were addressed after the build process, before it went live, then what other kind of issues/events/activities cause a vulnerability that isn’t easily addressed by applying patches ASAP. We would probably fall into a “medium” security environment. There must be more to it than this around vulnerability scanning. Your views most welcome. Should the auditors give some flexibility and accept they’re recs are overkill, or do they have a point. -- View this message in context: http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Vulnerability scanning routines - what is overkill. cribbar (Aug 26)
- Re: Vulnerability scanning routines - what is overkill. Duncan Alderson (Aug 28)