Security Basics mailing list archives
Re: SEKCHEK
From: mindthegap () telkomsa net
Date: 9 Nov 2005 22:47:33 -0000
Having dealt with SEKCHEK before, I think your major concern is that you are going to be sending potentially sensitive information to a third party (SEKCHEK) with whom you have no contract or legal recourse in place. You may perhaps have a claim against your consulting/audit firm; however, these are usually limited by the contracts you sign with them.

The executable SEKCHEK runs collects all sorts of information from your systems, in different ways, depending on the type of operating system being assessed. If you look at the end reports, they include things like audits of actual password strengths, which can only mean that they actually extract the passwords along with your usernames. Add to that the fact that they extract other information, such as parts, if not all, of the registry on a Windows machine, for example, and it means that they have enough to know who you are, what your security looks like and what your passwords are. Not great to have a third party know that, now is it?

Their take on the whole scenario is that they take great care in securing this information. However, how many system admins do you know who stay at one company forever? And, more importantly, how many people do you know that take company information with them when they leave? My point being: are you willing to trust the system admins of a third party? They are in a unique position to create a nifty little database of companies, usernames and passwords.

Besides all of this, SEKCHEK is not the greatest or most comprehensive tool for reviewing your security; it definitely leaves a lot to be desired. It is, however, quick and easy, which is perhaps why your auditor wants it.

MTG
Current thread:
- SEKCHEK cweatherford (Nov 08)
- Re: SEKCHEK xyberpix (Nov 09)
- <Possible follow-ups>
- Re: SEKCHEK mindthegap (Nov 10)
- Re: Re: SEKCHEK pro_logos (Nov 15)