Security Basics mailing list archives

Re: SEKCHEK


From: mindthegap () telkomsa net
Date: 9 Nov 2005 22:47:33 -0000

Having dealt with SEKCHEK before, I think your major concern is that you are going to be sending potentially sensitive 
information to a third party (SEKCHEK) with whom you have no contract or legal recourse in place. You may perhaps have 
a claim against your consulting/audit firm; however, these are usually limited by the contracts you sign with them.

The executable SEKCHEK runs collects all sorts of information from your systems, in different ways, depending on the 
type of operating system being assessed. If you look at the end reports, they include things like audits of actual 
password strengths, which can only mean that they actually extract the passwords along with your usernames... add to that 
the fact that they extract other information such as parts, if not all, of the registry on a Windows machine, for 
example, and it means that they have enough to know who you are, what your security looks like and what your passwords 
are... not great to have a third party know that, now is it?

Their take on the whole scenario is that they take great care in securing this information... however, how many system 
admins do you know who stay at one company forever... and more importantly, how many people do you know that take 
company information with them when they leave... my point being, are you willing to trust the system admins of a third 
party? They are in a unique position to create a nifty little database of companies, usernames and passwords.

Besides all of this... SEKCHEK is not the greatest or most comprehensive tool for reviewing your security... it 
definitely leaves a lot to be desired. It is, however, quick and easy, which is perhaps why your auditor wants it.

MTG
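The practical check that follows from the post is to inspect what a collection tool has gathered before the bundle leaves the organisation, rather than trusting the third party's handling of it. The script below is an added example written for this archive page; it is not SEKCHEK's code, and the post does not describe SEKCHEK's actual output layout, so the example assumes a generic directory bundle with constructed files. It walks the bundle and flags files that look like raw registry hives or `.reg` exports, pwdump-style `user:rid:LMhash:NThash` lines, crypt-style shadow entries, or `Password=` style keys, so an administrator can see at a glance whether credentials or registry contents are about to be shipped to an auditor.

```python
import re
import tempfile
from pathlib import Path

# File names and extensions that usually mean a raw registry hive or an
# exported registry fragment is in the bundle (constructed list, not from SEKCHEK).
HIVE_NAMES = {"sam", "system", "security", "ntuser.dat"}
HIVE_EXTENSIONS = {".reg", ".hiv"}

# Content signatures. The hash regex matches the common pwdump-style
# user:rid:LMhash:NThash layout; the shadow regex matches crypt(3)-style hashes;
# the keyword regex catches plaintext "Password=" / "Password": settings.
CONTENT_PATTERNS = {
    "lm_nt_hash": re.compile(r"^[^:\s]+:\d+:[0-9a-fA-F]{32}:[0-9a-fA-F]{32}", re.M),
    "unix_shadow": re.compile(r"^[^:\s]+:\$[0-9a-z]+\$[^:\s]+", re.M),
    "password_keyword": re.compile(r'password"?\s*[=:]', re.I),
}


def classify_file(path: Path) -> list[str]:
    """Return the list of sensitivity labels that apply to one file."""
    findings = []
    if path.name.lower() in HIVE_NAMES or path.suffix.lower() in HIVE_EXTENSIONS:
        findings.append("registry-or-hive")
    try:
        # Binary hives decode to noise under errors="replace"; that is acceptable here,
        # the name check above has already flagged them.
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    for label, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            findings.append(label)
    return findings


def audit_bundle(root: Path) -> dict[str, list[str]]:
    """Walk a collected bundle and map each flagged file (relative path) to its labels."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            labels = classify_file(path)
            if labels:
                report[path.relative_to(root).as_posix()] = labels
    return report


def build_sample_bundle() -> Path:
    """Create a constructed bundle in a temp dir; every file here is made up for the demo.

    The LM/NT values are the well-known hashes of an empty password, not real credentials.
    """
    root = Path(tempfile.mkdtemp(prefix="bundle-"))
    (root / "win").mkdir()
    (root / "unix").mkdir()
    (root / "hosts.txt").write_text("fileserver01\nmailserver01\n")          # benign inventory
    (root / "win" / "SAM").write_bytes(b"regf" + b"\x00" * 64)               # fake hive header
    (root / "win" / "export.reg").write_text(
        'Windows Registry Editor Version 5.00\n\n'
        '[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleApp]\n'
        '"Password"="hunter2"\n'
    )
    (root / "win" / "pwdump.txt").write_text(
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
        "31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
    )
    (root / "unix" / "shadow").write_text(
        "svc:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
    )
    return root


if __name__ == "__main__":
    bundle = build_sample_bundle()
    for name, labels in audit_bundle(bundle).items():
        print(f"{name}: {', '.join(labels)}")
```

Running it against the constructed bundle reports the hive, the `.reg` export, the pwdump file and the shadow file, and stays silent on the host inventory. Point `audit_bundle` at a real collection directory to get the same report; anything it flags is what you would be handing to the auditor and, through them, to the tool vendor.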

