Security Basics mailing list archives

RE: System Self audit tool


From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Tue, 31 May 2011 12:27:31 -0400

Hello,
I checked Secunia PSI recently, and it was not able to identify several Windows 7 patches that failed to install, which 
clearly show up while checking upgrade status. To be honest, Nessus Professional Feed did not find them either. I would 
recommend that Nessus users run Nessus to identify vulnerabilities and then check Windows: Control Panel -> System and 
security -> Windows Update -> View update history. All failed updates will show up. I think that Windows 7 tricks us 
again, and possibly vulnerability scanners as well.
Regards

Mikhail A. Utin, CISSP
Information Security Analyst
Commonwealth Care Alliance
30 Winter St.
Boston, MA 
TEL: (617) 426-0600 x.288
FAX: (617) 249-2114
http://www.commonwealthcare.org
mutin () commonwealthcare org


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Todd Haverkos
Sent: Wednesday, May 25, 2011 3:02 PM
To: vedantamsekhar () gmail com
Cc: Security-basics () securityfocus com
Subject: Re: System Self audit tool

"vedantamsekhar () gmail com" <vedantamsekhar () gmail com> writes:
> Hi,
>
> I was given a task to search for and evaluate a self-audit tool which 
> allows users to run the tool from a central server. The tool should 
> verify the user's system for missing/old AV dat files, missing patches 
> and so on, and it should also provide links to the appropriate sites for 
> downloading the updates.  Are there any such tools/solutions available 
> in the market?

Sounds like you're in the market for a client-based or agent-based vulnerability scanning and patch management in one, 
but... in a way that puts the users on the hook for patch installation?  Your task giver may need to be challenged on 
their conviction that users will actually apply patches if prompted to do so.  In my experience, the vast majority of 
users simply won't, and will cheerfully click whatever button gets them to their work fastest. 

Secunia PSI does almost exactly what you've described, but is licensed (free) for non-commercial use only.  In addition 
to the obvious license issue, for a business, it's a non starter in a corporate environment because it doesn't 
centrally report to anything that lets you know your risk posture.

Secunia's CSI product, however, is their corporate analog to it which has a central server (on your premises) and a 
rather crude (IMO) patch distribution mechanism that tries to piggyback on Windows components without the value add 
that the Shavliks or BigFixes of the world have done to do this right.  However, it does a very nice job of reporting 
out of date client software with a supported/tracked software list that seems a lot more extensive than anyone else 
I've seen. 

On a side note, your AV's central console is probably the best to use for the AV dat file issue, though dedicated 
credentialed vuln scanners like Tenable Security Center (which leverages Nessus as the vuln scanner) also have plugins 
to flag out of date AV DAT's if you provide credentials to access the administrative shares on the box.  However, those 
are vuln scan only--they won't automate the patching process and they aren't agent based.  I'm not sure if Secunia will 
warn about out of date DAT's either. 

The other flavor of products out there are the agent based solutions like BigFix (swallowed recently by IBM) and 
LANDesk.  These are systems management suites and you can get patch and vulnerability management pieces to them, which 
handle the fix and detect problem respectively ... but you will need to get out your checkbook.  And you will find that 
the list of vendors/software they'll detect as out of date and will patch is not necessarily huge.  They aren't cheap, 
and they're most effective if you resign yourself to live in their world.

The sweet spot in ROI from my view is to get a vulnerability scanner your security people like, and then have the 
windows patch folks leverage Microsoft SCCM with something like Shavlik SCUPdates to handle the third party patching 
(Adobe, Quicktime, Java, and all the web plugins that still too many shops entirely neglect, but are the source of so 
much of client-side compromises).  

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
