Dailydave mailing list archives
Re: Catch22's in Vulnerability Management
From: Wolfgang Kandek <wkandek () qualys com>
Date: Mon, 11 Feb 2013 11:55:21 -0800
Dave, we recommend our customers use authenticated scans to get the most accurate picture of their computing infrastructure and the vulnerabilities encountered. We believe that the value of the information gathered, especially for the typical client-side only vulnerabilities such as in browsers, PDF readers, Java and others that are often out of date and vulnerable, outweighs the risk associated with the use of the credentials. In addition, the authentication methods we use do not cause credentials to be cached.

We try to offer the best possible options for authentication, which includes public key on *nix systems and Kerberos/NTLMv2 on Windows by default, with the option of disabling the downgrade to NTLMv1. We do not think that the risk of MITM or session hijacking on a scan is any higher than for the sessions that get established during normal business use.

We go to considerable lengths to harden our product platform, both on the scanner and on the web application, starting with an SDL, periodic code audits, structured builds and strong separation of duties for code deployment. We encrypt important customer data and offer free 2-factor authentication to secure access to the system.

In addition, customers can configure their scanners to retrieve credentials from a local password vault if they prefer to store usernames and passwords onsite. Password vaults assure that the scanner always has the latest credential for the scan, which is not an easy task in larger organizations, and help enforce password rotation policies.

- Wolfgang Kandek
Qualys

On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <dave () immunityinc com> wrote:
> I love both our Qualys and Tenable friends, but I have to say, I worry about "authenticated scans". Perhaps my worry is unwarranted, but having a domain admin that is connecting to and trying to authenticate to every host on the network seems like a very bad idea. For example:
>
> - What if you do a NTLM proxy attack?
> - What if you downgrade your accepted protocols to NTLMv1 and then crack the hash and now are domain admin for free?
> - What if there is some vulnerability in the web apps or host box that supports these programs?
> - When Qualys, for example, logs into MS SQL, and I have MITM on that network, why can't I just take over the connection and be admin from then on?
>
> https://community.qualys.com/docs/DOC-4095
> http://static.tenable.com/documentation/nessus_credential_checks.pdf
>
> If these attacks work, it's a bit of a catch22. In order to achieve compliance, you must be out of compliance!
>
> I assume people are using authenticated scans, because without it, you're generally getting lots of false positives to weed through, which is annoying (and for which we sell CANVAS plugins :>).
>
> -dave
>
> --
> INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
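The two concrete worries in the exchange above, an NTLMv1 downgrade of the scan account and an NTLM relay of its authentication, both leave a footprint in the target's Security log. Below is an added example (not code from either post, and not part of any Qualys or Tenable product) that audits Windows event 4624 text for them: it flags any NTLM logon negotiated as "NTLM V1", and any logon of the scanner account whose Source Network Address is not one of the known scanner appliances, which is what a relayed session looks like on the victim host. The account name svc-vulnscan, the addresses, and the event bodies are all constructed for the example.

```python
"""Audit Windows Security event 4624 text for scanner-account risks.

Checks, over a batch of 4624 event bodies in Event Viewer text layout:
  1. NTLMv1 downgrade: 'Package Name (NTLM only)' is 'NTLM V1'.  If the
     scan account is configured to refuse NTLMv1, this must never appear.
  2. Relay footprint: the scanner account logs on from a source address
     that is not a scanner appliance.  A relayed NTLM session reaches the
     target from the attacker's host, so the source IP, not the workstation
     name (which the attacker can pass through), is the discriminator.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Logon:
    account: str        # the 'New Logon' account, lower-cased
    auth_package: str   # "NTLM", "Kerberos" or "Negotiate"
    ntlm_version: str   # "NTLM V1", "NTLM V2", or "-" when not NTLM
    source_ip: str      # 'Source Network Address'
    logon_type: str     # "3" for network logons


# "Key:   value" lines in the Event Viewer text rendering; lazy key so that
# IPv6 source addresses (which contain ':') stay in the value.
_FIELD = re.compile(r"^[ \t]*(?P<k>[^:\n]+?):[ \t]*(?P<v>[^\n]*?)[ \t]*$", re.MULTILINE)


def parse_4624(text: str) -> Logon:
    """Parse one 4624 event body into a Logon record."""
    fields: dict[str, list[str]] = {}
    for m in _FIELD.finditer(text):
        fields.setdefault(m.group("k"), []).append(m.group("v"))

    def last(key: str, default: str = "-") -> str:
        vals = fields.get(key)
        return vals[-1] if vals else default

    # 4624 carries 'Account Name' twice: under 'Subject' (the requesting
    # context, usually '-' for network logons) and under 'New Logon' (the
    # account that actually authenticated).  The last occurrence is the latter.
    return Logon(
        account=last("Account Name").lower(),
        auth_package=last("Authentication Package"),
        ntlm_version=last("Package Name (NTLM only)"),
        source_ip=last("Source Network Address"),
        logon_type=last("Logon Type"),
    )


def audit(events: list[str], scanner_accounts: set[str], scanner_ips: set[str]) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) tuples for every risky logon in `events`."""
    findings = []
    for text in events:
        lg = parse_4624(text)
        detail = f"{lg.account} from {lg.source_ip}"
        if lg.auth_package == "NTLM" and lg.ntlm_version == "NTLM V1":
            findings.append(("ntlmv1", detail))
        if lg.account in scanner_accounts and lg.source_ip not in scanner_ips:
            findings.append(("scanner-unexpected-source", detail))
    return findings


def _event(account: str, src_ip: str, auth_pkg: str, ntlm_ver: str, workstation: str) -> str:
    """Build a constructed 4624 body in the Event Viewer text layout (SIDs are placeholders)."""
    logon_process = "Kerberos" if auth_pkg == "Kerberos" else "NtLmSsp"
    return f"""An account was successfully logged on.
Subject:
    Security ID:        S-1-0-0
    Account Name:       -
    Account Domain:     -
Logon Type:         3
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       {account}
    Account Domain:     CORP
Network Information:
    Workstation Name:   {workstation}
    Source Network Address: {src_ip}
Detailed Authentication Information:
    Logon Process:      {logon_process}
    Authentication Package: {auth_pkg}
    Package Name (NTLM only): {ntlm_ver}
    Key Length:         128
"""


SCANNER_ACCOUNTS = {"svc-vulnscan"}          # assumed scan account name
SCANNER_IPS = {"10.0.5.20", "10.0.5.21"}     # assumed scanner appliance addresses

SAMPLE_EVENTS = [
    _event("svc-vulnscan", "10.0.5.20", "NTLM", "NTLM V2", "SCN01"),  # normal scan logon
    _event("svc-vulnscan", "10.0.5.20", "NTLM", "NTLM V1", "SCN01"),  # downgraded to NTLMv1
    _event("svc-vulnscan", "10.0.77.9", "NTLM", "NTLM V2", "SCN01"),  # scan creds from a non-scanner host
    _event("jdoe", "10.0.30.14", "NTLM", "NTLM V1", "WS014"),         # unrelated NTLMv1 logon
    _event("svc-vulnscan", "10.0.5.21", "Kerberos", "-", "SCN02"),    # Kerberos, no NTLM package
]

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EVENTS, SCANNER_ACCOUNTS, SCANNER_IPS):
        print(f"{kind}: {detail}")
```

Run against real data by exporting 4624 events as text (for example from Event Viewer or `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:text`) and splitting on the "An account was successfully logged on." header; the scanner account set and appliance address set are the only site-specific inputs. The NTLMv1 check is deliberately not restricted to the scan account, because a single NTLMv1 logon anywhere shows the downgrade is still accepted on that host.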