Dailydave mailing list archives

Re: Catch22's in Vulnerability Management


From: Wolfgang Kandek <wkandek () qualys com>
Date: Mon, 11 Feb 2013 11:55:21 -0800

Dave,

we recommend our customers use authenticated scans to get the most accurate
picture of their computing infrastructure and the vulnerabilities
encountered. We believe that the value of the information gathered
especially for the typical client-side only vulnerabilities such as in
browsers, PDF readers, Java and others that are often out of date and
vulnerable, outweighs the risk associated with the use of the credentials.
In addition, the authentication methods we use do not cause credentials
to be cached. We try to offer the best possible options for authentication,
which includes public key on *nix systems and Kerberos/NTLMv2 on Windows
by default, with the option of disabling the downgrade to NTLMv1. We do not
think that the risk of MITM or session hijacking on a scan is any higher
than for the sessions that get established during normal business use.

We go to considerable lengths to harden our product platform, both on the
scanner and on the web application, starting with an SDL, periodic code
audits, structured builds and strong separation of duties for code
deployment. We encrypt important customer data and offer free 2-factor
authentication to secure access to the system.

In addition, customers can configure their scanners to retrieve credentials
from a local password vault if they prefer to store usernames and passwords
onsite. Password vaults assure that the scanner always has the latest
credential for the scan, which is not an easy task in larger organizations,
and help enforce password rotation policies.

-
Wolfgang Kandek
Qualys
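As an added example that is not part of either message above (and is not Qualys' or Tenable's code), the check an administrator would want after reading the exchange: confirm on a scan target or domain controller that the NTLMv1 downgrade Dave describes is refused (LmCompatibilityLevel 5 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), and look in the Security log for any 4624 logons where the scan account actually authenticated with NTLMv1. The account name svc-vulnscan and the 24-hour window are placeholders; in the event XML the field Event Viewer shows as "Package Name (NTLM only)" is named LmPackageName.

```powershell
# Added example (not Qualys' or Tenable's code): verify that this host refuses NTLMv1
# and report any NTLMv1 logons recorded for the scan account.
# Run in an elevated PowerShell session on the scan target (or a domain controller).
# Assumption: the scanner's domain account is named 'svc-vulnscan' (placeholder).

function Get-NtlmDowngradePosture {
    param(
        [string]$ScanAccount   = 'svc-vulnscan',  # assumed placeholder for the scanner account
        [int]   $LookbackHours = 24
    )

    # LmCompatibilityLevel controls which LAN Manager responses are sent and accepted:
    #   0-2 still send LM/NTLMv1 responses
    #   3   sends only NTLMv2, but as a server/DC still accepts LM and NTLMv1
    #   4   also refuses LM responses
    #   5   refuses both LM and NTLMv1; only NTLMv2 is accepted
    # Only level 5 makes a scan session that was downgraded to NTLMv1 fail outright.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level) { $level = 3 }   # effective default when the value is absent (Vista/2008 and later)

    $refusesV1 = ($level -ge 5)

    # Security event 4624 (successful logon) records the package actually negotiated in
    # LmPackageName: 'NTLM V1', 'NTLM V2', 'LM', or '-' when Kerberos was used. Any
    # 'NTLM V1' entry for the scan account means a downgrade happened, whether through
    # an attack on the wire or a misconfigured scanner.
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue

    $v1Logons = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
            $data['LmPackageName'] -eq 'NTLM V1' -and
            $data['TargetUserName'] -eq $ScanAccount) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIp  = $data['IpAddress']
                LogonType = $data['LogonType']   # 3 = network logon, the type a remote scan produces
            }
        }
    }

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        LmCompatibilityLevel = $level
        RefusesNtlmV1        = $refusesV1
        ScanAccountV1Logons  = @($v1Logons)
    }
}

$posture = Get-NtlmDowngradePosture
$posture | Format-List Host, LmCompatibilityLevel, RefusesNtlmV1

if (-not $posture.RefusesNtlmV1) {
    Write-Warning "LmCompatibilityLevel is $($posture.LmCompatibilityLevel); set it to 5 so LM and NTLMv1 responses are refused."
}
if ($posture.ScanAccountV1Logons.Count -gt 0) {
    Write-Warning "NTLMv1 logons recorded for the scan account in the lookback window:"
    $posture.ScanAccountV1Logons | Format-Table -AutoSize
}
```

The registry check answers the configuration half of the question (can a downgrade succeed at all), and the 4624 query answers the evidence half (has one already happened for this account). Setting LmCompatibilityLevel to 5 is the same control the reply above describes as "disabling the downgrade to NTLMv1", applied on the target side rather than in the scanner.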


On Wed, Feb 6, 2013 at 11:03 AM, Dave Aitel <dave () immunityinc com> wrote:

 I love both our Qualys and Tenable friends, but I have to say, I worry
about "authenticated scans". Perhaps my worry is unwarranted, but having a
domain admin that is connecting to and trying to authenticate to every host
on the network seems like a very bad idea.

For example:

   - What if you do an NTLM proxy attack?
   - What if you downgrade your accepted protocols to NTLMv1 and then
     crack the hash and now are domain admin for free?
   - What if there is some vulnerability in the web apps or host box
     that supports these programs?
   - When Qualys, for example, logs into MS SQL, and I have MITM on that
     network, why can't I just take over the connection and be admin from then
     on?


https://community.qualys.com/docs/DOC-4095
http://static.tenable.com/documentation/nessus_credential_checks.pdf

If these attacks work, it's a bit of a catch22. In order to achieve
compliance, you must be out of compliance!

I assume people are using authenticated scans, because without it, you're
generally getting lots of false positives to weed through, which is
annoying (and for which we sell CANVAS plugins :>).

-dave

--
INFILTRATE - the world's best offensive information security conference.
April 2013 in Miami Beach
www.infiltratecon.com


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

