Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: "Anton J Aylward, CISSP" <aja () si on ca>
Date: 21 Aug 2002 22:25:06 -0400
On Wed, 2002-08-21 at 17:57, Dave Piscitello wrote:
> IMO, vulnerability assessment tools are too often too complex for those who need them, and too slow for those who do not.
I think the issue is the focus on vulnerability, not RISK. Yes, they're great for final checks, sort of like rattling the doorknob AFTER you've locked the door to make sure it DID latch. But if the VA tool shows up many flaws, you've got some serious problems over and above what it shows, and those flaws are in your security PROCESSES. (insert quote by Bruce Schneier)

And if they don't show flaws it may be because of the shortcomings of their database or the imagination of the designers - Word macro viruses being an example of that in the AV area some years back. And they also beg the question about the "hard outer shell and soft squishy center".

Some years back, us "greybeards" were irritated by the Big N-1 companies sending out junior/trainee accountants who were doing scans using the old, old ISS tool and just handing over the reports with no interpretation. I'm sure the junior accountants preferred this to poring over boxes of scrappy expense receipts.

I recall being called upon by a manager at a bank in a panic with one of these reports that was over 350 pages thick. Only 2 items were significant and, because of mitigating controls, were very low risk. But the Big N-12 company charged nearly three months' worth of my pre-tax salary for that report. I later went back and found a serious problem with encryption key storage that it didn't find - a real no-brainer that even the non-techie manager could understand.

Like many crutches, these tools can result in "learned disability".

/anton

-- 
It is against the grain of modern education to teach children to program. What fun is there in making plans, acquiring discipline in organizing thoughts, devoting attention to detail, and learning to be self-critical?
-- Alan Perlis

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: concerning ~el8 / project mayhem, (continued)
- Re: concerning ~el8 / project mayhem Marcus J. Ranum (Aug 17)
- Re: concerning ~el8 / project mayhem Marcus J. Ranum (Aug 17)
- Re: concerning ~el8 / project mayhem Paul D. Robertson (Aug 17)
- Re: concerning ~el8 / project mayhem Anton A. Chuvakin (Aug 21)
- Re: concerning ~el8 / project mayhem Paul Robertson (Aug 21)
- Re: concerning ~el8 / project mayhem Barney Wolff (Aug 21)
- Re: concerning ~el8 / project mayhem Anton J Aylward, CISSP (Aug 21)
- Re: concerning ~el8 / project mayhem Anton Chuvakin (Aug 21)
- RE:Vulnerability Scanners ( was: concerning ~el8 / project mayhem ) Josh Welch (Aug 21)
- Re: concerning ~el8 / project mayhem Dave Piscitello (Aug 21)
- Re: concerning ~el8 / project mayhem Anton J Aylward, CISSP (Aug 21)
- Re: concerning ~el8 / project mayhem Paul D. Robertson (Aug 17)
- Message not available
- Re: concerning ~el8 / project mayhem Dave Piscitello (Aug 22)
- Message not available
- Re: concerning ~el8 / project mayhem Dave Piscitello (Aug 22)
- Re: concerning ~el8 / project mayhem Adam Shostack (Aug 23)
- Re: concerning ~el8 / project mayhem Marcus J. Ranum (Aug 17)
- Re: concerning ~el8 / project mayhem Paul D. Robertson (Aug 18)
- RE: concerning ~el8 / project mayhem Bill Royds (Aug 18)
- Re: concerning ~el8 / project mayhem Barney Wolff (Aug 18)
- Re: concerning ~el8 / project mayhem Paul D. Robertson (Aug 19)
- Re: concerning ~el8 / project mayhem Barney Wolff (Aug 19)