Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: "Anton J Aylward, CISSP" <aja () si on ca>
Date: 21 Aug 2002 22:25:06 -0400

On Wed, 2002-08-21 at 17:57, Dave Piscitello wrote:

IMO, vulnerability assessment tools are too often too complex for those who 
need them, and too slow for those who do not.

I think the issue is that the focus is on vulnerability, not RISK.

Yes, they're great for final checks, sort of like rattling the door-knob
AFTER you've locked the door to make sure it DID latch.

But if the VA tool shows up many flaws, you've got some serious problems
over and above what it shows, and those flaws are in your security
PROCESSES.  (insert quote by Bruce Schneier) 

And if they don't show flaws it may be because of the shortcomings of
their database or the imagination of the designers - Word Macro viruses
being an example of that in the AV area some years back.

And they also beg the question about the "hard outer shell and soft
squishy center".

Some years back, we "greybeards" were irritated by the Big N-1 companies
sending out junior/trainee accountants who were doing scans using the old,
old ISS tool and just handing over the reports with no interpretation.
I'm sure the junior accountants preferred this to poring over boxes of
scrappy expense receipts.  I recall being called upon by a manager at a
bank in panic with one of these reports that was over 350 pages thick.
Only 2 items were significant and because of mitigating controls were
very low risk.  But the Big N-1 company charged nearly three months
worth of my pre-tax salary for that report.  I later went back and found
a serious problem with encryption key storage that it didn't find - a
real no-brainer that even the non-techie manager could understand.

Like many crutches, these tools can result in "learned disability".


/anton
-- 
It is against the grain of modern education to teach children to program.
What fun is there in making plans, acquiring discipline in organizing
thoughts, devoting attention to detail, and learning to be self-critical?
                -- Alan Perlis


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards