Full Disclosure mailing list archives

RE: Top 15 Reasons Why Admins Use Security Scan ners

From: "Starford, Christopher D." <CHRISTOPHER.D.STARFORD () saic com>
Date: Wed, 28 Apr 2004 16:13:23 -0400

First an auditor checks for vulnerabilities of course (this is for
validation not to make that determination based on the auditee's saying or
reports from third party scanners). Then the auditor will determine the
extent and security surrounding those vulns and what the auditee is either
required (policy/procedure) or recommended (best practice) to fix those
vulnerabilities and stay secure.


__________________________________________________
Christopher D. Starford
SAIC Enterprise Security Sulutions

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com] 
Sent: Wednesday, April 28, 2004 3:05 PM
To: Starford, Christopher D.
Cc: 'full-disclosure () netsys com'
Subject: RE: [Full-disclosure] Top 15 Reasons Why Admins Use 
Security Scan ners

And you know something, Chris...that's fine.  Really. 
I just left a position in the private sector w/ a
company that was audited over a dozen times a year by
various customers.  Even their external auditors (ie,
*not* customers) were clueless when it comes to IT or
security.  One audit did include a knowledgeable
security professional on staff...but just one.  

But there's also another way to look at the original 
comment...security is a process.  Running a vulnerability 
scanner isn't a process...it's a point-in-time check, a 
snapshot.  A good IT security auditor won't focus on the fact 
that certain systems have vulnerabilities...he or she will 
focus on *why* they have the vulnerabilities.

I believe many true IT Security Auditors out there
would agree that your wrong on this one.

-How will I ever pass my IT Security Audits?
 
Don't worry about it...most audits don't seem to

have

an IT background, and even when they do, they

don't

take the time to understand your business

processes or

your network infrastructure.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

RE: Top 15 Reasons Why Admins Use Security Scan ners Starford, Christopher D. (Apr 28)
- <Possible follow-ups>
- RE: Top 15 Reasons Why Admins Use Security Scan ners Ng, Kenneth (US) (Apr 28)
- RE: Top 15 Reasons Why Admins Use Security Scan ners Stuart Fox (DSL AK) (Apr 28)
- RE: Top 15 Reasons Why Admins Use Security Scan ners Stuart Fox (DSL AK) (Apr 28)
  - RE: Top 15 Reasons Why Admins Use Security Scan ners Ron DuFresne (Apr 30)
- RE: Top 15 Reasons Why Admins Use Security Scan ners Starford, Christopher D. (Apr 30)