PaulDotCom mailing list archives

Scanning for Installed Security Software


From: bcg at struxural.com (Ben Greenfield)
Date: Sun, 25 Apr 2010 21:38:02 -0400

In my experience very very few organizations are capable of auditing
changes on workstation assets in a way that provides real assurance.

I think where most organizations completely drop the ball is on having
the audit capability per workstation (or per server or per device in
many organizations I've worked with).

I think the common practice is to stop with the easy task of
documenting that a particular asset class ought to and is approved to
receive an update, without ever doing the actual verification to
achieve the assurance that all workstations received the patch.

In some Military environments I've worked in there is a requirement
that in order to maintain network accreditation, daily credentialed
patch scans must be run.  There is usually a separate and distinct
role of Information Assurance Manager whose task is to verify that the
appropriate patch levels are being achieved.  Just so everyone's clear,
if the network loses accreditation, that means that your upstream
provider disconnects you.

I think part of what creates the culture where organizations stop
before reaching assurance is that they see a cost benefit in not
separating the duties of patch application and patch verification.  I
think there are other, less admirable causes in some cases as well,
such as ignorance or negligence.  I'm just using patching as an
example here, this applies to penetration tests, firewall audits, and
other areas.  The problem with not having the separation of duties is
that it creates a conflict of interest where a very often stressed-out
Administrator is the ground-zero for an organization's actual security
posture.



On Fri, Apr 23, 2010 at 3:42 PM, Daniel <Daniel at virturity.com> wrote:
When you say configuration management system, are you thinking a fully
developed CMDB with integration into Change management systems, proper audit
records, etc or more something like SMS/SCCM where the focus is more on the
deployment/reporting? I wonder how many organizations do disciplined
configuration management for workstation class assets.

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Carlos Perez
Sent: 23 April 2010 20:18
To: PaulDotCom Security Weekly Mailing List
Cc: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Scanning for Intalled Security Software

I would see this as a great opportunity to offer the client an asset
management system and a configuration management system if your
company sells those. I worry a bit when I find clients whose policies
lack proper configuration and asset management measures that include
all networked devices.

Carlos

Sent from my Mobile Phone

On Apr 23, 2010, at 10:39 AM, Shane Kelly <i0null at nightcoder.org> wrote:

Thanks for all your great suggestions!

With regards to machines that sit outside the domain they will be
looked at manually by the client, as these machines should most likely
not exist on the network.

I've personally not used the Nessus to do authenticated scans, so it's
good to hear it suggested. I'll have a look at each, but the client in
this case will probably be more comfortable with us using Nessus.

Thanks!
Shane

On 23 April 2010 14:40, <daniel at virturity.com> wrote:
I second that; works very well for machines in the domain. Had this
set up to check for AV (installed/running/revision of pattern and
engine), patching solution and some other bits. You can send a mail if
non compliant with your policies to support staff as well. Non domain
members are still a problem tho.

Daniel

On Fri, 23 Apr 2010 09:30:29 -0400, Carlos Perez
<carlos_perez at darkoperator.com> wrote:
If they are in the domain you can use wmi thru powershell, wmic,
wsh, etc. to automate the process and read the registry keys for
installed apps plus get a list of running processes

Carlos

Sent from my Mobile Phone

On Apr 23, 2010, at 8:22 AM, Shane Kelly <i0null at googlemail.com>
wrote:

Hey Guys,

Does anyone have any experience with doing agentless scanning for
installed software in a network?
I'm looking for instances where workstations may exist that do not
have Safeguard Easy or Anti-virus Installed.


Many thanks in advance,
Shane
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
--
Benjamin C. Greenfield, CISSP

bcg [at] struxural.com

Domains and Hosting for Less from Struxural:
http://www.struxural.com
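
The agentless check suggested in the thread (read the uninstall registry keys and the process list over WMI for domain machines, then flag what is missing), as an added example that is not part of the original messages. It uses the CIM cmdlets and the `StdRegProv` WMI class; the name patterns, process name and host names are placeholders, and the `*SafeGuard*` display-name pattern is an assumption.

```powershell
# Assumed: domain account with local admin on targets, WinRM reachable.
# NamePattern/Process values are placeholders; set them to your products.
$Required = @(
    @{ Label = 'Disk encryption'; NamePattern = '*SafeGuard*';  Process = $null },
    @{ Label = 'Anti-virus';      NamePattern = '*EXAMPLE-AV*'; Process = 'example-av.exe' }
)
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE (0x80000002)
$UninstallKeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-RemoteInstalledApp {
    param([Parameter(Mandatory)][string]$ComputerName)
    $common = @{ ComputerName = $ComputerName; Namespace = 'root/default'
                 ClassName = 'StdRegProv'; ErrorAction = 'Stop' }
    foreach ($key in $UninstallKeys) {
        # EnumKey returns no sNames when the key is absent (e.g. 32-bit hosts)
        $subKeys = (Invoke-CimMethod @common -MethodName EnumKey -Arguments @{
            hDefKey = $HKLM; sSubKeyName = $key }).sNames
        foreach ($sub in $subKeys) {
            $name = (Invoke-CimMethod @common -MethodName GetStringValue -Arguments @{
                hDefKey = $HKLM; sSubKeyName = "$key\$sub"
                sValueName = 'DisplayName' }).sValue
            if ($name) { $name }
        }
    }
}

function Test-SecuritySoftware {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $apps  = @(Get-RemoteInstalledApp -ComputerName $c)
            $procs = @(Get-CimInstance Win32_Process -ComputerName $c -ErrorAction Stop).Name
            foreach ($r in $Required) {
                [pscustomobject]@{
                    Computer  = $c; Check = $r.Label
                    Installed = [bool]($apps -like $r.NamePattern)
                    Running   = if ($r.Process) { $procs -contains $r.Process } else { $null }
                }
            }
        } catch {
            # Unreachable or access denied is a finding to follow up, not a pass.
            [pscustomobject]@{ Computer = $c; Check = 'UNREACHABLE'; Installed = $null; Running = $null }
        }
    }
}
# Constructed host names; report only the gaps.
Test-SecuritySoftware -ComputerName 'WS-EXAMPLE-01', 'WS-EXAMPLE-02' |
    Where-Object { $_.Installed -ne $true -or $_.Running -eq $false }
```

Hosts that come back as `UNREACHABLE` include the non-domain machines the thread says still have to be checked by hand.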

