Penetration Testing mailing list archives

Re: [PEN-TEST] Online Security Vulnerability Services


From: Jason Sheffield <jsheffield () AXENT COM>
Date: Wed, 23 Aug 2000 12:33:26 -0400

Mark,
  I have actually had Gibson Research's (www.grc.com) downloadable client
used against me (previous job with an International Telecom) to scan hosts
visible to the Internet.  I was a lone PIX admin with the job of tracking
down possible intrusion attempts.  All that it requires is that you have a
dual NIC'ed (or modem and NIC) host and you assign one of your interfaces
the IP of the box you are trying to scan.  The client will ask which IP of
your "LOCAL" machine you would like to scan, and voila, you have an
anonymous port scanner at your fingertips.  All sniffer traces point right
back to GRC, and stop there.  Nice "feature", don't you think?

My personal experience is that I don't trust them to do a complete job, and
I know that a lot of unknowing users on the Internet trust these online
scanners to give them that "nice, warm, fuzzy feeling" about security.  Big
mistake, as complacency makes you drop your guard.  Besides, who knows what
sorts of data these scanners collect on the back end.

Just my $.02

Regards,
Jason

-----Original Message-----
From: Teicher, Mark [mailto:mark.teicher () NETWORKICE COM]
Sent: Monday, August 21, 2000 7:09 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Online Security Vulnerability Services


Has anyone checked them out?  Who would you recommend?  Are Online Security
Vulnerability services any different from penetration and attack testing?

/thanks in advance for the info

/mark

