Penetration Testing mailing list archives
Re: False-negatives in several Vulnerability Assessment tools
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 16 Apr 2003 12:03:46 -0400 (EDT)
On Tue, 15 Apr 2003, Muhammad Faisal Rauf Danka wrote:
> Very informative article I must say. However, <quote> Numerous Vulnerability Assessment (VA) tools are available for security engineers, pen-testers and network administrators. Their results are mostly trusted by users since they don't have time nor competences to validate that output. </quote> Users should not be the ones to validate the output. The results of (VA) tools should be thoroughly identified and manually checked by the <quote> security engineers, pen-testers and network administrators </quote>
agreed, yet, this is not always a positive angle on the generated reports. *How* those reports are evaluated by the 'professionals' in an organization is not a standard. Example, I work in an organization whence the security folks run a couple of scanners weekly to determine the networks' and various servers' common exposures. New systems are scanned by iis and nessus prior to being placed into some production environs. What the folks who manage these systems get from the sec pros is a pile of printed results of these scans, sometimes with an e-mail stating the system passes and can be placed, or the system failed due to this port/vuln being spotted by the scanners.

Damned if we did not have a couple of solaris 8 servers repeatedly fail due to suspected pcanywhere ports open on the systems! Course, these servers were running portsentry, and though the ports had nothing on them <closed> portsentry was monitoring those ports, which resulted in the scanners -=thinking=- they were open and used by pcanywhere. We turn off pcanywhere and have the systems rescanned and all 'reports' well. Real sec professionals might well have concluded the likelihood that a sun box would be running pcanywhere was highly suspect and most likely tapped the admin staff to evaluate the false positives. But, we seldom see these 'sec pros', course it's not that we would be kind, after all they were the ones that determined that the proper thing to do under code red and nimda, to eliminate the firewalls clogging with internal systems trying to spew cruft to infect our internet neighbors, was to just kill the firewalls off for the most part and let our infected packets wreak havoc on the internet at large.

The point<s> here being;

1> scanners are merely a tool, one of the tools at the disposal of those doing sec work in its various forms, and that one single scan run and its derivative report are meaningless without further insight and evaluation.

2> the quality of those working in security related positions varies dramatically, as well as their abilities to really function in the capacity they were hired to perform.

3> not all sec folks understand the motto/pledge of 'do no harm'.

Thanks,

Ron DuFresne
> Another thing, now are we looking towards re-designing of several plugins for other languages and accordingly newer plugins to have different language versions and it would affect several signatures in various (IDS) too. Did you contact most if not all (VA) and (IDS) vendors regarding this, and what's their response?
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
> [ATTITUDEX.COM] http://www.attitudex.com/
--
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
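The portsentry false positive described in the message above, as an added example that is not part of the original thread: a Python triage pass that cross-checks each port-based scanner finding against the host's OS and a host-side list of listening processes before anyone acts on the report. All host names, process names and lookup tables are constructed assumptions.

```python
# Added example; every host, process name and table here is constructed.
SCAN_FINDINGS = [  # (host, proto, port, service guessed from the port number)
    ("sol8-app1", "tcp", 5631, "pcanywhere"),
    ("sol8-app1", "tcp", 22, "ssh"),
    ("win-desk7", "tcp", 5631, "pcanywhere"),
    ("sol8-db2", "tcp", 5631, "pcanywhere"),
]
HOST_OS = {"sol8-app1": "solaris", "sol8-db2": "solaris", "win-desk7": "windows"}
# Host-side inventory supplied by the admins: "host proto port process"
LISTENERS = """\
sol8-app1 tcp 5631 portsentry
sol8-app1 tcp 22 sshd
win-desk7 tcp 5631 awhost32.exe
"""
# Assumed review tables, maintained by whoever evaluates the reports.
PORT_MONITORS = {"portsentry"}  # tools that bind ports only to watch them
SERVICE_PLATFORMS = {"pcanywhere": {"windows"}, "ssh": {"solaris", "windows"}}
EXPECTED_PROCESS = {"pcanywhere": {"awhost32.exe"}, "ssh": {"sshd"}}

def parse_listeners(text):
    """Map (host, proto, port) to the process that holds the socket."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            host, proto, port, proc = line.split()
            table[(host, proto, int(port))] = proc
    return table

def classify(finding, host_os, listeners):
    host, proto, port, service = finding
    proc = listeners.get((host, proto, port))
    os_name = host_os.get(host, "unknown")
    if proc is None:
        return "recheck: host reports no listener on this port"
    if proc in PORT_MONITORS:
        return f"false positive: port is held by {proc}, not {service}"
    if os_name not in SERVICE_PLATFORMS.get(service, set()):
        return f"investigate: {service} is implausible on {os_name} ({proc})"
    if proc in EXPECTED_PROCESS.get(service, set()):
        return "confirmed"
    return f"investigate: unexpected listener {proc}"

def triage(findings=SCAN_FINDINGS, host_os=HOST_OS, listeners_text=LISTENERS):
    listeners = parse_listeners(listeners_text)
    return {(f[0], f[2]): classify(f, host_os, listeners) for f in findings}

if __name__ == "__main__":
    for key, verdict in triage().items():
        print(key, verdict)
```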
Current thread:
- False-negatives in several Vulnerability Assessment tools Nicolas Gregoire (Apr 07)
- <Possible follow-ups>
- Re: False-negatives in several Vulnerability Assessment tools Muhammad Faisal Rauf Danka (Apr 16)
- Re: False-negatives in several Vulnerability Assessment tools R. DuFresne (Apr 16)
- Re: False-negatives in several Vulnerability Assessment tools Jimi Thompson (Apr 17)
- RE: False-negatives in several Vulnerability Assessment tools Craig H. Rowland (Apr 17)
- Port Scanners / Sniffers Review Sam (Apr 24)
- Re: Port Scanners / Sniffers Review cdowns (Apr 24)
- Re: Port Scanners / Sniffers Review Mary-RR (Apr 24)
- Re: Port Scanners / Sniffers Review Paul Vlissidis (Apr 27)
- Re: Port Scanners / Sniffers Review Philippe Biondi (Apr 30)
- Re: False-negatives in several Vulnerability Assessment tools R. DuFresne (Apr 16)