Penetration Testing mailing list archives

Re: Vulnerability Assessment


From: Pete Herzog <lists () isecom org>
Date: Tue, 24 Jul 2007 22:52:37 +0200

Hi John,

I find that vulnerability scanners are useful when they can do credentialed
scans to verify that the services are actually running and check patch
levels based on current patch data and such.  Nessus in particular is good
for this, and it also allows you to use it for configuration validation as
well provided that you pay for the commercial feed.  There are limitations
though.

I agree that vulnerability scanners can be useful if it is the answer to a question. The problem is many people start with the VS as the question, as if it's a necessity. Scanners have evolved through marketing to being the means to a vulnerability assessment rather than a tool of one. Maybe it's the "final" report that throws so many people off: that once the report is generated the work is done and not just the job.


Depending on what you find and the policy you are being held to further
validation may need to be done, but I think they're at least a good starting
point as long as you know it's not 'point-click-and-ship' and the report is
gospel.

I think just popping the results of nmap, hping2, hydra, unicornscan, and netcat into a database and correlating the results is the basic starting point and alone provides a lot more value than the vulnerability scanner. But this is for people who ask the right questions of their data. It also requires the ability to make a security analysis of the data, which is not too much to ask for from an IT security professional, right? Which is why so many members of the OSSTMM community pushed us to start the OPSA five years ago. It's a basic thing to know what you're asking for out of your tool data and not just being happy with what the tool is telling you about it in a report. Even if that tool is a scanner.

You know, many IT security professionals can't even tell you why Nessus runs a traceroute to each and every host in the list. To them it's just another thing in the report because Nessus didn't say why it was doing it. I haven't seen the newest versions of Nessus lately, but I wouldn't be surprised if now they said in the report why.


Nothing is better than having the ultimate validation: actual exploit of
said vulnerabilities and having nc running on a host listening for your
every command ;-)  The only issue is you're bound by policy there as well.

Even verification, or ultimate validation, is not necessary if you don't have a problem that requires this type of verification. You don't need to break a window to tell people it could be broken. However, if the investment is in an unbreakable window, then you can't walk away without swinging a hammer. Vulnerability assessments are the same. Not all bugs will be patched, because most are already mitigated through architecture changes, shutting down services, and various controls. Not all bugs matter. Realistically, very little needs to be exploited to prove a vulnerability assessment. An exploit is only needed if you have to prove penetration. To even use it to prove that a patch is applied is nonsense: you can only prove that the exploit still works despite patching, because if it doesn't, you have only proved that the exploit did not work for you. It can't prove a patch.

Sincerely,
-pete.
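Pete's point about loading several tools' results into a database and asking it questions, as an added example that is not part of the post: constructed sample lines in nmap -oG style, a unicornscan-style open-port list, and "host port banner" lines assumed to come from a small wrapper around nc are normalised into SQLite, and each open port is classified by how many sources corroborate it before it goes into a report.

```python
import re
import sqlite3

# Constructed sample tool output (not real scan data); the nc banner format
# "host port banner" is an assumption about how a wrapper would record it.
NMAP_OG = """\
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 192.0.2.11 ()  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 110/closed/tcp//pop3///
"""
UNICORNSCAN = """\
TCP open 192.0.2.10:22  ttl 64
TCP open 192.0.2.10:80  ttl 64
TCP open 192.0.2.10:443  ttl 64
TCP open 192.0.2.11:3306  ttl 64
"""
NC_BANNERS = """\
192.0.2.10 22 SSH-2.0-OpenSSH_4.3
192.0.2.10 80 HTTP/1.1 200 OK
192.0.2.11 22 SSH-2.0-OpenSSH_4.3
"""

def load_db():
    # Normalise every tool's notion of "open port" into one table, banners into another.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE port (tool TEXT, host TEXT, port INTEGER)")
    db.execute("CREATE TABLE banner (host TEXT, port INTEGER, text TEXT)")
    for line in NMAP_OG.splitlines():
        host = line.split()[1]
        for m in re.finditer(r"(\d+)/open/tcp", line):   # closed ports are skipped
            db.execute("INSERT INTO port VALUES (?,?,?)", ("nmap", host, int(m.group(1))))
    for m in re.finditer(r"TCP open (\S+):(\d+)", UNICORNSCAN):
        db.execute("INSERT INTO port VALUES (?,?,?)", ("unicornscan", m.group(1), int(m.group(2))))
    for line in NC_BANNERS.splitlines():
        host, port, text = line.split(" ", 2)
        db.execute("INSERT INTO banner VALUES (?,?,?)", (host, int(port), text))
    return db

def classify(db):
    # Ask the data a question: which open ports are corroborated, and by what?
    rows = db.execute("""
        SELECT p.host, p.port, COUNT(DISTINCT p.tool),
               (SELECT text FROM banner b WHERE b.host = p.host AND b.port = p.port)
        FROM port p GROUP BY p.host, p.port""").fetchall()
    result = {}
    for host, port, scanners, banner in rows:
        # a service answered: finding stands; two scanners agree but nothing spoke:
        # check by hand; one tool's word only: verify before it goes in a report
        status = ("confirmed" if banner else
                  "open-no-banner" if scanners > 1 else "single-source-verify")
        result[(host, port)] = status
    return result
```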
