Penetration Testing mailing list archives

Re: Crash in system scanned


From: DaKahuna <da.kahuna () gmail com>
Date: Tue, 8 Jan 2008 19:49:20 -0500


On Jan 7, 2008, at 10:48 AM, ahgaber_rehan () yahoo com wrote:

I need to know if an internal auditor is scanning a system over the LAN during an audit assignment, who should take the responsibility if the scanned system went down/crashed due to this scan. I am quite sure scanning has to be prearranged with IT and IT Security and approved on the targeted systems, and it's important for the IT auditor to perform such scanning to avoid any scope limitations during the audit.

It depends. In my company, Corporate IT Security has the right, by policy, to scan the network at any time without notifying anyone. We make sure that we do not DoS scans but other than that there is no guarantee. We have a requirement for all systems to be scanned on a monthly basis using one of a variety of tools and that scanning is done by IT / IT Security staff supporting the business. Corporate IT Security is the only group authorized to scan across the WAN without prior notification. Internal audit in my company does not do network scanning. If they want a network scan as part of the audit they are conducting, they get one of my staff or an SME from the business to support them.

As to who is responsible, in my opinion it is the application owner. Why should a Nessus or Nmap scan bring down a properly configured and fully patched application?

DK

