Re: Vulnerability scanning routines - what is overkill.

[Duncan Alderson <duncan.alderson () webantix net>]

Hi Cribbar,

I can see the auditors point but he may not be putting the best case forward. 

If the organisation has a good security model in place with patching and hardening, there is still a need to scan the 
whole environment. Look at it as a defence in depth scan. What happens if a rouge device is added to network? A change 
on a device is added that has insecure consequences?

I know there can be other controls in place to stop this happening but you cannot rely on a silver bullet 
product/process to secure your environment.

You will need hundreds of bullets for each threat scenario you are defending against.

My 2c

Webantix

On 22 Aug 2011, at 14:28, cribbar <crib.bar () hotmail co uk> wrote:

> There was some debate the other day in our office (not tech IT myself) about
> what percentage of the infrastructure vulnerabilities in the nessus
> repository are taken out the equation if you have a thorough patch
> management policy for the infrastructure AND you scan the system before its
> brought into operation? 
>
> What’s your view? What % of nessus vulns are addressed by scanning after
> build process and addressing the problems, and then applying a thorough
> patch mgmt policy from when it goes live? 
>
> It’s been prompted by our auditors claims it is essential to run such scans
> must be run every month as new vulnerabilities are found all the time – but
> if they are patched, and stuff like default passwords / vendor back doors
> were addressed after the build process, before it went live, then what other
> kind of issues/events/activities cause a vulnerability that isn’t easily
> addressed by applying patches ASAP.
>
> We would probably fall into a “medium” security environment. 
>
> There must be more to it than this around vulnerability scanning. Your views
> most welcome. Should the auditors give some flexibility and accept they’re
> recs are overkill, or do they have a point.
>
> -- 
> View this message in context: 
> http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html
> Sent from the Penetration Testing mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified. 
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------