Penetration Testing mailing list archives

Re: Vulnerability scanning routines - what is overkill.


From: Nick Besant <lists () hwf cc>
Date: Thu, 01 Sep 2011 12:48:04 +0100

Following on from the key point below: frequent scanning of your
environment will go some way towards highlighting any new devices on the
network and also changes in service availability to existing devices on
your network - however, it's not just new vulnerabilities you should be
aware of; quick-fixes, changes in configuration etc. can easily lead to
much older issues resurfacing (e.g. an admin may unintentionally restore
old versions of libraries/code as part of a fix). 

Additionally, I'd consider it good practice to be aware of existing
services disappearing or changing, which could simply be intentional,
authorised configuration changes or could be due to malicious activity.

I would also point out that while Nessus is a valuable tool, it is one
that should be used in conjunction with others (as Duncan points out) -
manual and/or automated, to provide as full a picture as your resources
allow.

Regards

Nick
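
The "frequent scanning highlights new devices and changed services" point above is easy to act on if each scan is kept and diffed against the previous one. The following is an added example (not code from the original post or from Nick): it parses two constructed scan snapshots in nmap "grepable" (-oG) style and reports new hosts, hosts that vanished, services that appeared or disappeared, and version strings that changed between runs. The hosts, ports and version strings are made up for illustration; only the line format follows nmap's grepable output.

```python
import re

# Constructed sample scans in nmap -oG style (not real scan data).
# "Monday" is the baseline; "Tuesday" shows three kinds of drift the post
# warns about: a service disappearing, a version regressing after a
# "quick fix", and a device nobody authorised appearing on the network.
SCAN_MONDAY = """\
# Nmap 5.51 scan initiated Mon Aug 22 2011 as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.1 (gw)\tStatus: Up
Host: 10.0.0.1 (gw)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 443/open/tcp//https//Apache httpd 2.2.15/\tIgnored State: closed (998)
Host: 10.0.0.2 (app1)\tStatus: Up
Host: 10.0.0.2 (app1)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)
# Nmap done at Mon Aug 22 2011 -- 8 IP addresses (2 hosts up)
"""

SCAN_TUESDAY = """\
# Nmap 5.51 scan initiated Tue Aug 23 2011 as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.1 (gw)\tStatus: Up
Host: 10.0.0.1 (gw)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 443/open/tcp//https//Apache httpd 2.2.3/\tIgnored State: closed (998)
Host: 10.0.0.2 (app1)\tStatus: Up
Host: 10.0.0.2 (app1)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/\tIgnored State: closed (999)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/\tIgnored State: closed (999)
# Nmap done at Tue Aug 23 2011 -- 8 IP addresses (3 hosts up)
"""

# "Host: <ip> (<name>)<TAB><field>: <value>[<TAB><field>: <value>...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {(port, proto): {"state", "service", "version"}}}.

    Hosts with only a "Status: Up" line still get an (empty) entry, so a
    host that is up but exposes nothing is distinguished from an absent one.
    """
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, rest = m.groups()
        hosts.setdefault(ip, {})
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            # grepable port entry: port/state/proto/owner/service/rpcinfo/version/
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            hosts[ip][(int(port), proto)] = {
                "state": state, "service": service, "version": version,
            }
    return hosts


def diff_scans(before, after):
    """Compare two parsed scans and return what changed, grouped by kind."""
    report = {"new_hosts": [], "missing_hosts": [], "new_services": [],
              "missing_services": [], "changed_versions": []}
    for ip in sorted(set(before) | set(after)):
        if ip not in before:                      # possible rogue device
            report["new_hosts"].append((ip, sorted(after[ip])))
            continue
        if ip not in after:                       # host gone: outage or decommission?
            report["missing_hosts"].append(ip)
            continue
        b, a = before[ip], after[ip]
        for key in sorted(set(b) | set(a)):
            port, proto = key
            if key not in b:
                report["new_services"].append((ip, port, proto, a[key]["service"]))
            elif key not in a:
                report["missing_services"].append((ip, port, proto, b[key]["service"]))
            elif b[key]["version"] != a[key]["version"]:
                # Includes downgrades, e.g. an older build restored by a "fix".
                report["changed_versions"].append((ip, port, b[key]["version"], a[key]["version"]))
    return report


def format_report(report):
    """Render the diff as plain text, one finding per line."""
    lines = []
    for kind, items in report.items():
        for item in items:
            lines.append("%-16s %s" % (kind, item))
    return "\n".join(lines) if lines else "no changes between scans"


if __name__ == "__main__":
    print(format_report(diff_scans(parse_grepable(SCAN_MONDAY),
                                   parse_grepable(SCAN_TUESDAY))))
```

Every line in the report is a question for a human, not a verdict: a disappeared port may be an authorised change, and a new host may be a laptop on the wrong VLAN. The value is that each of these is now visible the day it happens, instead of whenever the next point-in-time audit falls.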


On 27/08/2011 09:55, Duncan Alderson wrote:
Hi Cribbar,

I can see the auditor's point but he may not be putting the best case forward. 

If the organisation has a good security model in place with patching and hardening, there is still a need to scan the 
whole environment. Look at it as a defence in depth scan. What happens if a rogue device is added to the network? Or a 
change is made to a device that has insecure consequences?

I know there can be other controls in place to stop this happening but you cannot rely on a silver bullet 
product/process to secure your environment.

You will need hundreds of bullets for each threat scenario you are defending against.

My 2c

Webantix

On 22 Aug 2011, at 14:28, cribbar <crib.bar () hotmail co uk> wrote:

There was some debate the other day in our office (not tech IT myself) about
what percentage of the infrastructure vulnerabilities in the nessus
repository are taken out of the equation if you have a thorough patch
management policy for the infrastructure AND you scan the system before it's
brought into operation? 

What’s your view? What % of nessus vulns are addressed by scanning after
build process and addressing the problems, and then applying a thorough
patch mgmt policy from when it goes live? 

It’s been prompted by our auditors' claim that it is essential that such scans
be run every month as new vulnerabilities are found all the time – but
if they are patched, and stuff like default passwords / vendor back doors
were addressed after the build process, before it went live, then what other
kind of issues/events/activities cause a vulnerability that isn’t easily
addressed by applying patches ASAP?

We would probably fall into a “medium” security environment. 

There must be more to it than this around vulnerability scanning. Your views
most welcome. Should the auditors give some flexibility and accept their
recs are overkill, or do they have a point?

-- 
View this message in context: 
http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

