I agree with most of what was said here (see below). However, from an audit point of view, how this should be implemented (at the tool level) I do not personally agree with. I believe that the scanner should perform in exactly that manner (performs the scan and suggests that the vulnerability exists). It is then up to the auditor to follow up the reports and determine whether or not the machine is vulnerable. (The auditor would do this by exploiting the vulnerability manually.)

Anyway, just my thoughts.

> All security scanners and intrusion testing software should actually exploit
> the vulnerability that they are testing for to determine if it is actually
> vulnerable. Audit reports should not be generated using security audit tools
> that only check for vulnerabilities based on the version number and patch
> levels but instead use this information generated by tools like ISS, strobe,
> COPS, NetRanger, etc. as a guideline as to what resources need further testing
> and investigation. The reason for this is that there may be some security
> program that might actually prevent vulnerability exploitation from happening.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:07 PDT