Re: False-negatives in several Vulnerability Assessment tools

From: R. DuFresne (dufresneat_private)
Date: Wed Apr 16 2003 - 09:03:46 PDT

    On Tue, 15 Apr 2003, Muhammad Faisal Rauf Danka wrote:
    
    > Very informative article, I must say. 
    > However, 
    > 
    > <quote>
    > Numerous Vulnerability Assessment (VA) tools are available for security 
    > engineers, pen-testers and network administrators. Their results are 
    > mostly trusted by users since they don't have the time or the competence to 
    > validate that output. 
    > </quote>
    > 
    > Users should not be the ones to validate the output. The results of (VA) 
    > tools should be thoroughly identified and manually checked by the
    >  
    > <quote> 
    > security 
    > engineers, pen-testers and network administrators 
    > </quote>
    
    agreed, yet this is not always a positive angle on the generated reports.
    *How* those reports are evaluated by the 'professionals' in an
    organization is not a standard.  Example: I work in an organization where
    the security folks run a couple of scanners weekly to determine the
    networks' and various servers' common exposures.  New systems are scanned
    by ISS and Nessus prior to being placed into some production environs.
    What the folks who manage these systems get from the sec pros is a pile of
    printed results of these scans, sometimes with an e-mail stating the
    system passes and can be placed, or the system failed due to this
    port/vuln being spotted by the scanners.  Damned if we did not have a
    couple of Solaris 8 servers repeatedly fail due to suspected pcAnywhere
    ports open on the systems!  Of course, these servers were running portsentry,
    and though the ports had nothing on them <closed>, portsentry was monitoring
    those ports, which resulted in the scanners -=thinking=- they were open
    and used by pcAnywhere.  We turn off pcAnywhere and have the systems
    rescanned and all 'reports' well.  Real sec professionals might well have
    concluded the likelihood that a Sun box would be running pcAnywhere was
    highly suspect and most likely tapped the admin staff to evaluate the
    false positives.  But we seldom see these 'sec pros'; of course it's not
    that we would be kind, after all they were the ones that determined that
    the proper thing to do under Code Red and Nimda, to eliminate the
    firewalls clogging with internal systems trying to spew cruft to infect
    our internet neighbors, was to just kill the firewalls off for the most
    part and let our infected packets wreak havoc on the internet at large.
    
    The point<s> here being: 1> scanners are merely a tool, one of the tools at
    the disposal of those doing sec work in its various forms, and a
    single scan run and its derivative report are meaningless without
    further insight and evaluation.  2> the quality of those working in
    security related positions varies dramatically, as well as their ability
    to really function in the capacity they were hired to perform.  3> not all
    sec folks understand the motto/pledge of 'do no harm'.
    
    
    Thanks,
    
    Ron DuFresne
    
    > 
    > Another thing: are we now looking towards redesigning several 
    > plugins for other languages, and accordingly newer plugins having 
    > different language versions? It would affect several signatures in 
    > various (IDS) too.
    > 
    > Did you contact most if not all (VA) and (IDS) vendors regarding this,
    > and what's their response?
    > 
    > 
    > Regards
    > --------
    > Muhammad Faisal Rauf Danka
    > 
    > 
    > _____________________________________________________________
    > ---------------------------
    > [ATTITUDEX.COM]
    > http://www.attitudex.com/
    > ---------------------------
    > 
    > 
    > ---------------------------------------------------------------------------
    > Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
    > world's premier event for IT and network security experts.  The two-day 
    > Training features 6 hand-on courses on May 12-13 taught by professionals.  
    > The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
    > sales pitches.  Deadline for the best rates is April 25.  Register today to 
    > ensure your place.  http://www.securityfocus.com/BlackHat-pen-test 
    > ----------------------------------------------------------------------------
    > 
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    
    
    
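The pcAnywhere false positive in Ron's message is the usual way a port-based service guess goes wrong: the scanner saw a TCP handshake complete and named the service from the port number, while the thing answering was a decoy listener. As an added example, not code from this thread or from any of the tools named in it, the following Python script re-checks a list of scanner findings by connecting and waiting for the far end to speak, and separates "a service answered" from "something accepted the handshake and said nothing". The local listeners, the SSH-style banner and the scanner's service guesses are constructed for the demonstration; the silent listener is a stand-in for a decoy such as portsentry, not portsentry itself.

```python
"""Re-check a scanner's 'open port' findings before trusting its service guess.

Added example for this thread, not code from the original posts.  A scanner
that completes a TCP handshake assumes a service is there and usually names it
from the port number alone.  A decoy listener also completes the handshake but
never speaks, so all the scanner really knows is 'something accepted'.  The
probe below separates the two.  Listeners, banner and service guesses are
constructed stand-ins, not portsentry, pcAnywhere or any real scanner.
"""
import socket
import threading

HOST = "127.0.0.1"


class Listener:
    """Local TCP listener on an ephemeral port (constructed stand-in).

    banner=None  -> accept and drop the connection without a byte (decoy).
    banner=bytes -> send the banner on connect, then close (real service).
    """

    def __init__(self, banner=None):
        self.banner = banner
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((HOST, 0))
        self._srv.listen(5)
        self._srv.settimeout(0.2)        # lets the accept loop notice close()
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:              # listening socket went away
                return
            with conn:                   # closes right after the (optional) banner
                if self.banner is not None:
                    conn.sendall(self.banner)
        self._srv.close()

    def close(self):
        self._stop.set()


def probe(host, port, timeout=1.0):
    """Connect, then wait for the far end to speak.

    state: 'closed' (refused), 'filtered' (no answer to the SYN),
           'open-silent' (handshake only), 'open-banner' (service sent data).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return {"port": port, "state": "closed", "banner": b""}
    except OSError:                      # includes socket.timeout
        s.close()
        return {"port": port, "state": "filtered", "banner": b""}
    try:
        data = s.recv(256)               # b"" on EOF; exception on timeout
    except socket.timeout:
        data = b""
    finally:
        s.close()
    return {"port": port, "state": "open-banner" if data else "open-silent",
            "banner": data}


def triage(host, findings, timeout=1.0):
    """findings: [(port, service name the scanner guessed)].

    CONFIRMED  - a service answered; compare its banner with the guess.
    UNVERIFIED - handshake only; the guess rests on the port number, so
                 look on the host (netstat/lsof) before reporting it.
    NOT_OPEN   - nothing accepted now; the finding is stale or wrong.
    """
    verdict_for = {"open-banner": "CONFIRMED", "open-silent": "UNVERIFIED"}
    results = []
    for port, guess in findings:
        r = probe(host, port, timeout)
        r["guess"] = guess
        r["verdict"] = verdict_for.get(r["state"], "NOT_OPEN")
        results.append(r)
    return results


def demo(timeout=1.0):
    """Run triage against three constructed cases on localhost."""
    decoy = Listener(banner=None)                       # portsentry-like decoy
    real = Listener(banner=b"SSH-2.0-example\r\n")      # constructed banner
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    closed_port = tmp.getsockname()[1]                  # freed again below
    tmp.close()
    findings = [(decoy.port, "pcanywhere"),             # constructed scanner output
                (real.port, "ssh"),
                (closed_port, "telnet")]
    try:
        return triage(HOST, findings, timeout)
    finally:
        decoy.close()
        real.close()


if __name__ == "__main__":
    for r in demo():
        print(r["port"], r["state"], r["verdict"], r["guess"], r["banner"])
```

Run directly, it prints one verdict per port; UNVERIFIED is the case that needs a look on the host before the port/service claim goes into a report. A silent accept is not proof of a decoy, either: plenty of real services (HTTP, for one) wait for the client to speak first, so UNVERIFIED means exactly that and nothing more.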



    This archive was generated by hypermail 2b30 : Wed Apr 16 2003 - 10:06:45 PDT