Re: False-negatives in several Vulnerability Assessment tools
From: R. DuFresne <dufresne(at)sysinfo.com>
Date: Wed Apr 16 2003 - 12:03:46 EDT
> Very Informative article I must say,
Agreed, yet this is not always a positive angle on the generated reports. *How* those reports are evaluated by the 'professionals' in an organization is not a standard. Example: I work in an organization where the security folks run a couple of scanners weekly to determine the networks' and various servers' common exposures. New systems are scanned by iis and Nessus prior to being placed into some production environs. What the folks who manage these systems get from the sec pros is a pile of printed results of these scans, sometimes with an e-mail stating the system passes and can be placed, or the system failed due to this port/vuln being spotted by the scanners.

Damned if we did not have a couple of Solaris 8 servers repeatedly fail due to suspected pcAnywhere ports open on the systems! 'Course, these servers were running PortSentry, and though the ports had nothing on them <closed>, PortSentry was monitoring those ports, which resulted in the scanners -=thinking=- they were open and used by pcAnywhere. We turn off pcAnywhere and have the systems rescanned and all 'reports' well. Real sec professionals might well have concluded that the likelihood of a Sun box running pcAnywhere was highly suspect and most likely tapped the admin staff to evaluate the false positives.

But we seldom see these 'sec pros'. 'Course, it's not that we would be kind; after all, they were the ones that determined that the proper thing to do under Code Red and Nimda, to eliminate the firewalls clogging with internal systems trying to spew cruft to infect our internet neighbors, was to just kill the firewalls off for the most part and let our infected packets wreak havoc on the internet at large.

The point(s) here being:

1> Scanners are merely a tool, one of the tools at the disposal of those doing sec work in its various forms, and one single scan run and its derivative report are meaningless without further insight and evaluation.

2> The quality of those working in security-related positions varies dramatically, as does their ability to really function in the capacity they were hired to perform.

3> Not all sec folks understand the motto/pledge of 'do no harm'.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
Received on Wed Apr 16 13:09:10 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT