
RE: False-negatives in several Vulnerability Assessment tools

From: Craig H. Rowland <crowland(at)cisco.com>
Date: Thu Apr 17 2003 - 13:28:43 EDT


> >My current employer, which is a Fortune 10 company, shall be

Exactly. When you go to the hospital for a broken bone you have an X-ray technician operate the machine, and an experienced radiologist who interprets the results. They don't simply hand you the X-ray for personal interpretation and the bill.

This is an important point that is frequently overlooked. I've seen a number of audits that were paid for by customers and consisted of nothing more than a nicely bound printout of a commercial scanner with almost no interpretation. Personally, I think this is a serious breach of responsibility.

The results of a scanner can be misleading if you don't have a good knowledge of common vulnerabilities, commonly affected hosts, and patterns indicating misuse. Expecting a scanner alone to identify 100% of all threats is not practical for several reasons:

  1. The author of the vulnerability check may have written it incorrectly. Or, more likely, it worked in their test lab environment but failed out in the field for a variety of reasons.
  2. Performing an exhaustive scan against all the systems in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems, and the dynamic nature of network deployments (wireless, DHCP, etc.).
  3. The scanner does not have an internal view of the host being audited and can miss critical mis-configurations that result in an insecure setup, but appear "secure" from the outside with automation.

I guess my point in all this is that proper interpretation of security tool results is critical. As much as the security industry would like to have the software do everything for the inexperienced user, it just isn't practical or advisable given the nature and seriousness of this business.

  • Craig

Opinions are my own. There is no endorsement of the (random) advertisement appended to this message.
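Point 3 above (the scanner has no internal view of the host) is the one that most often produces false negatives, and the usual defensive answer is to reconcile the external scan output with host-internal audit data so that an analyst has a list of discrepancies to interpret. The following is an added example of that reconciliation, not code from the original message or from any scanner; both data sets, the host addresses, and the field names are constructed for illustration.

```python
"""Reconcile external scanner output with host-internal audit data.

Added illustration, not part of the original mailing-list post. All data
below is constructed; the field names are hypothetical and stand in for
whatever a real scanner export and host agent would produce.
"""

# Constructed external scan results: what the scanner could see from outside.
# An empty open_ports set means the host never answered the probes.
EXTERNAL_SCAN = {
    "10.0.0.5": {"open_ports": {22, 80}},
    "10.0.0.6": {"open_ports": {22}},
    "10.0.0.7": {"open_ports": set()},
}

# Constructed host-internal audit data (e.g. from an agent or a manual checklist).
INTERNAL_AUDIT = {
    "10.0.0.5": {
        "listening_ports": {22, 80, 3306},
        "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"},
    },
    "10.0.0.6": {
        "listening_ports": {22},
        "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    },
    "10.0.0.7": {
        "listening_ports": {22, 445},
        "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "yes"},
    },
}


def reconcile(external, internal):
    """Return {host: [discrepancy, ...]} for every host whose internal state
    tells a different story than the external scan. Each entry is something
    a human needs to interpret, not an automatically confirmed vulnerability:
    a service listening only on loopback is harmless, while the same service
    hidden behind a misconfigured firewall rule is not."""
    issues = {}
    for host, audit in internal.items():
        host_issues = []
        scan = external.get(host)
        listening = audit["listening_ports"]

        if scan is None or (not scan["open_ports"] and listening):
            # The host runs services but the scanner saw nothing: down at scan
            # time, filtered, or never in scope. A clean report here is a gap,
            # not a clean bill of health.
            host_issues.append(
                "scan-gap: services listening but the scanner saw no open ports"
            )
        else:
            hidden = listening - scan["open_ports"]
            if hidden:
                host_issues.append(
                    f"unscanned-services: ports {sorted(hidden)} listening "
                    "but not visible externally; verify binding and filtering"
                )

        sshd = audit.get("sshd", {})
        if (sshd.get("PermitRootLogin") == "yes"
                and sshd.get("PasswordAuthentication") == "yes"):
            # A port scan confirms only that sshd answers; this weakness is
            # purely configuration and is invisible from outside.
            host_issues.append(
                "config: sshd permits root password login (not detectable by a port scan)"
            )

        if host_issues:
            issues[host] = host_issues
    return issues


if __name__ == "__main__":
    for host, found in sorted(reconcile(EXTERNAL_SCAN, INTERNAL_AUDIT).items()):
        print(host)
        for line in found:
            print("  -", line)
```

In the constructed data the externally clean host 10.0.0.5 is the one that needs the most attention, and 10.0.0.7 shows up as a gap rather than as "no findings", which is the distinction the message is making: the scanner output is an input to the analysis, not the audit itself.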



Received on Thu Apr 17 15:38:04 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT

