Re: Distributed Vulnerability Scanners

From: Peter Mercer (inom@ozemail.com.au)
Date: Thu Mar 06 2003 - 22:24:41 EST


For discussion purposes, here are 2 of my concerns with automated and "coin
operated scanners".

A) Removing the human element will not mimic real life or what you might
call "join the dots exploiting"
Example) Scanner finds ssh running and no telnet, great they are using
encryption. No high risk there, scanner moves on.
Now what if the whois lookup has the Administrative Contact: as
smithf@scanned_company.com you go the next few steps (I am sure you can
work them out) and find passwd "company01".
Automated or "coin operated" going to find that?

B) Business can be easily confused when it comes to security spend.
Example) That just doing (and paying for) a scan covers that company's
responsibilities and corp governance requirements for security.
So many times I have heard business say "but we have had a scan last year, we
fixed the holes. Why do we need to spend more on security".

Disclaimer) I know that both of the above are extreme cases...

I think that using automated and "coin operated" scanners is fine so long as
they are well understood, don't have the whole of security placed on them
and are used only to confirm security levels, not as the only security.

I hope that in selling these tools the vendors are pushing the above facts and
not just their bottom line.

Thanks for your time.

Kind regards,
Peter Mercer

[When I spend any money on security I like to ask, "is this money I spend
now, still going to be of benefit to me in 1 to 5 years"]

From: "charl van der walt" <charl@sensepost.com>
To: <pen-test@securityfocus.com>
Cc: <talisker@networkintrusion.co.uk>
Sent: Friday, March 07, 2003 11:01 AM
Subject: RE: Distributed Vulnerability Scanners

hey,

i wasn't going to mention this until i saw qualys and vigilante
being mentioned. it feels awfully like i'm doing a plug, but i think this
approach is worth mentioning:

over the last few years we've been developing an Internet-based scanning
solution called "HackRack" - check www.hackrack.com. The live site is
running version 2 of the system but i'm going to describe version 3, which
is currently in Alpha testing.

HackRack is essentially a web front end for Nessus, but is also more, less
and different.

it's more because, in addition to the Nessus scans, we also scan for key
DNS entries, open and closed ports and 'pingable' ips within a given
range. in addition, HackRack stores all its findings in a database and
presents its findings in an interactive web interface that allows for
'drill-in' information regarding the problem, real-time retesting of a
specific issue and rescanning of an entire host. it allows for direct,
interactive support, which we offer as part of the subscription. the
reporting interface can also be "taught" which issues are important and
which should be deprioritized or ignored in the future. finally, hackrack
can initiate additional scans or reports intelligently based on the
findings of previous scans. i.e. if we find a new ip 'up' on the network,
we can automagically initiate a scan on that ip and deliver the report.

HackRack is less because it doesn't attempt to be a heavy-duty scanner.
rather, it attempts to provide only the most important vulnerability
information timeously in a simple, succinct form.

HackRack is different because it focuses on detecting changes. we don't
deliver full reports, only reports on what has changed since the previous
day's scans. with this approach, combined with the support and the
'learning' feature our aim is to ensure that every single report we
deliver is studied, because the client knows it will be important.

it's a humble product, but a philosophy i believe in.

rgds

charl
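
The change-only reporting described in the message above, sketched as an added example (not HackRack's code and not part of the original posts). The `Finding` fields, the issue labels and the sample snapshots are constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    host: str
    port: int
    issue: str  # constructed label, not a real scanner plugin name

def diff_scans(previous, current, ignored=frozenset()):
    """Compare two daily scan snapshots and return only what changed.

    `ignored` holds issue labels the operator has marked as unimportant;
    they are suppressed from the report but still count as proof that a
    host is alive.
    """
    prev = {f for f in previous if f.issue not in ignored}
    curr = {f for f in current if f.issue not in ignored}
    return {
        "new": sorted(curr - prev),
        "resolved": sorted(prev - curr),
        # Hosts absent yesterday: candidates for an automatic follow-up scan.
        "new_hosts": sorted({f.host for f in current} - {f.host for f in previous}),
    }

def has_changes(delta):
    """A report is only worth delivering if something actually changed."""
    return any(delta.values())

# Constructed sample data (documentation address range 192.0.2.0/24).
YESTERDAY = {
    Finding("192.0.2.10", 22, "open-port"),
    Finding("192.0.2.10", 80, "open-port"),
    Finding("192.0.2.10", 80, "http-trace-enabled"),
    Finding("192.0.2.10", 0, "icmp-timestamp-reply"),
}
TODAY = {
    Finding("192.0.2.10", 22, "open-port"),
    Finding("192.0.2.10", 80, "open-port"),
    Finding("192.0.2.10", 23, "open-port"),          # telnet appeared overnight
    Finding("192.0.2.10", 0, "icmp-timestamp-reply"),
    Finding("192.0.2.20", 21, "open-port"),          # host not seen yesterday
    Finding("192.0.2.20", 0, "icmp-timestamp-reply"),
}
IGNORED = frozenset({"icmp-timestamp-reply"})

if __name__ == "__main__":
    delta = diff_scans(YESTERDAY, TODAY, IGNORED)
    for kind, items in delta.items():
        print(kind, items)
```
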

----------------------------------------------------------------------------

Are your vulnerability scans producing just another report?
Manage the entire remediation process with StillSecure VAM's
Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT