Re: False-negatives in several Vulnerability Assessment tools

From: R. DuFresne (dufresne@sysinfo.com)
Date: Wed Apr 16 2003 - 12:03:46 EDT


On Tue, 15 Apr 2003, Muhammad Faisal Rauf Danka wrote:

> Very informative article, I must say.
> However,
>
> <quote>
> Numerous Vulnerability Assessment (VA) tools are available for security
> engineers, pen-testers and network administrators. Their results are
> mostly trusted by users since they don't have time nor competences to
> validate that output.
> </quote>
>
> Users should not be the ones to validate the output. The results of (VA)
> tools should be thoroughly identified and manually checked by the
>
> <quote>
> security
> engineers, pen-testers and network administrators
> </quote>

agreed, yet, this is not always a positive angle on the generated reports.
*How* those reports are evaluated by the 'professionals' in an
organization is not a standard. Example: I work in an organization where
the security folks run a couple of scanners weekly to determine the
network's and various servers' common exposures. New systems are scanned
by iis and nessus prior to being placed into some production environs.
What the folks who manage these systems get from the sec pros is a pile of
printed results of these scans, sometimes with an e-mail stating the
system passes and can be placed, or the system failed due to this
port/vuln being spotted from the scanners. Damned if we did not have a
couple of solaris 8 servers repeatedly fail due to suspected pcanywhere
ports open on the systems! 'Course, these servers were running portsentry,
and though the ports had nothing on them <closed>, portsentry was monitoring
those ports, which resulted in the scanners -=thinking=- they were open
and used by pcanywhere. We turn off pcanywhere and have the systems
rescanned and all 'reports' well. Real sec professionals might well have
concluded the likelihood that a sun box would be running pcanywhere was
highly suspect and most likely tapped the admin staff to evaluate the
false positives. But, we seldom see these 'sec pros'; 'course it's not
that we would be kind, after all they were the ones that determined that
the proper thing to do under code red and nimda, to eliminate the
firewalls clogging with internal systems trying to spew cruft to infect
our internet neighbors, was to just kill the firewalls off for the most
part and let our infected packets wreak havoc on the internet at large.

The point(s) here being: 1) scanners are merely a tool, one of the tools at
the disposal of those doing sec work in its various forms, and one
single scan run and its derivative report are meaningless without
further insight and evaluation. 2) The quality of those working in
security-related positions varies dramatically, as well as their abilities
to really function in the capacity they were hired to perform. 3) Not all
sec folks understand the motto/pledge of 'do no harm'.

Thanks,

Ron DuFresne

>
> Another thing, now are we looking towards re-designing several
> plugins for other languages, and accordingly newer plugins to have
> different language versions? It would affect several signatures in
> various (IDS) too.
>
> Did you contact most if not all (VA) and (IDS) vendors regarding this,
> and what's their response?
>
>
> Regards
> --------
> Muhammad Faisal Rauf Danka

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
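The portsentry/pcanywhere false positive above is a scanner inferring a service from an open port alone. As an added example (not code from this list or its posters; function names are hypothetical), the check below re-verifies an "open port => service X" finding by reading the banner, with a constructed local listener standing in for a portsentry-style trap port that accepts and then closes without speaking:

```python
import socket
import threading


def serve_once(banner):
    """Constructed fixture: one-shot TCP listener on 127.0.0.1.
    banner=None mimics a portsentry-style trap: accept, then close silently."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        if banner is not None:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a port nothing listens on, to exercise the 'closed' branch."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def classify_finding(host, port, expected_prefix, timeout=2.0):
    """Re-check a scanner claim by banner, not by port number.
    Returns: confirmed, open-other-service, open-no-service, open-silent,
    closed or filtered; only 'confirmed' needs no manual follow-up."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"            # nothing listening at all
    except socket.timeout:
        return "filtered"          # no answer to the connect within timeout
    with sock:
        try:
            data = sock.recv(256)
        except socket.timeout:
            return "open-silent"   # listener waits for the client to speak first
    if not data:
        return "open-no-service"   # accepted then closed: trap/portsentry-like
    if data.startswith(expected_prefix):
        return "confirmed"
    return "open-other-service"    # something answered, but not the claimed service
```

Run it against `serve_once(b"SSH-2.0-example\r\n")` and `serve_once(None)` to see the same port-open fact classified as "confirmed" versus "open-no-service"; the latter is the case where the scanner report alone would have failed the Solaris boxes.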


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT