Security Basics mailing list archives
RE: to be or not to be of vulnerability assessment report
From: <alex () cc technion ac il>
Date: Sun, 30 Jan 2011 07:44:01 +0000
Hi,

I would try to identify the 20% of missing patches that cause 80% of the vulnerabilities. In this manner you will make it short. But you should also take into account the false positives that the vulnerability scanning tool may show. When I did it, I used Metasploit to show how I could compromise an unpatched system, and it had an effect.

Alex

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of a.alii85 () gmail com
Sent: Friday, January 28, 2011 8:02 AM
To: security-basics () securityfocus com
Subject: to be or not to be of vulnerability assessment report

hey sec techies :)

I'm in the process of making a vulnerability assessment report. The report contains high-level vulnerability details that I have identified using scan tools such as Nessus and Nexpose. In the non-technical (executive summary) portion I have made a table which describes three things to its readers:

1) risk
2) effort required
3) resources required

These values are taken from instances of each vulnerability. These instances form different attack vectors for the hacker to get into the system.

Now here comes the problem, or the interesting part: in the dynamic analysis report I have been given dozens of vulnerabilities which are associated with missing patches (Nexpose full audit report). Now each missing patch fixes around 20 or more vulnerabilities, but my table is based on a 1-1 relationship, not 1-many. So I now have the mapping issue of how to relate the effort requirement, risk and resources required attributes of multiple vulnerabilities to a single missing patch. I don't want to break down the patches into individual vulnerabilities, as that would add unnecessary volume, something higher management would hate and dislike to the point that they would want to throw the report into the dustbin. So what should I do?

Do I really have to write a missing patch as in the true classic definition of what a "vulnerability" is, which is a weakness that... because all this is saying is that your system is vulnerable because you forgot to update your anti-virus (or something trivial like this). These single-instance / point vulnerabilities are more fun because they exist when the admins are confident that their system is decently patched and they are safe, but they are not aware that most of the time these independent and third-party services and packages existing on your platform environment (e.g. Oracle) need patching and security tightening too.

So guys, please help me devise a workaround for this problem; an easy and effective solution would be much appreciated and welcomed.

Thanks

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
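The two questions in this thread, how to collapse a 1-to-many patch-to-vulnerability relationship into one executive-summary row and how to pick the small set of patches that covers most of the exposure, are both a roll-up over scanner findings. The script below is an added illustration, not code from either poster and not a parser for real Nessus or Nexpose output. The findings list is constructed sample data, and the field names (`vuln`, `host`, `risk`, `patch`, `confirmed`) are assumptions; the `confirmed` flag exists so that findings still suspected of being false positives are counted separately rather than silently inflating a patch's weight.

```python
"""Roll up per-vulnerability scanner findings into per-patch rows for an
executive summary, then pick the shortest list of patches covering most of
the patch-related exposure (the 80/20 rule suggested in the reply).

Added example for the mailing-list thread; it is not code from either poster
and does not read real Nessus/Nexpose exports. FINDINGS is constructed data;
the field names are assumptions.
"""
from collections import defaultdict

# Constructed sample findings: one row per (vulnerability, host) instance.
# 'patch'     - vendor update that fixes the finding (None = not a patch issue)
# 'risk'      - 0..10 severity score as a scanner would report it
# 'confirmed' - whether the finding was manually validated; scanners produce
#               false positives, so unconfirmed rows are tracked separately
FINDINGS = [
    {"vuln": "V-001", "host": "srv1", "risk": 9.8, "patch": "KB-A", "confirmed": True},
    {"vuln": "V-001", "host": "srv2", "risk": 9.8, "patch": "KB-A", "confirmed": True},
    {"vuln": "V-002", "host": "srv1", "risk": 7.2, "patch": "KB-A", "confirmed": True},
    {"vuln": "V-002", "host": "srv2", "risk": 7.2, "patch": "KB-A", "confirmed": False},
    {"vuln": "V-003", "host": "srv1", "risk": 4.3, "patch": "KB-A", "confirmed": True},
    {"vuln": "V-003", "host": "srv3", "risk": 4.3, "patch": "KB-A", "confirmed": True},
    {"vuln": "V-004", "host": "srv1", "risk": 7.5, "patch": "KB-B", "confirmed": True},
    {"vuln": "V-005", "host": "srv1", "risk": 6.1, "patch": "KB-B", "confirmed": True},
    {"vuln": "V-005", "host": "srv3", "risk": 6.1, "patch": "KB-B", "confirmed": True},
    {"vuln": "V-006", "host": "srv2", "risk": 5.0, "patch": "KB-C", "confirmed": True},
    # A single-point finding with no patch behind it (e.g. stale AV signatures).
    {"vuln": "V-010", "host": "srv3", "risk": 3.1, "patch": None, "confirmed": True},
]


def _new_row():
    return {"instances": 0, "hosts": set(), "max_risk": 0.0, "unconfirmed": 0}


def _rollup(findings, key):
    """Group findings by key(finding) and summarise each group."""
    rows = defaultdict(_new_row)
    for f in findings:
        k = key(f)
        if k is None:
            continue
        row = rows[k]
        row["instances"] += 1
        row["hosts"].add(f["host"])
        # Risk of the group is the worst single finding, not a sum: one
        # patch fixing 20 issues is as urgent as its worst issue.
        row["max_risk"] = max(row["max_risk"], f["risk"])
        if not f["confirmed"]:
            row["unconfirmed"] += 1
    return {k: {**r, "hosts": len(r["hosts"])} for k, r in rows.items()}


def aggregate_by_patch(findings):
    """One summary row per missing patch (instances fixed, hosts affected,
    worst risk, findings still unconfirmed)."""
    return _rollup(findings, lambda f: f["patch"])


def executive_table(findings):
    """Rows for the summary table: one per patch, plus one per finding that
    is not tied to a patch. Sorted worst risk first, then by instances."""
    rows = []
    for patch, r in aggregate_by_patch(findings).items():
        rows.append({"item": patch, "kind": "patch", **r})
    single = _rollup(findings, lambda f: f["vuln"] if f["patch"] is None else None)
    for vuln, r in single.items():
        rows.append({"item": vuln, "kind": "finding", **r})
    rows.sort(key=lambda r: (-r["max_risk"], -r["instances"], r["item"]))
    return rows


def pareto_patches(findings, coverage=0.8):
    """Greedy 80/20: rank patches by instances fixed (ties broken by worst
    risk) and return the shortest prefix covering >= `coverage` of all
    patch-related instances, together with the fraction actually covered."""
    rows = aggregate_by_patch(findings)
    total = sum(r["instances"] for r in rows.values())
    if total == 0:
        return [], 0.0
    ranked = sorted(rows, key=lambda p: (-rows[p]["instances"], -rows[p]["max_risk"], p))
    chosen, covered = [], 0
    for p in ranked:
        chosen.append(p)
        covered += rows[p]["instances"]
        if covered >= coverage * total:
            break
    return chosen, covered / total


if __name__ == "__main__":
    for row in executive_table(FINDINGS):
        print(row)
    print("patches to lead with:", pareto_patches(FINDINGS))
```

With the constructed data, KB-A alone fixes six of the ten patch-related instances and KB-A plus KB-B reach 90%, so the executive table can lead with two patch rows and one single-point finding instead of eleven scanner lines; the `unconfirmed` column shows the reader how much of each row still rests on unvalidated scanner output.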
Current thread:
- to be or not to be of vulnerability assessment report a . alii85 (Jan 28)
- RE: to be or not to be of vulnerability assessment report alex (Jan 31)
- RE: to be or not to be of vulnerability assessment report Sheldon Malm (Jan 31)
- RE: to be or not to be of vulnerability assessment report Sheldon Malm (Jan 31)