Bugtraq mailing list archives
Re: Security Scanners and other Auditing Tools [was Re: ISS Inter
From: PgMerrick () KPMG COM AU (Merrick, Pete G)
Date: Fri, 12 Feb 1999 11:06:35 +1100
I agree with most of what was said here (see below). However, from an audit point of view, how this should be implemented (at the tool level) I do not personally agree with. I believe that the scanner should perform in exactly that manner (performs the scan and suggests that the vulnerability exists). It is then up to the auditor to follow up the reports and determine whether or not the machine is vulnerable. The auditor would do this by exploiting the vulnerabililty manually). Anyway, just my thoughts.
All security scanners and intrusion testing software should actually exploit the vulnerability that they are testing for to determine if it is actually vulnerable. Audit reports should not be generated using security audit tools that only check for vulnerabilities based on the version number and patch levels but instead use this information generated by tools like ISS, strobe, COPS, NetRanger, etc. as a guideline as to what resources need further testing and investigation. The reason for this is that there may be some security program that might actually prevent vulnerability exploitation from happening.
"This email is intended only for the use of the individual or entity named above and may contain information that is confidential and privileged. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this email is strictly prohibited. When addressed to our clients, any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. If you have received this email in error, please notify us immediately by return email or telephone +61 2 9335 7000 and destroy the original message. Thank you."
Current thread:
- Re: Security Scanners and other Auditing Tools [was Re: ISS Inter Merrick, Pete G (Feb 11)