Re: Security Scanners and other Auditing Tools [was Re: ISS Inter

[PgMerrick () KPMG COM AU (Merrick, Pete G)]

I agree with most of what was said here (see below).  However, from an audit
point of view,  how this should be implemented (at the tool level) I do not
personally agree with.  I believe that the scanner should perform in exactly
that manner (performs the scan and suggests that the vulnerability exists).
It is then up to the auditor to follow up the reports and determine whether
or not the machine is vulnerable.  The auditor would do this by exploiting
the vulnerabililty manually).
Anyway, just my thoughts.

> All security scanners and intrusion testing software should actually
> exploit
> the vulnerability that they are testing for to determine if it is
> actually
> vulnerable.  Audit reports should not be generated using security
> audit tools
> that only check for vulnerabilities based on the version number and
> patch
> levels but instead use this information generated by tools like ISS,
> strobe,
> COPS, NetRanger, etc. as a guideline as to what resources need further
> testing
> and investigation.  The reason for this is that there may be some
> security
> program that might actually prevent vulnerability exploitation from
> happening.

"This email is intended only for the use of the individual or entity
named above and may contain information that is confidential and
privileged.  If you are not the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this
email is strictly prohibited.  When addressed to our clients, any
opinions or advice contained in this email are subject to the terms
and conditions expressed in the governing KPMG client engagement
letter.  If you have received this email in error, please notify us
immediately by return email or telephone +61 2 9335 7000 and destroy
the original message.  Thank you."