Penetration Testing mailing list archives

Re: Vulnerability Scanning


From: "BRIAN HUNTER" <bdhunter () bkd com>
Date: Sun, 29 Feb 2004 11:50:30 -0600

You are correct about false positives being an issue with all vulnerability scanners.  Any time you automate the process of verifying vulnerabilities, this is going to be a problem.  I can tell you that when I do internal testing, I do not use vulnerability scanners at all.  This does not mean I don't utilize other tools, but not vulnerability scanners.  We address internal testing as if someone inside your network decided to access/damage/remove data, what could they get to.  We usually have a limited amount of time onsite and are looking for the lowest hanging fruit first.  Due to the time restrictions, our goal is to compromise and gain administrative control of the network versus identifying every potential security vulnerability.  The vulnerabilities that we do identify and utilize are documented and recommendations to fix them are provided, but a full security assessment of all network nodes is not the intent of our testing.  The intent is to show the network is vulnerable and that management/IT need to take steps to rectify this.  If the customer is not comfortable doing this on their own, we are willing to do a full network security assessment and help them close all potential vulnerabilities/holes.  Realize that this is outside of our testing engagement though.  I guess to sum it up, I would question as to whether you are trying to provide more service than needed for a test.



"wirepair" <wirepair () roguemail net> 02/29/04 00:03 AM >>>
lo all,
After reviewing some scan results and finding a number of false positives from nessus (primarily in XP hosts), I began to become a bit more concerned than I already was.
This is in no way reflecting upon nessus's ability to find vulnerabilities and I truly believe all scanners have these issues.
The question is, what does everyone else do about this? Obviously scanners are never going to be 100% accurate. So I started to think of ways of checking if these vulnerabilities exist or not. First, using a known exploit obviously gives a more accurate analysis, but known exploits aren't always available. Yes, I can write my own for said vulnerability, but sometimes this isn't exactly possible; for instance, some vulnerabilities require a user to, say, click on a malicious link, which isn't always feasible when testing 300 workstations. So what else can we do? Check the registry manually? This is an option but very time consuming; does anyone actually do this??? At this point I believe I'm going to have to start trying. Does anyone simply say some of these are false positives and we can't do anything about it? I highly doubt a client will like to hear that. Also, some vulnerabilities are simply too dangerous, windows vulnerabilities in particular that can cause the host to reboot. Not every vulnerability is perfectly exploited. So what are the other options people use/feel comfortable with?
Thanks for any responses...
-wire
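One way to do the manual registry check wirepair asks about without visiting 300 workstations by hand, as an added example that is not from the thread: collect a `reg export` of the hotfix hive from each host and reconcile it against the scanner's missing-hotfix findings. The hotfix key path, host addresses, plugin names and KB numbers below are constructed placeholders, not values from the thread or from any real scanner.

```python
import re

# Constructed scanner findings shaped like a scanner's "missing hotfix" rows:
# host, plugin name, and the hotfix the plugin claims is absent (placeholders).
FINDINGS = [
    {"host": "10.0.0.11", "plugin": "PLUGIN-A", "kb": "KB111111"},
    {"host": "10.0.0.11", "plugin": "PLUGIN-B", "kb": "KB222222"},
    {"host": "10.0.0.12", "plugin": "PLUGIN-A", "kb": "KB111111"},
    {"host": "10.0.0.13", "plugin": "PLUGIN-A", "kb": "KB111111"},
]

# Constructed `reg export` style text, one per host. The Hotfix key path is an
# assumption for illustration; host 10.0.0.13 deliberately has no export.
REG_EXPORTS = {
    "10.0.0.11": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB111111]
"Installed"=dword:00000001
""",
    "10.0.0.12": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix]
""",
}

# Matches a hotfix subkey line such as [HKEY_LOCAL_MACHINE\...\Hotfix\KB111111]
HOTFIX_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Hotfix\\(KB\d+)\][ \t]*$",
                        re.IGNORECASE | re.MULTILINE)


def installed_hotfixes(reg_export: str) -> set:
    """Return the KB identifiers that appear as hotfix subkeys in a .reg export."""
    return {m.group(1).upper() for m in HOTFIX_KEY.finditer(reg_export)}


def triage(findings, exports):
    """Label each finding using evidence the scanner did not have (the registry).

    A present key only shows the package was registered; a superseded hotfix or a
    pending reboot still needs a human look, so the label is 'likely', not 'is'.
    """
    out = []
    for f in findings:
        export = exports.get(f["host"])
        if export is None:
            status = "unverified: no registry export for host"
        elif f["kb"].upper() in installed_hotfixes(export):
            status = "likely false positive: hotfix key present"
        else:
            status = "confirmed: hotfix key absent"
        out.append({**f, "status": status})
    return out
```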
