Hi John,
I find that vulnerability scanners are useful when they can do credentialed
scans to verify that the services are actually running and check patch
levels based on current patch data and such. Nessus in particular is good
for this, and it also allows you to use it for configuration validation as
well provided that you pay for the commercial feed. There are limitations
though.
I agree that Vulnerability scanners can be useful if it is the answer to a
question. The problem is many people start with the VS as the question as
if it's a necessity. Scanners have evolved through marketing to being the
means to a vulnerability assessment rather than a tool of one. Maybe it's
the "final" report that throws so many people off-- that once the report is
generated the work is done and not just the job.
Depending on what you find and the policy you are being held to further
validation may need to be done, but I think they're at least a good starting
point as long as you know its not 'point-click-and-ship' and the report is
gospel.
I think just popping the results of nmap, hping2, hydra, unicornscan, and
netcat into a database and correlating the results is the basic starting
point and alone provides a lot more value than the vulnerability scanner.
But this is for people who ask the right questions of their data. It also
requires the ability to make a security analysis of the data- which is not
too much to ask for from an IT security professional, right? Which is why
so many members of the OSSTMM community pushed us to start the OPSA five
years ago. It's a basic thing to know what you're asking for out of your
tool data and not just happy with what the tool is telling you about it in
a report. Even if that tool is a scanner.
You know many IT security professionals can't even tell you why Nessus runs
a traceroute to each and every host in the list. To them it's just another
thing in the report because Nessus didn't say why it was doing it. I
haven't seen the newest versions of Nessus lately but I wouldn't be
surprised if now they said on the report as to why.
Nothing is better than having the ultimate validation: actual exploit of
said vulnerabilities and having nc running on a host listening for you're
every command ;-) The only issue is you're bound by policy there as well.
Even verification, or ultimate validation, is not necessary if you don't
have a problem that requires this type of verification. You don't need to
break a window to tell people it could be broken. However, if the
investment is in an unbreakable window, then you can't walk away without
swinging a hammer. Vulnerability assessments are the same. Not all bugs
will be patched because most are already mitigated through architecture
changes, shutting down services, and various controls. Not all bugs matter.
Realistically, very little needs to be exploited to prove a vulnerability
assessment. An exploit is only if you have to prove penetration. To even
use it to prove that a patch is applied is nonsense because you can only
prove that the exploit still works despite patching because if it doesn't,
you have only proved that the exploit did not work for you. It can't prove
a patch.
Sincerely,
-pete.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
