Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Vulnerability scanning routines - what is overkill.
From: Marco Ivaldi <raptor () mediaservice net>
Date: Mon, 12 Sep 2011 17:09:28 +0200 (ora legale Europa occidentale)

On Sat, 27 Aug 2011, Duncan Alderson wrote:

Hi Cribbar,

I can see the auditors point but he may not be putting the best case forward

If the organisation has a good security model in place with patching and hardening, there is still a need to scan the whole environment. Look at it as a defence in depth scan. What happens if a rouge device is added to network? A change on a device is added that has insecure consequences?

Not to mention the fact that the best (only?) way to verify that the security model in place is indeed "good" or at least "good enough" is to perform a thorough operational security audit [1]. Otherwise you're just guessing at best.

I know there can be other controls in place to stop this happening but you cannot rely on a silver bullet product/process to secure your environment.

You will need hundreds of bullets for each threat scenario you are defending against.

Agreed. That's why the focus should be shifted from threats to operations.

[1] See the OSSTMM 3, available at www.osstmm.org.

Marco Ivaldi                          OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://www.mediaservice.net/
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]