
Security Probes for New Clients?

Cliff posted more than 10 years ago | from the just-to-start-off-with dept.

Security 40

archaic0 asks: "I've recently acquired a new client (I do on call tech work for several companies where I live) who have requested a security audit. In the past I've hired several friends (self-proclaimed security consultants) in the industry to run various exploits and tests for me, but due to the time involved and the cost, I'd like to find a short introductory type option to start a new client off with. I recently ran across a program called Retina, by eEye, and I'm quite impressed however it comes with a $1400 price tag per use (or $14,000 a year for a bulk license). Can anyone point me to tools they've used to do a pretty well-rounded security scan that can produce detailed reports? I know there is no substitute for a real security professional spending time confirming your network security, but I'd like to have at least one good tool to start a new client off with before throwing a huge security team at them."


40 comments


Anal probes for New Clients? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8267130)

Somethings to try out... (5, Informative)

rayamor (245814) | more than 10 years ago | (#8267145)

My company recently purchased an SSL cert from Verisign and recently received an email from http://www.qualys.com [qualys.com] (in conj. with our purchase) to perform a web-based security scan of internet-facing machines, such as web servers. The results and demo reports appeared a bit better than our usual Nessus vulnerability scan [nessus.org], however, Qualys is not free. Try these tools out; for web servers, they have done quite well for my end.

Re: Qualys is Enterprise Scale (3, Informative)

illectro (697914) | more than 10 years ago | (#8271994)

It's easily the best product out there with the largest database of detections, and reliable ones at that. Nessus is free and maybe has 2/3 of the database that Qualys has. Everyone else is a distant 3rd, with maybe 1/3 of Qualys' database.
For a free one-off scan I'd suggest you use Nessus because it costs nothing to set up - just find a spare machine and install Linux, and you can throw away the host after you've finished with it. One major thing to watch out for with vulnerability scanners is that you make sure the host they're installed on is properly secured. I heard about a company that installed Foundstone's application, which needed a Microsoft SQL database to support the app - guess how many vulnerabilities adding that support machine added to their network? Qualys of course doesn't have any setup worries - either they run the scan from their remote servers, or you get one of their cute little 1U boxes, plug it in, give it an IP and it's done.
The other downside to the Nessus solution is that the presentation and management of the results isn't particularly good; again, that's one thing you see in the enterprise solutions: workflow management for remediation, as well as a lot of nice-looking reports and summaries. If you're scanning your own network the Qualys scanner is a fabulous choice. I think Qualys used to offer a pay-per-scan service, so maybe you could get a deal for a one-time scan. But if it finds any problems with your client then you're going to need to stump up more when the vulnerabilities are supposedly fixed.
So... maybe set up a Nessus box, and maybe take advantage of Qualys' free demo scans.
And make sure you get permission.
And of course turn off all the Nessus tests which crash things.

Re: Qualys is Enterprise Scale (1)

zcat_NZ (267672) | more than 10 years ago | (#8272222)

And of course turn off all the nessus tests which crash things.

I'd say clone your production server if you can't afford for it to be down, but DO run the tests that crash things. You do want to know if some bored script-kiddie can take your site down with a trivial syn-flood or ping-of-death.

Re: Qualys is Enterprise Scale (0)

Anonymous Coward | more than 10 years ago | (#8285349)

...with a trivial syn-flood or ping-of-death.

1996 called, they want their 1337 haXXs back.

Qualys is sh*t (1)

Gothmolly (148874) | more than 10 years ago | (#8311576)

We use it at my shop, and all it does is provide a GUI to the clueless 'policy enforcers', i.e. the InfoSec guys. They scan you, Qualys says 'X is bad', and it's a Federal Case. Of course, if you mention how X is not really true, because you're running in a chroot jail, for instance, it makes no difference. The Computer has spoken, and produces a Shiny HTML Report to prove that you have a Vulnerability. Qualys is just a pretty front end and control GUI for Nessus.
Much better to roll your own, because in the process, you'll have people actually LEARN security.

P.S. My solution? IPFilter on all my Solaris and HP boxen. The idiots only scan from 1 IP address, so it's easy enough to send back TCP RSTs to that IP address.

Re:Qualys is sh*t (1)

Alex (342) | more than 10 years ago | (#8354888)

We use it at my shop, and all it does is provide a GUI to the clueless 'policy enforcers', i.e. the InfoSec guys. They scan you, Qualys says 'X is bad', and it's a Federal Case. Of course, if you mention how X is not really true, because you're running in a chroot jail, for instance, it makes no difference. The Computer has spoken, and produces a Shiny HTML Report to prove that you have a Vulnerability. Qualys is just a pretty front end and control GUI for Nessus.
Much better to roll your own, because in the process, you'll have people actually LEARN security.


What said reflects badly on the people using the product - not the product.

Alex

Why Open Source is THE Security Risk (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8267146)

The nature of open source makes security problems an inevitable concern. There are a handful of ways that malicious code can make its way into open source and avoid detection during security testing, making government adoption of open source particularly worrisome.

An old adage that governments would be well-served to heed is: You get what you pay for. When you rely on free or low-cost products, you often get the shaft, and that, in my opinion, is exactly what governments are on track to get. Perhaps not today, nor even tomorrow, and not because open source products are less capable or less efficient than commercial products, but because sooner or later, governments that rely on free open source software will put their country's and their citizens' data in harm's way. Eventually--and inevitably--an open source product will be found to contain a security breach--not one discovered by hackers, security personnel, or a CS student or professor. Instead, the security breach will be placed into the open source software from inside, by someone working on the project.

This will happen because the open source model, which lets anyone modify source code and sell or distribute the results, virtually guarantees that someone, somewhere, will insert malicious code into the source. Malevolent code can enter open source software at several levels. First, and least worrisome, is that the core project code could be compromised by inclusion of source contributed as a fix or extension. As the core Linux code is carefully scrutinized, that's not terribly likely. Much more likely is that distributions will be created and advertised for free, or created with the express purpose of marketing them to governments at cut-rate pricing. As anyone can create and market a distribution, it's not far-fetched to imagine a version subsidized and supported by organizations that may not have U.S. or other government interests at heart.

Third, an individual or group of IT insiders could target a single organization by obtaining a good copy of Linux, and then customizing it for an organization, including malevolent code as they do so. That version would then become the standard version for the organization. Given the prevalence of inter-corporation and inter-governmental spying, and the relatively large numbers of people in a position to accomplish such subterfuge, this last scenario is virtually certain to occur. Worse, these probabilities aren't limited to Linux itself, the same possibilities (and probabilities) exist for every open source software package installed and used on the machines.

How Can This Happen?
The products of the open source software development model have become increasingly entrenched in large organizations and governments, primarily in the form of Linux, a free open-source operating system, the free open-source Apache Web server, and open source office suites. There are several reasons that open source software--and Linux in particular--are seeing such a dramatic uptick in use, including IBM's extensive Linux support effort over the past several years, and the widespread perception that Linux is more secure than Windows, despite the fact that both products are riddled with software security holes. (Use this menu to see the number of vulnerabilities reported by security watchdog group Secunia for an OS-by-OS comparison.)

So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered). Because anyone can create and market--or give away--a Linux distribution, there's also a reasonably high risk that someone will create a distribution specifically intended to subvert security. And how would anyone know?

Open source advocates rightfully maintain that the sheer number of eyes looking at the source tends to rapidly find and repair problems as well as inefficiencies--and that those same eyes would find and repair maliciously inserted code as well. Unfortunately, the model breaks down as soon as the core group involved in a project or distribution decides to corrupt the source, because they simply won't make the corrupted version public. Therefore, security problems for governments begin with knowing which distributions they can trust.

Can Self-Policing Work?
The open source model does a good job finding and winnowing out malicious code submitted as part of a project when the people in charge of the true project source are both actively looking for potential security problems and also not actively attempting to subvert the model. For example, it's likely that someone will find and notice such obvious attempts at any of the large, well-run projects. Still, I'd be very surprised if some open source software doesn't already contain well-hidden malicious code. It's an onerous thought, but many programmers will tell you that the temptation to build in special debugging and monitoring capabilities or to write back door code is powerful. The temptation for businesses is, in my opinion, even more powerful. If businesses think that they can gain a competitive advantage by altering their software to provide reports on other, competing products within an organization, marketing pressures will eventually force them to do exactly that.

This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid. That means that many of the advantages that individuals have gained by using open source software, specifically, those of choice and the possibility of altering their software to better suit their own needs, won't and can't apply in a secure government situation. To limit their vulnerability, governments can't afford to give everyone a choice, nor can they afford to provide access to the source code for their software.

Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.

I'm not naive enough to think that proprietary commercial operating system software doesn't have the same sort of vulnerability, but the barriers to implementing them are much higher, because the source is better protected. I think such a scenario is far less likely than finding a group of people willing and able to create and market a malware open source distribution.

Who's Watching the Watchers?
This problem isn't new. In fact, it's far older than any computer technology. The Latin phrase Quis custodiet ipsos custodes, which translates to "Who will guard the guards?" shows that people have been struggling with the same problem for centuries. You can set up as many layers of security as you like, but at some point, you have to trust the layers themselves.

In short, open source free and low-cost software products are likely to be widely adopted in governments, where spending public money for licenses is a difficult justification. Inevitably, that choice will lead to security breaches that will cost those same governments (and ultimately you), huge amounts of money to rectify.

You need Nessus (3, Informative)

Anaxagor (211917) | more than 10 years ago | (#8267192)

It's the shit. [nessus.org]

Scanning and Vuln Assessment (5, Informative)

NonNullSet (693466) | more than 10 years ago | (#8267212)

Good free ones: Nessus, nmap, Nikto. Besides Retina, look at Foundstone. There is also Qualys, nCircle and several others (search for vulnerability assessment tools). Make sure that you understand the network topology, especially if firewalls & routers are involved. There are also host-based scanning tools designed to be run on individual systems, primarily to harden them.

Nessus (3, Informative)

ralphus (577885) | more than 10 years ago | (#8267216)

Check out Nessus [nessus.org] . Nuff said.

Re:Nessus (5, Insightful)

shfted! (600189) | more than 10 years ago | (#8267480)

Not "Nuff said." Any security person who uses only one tool is a damned fool!

Re:Nessus (2, Insightful)

ralphus (577885) | more than 10 years ago | (#8268995)

Agreed completely. I guess I meant that as I took the poster to be asking what's a good single tool that doesn't cost as much as Retina. Furthermore, if you are going to be a damned fool and only use one tool, is there a more comprehensive open source one than Nessus (which is really several tools IMO)?

Re:Nessus (1)

shfted! (600189) | more than 10 years ago | (#8276008)

I agree that Nessus is by far the best out there for free. If I only had one to use, it would be it :)

Re:Nessus (1)

ralphus (577885) | more than 10 years ago | (#8284065)

yah! we are all a happy family again.

Kids, use many tools. Here's a good list [insecure.org] to start with.

Impressive. (1)

Anonymous Coward | more than 10 years ago | (#8267248)

They requested a security audit? They.. asked for one?

For most companies security is an afterthought that's not worried about until they notice their server's been compromised for a couple of months.

Most impressive, congratulations for finding a clueful employer. I hope the audit goes well.

Some tools (5, Informative)

smoon (16873) | more than 10 years ago | (#8267556)

[links not provided: it is assumed you can google [google.com] ]

First you'll want "nessus" -- this scans and attempts to exploit vulnerabilities. Comes complete with up-to-date 'signatures' for attacks to ensure that systems are patched or that firewalls are blocking access.

Second you'll want "GFI Languard" and run that to scan the internal Windows PCs -- it will give a nice report of each machine and patches needed (assuming you've got approval and admin access on the domain). This costs like $1k, but has a 30 day free trial to get the client started. Can also be used to deploy patches.

If you don't want to use Languard, which is really quite a bit better, you should at least use Microsoft's "Baseline Security" tool. Again, it requires admin access, but gives a nice report for each machine you scan.

nmap is nice to document open ports on machines, particularly so-called DMZ or other firewalled internet-accessible hosts.

dsniff is a good tool to watch for insecure protocols. Always fun to report that everyone's POP3 password seems to be the same as their domain login password.

L0phtCrack is good to give a baseline indication of how secure user passwords are. Run it for a set amount of time -- 1 hour say -- using all of the passwords found by dsniff over a day or two as part of its dictionary.

There's a lot more to do -- check routers etc. for default passwords, war-dial all phone numbers of the company looking for rogue modems and more default passwords, etc. But the tools above should give a pretty good start.

All of these tools produce reports in some flavor, which you can then combine manually. I assume the client is paying you for the report, so some manual effort is OK.

Make sure to push for a 'follow-up' audit after the client has remediated the problems.

Social engineering considered most efficient (5, Insightful)

korpiq (8532) | more than 10 years ago | (#8267611)

war-dial all phone numbers of the company looking for rogue modems

Combine this with talking each answering person into giving their authentication information. I understand the easiest way to achieve that is by telling them you are hired by their company to make a security audit and said authentication information is necessary to point out flaws in their IT security. Not like I were experienced in the field but that's what they keep telling 'round the 'net, Mr. Mitnick for instance.

Have fun!

Re:Some tools (1)

Jeremiah Cornelius (137) | more than 10 years ago | (#8269466)

MBSA is a decent supplement, but it really is a Systems Administration tool - not a security audit tool. It is FAMOUS for false negative results, detecting registry artifacts of overwritten patches, etc...

GFI is a better bet. Retina really does the job.

Check out the Archives of the pen-test mailing list [securityfocus.com] at SecurityFocus.com

Re:Some tools (1)

Jjeff1 (636051) | more than 10 years ago | (#8274881)

Similar to GFI is HFNetCheck, which offers a 50 node demo that never expires. Works great for small networks or if you just want to manage your servers.

Security Audit != vuln assessment via the internet (4, Insightful)

martin (1336) | more than 10 years ago | (#8267802)


A proper security audit should include a vuln assessment from the internet, but how about

1. Dial-in lines..
2. Social engineering - ring someone and say "Hi, I'm the new guy in IT and I've been asked to check everyone's password, can I have yours". Ring the IT dept, "Hi, I'm Fred from xyz sales inc. We sell firewalls (or whatever), can I spend a few minutes talking about your network security" and so on.
3. Do they have a security policy? How do they enforce the policy?
4. What about disaster recovery?
5. What happens when the senior IT security person is on holiday/off sick and you get a reported breach?
6. .......

Re:Security Audit != vuln assessment via the inter (0)

Anonymous Coward | more than 10 years ago | (#8268721)

7. Profit!

Cheap cheap (1, Informative)

TheOtherKiwi (743507) | more than 10 years ago | (#8267988)

For Windoze systems check out the Microsoft Baseline Security Analyzer. Although it relies on Windows Update, not a good sign, it can at least check against MS known vulnerabilities - the client can already download and run it, but it can be used as a base level of checking to show how good your "industrial strength" tools are.

At the end of the day, it's a cost/benefit exercise in trying to balance the client's budget against their paranoia.

Not just tools! (3, Insightful)

Anonymous Coward | more than 10 years ago | (#8268116)

Others already posted links to various tools, so I'm not going to repeat that. However, you should be aware that these tools cover only a very small part of what a "security audit" should look into.

Corporate security is about much more than buffer overflows. Sure, it's worth keeping your PCs patched, but that doesn't mean that you're doing your security right. If I were hiring a contractor to do some sensitive work, I would look very carefully at e.g.

- physical security (office access controls, guards, cameras)

- personnel (qualifications, turnover, hiring practices, background checks)

- policies about acceptable behavior and whether they are followed (e.g. are you allowed to take your work home? is hard disk encryption mandatory for all laptops? can you give "guest accounts" for your friends or ex-employees?)

- continuity (offsite backups? redundant machines? ability to continue if a key person leaves?)

A security standard such as BS7799 should give you a more complete list of what matters.

Re:Not just tools! (0)

Anonymous Coward | more than 10 years ago | (#8271591)

- personnel (qualifications, turnover, hiring practices, background checks)

Oh, yeah, and don't forget "background checks." That's where you take somebody who you have already established is qualified for a position, and whose references you have already checked, and you tell them they can't earn a livelihood because TRW says they got too many parking tickets in California. I can't think of a faster way to create people who are (often justifiably) pissed off at your organization.

Really think about whether this is a good idea... (4, Insightful)

PinglePongle (8734) | more than 10 years ago | (#8268434)

Security is a process, not a product (no, I didn't make that up - check Bruce Schneier's company).
Security is a fairly wide-ranging topic, and involves at least half a dozen different, highly specialized disciplines. You may not need to be particularly thorough in all of them, but if you follow the great advice to use Nessus for network scanning, you may not realize that your client has left a gaping big hole in their ASP code which will allow arbitrary database requests to be executed against your client's database.
Or, you could have tightened down your network and website, but have no protection against viruses or worms on the desktop. Or there may be a wifi point allowing access to all and sundry. Or the server room may be accessible from the kitchen where many casual staff work. Or your client's CEO's daughter's boyfriend might have access to his PC with a VPN connection that automatically starts without prompting for a password....
So, yes, it's a good idea to use automated tools to do a basic audit. Nessus is good. You could do worse than read "Hacking Exposed" - it mentions a lot of good tools, both free and commercial, as well as the basic process for conducting a security audit.
However, make sure your client realizes that a clean bill of health (or fixing the issues your tools reported) does not mean they are "safe", (nor that they can sue you for any breaches that might occur), but rather that their organisation is not vulnerable to the attacks you tested for. If you didn't "test" hiring practices, they have no idea whether they are protected against employee fraud (which is still by far the most common form of computer crime). If you didn't "test" their virus protection policy, they have no idea of how exposed they are to the next email worm.
And of course, you are never "safe" - new threats emerge every day, and a server that was as safe as Fort Knox yesterday might be more like a crackhouse when the latest spl0it is released. So it's an ongoing process - assess, evaluate, repair, repeat & rinse.
Now, if your client is a small local firm with family members as employees, who use computers only for non-critical tasks, the "we'll run Nessus once a month" approach might be okay. If they are - oh, say, Microsoft...- that approach is clearly not sufficient.

Think about the interests of your client - not just in terms of saving them money, but protecting them from risk.

These guys do scans for a living (3, Informative)

WayneConrad (312222) | more than 10 years ago | (#8268677)

These guys [edgeos.com] do inexpensive automated scans for a living. They run all the tools you know and love (nessus, nmap, etc.), and can be set to scan on a schedule, or you can do one-offs.

This is a plug (they're friends), but check it out: It seems to be what you're looking for.

On the cheap (3, Funny)

MarkusQ (450076) | more than 10 years ago | (#8269107)


If you are really wanting to do a thorough job on the cheap, there are various places on the net where you can get a team of experts on it for no charge, just by posting their IP addresses, etc.

Reporting is a problem though.

-- MarkusQ

P.S. Hint for the humour-challenged: this is the kind of post that comes with a "hint for the humour-challenged" attached.

No tool will give you an audit... (2, Interesting)

awillcox (518217) | more than 10 years ago | (#8269368)

All the comments I've read here talk about penetration testing, etc. None of these provide a true "security audit," if that's what your client is requesting. Although it's important to look at technology tools when doing security audit, it can be more important to look at your processes and approaches to doing work, too.

things to look out for (2, Informative)

gothzilla (676407) | more than 10 years ago | (#8269818)

Slightly off topic, but I've done work in vulnerability assessment, forensics, and security testing. The first lesson anyone going into this realm should know is that if you claim that a network is secure and it gets hacked, your credibility goes right into the toilet.

Make sure you stress heavily that the only secure machine is an unplugged machine and all you can do is look for existing security holes, like missed security updates and firmware or poorly set up computers. Make sure your client understands that most security breaches come from a company's own employees. I've worked on projects that found a company's own network was secure, but their ISP had a security hole that allowed us to completely bypass all their security. I've seen post-its on monitors with username/password written on them. One time we had a guy walk into a bank, claim to be a new employee, and get set up on a terminal with an account. I've seen entire IT departments escorted out of a building by security while the Cisco vans pulled up out front to fix a down network because a router was missing a 6 month old firmware update and some skript kiddie took it down. There's nothing like wiping the grin off of a smug IT Admin's face, but it's a scary business if you don't practice a lot of C.Y.A. or try to claim that someone's network is totally secure.

Run a firewall, antivirus, and keep software and firmware updated and you won't have to worry about outside attacks so much. No software can find post-its with account info stuck to a monitor.

Hit them upside the head with a 2x4 (1)

mbstone (457308) | more than 10 years ago | (#8270539)

I would break the ice with a new client by giving the CEO a printout of his or her organization's userids and passwords (with some of the characters in the passwords obscured with *s). This usually gets their attention.

Re:Hit them upside the head with a 2x4 (1)

jhoffoss (73895) | more than 10 years ago | (#8270914)

Until the CEO asks where you got them and why you were performing a "pen-test" before an agreement was settled. That is, why you hacked them.

This tactic may get you one job because they're afraid of blackmail/extortion, but that's it. If you set things up with the client properly the first time, you could have a scan-every-six-months client for life.

Re:Hit them upside the head with a 2x4 (3, Informative)

mbstone (457308) | more than 10 years ago | (#8271390)

I wouldn't even attempt a vulnerability scan, let alone touch one of the client's keyboards, unless the client first signed a permission slip -- one that I paid a lawyer to draft.

hackersafe / scanalert (1)

Wycliffe (116160) | more than 10 years ago | (#8270702)

Does anyone have any experience with: http://www.scanalert.com/ [scanalert.com] , They apparently check your system on a monthly basis for security holes, etc... I have no idea how thorough they are, but at less than $200/month, the price is right.

maybe (3, Informative)

dtfinch (661405) | more than 10 years ago | (#8271085)

These are some of the best security audit tools I know of. Using any of them without written permission, or without giving a good explanation of what they do and what impact they'll have on their network, could subject you to lawsuits or prison.

nessus will scan for known vulnerabilities. I've heard it's the best, but haven't tried it myself. Be aware that running it will most likely crash some servers.
nmap will tell you all the open ports on all the systems on the network, and attempt to identify them.
ethereal will spy on network traffic. Look for suspicious traffic and cleartext passwords that shouldn't be cleartext.
The Microsoft Baseline Security Analyzer will identify missing patches and weak passwords. Though in my opinion simply running it requires you to be insecure, because it depends on "hidden" administrative shares to access the hard drives of all the systems on the network, which you may wish to disable.
l0phtcrack and Hydra are popular password crackers, used to detect accounts with weak passwords.

And like always (assuming they run Windows):
Check the firewall logs.
Make sure all security updates are installed.
Run the IIS lockdown tool on servers running IIS.
Make sure workstations are free of spyware/adware and other unwanted startup programs.
Look into the Windows gold standard and other popular security templates intended for locking down workstations and servers.
Make sure your wireless routers use adequate encryption. WEP is encrypted but uses weak keys.
Etc. Can go for hours.

Even eEye recommends Nessus (2, Informative)

vitroth (554381) | more than 10 years ago | (#8271113)

If you don't have the budget for Retina, try Nessus. Even eEye recommends it, in this post on bugtraq [securityfocus.com].

Tools... (1)

JackAsh (80274) | more than 10 years ago | (#8274933)

Foundstone (http://www.foundstone.com), ISS Internet Scanner (http://www.iss.net).

Also try Nessus (http://www.nessus.org) on the free side of things.

-Jack Ash

If you have to ask, don't. (4, Insightful)

bpalmer (568917) | more than 10 years ago | (#8276600)

Frankly, if you have to ask these questions, you should shy away from offering security consulting. Pay someone that lives, eats, sleeps and breathes IT security and you'll serve your customer better. I do IT security work (and only IT security work) for a living. I don't know how many times we've gone into a company that paid someone to do a security assessment, asked to see the previous report and been handed the stock report that NessusWX generates. Invariably when we do our work and write our report detailing the risks the customer feels their previous 'security consultants' cheated them. Often we find massive security issues that for one reason or another the automated scanners don't pick up. It won't do your reputation any good to do a poor job. The ability to do proper analysis is not a black art, but it becomes easier with experience and study.

Tough Crowd. (0)

Anonymous Coward | more than 10 years ago | (#8292608)

What you'll find is people really defend to the death what they think is security based on how much they *really* know, which you'll find is usually about the level of what they read in Computerworld magazine. Even the self-proclaimed experts. You are best off doing what you can, even if it's just scanners, but realize it's not exactly a definitive or even realistic test of security. But it is something and worth doing. Remember to keep it practical and most of all, make sure you can measure it. One problem with a lot of these scanners and semi-tests is that they give you some arbitrary high-medium-low talk. Try to put real numbers in there so you can actually measure risk. More details on practical testing with risk measurement are in the Open Source Security Testing Methodology Manual [osstmm.org] and a lot of information over at the Institute for Security and Open Methodologies [isecom.org]. Inform yourself better and with ISECOM you can at least know it's a lot of information from many, many security people (800+) giving peer review.
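smoon's post above notes that each tool produces its own report to be combined by hand, and this post asks for real numbers instead of high/medium/low labels. As an added example (not code from any poster on this page), here is a Python script that merges nmap's grepable (-oG) output with a Nessus .nbe export into one per-host summary carrying a numeric score. The sample scan data is constructed, the field layouts follow the nmap -oG and classic Nessus NBE formats as this example assumes them, and the severity weights are an arbitrary choice to be agreed with the client.

```python
"""Merge nmap -oG output and Nessus NBE results into one per-host summary.

All sample data below is constructed for illustration (RFC 5737 test addresses).
Field layouts assumed: nmap -oG "Host: ip (name)\tPorts: port/state/proto/owner/service/rpc/version/, ..."
and Nessus NBE "results|subnet|host|service (port/proto)|plugin|severity|description".
"""
import re
from collections import defaultdict

NMAP_GREPABLE = """\
# Nmap 3.50 scan initiated (constructed sample)
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (1657)
Host: 192.0.2.20 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 3389/filtered/tcp//ms-term-serv///
# Nmap done
"""

NESSUS_NBE = """\
timestamps|||scan_start|Sat Feb 14 10:00:00 2004|
results|192.0.2|192.0.2.10|http (80/tcp)|10107|Security Note|HTTP server banner disclosed (constructed)
results|192.0.2|192.0.2.10|https (443/tcp)|10863|Security Warning|SSLv2 is enabled (constructed)
results|192.0.2|192.0.2.20|pop3 (110/tcp)|10185|Security Warning|POP3 accepts cleartext logins (constructed)
results|192.0.2|192.0.2.20|smtp (25/tcp)|10263|Security Hole|Unpatched SMTP daemon (constructed)
"""

# Assumed weights: they turn a page of labels into a number that can be compared
# between hosts and between the initial audit and the follow-up audit.
SEVERITY_WEIGHT = {"Security Hole": 10, "Security Warning": 3, "Security Note": 0}


def parse_nmap_grepable(text):
    """Return {host: [(port, proto, state, service), ...]} from nmap -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:          # comment lines and Status-only lines carry no ports
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(", "):
            fields = entry.split("/")   # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5:
                continue
            hosts[host].append((int(fields[0]), fields[2], fields[1], fields[4]))
    return dict(hosts)


def parse_nessus_nbe(text):
    """Return {host: [(service, plugin_id, severity, description), ...]} from NBE text."""
    findings = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 7 or parts[0] != "results":   # skip timestamps and other records
            continue
        _, _subnet, host, service, plugin, severity, desc = parts[:7]
        findings[host].append((service, plugin, severity, desc.strip()))
    return dict(findings)


def merge_reports(nmap_text, nbe_text):
    """Combine both tools' output into one record per host with a weighted risk score."""
    ports = parse_nmap_grepable(nmap_text)
    findings = parse_nessus_nbe(nbe_text)
    report = {}
    for host in sorted(set(ports) | set(findings)):
        host_findings = findings.get(host, [])
        score = sum(SEVERITY_WEIGHT.get(sev, 0) for _, _, sev, _ in host_findings)
        report[host] = {
            "open_ports": sorted(p for p, _, state, _ in ports.get(host, []) if state == "open"),
            "findings": host_findings,
            "risk_score": score,
        }
    return report


def render(report):
    """Plain-text table suitable for pasting into the client's written report."""
    lines = [f"{'host':<14}{'open ports':<20}{'holes':>6}{'warnings':>10}{'score':>7}"]
    for host, rec in report.items():
        holes = sum(1 for _, _, sev, _ in rec["findings"] if sev == "Security Hole")
        warns = sum(1 for _, _, sev, _ in rec["findings"] if sev == "Security Warning")
        open_ports = ",".join(str(p) for p in rec["open_ports"])
        lines.append(f"{host:<14}{open_ports:<20}{holes:>6}{warns:>10}{rec['risk_score']:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(merge_reports(NMAP_GREPABLE, NESSUS_NBE)))
```

Re-running the script on the follow-up scan and comparing per-host scores gives the client a measurable before/after instead of two stacks of vendor PDFs.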

Re:Tough Crowd. (1)

jrexilius (520067) | more than 10 years ago | (#8294322)

Good post and good point about doing something being better than nothing, although I think many people are talking about not giving the client a false sense of confidence with a one-pass scan.

I am working with a client now that doesn't understand technology at all and has paid $900 for a Verisign cert and installed a BlackICE firewall with a default accept policy and thinks he is rock-solid secure. He didn't listen closely to the vendors who sold him those products and thought he was secure.