lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <E2F63ACD0DE93C4A99AF7BF75837161CDEECD4@rec-its-exs01.mail.saic.com>
From: CHRISTOPHER.D.STARFORD at saic.com (Starford, Christopher D.)
Subject: Top 15 Reasons Why Admins Use Security Scan
	 ners

First an auditor checks for vulnerabilities of course (this is for
validation not to make that determination based on the auditee's saying or
reports from third party scanners). Then the auditor will determine the
extent and security surrounding those vulns and what the auditee is either
required (policy/procedure) or recommended (best practice) to fix those
vulnerabilities and stay secure.


__________________________________________________
Christopher D. Starford
SAIC Enterprise Security Sulutions




> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89@...oo.com] 
> Sent: Wednesday, April 28, 2004 3:05 PM
> To: Starford, Christopher D.
> Cc: 'full-disclosure@...sys.com'
> Subject: RE: [Full-Disclosure] Top 15 Reasons Why Admins Use 
> Security Scan ners
> 
> 
> 
> And you know something, Chris...that's fine.  Really. 
> I just left a position in the private sector w/ a
> company that was audited over a dozen times a year by
> various customers.  Even their external auditors (ie,
> *not* customers) were clueless when it comes to IT or
> security.  One audit did include a knowledgeable
> security professional on staff...but just one.  
> 
> But there's also another way to look at the original 
> comment...security is a process.  Running a vulnerability 
> scanner isn't a process...it's a point-in-time check, a 
> snapshot.  A good IT security auditor won't focus on the fact 
> that certain systems have vulnerabilities...he or she will 
> focus on *why* they have the vulnerabilities.
> 
> > I believe many true IT Security Auditors out there
> > would agree that your wrong on this one.
> > 
> > > -How will I ever pass my IT Security Audits?
> > >  
> > > Don't worry about it...most audits don't seem to
> > have
> > > an IT background, and even when they do, they
> > don't
> > > take the time to understand your business
> > processes or
> > > your network infrastructure.
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ