[Dailydave] Drinking the Cool-aid

Andre Gironda andre at operations.net
Mon Mar 3 12:04:34 EST 2014


On Mar 3, 2014 7:42 PM, "Joe Gatt" <gattjoseph at hotmail.com> wrote:
> > Authenticated scanners are a bad practice (imho)
>
> Can you expand on this a bit more? I would be interested to hear your
> opinion as to why you say this. I think using authenticated scanners is an
> excellent way to identify:
>
> 1.  Computers missed by the patch management process.
> 2.  Effectiveness of patch management process. I've seen patch products
> report to the console that a host is patched; however, the scan proved that
> a given patch failed to apply.
> 3.  Client software not managed and patched by IT (i.e., iTunes)
> 4.  Misconfigurations (i.e., Autorun, no SEHOP, no DEP, etc.).

Hello again, Joe. Good times convo ;>

If the goal is patch management, why not move everything to virtual
infrastructure and utilize a hypervisor or host VM mechanism to verify
patch level and bring up to spec? Same question for configuration,
actually, too?

Perhaps the role of authenticated Nessus (or CIS-CAT, NeXpose, etc) is best
for partially or already out-of-scope hosts, e.g., when coordinated with
something else like Good Enterprise when looking for partially-scoped
mobile devices? Or perhaps Nessus is useful against non-production guest
VMs (perhaps converted P2V or V2V) in a lab? What I do agree with is that
authenticated scans do have a use, and can be good practice.

Lately, I have been more or less against continuous anything. It's some
sort of wave of sickness I'm about to impose on the industry. Take NSM for
example -- I'd like to suggest on-going capture assessments without
"always-on" sensors. Maybe twice a week is appropriate, using a very
locked-down/secured device, and scrubbing/anonymizing the data and
identifying where and how private information or confidential data (private
data and confidential information?) exists unencrypted before putting it
into a data store of any type. Another benefit is being able to go all
data-scientist-version of MacGyver on the resulting pcaps. Another benefit is
being able to coordinate with memory (e.g., hibernation file) captures for
sharing-oriented compromise indicators, i.e., CybOX.

The problem with continuous anything is that it requires continuous people
looking at things continuously and they get continuously bored and
continuously miss continuously important things.

Best,
President Putin^H^H^H^H^HAndrei^H
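As an added illustration (not code from either Joe's or Andre's mail) of what sits behind Joe's item 4: an authenticated scanner logs on to the host and reads exactly this kind of configuration state, so the same checks can be scripted directly on the box. The script below reads the documented Windows locations for AutoRun policy, SEHOP and the DEP support policy. The registry paths, value names and the Win32_OperatingSystem property are the real Microsoft ones; the pass criteria (AutoRun off for all drive types, SEHOP explicitly enabled, DEP AlwaysOn or OptOut) are an assumed hardening baseline, not something the thread specifies. It assumes PowerShell 3 or later in an elevated session on the Windows host being assessed.

```powershell
# Added example, not from the original thread: host-side checks for the
# misconfigurations named in the quoted list (Autorun, SEHOP, DEP).
# Run elevated on the target host with PowerShell 3+.
# Pass criteria below are an assumed baseline, not a Microsoft default.

function Get-AutorunStatus {
    # NoDriveTypeAutoRun bitmask; 0xFF disables AutoRun for every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Check = 'Autorun'
        Value = if ($null -eq $val) { 'not set' } else { '0x{0:X}' -f $val }
        Pass  = ($val -eq 0xFF)
    }
}

function Get-SehopStatus {
    # SEHOP is on when DisableExceptionChainValidation is 0. If the value is
    # absent the OS default applies (varies by SKU), so require it explicitly.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $val = (Get-ItemProperty -Path $key -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    [pscustomobject]@{
        Check = 'SEHOP'
        Value = if ($null -eq $val) { 'not set (OS default)' } else { $val }
        Pass  = ($val -eq 0)
    }
}

function Get-DepStatus {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $policy = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Check = 'DEP'
        Value = $names[[int]$policy]
        Pass  = ($policy -in 1, 3)
    }
}

# Collect the three checks, print a table, and return non-zero if any fail
# so the script can be driven from a scheduler or a scanner's remote-exec hook.
$report = @(Get-AutorunStatus; Get-SehopStatus; Get-DepStatus)
$report | Format-Table -AutoSize
if ($report.Pass -contains $false) { exit 1 }
```

This is the same data an authenticated Nessus or CIS-CAT check collects over SMB/WinRM; running it locally just removes the scanner from the loop, which is also why the thread's question of who verifies the verifier (agent, scanner or hypervisor) does not go away by picking one of them.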