<p dir="ltr">
On Mar 3, 2014 7:42 PM, "Joe Gatt" <<a href="mailto:gattjoseph@hotmail.com">gattjoseph@hotmail.com</a>> wrote:<br>
> > Authenticated scanners are a bad practice (imho)<br>
><br>
> Can you expand on this a bit more? I would be interested to hear your opinion as to why you say this. I think using authenticated scanners is an excellent way to identify:<br>
><br>
> 1. Computers missed by the patch management process.<br>
> 2. Effectiveness of patch management process. I've seen patch products report to the console that a host is patched; however, the scan proved that a given patch failed to apply.<br>
> 3. Client software not managed and patched by IT (i.e., iTunes)<br>
> 4. Misconfigurations (i.e., Autorun, no SEHOP, no DEP, etc.).</p>
<p dir="ltr">Hello again, Joe. Good times convo ;></p>
<p dir="ltr">If the goal is patch management, why not move everything to virtual infrastructure and utilize a hypervisor or host VM mechanism to verify patch level and bring up to spec? Same question for configuration, actually, too?</p>
<p dir="ltr">Perhaps the role of authenticated Nessus (or CIS-CAT, NeXpose, etc) is best for partially or already out-of-scope hosts, e.g., when coordinated with something else like Good Enterprise when looking for partially-scoped mobile devices? Or perhaps Nessus is useful against non-production guest VMs (perhaps converted P2V or V2V) in a lab? What I do agree with is that authenticated scans do have a use, and can be good practice.</p>
<p dir="ltr">Lately, I have been more or less against continuous anything. It's some sort of wave of sickness I'm about to impose on the industry. Take NSM for example -- I'd like to suggest on-going capture assessments without "always-on" sensors. Maybe twice a week is appropriate, using a very locked-down/secured device, and scrubbing/anonymizing the data and identifying where and how private information or confidential data (private data and confidential information?) exists unencrypted before putting it into a data store of any type. Another benefit is being able to go all data-scientist-version of MacGyver on the resulting pcaps. Another benefit is being able to coordinate with memory (e.g., hibernation file) captures for sharing-oriented compromise indicators, i.e., CybOX.</p>
<p dir="ltr">The problem with continuous anything is that it requires continuous people looking at things continuously and they get continuously bored and continuously miss continuously important things.</p>
<p dir="ltr">Best,<br>
President Putin^H^H^H^H^HAndrei^H<br>
</p>
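<p dir="ltr">Added example, not part of the thread: a read-only PowerShell check of the three Windows settings Joe's item 4 names (Autorun, SEHOP, DEP), which is the kind of host-side verification an authenticated scan performs with credentials. The registry paths and the CIM property are standard Windows locations; the "compliant" thresholds (Autorun fully disabled, SEHOP explicitly enabled, DEP AlwaysOn or OptOut) are this example's assumptions, not the thread's.</p>

```powershell
# Added example: local check of Autorun, SEHOP and DEP configuration.
# Run in an elevated PowerShell session on the host being assessed.

function Get-AutorunSetting {
    # NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type.
    # Machine policy wins over user policy, so HKLM is read first.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v) {
            return [pscustomobject]@{ Check = 'Autorun'; Value = ('0x{0:X2}' -f $v); Compliant = ($v -eq 0xFF) }
        }
    }
    # No policy value at all: AutoRun behaviour is the OS default, flag it for review.
    [pscustomobject]@{ Check = 'Autorun'; Value = '(not set)'; Compliant = $false }
}

function Get-SehopSetting {
    # DisableExceptionChainValidation = 0 enables SEHOP system-wide.
    # An absent value means the OS default applies (off on client editions of
    # that era), so the assumption here is: not explicitly set = not compliant.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
    $v = (Get-ItemProperty -Path $p -Name DisableExceptionChainValidation -ErrorAction SilentlyContinue).DisableExceptionChainValidation
    $shown = if ($null -eq $v) { '(not set)' } else { $v }
    [pscustomobject]@{ Check = 'SEHOP'; Value = $shown; Compliant = ($v -eq 0) }
}

function Get-DepSetting {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut (server default)
    $policy = [int](Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{ Check = 'DEP'; Value = $names[$policy]; Compliant = ($policy -eq 1 -or $policy -eq 3) }
}

# Collect the three results and print a compact report for the host.
$results = @(Get-AutorunSetting; Get-SehopSetting; Get-DepSetting)
$results | Format-Table -AutoSize
```

<p dir="ltr">A scanner with credentials reads the same locations remotely; running this locally on a sample of hosts is a quick way to confirm whether the scanner's findings match what the machines actually report.</p>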