Penetration Testing mailing list
Thread: Vulnerability scanning routines - what is overkill. Started by cribbar, 22 Aug 2011; reply from Duncan Alderson, 27 Aug 2011.
environment will go some way towards highlighting any new devices on the
network and also changes in service availability to existing devices on
your network - however, it's not just new vulnerabilities you should be
aware of; quick-fixes, changes in configuration etc. can easily lead to
much older issues resurfacing (e.g. an admin may unintentionally restore
old versions of libraries/code as part of a fix).
Additionally, I'd consider it good practice to be aware of existing
services disappearing or changing, which could simply be intentional,
authorised configuration changes or could be due to malicious activity.
I would also point out that while Nessus is a valuable tool, it is one
that should be used in conjunction with others (as Duncan points out) -
manual and/or automated, to provide as full a picture as your resources
allow.
Regards
Nick
On 27/08/2011 09:55, Duncan Alderson wrote:
> Hi Cribbar,
>
> I can see the auditor's point but he may not be putting the best case forward.
>
> If the organisation has a good security model in place with patching and hardening, there is still a need to scan the whole environment. Look at it as a defence in depth scan. What happens if a rogue device is added to the network? A change on a device is added that has insecure consequences?
>
> I know there can be other controls in place to stop this happening but you cannot rely on a silver bullet product/process to secure your environment.
>
> You will need hundreds of bullets for each threat scenario you are defending against.
>
> My 2c
>
> Webantix
>
> On 22 Aug 2011, at 14:28, cribbar <crib.bar (at) hotmail.co (dot) uk [email concealed]> wrote:
>
>> There was some debate the other day in our office (not tech IT myself) about
>> what percentage of the infrastructure vulnerabilities in the nessus
>> repository are taken out of the equation if you have a thorough patch
>> management policy for the infrastructure AND you scan the system before it's
>> brought into operation?
>>
>> What's your view? What % of nessus vulns are addressed by scanning after
>> the build process and addressing the problems, and then applying a thorough
>> patch mgmt policy from when it goes live?
>>
>> It's been prompted by our auditors' claim that it is essential that such scans
>> be run every month as new vulnerabilities are found all the time - but
>> if they are patched, and stuff like default passwords / vendor back doors
>> were addressed after the build process, before it went live, then what other
>> kind of issues/events/activities cause a vulnerability that isn't easily
>> addressed by applying patches ASAP?
>>
>> We would probably fall into a 'medium' security environment.
>>
>> There must be more to it than this around vulnerability scanning. Your views
>> most welcome. Should the auditors give some flexibility and accept their
>> recs are overkill, or do they have a point?
>>
>> --
>> View this message in context: http://old.nabble.com/Vulnerability-scanning-routines---what-is-overkill.-tp32311141p32311141.html
>> Sent from the Penetration Testing mailing list archive at Nabble.com.
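The three things Nick's reply says a recurring scan should surface (new devices on the network, services that have disappeared or changed, and older code quietly reinstated by a "fix") are all visible as a diff between two scan snapshots. The following is an added example, not code from the thread or from Nessus; the snapshot format `{host: {port: (service, version)}}` and the two inventories are constructed for illustration.

```python
"""Diff two normalised scan snapshots to flag new hosts, vanished services
and version rollbacks. Added example; the snapshots below are constructed."""
from typing import Dict, List, Tuple

Snapshot = Dict[str, Dict[int, Tuple[str, str]]]  # host -> port -> (service, version)

# Constructed baseline: what last month's scan recorded.
BASELINE: Snapshot = {
    "10.0.0.10": {22: ("ssh", "8.4"), 443: ("https", "2.4.51")},
    "10.0.0.11": {22: ("ssh", "8.4"), 3306: ("mysql", "8.0.26")},
}

# Constructed current scan: an unknown host appeared, a database service
# vanished from one host, and a web server was rolled back to an older build
# as part of a "quick fix" on another.
CURRENT: Snapshot = {
    "10.0.0.10": {22: ("ssh", "8.4"), 443: ("https", "2.4.29")},
    "10.0.0.11": {22: ("ssh", "8.4")},
    "10.0.0.42": {23: ("telnet", "")},
}


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-only version tuple so '2.4.29' sorts below '2.4.51'."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, List]:
    """Return the changes an analyst would want to review after each scan."""
    report: Dict[str, List] = {"new_hosts": [], "missing_hosts": [],
                               "new_services": [], "missing_services": [],
                               "downgrades": []}
    for host in sorted(set(old) | set(new)):
        if host not in old:
            report["new_hosts"].append(host)          # rogue or unregistered device
            continue
        if host not in new:
            report["missing_hosts"].append(host)      # decommissioned, or down?
            continue
        for port in sorted(set(old[host]) | set(new[host])):
            if port not in old[host]:
                report["new_services"].append((host, port))
            elif port not in new[host]:
                report["missing_services"].append((host, port))
            else:  # same service present in both: did its version go backwards?
                old_ver, new_ver = old[host][port][1], new[host][port][1]
                if version_key(new_ver) < version_key(old_ver):
                    report["downgrades"].append((host, port, old_ver, new_ver))
    return report
```

Each reported change is a prompt to confirm against the change record: an authorised change closes the item, anything else is investigated.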