> Hi Cribbar,
>
> I can see the auditor's point but he may not be putting the best case forward
>
> If the organisation has a good security model in place with patching and
> hardening, there is still a need to scan the whole environment. Look at it as
> a defence in depth scan. What happens if a rogue device is added to the network?
> Or a change is made on a device that has insecure consequences?
Not to mention the fact that the best (only?) way to verify that the security
model in place is indeed "good" or at least "good enough" is to perform a
thorough operational security audit [1]. Otherwise you're just guessing at
best.
> I know there can be other controls in place to stop this happening but you
> cannot rely on a silver bullet product/process to secure your environment.
>
> You will need hundreds of bullets for each threat scenario you are defending
> against.
Agreed. That's why the focus should be shifted from threats to operations.
[1] See the OSSTMM 3, available at www.osstmm.org.
--
------------------------------------------------------------------
Marco Ivaldi OPSA, OPST, OWSE
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://www.mediaservice.net/
------------------------------------------------------------------
PGP Key - https://keys.mediaservice.net/m_ivaldi.asc
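The two cases raised in the quoted reply (a rogue device appearing, and a known device whose exposure changes) are exactly what a whole-environment scan compared against a baseline catches. The script below is an added example and is not part of the original post or of OSSTMM; it parses a constructed, simplified "ip port/proto/state/service ..." listing (not real nmap output) for a trusted baseline and a fresh run, and reports new hosts, missing hosts, and services that opened or closed on known hosts. Function names and the sample data are assumptions for illustration only.

```python
# Added example (not from the original post): diff a fresh whole-environment
# scan against a trusted baseline to surface rogue hosts and changed services.
# Input format is a constructed, simplified listing, one host per line:
#   ip port/proto/state/service [port/proto/state/service ...]

# Constructed sample data: the baseline inventory of three known hosts.
BASELINE_SCAN = """\
# ip         open services
10.0.1.10    22/tcp/open/ssh   443/tcp/open/https
10.0.1.11    22/tcp/open/ssh   3306/tcp/open/mysql
10.0.1.12    22/tcp/open/ssh
"""

# Constructed sample data: the current run. One known host grew a telnet
# service, and a host nobody registered has shown up on the segment.
CURRENT_SCAN = """\
10.0.1.10    22/tcp/open/ssh   443/tcp/open/https
10.0.1.11    22/tcp/open/ssh   3306/tcp/open/mysql   23/tcp/open/telnet
10.0.1.12    22/tcp/open/ssh   80/tcp/filtered/http
10.0.1.57    445/tcp/open/microsoft-ds   3389/tcp/open/ms-wbt-server
"""


def parse_scan(text):
    """Return {ip: {(port, proto): service}} for every *open* port listed."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, *entries = line.split()
        services = hosts.setdefault(ip, {})
        for entry in entries:
            port, proto, state, service = entry.split("/", 3)
            if state == "open":            # filtered/closed ports are not exposure
                services[(int(port), proto)] = service
    return hosts


def diff_scans(baseline, current):
    """Compare two parsed scans and report what appeared or disappeared."""
    result = {"new_hosts": [], "missing_hosts": [],
              "new_services": [], "closed_services": []}
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            result["new_hosts"].append(ip)        # rogue or unregistered device
            continue
        if ip not in current:
            result["missing_hosts"].append(ip)    # decommissioned, down, or evading?
            continue
        before, after = baseline[ip], current[ip]
        for port, proto in sorted(set(after) - set(before)):
            result["new_services"].append((ip, port, proto, after[(port, proto)]))
        for port, proto in sorted(set(before) - set(after)):
            result["closed_services"].append((ip, port, proto, before[(port, proto)]))
    return result


def format_report(diff):
    """Render the diff as one finding per line, for a ticket or a mail."""
    lines = []
    for ip in diff["new_hosts"]:
        lines.append(f"NEW HOST        {ip}: not in baseline, verify ownership")
    for ip in diff["missing_hosts"]:
        lines.append(f"MISSING HOST    {ip}: in baseline, not seen in this run")
    for ip, port, proto, svc in diff["new_services"]:
        lines.append(f"NEW SERVICE     {ip} {port}/{proto} ({svc}): review the change")
    for ip, port, proto, svc in diff["closed_services"]:
        lines.append(f"CLOSED SERVICE  {ip} {port}/{proto} ({svc}): confirm intended")
    return lines


if __name__ == "__main__":
    findings = diff_scans(parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN))
    for line in format_report(findings):
        print(line)
```

The check is deliberately dumb: it trusts nothing about patch level or hardening, it only asks "is anything reachable now that was not reachable before?", which is the question a baseline-versus-current sweep answers regardless of how good the rest of the controls are. In practice the baseline would come from the asset inventory or the previous authorised scan, and every line of the report is a ticket to close.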
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.