Re: Vulnerability Assessment

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa@pacbell.net)
Date: Tue Jul 31 2007 - 23:08:54 EDT


"Compliance with SB1386"

That's pretty interesting since SB1386 is primarily a privacy bill that
requires businesses to disclose a security breach.
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
"includes personal information, as defined, to disclose in specified
ways, any breach of the security of the data, as defined, to any
resident of California whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized person"

Even the sister bill/law of AB1950 states
http://info.sen.ca.gov/pub/03-04/bill/asm/ab_1901-1950/ab_1950_bill_20040929_chaptered.html
"This bill would require a business, other than specified entities, that
owns or licenses personal information about a California resident to
implement and maintain reasonable security procedures and practices to
protect personal information from unauthorized access, destruction, use,
modification, or disclosure."

Compliance with these regulations is interpretive. What is
'reasonable' in the eyes of one person is not in another, nor should it
be, depending on the risk assessment of each firm. These regulations
are, by design, vague and subject to interpretation (and certainly
subject to legal precedent, of which there's been little set thus
far). PCI standards are a bit more exact, but even then, beware of
anything that states that they document compliance with "fill in the
blank" regulation.

Vulnerability assessment is only one part of a possible compliance with
regulations.

Tima Soni wrote:
> One important thing-
>
> QualysGuard reports can be customised easily to document compliance
> with regulatory laws like PCI, HIPAA, GLBA, SB 1386 and Sarbanes-Oxley
> etc. With the inbuilt ticketing functionality it has, vulnerabilities
> can be tracked and remediated by ticket trending by asset group, user
> and vulnerability. You can then analyse the groups, users and
> vulnerabilities that are being reported frequently ...
>
>
> GFI LANguard, on the other hand, can reach even isolated segments, as
> it can be installed even on laptops. So you can connect your laptop to
> an isolated device, maybe by a cross cable, and scan it..... But
> QualysGuard is a hardware box kept in one segment of the network.
> Possibly, you might have to open access to all segments of the network
> for the device, so that it can perform scans. It might not be a good
> idea always. GFI can report all known vulnerabilities listed in the
> OVAL, CVE and SANS Top 20 databases. You can even evaluate file folder
> permissions with it.
>
>
> The best solution would be to use two vulnerability scanning tools, so
> that a comparative analysis can be done .. One tool has excellent
> reporting features (QualysGuard) and the other tool can be used for
> more technical in-depth analysis of the vulnerabilities and the methods
> of fixing them, and even to reach segments that are not reachable by
> the other tool. This is also able to discover any false positives
> reported by one scanner....
>
> So in case you are planning to document compliance with regulatory
> laws, QualysGuard will be helpful.
>
>
>
> Regards,
>
> Tima
>
> On 7/27/07, US Infosec <usinfosec@gmail.com> wrote:
>
>> I am not sure who told you that Foundstone can not scan public IP
>> Addresses, but they do and I use it for that purpose a lot. Also, as
>> I think I pointed out before, when you look at Foundstone be sure to
>> also check out Preventsys which improves the reporting quite a bit. I
>> have no vested interest in your decision and will just tell you that I
>> perform vulnerability assessments all the time and frequently will
>> scan customers that have Qualys and I end up finding stuff that it
>> didn't. So, again I would recommend that you do a proof of concept
>> with both in your environment and see which one produces the results
>> you are looking for.
>>
>> One last thought. A lot of places want to "automate" vulnerability
>> assessments. You can schedule them, but all of the rest of the process
>> really needs people involved. As others would probably agree,
>> relying on an automated process for vulnerability assessment and then
>> patch management can lead to some serious problems and a false sense
>> of security.
>>
>> Good Luck
>>
>> On 7/25/07, Uzair Hashmi <uzair@kse.com.pk> wrote:
>>
>>> Hello,
>>>
>>> First of all I would like to thank everyone in this list who replied to
>>> my message and gave enough different perspectives; I really appreciate
>>> it. Thank you very much.
>>>
>>> Currently we are using Nessus, nmap, nc, Metasploit, and obviously
>>> ethereal (I can't breathe without it), for all the Vulnerability
>>> Assessment exercises. The Security dept. needs to entertain the
>>> Operations dept. and Audit dept. separately, giving them compliance
>>> reports with a certain level of authenticity and trust, with specific
>>> solutions as well (taking care of the change management process, also
>>> like what needs to be updated and what not). We have 20,000 local IPs
>>> and 8 public. With the current situation it's quite difficult to manage
>>> the reporting and change tracking, the whole automation of this process,
>>> and giving the reasons to audit for why and what we have communicated.
>>> All records have to be maintained.
>>>
>>> I have evaluated almost all possible products / solutions / services
>>> every person has suggested. Products like ISS, Retina, CoreImpact
>>> etc. are not feasible due to various technical and policy-based reasons.
>>> Also some support issues in the operating city.
>>>
>>> We are not debating about what tools and processes can make up a
>>> credible infrastructure for security management, but about a very very
>>> specific area of vulnerability assessment, in fact vulnerability
>>> assessment automation.
>>>
>>> Please give technical answers that can really help in taking the
>>> decision. The comparative answers I got from most persons in this list
>>> don't satisfy at all, because I have no concern what market share and
>>> clientele one product has, etc. Also most of the persons comparing
>>> QualysGuard and Foundstone look like they worked with or evaluated only
>>> one of the products, or got biased by some marketing strategy.
>>>
>>> Anyway, here are the cons of both products with vendor justifications:
>>>
>>> QualysGuard:
>>> Data is stored at qualys.com. The vendor mentioned that the data and
>>> maps stored are in encrypted format; the encryption key is based on the
>>> user's password. In case you forget the password, a new account will
>>> be created, and the old account with whatever data it holds is dumped /
>>> deleted. Whereas Foundstone stores all data on its local hard disk. The
>>> vendor is willing to sign a legal NDA for information disclosure.
>>>
>>> McAfee Foundstone:
>>> Cannot scan public IPs. It is quite possible to scan public IPs from
>>> the DMZ, but again Foundstone doesn't target that audience. Also while
>>> scanning from the DMZ one cannot strictly check the firewalls and other
>>> devices' configurations from an outsider's perspective. QualysGuard is
>>> good at it.
>>>
>>> Note: Vulnerability database is updated locally before each new scan (if
>>> required), and hence need internet availability to download/update the
>>> database.
>>>
>>> Now the pros part: QualysGuard has far better reporting compared to
>>> Foundstone, and also to Retina and Nessus. Both QualysGuard and
>>> Foundstone support threat correlation (Foundstone comes with additional
>>> cost for this module, not by default). Both support a risk management
>>> matrix and role-based user access control.
>>>
>>> I have not considered the scan speed and network utilization of the two
>>> products while evaluating, so if someone can give his/her input in this
>>> regard, or any other technical consideration, I look forward to it and
>>> would appreciate if someone can really help in selecting one from the two.
>>>
>>>
>>> Best Regards,
>>> Uzair
>>>
>>>
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> This list is sponsored by: Cenzic
>>>
>>> Need to secure your web apps NOW?
>>> Cenzic finds more, "real" vulnerabilities fast.
>>> Click to try it, buy it or download a solution FREE today!
>>>
>>> http://www.cenzic.com/downloads
>>> ------------------------------------------------------------------------
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
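The two-scanner comparison Tima describes above, and the reporting and ticket trending Uzair needs for audit, as an added example that is not part of the thread and not code from Qualys, GFI or Foundstone. It assumes each scanner can export a host,vuln_id,asset_group list; the exports and vulnerability IDs below are constructed placeholders.

```python
from collections import Counter

# Constructed sample exports (host,vuln_id,asset_group); IDs are placeholders,
# not real scanner output.
SCANNER_A = """\
10.0.1.5,V-001,finance
10.0.1.5,V-002,finance
10.0.2.9,V-003,dmz
"""
SCANNER_B = """\
10.0.1.5,V-001,finance
10.0.2.9,V-003,dmz
10.0.2.9,V-004,dmz
"""

def parse_export(text):
    """Return ({(host, vuln_id)}, {host: asset_group}) from one scanner's export."""
    findings, groups = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, vuln_id, group = (field.strip() for field in line.split(","))
        findings.add((host, vuln_id))
        groups[host] = group
    return findings, groups

def reconcile(a_text, b_text):
    """Split findings into corroborated (seen by both) and single-source sets.

    Single-source findings are the ones to verify by hand: either the other
    scanner missed them or the reporting scanner produced a false positive."""
    a, groups = parse_export(a_text)
    b, groups_b = parse_export(b_text)
    groups.update(groups_b)
    return {
        "corroborated": sorted(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "groups": groups,
    }

def open_tickets_by_group(result):
    """Ticket-trending view for audit: corroborated findings per asset group."""
    counts = Counter(result["groups"][host] for host, _ in result["corroborated"])
    return dict(counts)

if __name__ == "__main__":
    r = reconcile(SCANNER_A, SCANNER_B)
    for key in ("corroborated", "only_a", "only_b"):
        print(key, r[key])
    print("open tickets by asset group:", open_tickets_by_group(r))
```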




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT