Re: Auditing and requirements

From: Brian Russo (brianr@entropy.net)
Date: Thu Jan 10 2008 - 16:36:05 EST


AV software is a category 1 requirement (A few months ago it was anyway, not sure if it's changed) to connect to a DoD network; it's also referenced in the NISPOM somewhere in chapter 8 but that language is more flexible; it requires you implement malicious code/virus features 'as appropriate'.

I guess I don't understand why there wouldn't be antivirus software?
Nor do I really understand your question.. WRT STIGs being applied to systems they don't apply to (?).

Sorry if that doesn't help..

  -bri

On Thu, Jan 10, 2008 at 12:36:46PM -0500, xelerated wrote:
> I wanted to ask here, since in my experience many pen testers have
> at least some audit experience.
>
> My question has to do with DISA STIGs. Now, it is my understanding,
> and that of everyone that I have asked so far, that the DISA STIGs are
> only requirements for DoD IA systems.
>
> So, who out there would give a company a finding for not having A/V on
> a Unix system based on DISA STIGs when the STIGs do not apply to the
> company nor the systems in question?
> And, the actual policies and requirements that DO apply to said
> company and systems (NIST included) do not have any hard requirements
> for doing this.
>
> Also, as a side note, does it make any sense to go through a company
> and try to apply ALL STIGs possible and the ones that don't leave a
> system unusable, then write a justification for those?
>
> I thank you all for your input. It's an important issue to me right now
> and I greatly appreciate your feedback.
>
> Thanks
> Chris


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT