On Mar 3, 2014 7:42 PM, "Joe Gatt" <[email protected]> wrote:
>
> > Authenticated scanners are a bad practice (imho)
>
> Can you expand on this a bit more? I would be interested to hear your opinion as to why you say this. I think using authenticated scanners is an excellent way to identify:
>
> 1. Computers missed by the patch management process.
> 2. Effectiveness of patch management process. I've seen patch products report to the console that a host is patched; however, the scan proved that a given patch failed to apply.
> 3. Client software not managed and patched by IT (i.e., iTunes)
> 4. Misconfigurations (i.e., Autorun, no SEHOP, no DEP, etc.).
Hello again, Joe. Good times convo ;>

If the goal is patch management, why not move everything to virtual infrastructure and utilize a hypervisor or host VM mechanism to verify patch level and bring up to spec? Same question for configuration, actually, too? Perhaps the role of authenticated Nessus (or CIS-CAT, NeXpose, etc.) is best for partially or already out-of-scope hosts, e.g., when coordinated with something else like Good Enterprise when looking for partially-scoped mobile devices? Or perhaps Nessus is useful against non-production guest VMs (perhaps converted P2V or V2V) in a lab?

What I do agree with is that authenticated scans do have a use, and can be good practice.

Lately, I have been more or less against continuous anything. It's some sort of wave of sickness I'm about to impose on the industry.

Take NSM for example -- I'd like to suggest on-going capture assessments without "always-on" sensors. Maybe twice a week is appropriate, using a very locked-down/secured device, and scrubbing/anonymizing the data and identifying where and how private information or confidential data (private data and confidential information?) exists unencrypted before putting it into a data store of any type. Another benefit is being able to go all data-scientist-version-of-MacGyver on the resulting pcaps. Another benefit is being able to coordinate with memory (e.g., hibernation file) captures for sharing-oriented compromise indicators, i.e., CybOX.

The problem with continuous anything is that it requires continuous people looking at things continuously, and they get continuously bored and continuously miss continuously important things.

Best,
President Putin^H^H^H^H^HAndrei^H
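The "scrub/anonymize before it hits a data store" step in the message above is the part a practitioner has to actually build. What follows is an added example, not code from the original thread or from any of the tools it names: a pure standard-library Python pass over a classic (little-endian, Ethernet) pcap that replaces every IPv4 address with a keyed pseudonym, recomputes the IP header checksum so the file still parses, and flags (then masks in place) two kinds of cleartext credentials in TCP payloads, HTTP Basic Authorization headers and form-encoded password fields. The sample capture is constructed inline; the key, the 10.0.0.0/8 pseudonym range, and the two credential patterns are assumptions of this example, and the pseudonymization is deliberately not prefix-preserving (Crypto-PAn is the usual choice when subnet structure must survive).

```python
"""Scrub a pcap before long-term storage (added example, standard library only):
pseudonymize IPv4 addresses with a keyed hash and report/mask cleartext
credentials found in TCP payloads. Classic little-endian pcap, Ethernet only."""
import base64
import hashlib
import hmac
import re
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4          # classic little-endian pcap magic
LINKTYPE_ETHERNET = 1

# Cleartext credential patterns (assumed set; extend for your environment).
# Group 1 is the secret-bearing token that gets masked in the stored copy.
CLEARTEXT_CREDS = [
    ("http-basic-auth", re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)),
    ("form-password", re.compile(rb"(?:^|[&?\n])(?:pass(?:word)?|pwd)=([^&\s]+)", re.I)),
]


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudonymize(ip_bytes, key):
    """Deterministic, keyed IPv4 pseudonym inside 10.0.0.0/8.
    Same key -> same pseudonym across captures, so flows still correlate, but the
    real address is not recoverable without the key. Not prefix-preserving."""
    digest = hmac.new(key, ip_bytes, hashlib.sha256).digest()
    return b"\x0a" + digest[:3]


# --- constructed sample input (not a real capture) ---------------------------

def build_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame. TCP checksum is left at zero; nothing here needs it."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                               IPv4Address(src).packed, IPv4Address(dst).packed))
    ip[10:12] = struct.pack("!H", ipv4_checksum(ip))
    return eth + bytes(ip) + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1393900000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("192.168.1.10", "203.0.113.5", 40000, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    build_tcp_frame("192.168.1.11", "203.0.113.5", 40001, 80,
                    b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nuser=bob&password=s3cret"),
    build_tcp_frame("192.168.1.10", "203.0.113.9", 40002, 443,
                    b"\x16\x03\x01\x00\x05hello"),   # TLS-looking bytes, nothing to flag
])


# --- the scrubbing pass ------------------------------------------------------

def iter_packets(pcap):
    """Yield (record_header, frame) pairs from a little-endian classic pcap."""
    assert struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC, "little-endian classic pcap only"
    off = 24
    while off < len(pcap):
        hdr = pcap[off:off + 16]
        incl = struct.unpack("<IIII", hdr)[2]
        yield hdr, pcap[off + 16:off + 16 + incl]
        off += 16 + incl


def scrub(pcap, key):
    """Return (scrubbed_pcap, findings). Output is the same length as the input:
    addresses are rewritten in place and secrets are overwritten with 'X'."""
    out = bytearray(pcap[:24])
    findings = []
    for hdr, frame in iter_packets(pcap):
        frame = bytearray(frame)
        out += hdr
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or (frame[14] >> 4) != 4:
            out += frame            # non-IPv4 frames pass through UNscrubbed: handle or drop them
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = pseudonymize(bytes(frame[26:30]), key)
        dst = pseudonymize(bytes(frame[30:34]), key)
        frame[26:30], frame[30:34] = src, dst
        frame[24:26] = b"\x00\x00"  # zero, then recompute the IP header checksum
        frame[24:26] = struct.pack("!H", ipv4_checksum(frame[14:14 + ihl]))
        if frame[23] == 6:          # TCP: look for credentials sent in the clear
            tcp0 = 14 + ihl
            dport = struct.unpack("!H", frame[tcp0 + 2:tcp0 + 4])[0]
            data0 = tcp0 + (frame[tcp0 + 12] >> 4) * 4
            payload = bytes(frame[data0:])
            for kind, rx in CLEARTEXT_CREDS:
                for m in rx.finditer(payload):
                    findings.append({"kind": kind, "src": str(IPv4Address(src)),
                                     "dst": str(IPv4Address(dst)), "dport": dport})
                    frame[data0 + m.start(1):data0 + m.end(1)] = b"X" * (m.end(1) - m.start(1))
        out += frame
    return bytes(out), findings


if __name__ == "__main__":
    scrubbed, found = scrub(SAMPLE_PCAP, b"capture-key-2014")
    for f in found:
        print(f)
```

The findings list is what you would keep as the "where does private data travel unencrypted" inventory; it carries pseudonymized endpoints and the destination port but never the secret itself. Two caveats for real use: non-IPv4 frames (ARP, IPv6) are passed through untouched here and must be handled or dropped, and masking payload bytes leaves the TCP checksum stale, which is fine for analysis tools but worth knowing when you later run the scrubbed file through something strict.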
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
