>> I never mentioned anything about budget issues. I suspect the lack of >> flexibility granted people to use Linux often has little to do with >> budgetary issues, directly. This person may be at the mercy of the IT dept >> for his equipment.
>In which case there is NO need for Nessus. If one is not part of the team >involved with servers and security there is no legitimate purpose to use >Nessus or any other scanner. I don't think it is uncommon for security engineers and the IT group to be not only not directly on the same "team", but also reporting to different bosses. Not only that, I don't think it is uncommon for the security engineer to have no authority or control over server/netowrk configuration to directly dictate changes. Sometimes they run their scans, make their assessments/reports, pass it to their boss who passes it to the IT manager who passes it down to his people in IT directing what issues to fix. Obviously to have some kind of coherent method to do this, the security engineer has to coordinate with IT people to arrange such things as when to scan as to minimize network disruption, but that doesn't mean the security engineer has the authority to demand IT do anything whatsoever. Including providing him the exact equipment and OS he want to use to do his scan with. That also doesn't mean the security engineer doesn't have a use for a good security scanner. Obviously this would not be the best arrangement to have, certainly not. But it doesn't mean this doesn't happen (perhaps more frequently than one might think) and security engineers have to deal with it. There are a lot of big companies out there with all kinds of political problems like this where people are protecting their little empires. In a conference sessions at Infosec last year, serveral people indicated such problems existed within their companies. Now, I don't know if it got down to the level where they could not get a Linux system to use, but it wouldn't suprise me. - [EMAIL PROTECTED]: general discussions about Nessus. * To unsubscribe, send a mail to [EMAIL PROTECTED] with "unsubscribe nessus" in the body.
