In my experience very very few organizations are capable of auditing
changes on workstation assets in a way that provides real assurance.

I think where most organizations completely drop the ball is on having
the audit capability per workstation (or per server or per device in
many organizations I've worked with).

I think the common practice is to stop with the easy task of
documenting that a particular asset class ought to and is approved to
receive an update, without ever doing the actual verification to
achieve the assurance that all workstations received the patch.

In some military environments I've worked in there is a requirement
that in order to maintain network accreditation, daily credentialed
patch scans must be run.  There is usually a separate and distinct
role of Information Assurance Manager whose task is to verify that the
appropriate patch levels are being achieved.  Just so everyone's clear,
if the network loses accreditation, that means that your upstream
provider disconnects you.

I think part of what creates the culture where organizations stop
before reaching assurance is that they see a cost benefit in not
separating the duties of patch application and patch verification.  I
think there are other, less admirable causes in some cases as well,
such as ignorance or negligence.  I'm just using patching as an
example here; this applies to penetration tests, firewall audits, and
other areas.  The problem with not having the separation of duties is
that it creates a conflict of interest where a very often stressed-out
Administrator is the ground zero for an organization's actual security
posture.

On Fri, Apr 23, 2010 at 3:42 PM, Daniel <[email protected]> wrote:
> When you say configuration management system, are you thinking a fully
> developed CMDB with integration into Change management systems, proper audit
> records, etc or more something like SMS/SCCM where the focus is more on the
> deployment/reporting? I wonder how many organizations do disciplined
> configuration management for workstation class assets.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Carlos Perez
> Sent: 23 April 2010 20:18
> To: PaulDotCom Security Weekly Mailing List
> Cc: PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Scanning for Intalled Security Software
>
> I would see this as a great opportunity to offer the client an asset
> management system and a configuration management system if your
> company sells those. I worry a bit when I find clients whose policies
> lack proper configuration and asset management measures that include
> all networked devices.
>
> Carlos
>
> Sent from my Mobile Phone
>
> On Apr 23, 2010, at 10:39 AM, Shane Kelly <[email protected]> wrote:
>
>> Thanks for all your great suggestions!
>>
>> With regards to machines that sit outside the domain they will be
>> looked at manually by the client, as these machines should most likely
>> not exist on the network.
>>
>> I've personally not used Nessus to do authenticated scans, so it's
>> good to hear it suggested. I'll have a look at each, but the client in
>> this case would probably be more comfortable with us using Nessus.
>>
>> Thanks!
>> Shane
>>
>> On 23 April 2010 14:40,  <[email protected]> wrote:
>>> I second that; works very well for machines in the domain. Had this
>>> set up to check for AV (installed/running/revision of pattern and
>>> engine), patching solution and some other bits. You can send a mail
>>> if non-compliant with your policies to support staff as well.
>>> Non-domain members are still a problem though.
>>>
>>> Daniel
>>>
>>> On Fri, 23 Apr 2010 09:30:29 -0400, Carlos Perez
>>> <[email protected]> wrote:
>>>> If they are in the domain you can use WMI through PowerShell, WMIC,
>>>> WSH, etc. to automate the process and read the registry keys for
>>>> installed apps plus get a list of running processes
>>>>
>>>> Carlos
>>>>
>>>> Sent from my Mobile Phone
>>>>
>>>> On Apr 23, 2010, at 8:22 AM, Shane Kelly <[email protected]>
>>>> wrote:
>>>>
>>>>> Hey Guys,
>>>>>
>>>>> Does anyone have any experience with doing agentless scanning for
>>>>> installed software in a network?
>>>>> I'm looking for instances where workstations may exist that do not
>>>>> have Safeguard Easy or Anti-virus Installed.
>>>>>
>>>>>
>>>>> Many thanks in advance,
>>>>> Shane
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com

-- 
Benjamin C. Greenfield, CISSP

bcg [at] struxural.com

Domains and Hosting for Less from Struxural:
http://www.struxural.com
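Added example for the agentless approach discussed in this thread (WMI from PowerShell to read the Uninstall registry keys and list running processes, with a mail to support staff for non-compliant hosts). This is not code posted by any participant. It assumes it is run from a domain-joined machine as a local administrator of the targets with WMI/RPC reachable, that workstations.txt lists one hostname per line, and that the product names, process name, SMTP server and mail addresses are placeholders to replace for your environment. Hosts that cannot be reached (the non-domain members Daniel mentions, or firewalled ones) are reported as findings rather than skipped, since an unreachable host is not a verified one.

```powershell
# Added example for this thread, not code posted by any of its participants.
# Agentless software-compliance check for domain workstations:
#   1. read the Uninstall registry keys over WMI (StdRegProv) to list installed software
#   2. list running processes (Win32_Process) to confirm the AV engine is actually up
#   3. report (and optionally e-mail) hosts that fail either check, including hosts
#      that could not be reached, since "unreachable" is not "compliant".
# Assumptions: run as a local administrator of the targets with WMI/RPC reachable;
# workstations.txt lists one hostname per line; product and process names, the SMTP
# server and the mail addresses are placeholders for your environment.
# Requires Windows PowerShell 3.0 or later (Get-WmiObject, [pscustomobject]).
param(
    [string[]]$ComputerName     = (Get-Content .\workstations.txt),
    [string[]]$RequiredSoftware = @('SafeGuard Easy', 'Anti-Virus'),   # substring match on DisplayName
    [string[]]$RequiredProcess  = @('avguard.exe'),                     # hypothetical AV engine process
    [string]$NotifyTo           = $null,                                # e.g. helpdesk@example.internal
    [string]$SmtpServer         = 'smtp.example.internal'
)

$HKLM = [uint32]2147483650          # HKEY_LOCAL_MACHINE as StdRegProv expects it
$UninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 32-bit apps on x64
)

function Get-RemoteInstalledSoftware {
    param([string]$Computer)
    # StdRegProv reads the registry through WMI: no agent and no Remote Registry service needed.
    $reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
    foreach ($key in $UninstallKeys) {
        $r = $reg.EnumKey($HKLM, $key)
        if ($r.ReturnValue -ne 0 -or -not $r.sNames) { continue }   # key absent (e.g. no Wow6432Node on x86)
        foreach ($sub in $r.sNames) {
            $name = $reg.GetStringValue($HKLM, "$key\$sub", 'DisplayName').sValue
            if (-not $name) { continue }                              # hotfix/GUID entries without a name
            [pscustomobject]@{
                Computer    = $Computer
                DisplayName = $name
                Version     = $reg.GetStringValue($HKLM, "$key\$sub", 'DisplayVersion').sValue
            }
        }
    }
}

function Test-WorkstationCompliance {
    param([string]$Computer)
    try {
        $installed = @(Get-RemoteInstalledSoftware -Computer $Computer)
        $running   = @(Get-WmiObject -Class Win32_Process -ComputerName $Computer -ErrorAction Stop |
                       ForEach-Object { $_.Name })
    } catch {
        # Off the domain, firewalled or access denied: report it rather than silently skip it.
        return [pscustomobject]@{ Computer = $Computer; Reachable = $false
                                  Missing = @(); NotRunning = @(); Error = $_.Exception.Message }
    }
    $missing = @($RequiredSoftware | Where-Object {
        $req = $_                                                     # keep the outer item before nesting
        -not ($installed | Where-Object { $_.DisplayName -like "*$req*" })
    })
    $stopped = @($RequiredProcess | Where-Object { $running -notcontains $_ })
    [pscustomobject]@{ Computer = $Computer; Reachable = $true
                       Missing = $missing; NotRunning = $stopped; Error = '' }
}

$report = foreach ($c in $ComputerName) { Test-WorkstationCompliance -Computer $c }
$report = $report | Select-Object Computer, Reachable,
    @{ n = 'Missing';    e = { $_.Missing    -join '; ' } },
    @{ n = 'NotRunning'; e = { $_.NotRunning -join '; ' } }, Error

$report | Export-Csv -Path .\compliance.csv -NoTypeInformation   # keep the per-host evidence, not just a summary
$nonCompliant = @($report | Where-Object { -not $_.Reachable -or $_.Missing -or $_.NotRunning })
$nonCompliant | Format-Table -AutoSize

if ($NotifyTo -and $nonCompliant.Count -gt 0) {
    $body = ($nonCompliant | ForEach-Object {
        "$($_.Computer): reachable=$($_.Reachable) missing=[$($_.Missing)] not running=[$($_.NotRunning)] $($_.Error)"
    }) -join "`n"
    Send-MailMessage -To $NotifyTo -From 'compliance-scan@example.internal' -SmtpServer $SmtpServer `
        -Subject 'Workstations failing software compliance check' -Body $body
}
```

Run it from the verification side of the house, not the patching side, and keep the CSV: the per-host list of what was found is the evidence that the check was actually done, which is the gap Benjamin describes above. Get-WmiObject and the [wmiclass] accelerator exist only in Windows PowerShell; on PowerShell 7 use Get-CimInstance for Win32_Process and Invoke-CimMethod against StdRegProv instead. Hosts that show up as unreachable are exactly the ones to chase down by hand, as Shane says the client will do.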
