The losing value of blind assessments
Posted by Tate Hansen Sun, 07 Jan 2007 20:44:00 GMT
Like others, I'm sure, we're seeing a new phase for security services firms in the business of performing external security assessments. Rather than simply blasting through the battery of scanners, the game is changing to include tasks which traditionally fell outside the scope of a basic external assessment.
I like the changes because they follow more of a risk assessment approach. For example, as part of an "external assessment pack" we might obtain the configurations for routers, firewalls, switches, wireless access points, and concentrators; review relevant policies and architecture diagrams; and, to the best of the client's ability, incorporate their identification of the segments or servers which touch sensitive data.
In contrast to acquiring infrastructure visibility, blind external assessments are losing effectiveness, especially with the growth of the commercial exploit factories (e.g. argeniss, gleg, core security, immunity sec). A statement like "We scanned with Nmap, Nessus, Qualys, Webinspect, checked Secunia, SF, etc., and found no major findings" is losing value; the assurance it offered yesterday is more than it offers today.
My participation in a few recent incident response/forensic assignments is testament to the weakening value of blind assessments: in each case, the cause of the compromise would not have been revealed as a vulnerability by vulnerability scanners.
