APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Vulnerability Scanning

© August 2007 Michael Desrosiers


This month's topic is about how to approach security vulnerability scanners and how they fit into a full ISO 17799 based security assessment.

I am often on my security soapbox talking about how good security testing tools are an absolute necessity for information security success. This is especially true for operating system, web application and database vulnerability scanners. Security testing tools are quick and efficient and they can root out security weaknesses in your Operating Systems (OS) and applications that can take even the most seasoned security expert days or weeks to find. But you've got to take what they find and what they rank as vulnerabilities with a grain of salt. What vulnerability scanners find isn't always reality, they have to be interpreted and analyzed correctly.

Vulnerability scanners return information that the vendors think are important. The problem is that many of the vulnerabilities found and ranked as high, medium or low priority may not really apply to your environment. A glitzy report containing security weaknesses looks good, but it is likely not in your organization's best interest. I will sometimes come across issues that are flagged as "Level 5" or "Critical Priority", that really have no immediate impact in the environment that I am performing the test.

They have included the following issues:

Separating fact from fiction is all about context and what was being tested at the time, where it was being tested from, how it was being tested, who you were logged in as, why the vulnerability is exploitable, and whether or not there is a viable fix. This is where you can educate others on the fact that you can't lock everything down completely. There will always be a certain level of security risk that must be accepted by the owner.

With this in mind, here are some tips to incorporate in your daily routine:

  1. If your scanning tool flags something as a serious issue but it is not exploitable by a security framework suite like Metasploit or Core Impact, then it's probably not as urgent or as critical as first perceived;

  2. Know your network infrastructure and application environment. Work on knowing how everything on your network (routers, firewalls, workstations, servers, applications and databases) works together. This means creating and maintaining that ever elusive network diagram and change control plan;

  3. Use a good set of vulnerability scanning tools (i.e., one for operating systems, one for Web applications and one for databases);

  4. Focus on the urgent and important vulnerabilities that the scanners discover. Fix the vulnerabilities on your most critical systems that can be exploited with serious consequences right now;

  5. Always work toward enhancing your technical skills. Read articles and books, listen to webinars and attend seminars and conferences. This knowledge will help you understand the risk that these vulnerabilities can have on your infrastructure;

There you have it. No matter how sophisticated your security scanning tools are and no matter what the vendors say, you're still going to need to get involved and use your knowledge of your network and information security in general to determine which issues need to be addressed and which ones don't apply. You need good tools but in the end there's no better tool than the human element and good old-fashioned security experience.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.


Michael Desrosiers
Founder & Principal Consultant
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business

Got something to add? Send me email.

(OLDER)    <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> Vulnerability Scanning

1 comment

Inexpensive and informative Apple related e-books:

Take Control of Apple Mail, Third Edition

Take Control of Pages

Take Control of Preview

Digital Sharing Crash Course

Take Control of High Sierra

More Articles by © Michael Desrosiers

Fri Aug 24 02:37:40 2007: 3083   TonyLawrence

This reminded me of something I wrote some time ago: (link)

That was about security consultants misidentifying threats,, a similar problem..


Printer Friendly Version

Have you tried Searching this site?

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us

Printer Friendly Version

Good questions outrank easy answers. (Paul Samuelson)

Linux posts

Troubleshooting posts

This post tagged:



Unix/Linux Consultants

Skills Tests

Unix/Linux Book Reviews

My Unix/Linux Troubleshooting Book

This site runs on Linode