I have several comments in this area, as it's pretty much
the focus of Tenable's large enterprise customers.

First, if anyone wants to get a copy of Tenable's paper on
using our products, including Nessus, for PCI compliance,
please ping our sales group at [EMAIL PROTECTED]

Second, there are 100s of companies that claim to help
people with either measuring compliance or demonstrating
compliance. Tenable's value proposition in this area is
to help provide and demonstrate:

- asset discovery
- vulnerability management
- log/event management
- compliance reporting

I agree that some people feel that a vulnerability scan
is the end all for compliance auditing, but I really feel
it's just the beginning. You can have the most secured,
patched up W2K server that does not have the correct policy
settings and isn't even authorized to be in the DMZ. You
can also have a W2K server with 100s of vulnerabilities and
still be "compliant" if you have the proper controls in
place to compensate for the security issues.

For folks who've seen me speak at various conferences, they
also know I tend to harp on things like ITIL management. If
you are lucky enough to work in a culture of change management
and tight configuration control, maintaining "compliant"
operations and managing a reasonable amount of risk is much
easier. We also have a paper in that area located at:

http://www.tenablesecurity.com/whitepapers/compliance.shtml

Ron Gula, CTO
Tenable Network Security


At 10:56 PM 3/15/2006, Danny Mallory wrote:
I have found it very difficult to understand how some scanning vendors might claim to provide these types of compliances. While scanning and remediation are VERY important in achieving the pieces of compliance that pertain to vulnerability management, it is impossible to rely on a scanning tool completely and feel that one is in compliance. In my opinion I think there are a lot of scanning vendors out there that may bring that false sense of compliance to people.

A few examples of things that would be part of compliance but may not necessarily be the responsibility of a vulnerability assessment tool:

- Log retention (how long are you keeping your log files, prove that you have 6 mos worth somewhere)
- Minimal log file sizes (different audits may have different requirements)
- Password complexity settings (different compliance organizations may have different requirements for those settings)
- Password temporary or permanent lockout conditions (different compliance organizations may have different requirements here as well, 15min, 30min)

I am really not sure how much a person should rely on a vulnerability assessment tool for such things, although Nessus is quite capable of adding "best practices". These lists usually go on and on, and to date the best tool I have seen to validate would be the CIS benchmark tests (http://www.cisecurity.org). In the opposite argument, I wouldn't expect their tools to provide vulnerability management.

Danny


_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus