Yannick, I suppose the thing to bear in mind is that the company directors and board are liable if there is a breach, so ultimately the responsibility is with them to approve the policy.
Part of all 'life-cycles' is the operations & maintenance bit at the end. By limiting themselves to just testing with nessus they are effectively 'clipping' the testing parameters, making assumptions and closing out other possible threats, including some of which are, of course, non-technical. It's too true that people go to the trouble of installing expensive security hardware/software/training/consultancy, then cut corners by not looking after it exposing themselves to attack by closing their eyes. The maintenance bit is part of the cost of the solution and should be built into the plan from the outset. If I was the security manager I would be doing everything in my power to ensure that I was aware of all vulnerabilities of my equipment, and would build these tests/checks into the security administrators monthly maintenance plan. It is just part of their role and resource needs to be allocated as such. He/she sould make management aware of resource shortfall (and may get a bashing for not predicting it at implementation). How long does it take to subscribe to the manufacturers mailing list, search bugtraq/Certs/CVE against the name of the protecting device/software and run any tests once a month? 2-3 hours, perhaps? They will already be updating the nessus database and keeping an an eye on the OS/firewall patch levels. Present the options to senior management, explain the cost and risks of *not* implementing/checking and let them decide. If I were on the board, for the sake of peace of mind, I would make sure there was resource available to gather as much information about the solutions as possible. In fact, it's probably part of the security manager�s job description already. Nessus is a very valuable tool, but only part of the protection arsenal. It's difficult to comment on 'companies like them', as normally the protection implemented depends on the value of the data, and the cost of protecting it. Who cares what other companies are doing anyway, it's not their data you are protecting. Checking all possible sources of information and using many available penetration tools is, however, relatively cheap. Depending on the value of the data, I would suggest that yearly penetration test by an independent company would be of benefit and not necessarily as cost-prohibitive as one may think. What about "We undertake to test the firewall configuration using all reasonable means currently available to the company. From a technical perspective, this will include ensuring that all patch levels and security parameters are set to the manufacturer recommended levels, monthly testing with de-facto vulnerability scanners (such as nessus/xxx/xxx), extensive search of vulnerability lists (such as CET/Bugtraq/xxx). From a non-technical perspective we will employ strict change control, regular policy & procedure re-evaluation and other administrative methods to ensure our firewall policy is acceptable to the company. By taking all reasonable steps freely available to us, we can place a high level of confidence in the security mechanisms in place at the time of examination" Regards James --- yannick'san <[EMAIL PROTECTED]> wrote: > Hello folks, > > Well, a couple of days ago, I had a strong discussion > with friends about how > to regularly evaluate the security level of a firewall. > > First of all, everybody agreed that we can't > install/configure a firewall > and then sleep and consider that everything behind it is > in a secure area . > In any security approach we have to think about the "life > cycle" of the > firewall. thus, security managers has to plan for a > recursive process for > regularly looking for its state and the vulnerabilities > which could have > came out on it. > In fact, our discussion became very strong when we > started to talk about the > methods we were using for. They told me that they were > only evaluating the > security level by regularly launching tools (like nessus) > against their > firewall. So, somewhere in a procedure it was clearly > written a sentance > like this one : > > "We considere (today) that the firewall and its > configuration is secure > according to the results given by nessus."... and that's > all. > > It seems that I was the only one to considere that we > could not only > evaluate a security level regarding to the results given > by this tool but we > also had to look for vulnerabilities in CERTS or CVE. In > case of a > 0-vulnerability result, the tools will let us think that > the security level > is good while in fact it is completly wrong. I considered > that it was a > wrong way of thinking and told them that my sentance will > have been : > > "We considere (today) that the firewall and its > configuration is secure > according to the results given both by a search on CVE or > CERTS databases > and the actual configuration and last update. Nessus (or > other tools) are > used to improve our view but are not considered as > sufficient." > > I've been told that looking for CVE or CERTS > vulnerabilities takes too long > time for a lonely security manager who both has to deal > with a lot of > equipments and other security stuffs. They said nessus > give them a good > security view and without any security organisation to > help them, the task > is too hard. > > I answered that if a security manager can't take the time > to check for > vulnerabilities in specific databases, he must write > somewhere the reasons > and the security consequences of his choice. Reason and > security > consequences of just using tools like nessus. Our > discussion about this > subject has covered subjects like process, procedures, > methods, risk > analysis (especialy identification of the threats), > security management,..., > but finaly I was told that most of companies do like them > and my approach > was not used. > > I would to know your point of view, your experiences, for > exemple : do you > only use nessus (or anything else) and considere the > results as valuable ?? > Any comments (flame or not) is welcome :) > > Thanks in advance. > > -Yannick > > > --------------------------------------------------------------------------- > Thinking About Security Training? You Can't Afford Not > To! > > Vigilar's industry leading curriculum includes: Security > +, Check Point, > Hacking & Assessment, Cisco Security, Wireless Security & > more! Register Now! > --UP TO 30% off classes in select cities-- > http://www.securityfocus.com/Vigilar-security-basics > ---------------------------------------------------------------------------- > __________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com --------------------------------------------------------------------------- ----------------------------------------------------------------------------
