I was at a meeting last week for a potentially large customer engagement covering vulnerability assessment and compliance testing. The requirements for this customer were not unusual. They wanted to test for conventional CVE-type vulnerabilities, and they also wanted to test for configuration compliance: hotfixes, patch level, AV, etc. This is the direction a lot of the traditional vulnerability management solutions have been heading. Whether by adding a separate compliance module or by adding audit and local-check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area. However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this approach is that it is only as good as the devices that happen to be on the network when the scan takes place.
In traditional vulnerability scanning, when the scan takes place was not as much of an issue, because usually you are scanning servers and other devices that are on the network 24/7. In fact, doing the scans during off hours was usually preferred: many network-based vulnerability scanners consumed too much bandwidth and other resources to run during the prime-time hours of the day. In compliance scanning, though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7. Therefore it is important to reach and test these devices while they are on the network. That is the rub. How do you really make sure the devices connecting to your network are compliant if you are only testing them at a single point in time, and usually at an off hour?
This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am. That is an important question for who is president, but for compliance, answering the phone when someone is actually there to talk to is more important. I think this is where NAC provides an advantage. By using NAC to detect devices coming onto the network and then running a low-impact compliance test alongside traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time each device accessed the network. You can still run follow-on tests whenever you like, but at least when a device logs on you are sure it has been tested.
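To make the scan-on-connect idea concrete, here is an added illustration (my own example, not code from Safe Access or VAM) that models both trigger styles against a constructed inventory: a scheduled off-hours scan only records the hosts online at that moment, while a NAC connect hook tests each device as it is admitted. The policy values, hostnames and the `Posture` collector are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed compliance policy for the illustration (hypothetical values).
POLICY = {"min_patch_level": 3, "av_required": True, "required_hotfixes": {"KB-0001", "KB-0002"}}

@dataclass
class Posture:
    host: str
    patch_level: int
    av_running: bool
    hotfixes: set

def evaluate(posture, policy=POLICY):
    """Return the list of compliance findings; an empty list means compliant."""
    findings = []
    if posture.patch_level < policy["min_patch_level"]:
        findings.append(f"patch level {posture.patch_level} below {policy['min_patch_level']}")
    if policy["av_required"] and not posture.av_running:
        findings.append("antivirus not running")
    missing = policy["required_hotfixes"] - posture.hotfixes
    if missing:
        findings.append("missing hotfixes: " + ", ".join(sorted(missing)))
    return findings

class PostureTracker:
    """Keeps the last compliance result per host, whichever way the test was triggered."""
    def __init__(self, collector, max_age=timedelta(hours=24)):
        self.collector = collector  # callable host -> Posture (the low-impact local check)
        self.max_age = max_age
        self.records = {}           # host -> (tested_at, findings)

    def test(self, host, now):
        findings = evaluate(self.collector(host))
        self.records[host] = (now, findings)
        return findings

    def on_connect(self, host, now):
        # NAC hook: every admission triggers a test, so no record is older than the last connect.
        return self.test(host, now)

    def scheduled_scan(self, online_hosts, now):
        # Traditional off-hours scan: only hosts on the network at that moment get covered.
        return {h: self.test(h, now) for h in online_hosts}

    def untested_or_stale(self, all_hosts, now):
        """Hosts with no record at all, or whose last test is older than max_age."""
        return sorted(h for h in all_hosts
                      if h not in self.records or now - self.records[h][0] > self.max_age)

# Constructed inventory: an always-on server and a laptop that is off the network overnight.
INVENTORY = {"srv-01": Posture("srv-01", 3, True, {"KB-0001", "KB-0002"}),
             "lap-07": Posture("lap-07", 2, False, {"KB-0001"})}

def demo():
    tracker = PostureTracker(INVENTORY.__getitem__)
    night = datetime(2008, 3, 10, 2, 0)
    tracker.scheduled_scan(["srv-01"], night)            # laptop is offline at 02:00, so it is missed
    missed = tracker.untested_or_stale(INVENTORY, night)
    morning = night + timedelta(hours=7)
    findings = tracker.on_connect("lap-07", morning)      # NAC sees the laptop come on at 09:00
    return missed, findings, tracker.untested_or_stale(INVENTORY, morning)
```

`demo()` returns the host the night scan never saw, the findings produced when that host connects, and the (now empty) stale list afterwards.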
Will NAC supplement vulnerability testing in this manner? I think so. Many customers we have spoken to about this like the idea of "scan on connect," and we have already enabled our own NAC product, Safe Access, and our vulnerability management platform, VAM, to do this. What do you think?