[unisog] OS Vuln Scanners

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Fri May 9 19:28:01 GMT 2008


As was pointed out so well the other day, is it really so bad that these systems are knocked on their tails?  We're pretty tough about systems that are that weak; if I can kill it with a fairly benign scan just imagine what a determined hacker would do to it.

We create Nessus accounts for the owners of these systems that only let them scan their own, with the idea that they can use it to troubleshoot.  But we still run them randomly.  And we reserve the right to take them off the wire right now if they're too dirty, or if we see evidence of running a Trojan.

Dave

-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Nipper, Johnny R.
Sent: Wednesday, May 07, 2008 1:15 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] OS Vuln Scanners

Hello all,

We are a new security department in the beginning stages of discovering vulnerabilities as well as rogue servers on our network.  We are discovering as we go and learning from our mistakes.  One issue we are tackling is departmental servers outside of our central IT.  We do not have a comprehensive list of every system.  I have been using different techniques for discovering servers and working with each administrator individually to do routine scans.  Recently we began running Nessus on the entire network one subnet at a time.  During this time, systems have crashed with our "safe scan" option set.  This undoubtedly helps us discover systems as well as vulnerabilities, but in the meantime this causes issues.  We would like to notify departmental administrators prior to each scan.  Our issue is, we did not previously know about these systems.

We have already sent out a communiqué with a protocol for every administrator to run scans on their system and report them to the security department.  The ones that are having issues now are systems that were not disclosed during our initial request several months ago.  

How would everyone tackle this situation?  Would you send out a communication to the entire campus in advance for all scans?  When would you run your scans?  Do you make this part of your change control procedure?  Any help would be very appreciated.

Thanks,
Johnny


-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of BACHAND, Dave (Info. Tech. Services)
Sent: Wednesday, April 23, 2008 10:17 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] OS Vuln Scanners

Hello-

We use Nessus to scan the entire university frequently.  The freeware version is the same as the paid commercial version, except that the signatures are delayed on the free one.  All that said, it's an extremely useful tool, and is not very hard to use.

One thing I like is the "safe checks" flag.  I.e., for Internet-facing services, we probe it more harshly, whereas for more protected services we can scale back the aggressiveness.  But beware that "safe checks off" can and will wax a weakly configured system. :-)


++++++++++++++++++++++++++++++++++ 
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376 
++++++++++++++++++++++++++++++++++ 



-----Original Message-----
From: unisog-bounces at lists.dshield.org [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Kevin Lanning
Sent: Friday, April 18, 2008 11:49 AM
To: UNIversity Security Operations Group
Subject: [unisog] OS Vuln Scanners

I'd appreciate info from list members regarding best products in this category from your real life experience as a security professional in higher ed.

thanks,
--
Kevin Lanning, MSIS GSEC CISSP
Information Security
UNC-Chapel Hill
ITS Manning, # 2810
lanning at unc
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
