[geeks] Security People haven't heard of OpenBSD!

Kurt Huhn geeks at sunhelp.org
Fri Nov 2 17:42:53 CST 2001


> "Security audit" of our network.  What they handed us was a Nessus report
> printout. (www.nessus.org).  The UNIX admins groaned and said "we could
> have saved you whatever you paid them.." but they were a BIG NAME
> COMPANY..
>
> It was full of stuff like "this system is running NFS".  We were like
> "no shit."
>

When I worked at DefendNet (now Guardent) someone got the bright idea to
hire Tiger Security to do a scan of our networks - an external audit.  At
the same time I fired up my AT&T dialup account, started Nessus, and
performed a full scan (with all plugins enabled).

Their report sucked!  A happy smiley meant no problems, a frowny smiley
meant problems.  The report had not a single frowny in it - despite the fact
that my Nessus scan picked up an open SMTP relay on the Dev network, and
that TCP connections were being allowed to the DNS servers.  It seems the
only hosts scanned were the web server and the router.  When I asked why
they didn't do a dig or a host to discover names on the network, their
response was "What's dig?".  I found out that the scan cost us about $10k
for a three month continuous evaluation...

Kurt
