[rescue] Do you remember when? Security software.....

[Walter Belgers]

Michael A. Turner wrote:
> 	We once on this list had a rousing discussion about outside security
> consultants and how much they suck. In the process of the discussion several

Hm thanks :-/

> people made the statement that the fraudsters come in and "Just run program
> X and print the output!". I remember nessus was one of those programs and

Ah! That's not what we do (pfew). We do make use of those programs, but
they tend to have false postives and they also miss a lot of interesting
stuff. Also, there's no tools to check design, policies, custom
applications, firewall rules, ... That's all handwork.

Some programs are nessus and saint for general vulnerability scanning.
Ethereal is a good network sniffer. For web vulnerability scans you can
use whisker, nikto and arirang. For port scanning nmap is the tool of
choice. Nice OS scanning also by www.netcraft.com or xprobe.

Handy tools to have are also ngrep, netcat dsniff, mtr, amap,
icmpquery, etc.

> mentioned for doing security auditing. The subject has come up at work again
> and they are looking to hire a company monthly to do the auditing. I want to
> be able to cut them off at the pass by either A. Doing the job better than
> them saving us money, or B. Debunking them by calling shenanigans by

You cannot do a good security audit on your own network..

> recognizing the software that they are running. So can anyone though out any
> good software packages in this area? Also some good intrusion detection
> software wouldn't hurt also. 

If they run the tools above, they are not necessarily frauds. If the
report they write is basically a nessus output then yes, they're frauds.
If you want to prevent frauds coming in, why not ask the company for a
sample report and see what their modus operandi is?

Cheers,
Walter.
-- 
Walter Belgers         "Si hoc signum legere potes, operis boni in rebus
walter at belgers.com       Latinis alacribus et fructuosis potiri potes!"