John Hinton wrote:
On 6/30/2010 8:54 PM, John Jasen wrote:
Well, I'm a security admin, so of course protection is more important than utility! :)
But seriously, the assessment tools provide information on your environment, based on certain standard metrics. It's (HOPEFULLY! PCI compliance notwithstanding ....) up to the people who end up reading them to fix the environment, determine that it's not a problem, or accept the risk that was discovered.
Sorry to drag this back out to the front... I've been beyond busy and just now catching up.
One of the things that is blaring to me in these 'security' scans is that there is no check of passwords. We can jump through every hoop in the world to provide a 'secure' environment, yet without 'verifying' with the client a quality password and password policy, this is simply a moot point. Yes, one would hope... but if they don't check this how do they know? I have had requests for password changes to the most ignorant and guessable things. We don't allow any of our users to set their passwords, but I do wonder about these supposedly 'secure' sites.
Well, security assessment tools should just be a part of your holistic security posture. Hopefully, if passwords are a concern, you've set requirements for complex passwords in your authentication system, and are routinely running password scans against them.
FWIW, Nessus does have a check for stupid default passwords for default accounts.
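The two controls the reply names, a complexity requirement in the authentication system and a routine check for default or guessable credentials, can be expressed as a small audit script. The following is an added example written for this thread, not code from any of the posters or from Nessus: the policy thresholds (12 characters, three of four character classes) and the short default-password blocklist are assumptions, and the account list is constructed sample data. A real run would load the blocklist from a vendor default-credential list and pull accounts from the directory.

```python
import re

# Constructed sample blocklist (assumption: a real audit loads a much larger
# list of vendor defaults and commonly chosen passwords).
DEFAULT_PASSWORDS = {
    "password", "admin", "123456", "letmein", "changeme", "welcome", "qwerty",
}

# Policy thresholds are assumptions for this example, not values from the thread.
MIN_LENGTH = 12
MIN_CLASSES = 3


def password_findings(password, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    findings = []

    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # Complexity: count which of the four character classes are present.
    classes = {
        "lowercase": re.search(r"[a-z]", password),
        "uppercase": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if 4 - len(missing) < MIN_CLASSES:
        findings.append(
            f"fewer than {MIN_CLASSES} character classes (missing: "
            + ", ".join(missing) + ")"
        )

    lowered = password.lower()
    if lowered in DEFAULT_PASSWORDS:
        findings.append("matches a known default/common password")

    # Catch the classic "Password1!" pattern: strip trailing digits/symbols and
    # check whether the remaining base word is itself on the blocklist.
    base = re.sub(r"[^a-z]+$", "", lowered)
    if base and base != lowered and base in DEFAULT_PASSWORDS:
        findings.append("is a known default password with trailing digits/symbols")

    if username and len(username) >= 3 and username.lower() in lowered:
        findings.append("contains the username")

    if re.search(r"(.)\1{3,}", password):
        findings.append("contains a run of four or more repeated characters")

    return findings


def audit_accounts(accounts):
    """Audit (username, password) pairs; return {username: findings} for failures only."""
    report = {}
    for username, password in accounts:
        findings = password_findings(password, username)
        if findings:
            report[username] = findings
    return report


# Constructed sample accounts for the demonstration run.
SAMPLE_ACCOUNTS = [
    ("admin", "admin"),
    ("jdoe", "Password1!"),
    ("svc_backup", "Correct-Horse-Battery-9"),
    ("bob", "bobbobbob2024!!"),
]

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(problems))
```

The audit reports only failing accounts, so a clean run prints nothing; in the sample data `svc_backup` passes while the other three are flagged for one or more policy violations. The base-word check is the part most simple complexity rules miss: "Password1!" satisfies every character-class requirement and still fails here.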