On 7/6/2010 4:49 PM, John Jasen wrote:
> John Hinton wrote:
>
>> On 6/30/2010 8:54 PM, John Jasen wrote:
>>
>>> Well, I'm a security admin, so of course protection is more important
>>> than utility! :)
>>>
>>> But seriously, the assessment tools provide information on your
>>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>>> compliance notwithstanding ....) up to the people who end up reading
>>> them to fix the environment, determine that it's not a problem, or accept
>>> the risk that was discovered.
>>>
>> Sorry to drag this back out to the front... I've been beyond busy and
>> just now catching up.
>>
>> One of the things that is blaring to me in these 'security' scans is
>> that there is no check of passwords. We can jump through every hoop in
>> the world to provide a 'secure' environment, yet without 'verifying'
>> with the client a quality password and password policy, this is simply a
>> moot point. Yes, one would hope... but if they don't check this, how do
>> they know? I have had requests for password changes to the most ignorant
>> and guessable things. We don't allow any of our users to set their
>> passwords, but I do wonder about these supposedly 'secure' sites.
>>
> Well, security assessment tools should just be a part of your holistic
> security posture. Hopefully, if passwords are a concern, you've set
> requirements for complex passwords in your authentication system, and are
> routinely running password scans against them.
>
> FWIW, nessus does have a check for stupid default passwords for default
> accounts.
>

My point is that these 'security metrics' businesses that are paid, generally
by credit card companies, to do these software scans don't ever do these most
basic checks. Not that my quoted text is the name of one of these companies or
anything. ;) I really feel the scans are just scams. Pun intended.

John Hinton
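The reply above mentions two controls a scan from outside cannot see: a complexity policy enforced at password-change time, and routine offline password audits against the stored hashes (what Nessus's default-account check does only for a short list of known defaults). The following is an added example written for this page, not code from the thread or from Nessus, showing both in one script. The wordlist, the mangling rules, the PBKDF2 hashing scheme with a deliberately low iteration count, and the three sample account records are all constructed here for illustration; a real deployment would use a large dictionary, a proper rule set, and whatever hash format the authentication system actually stores.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed wordlist: stands in for a real dictionary plus a vendor
# default-credential list.
COMMON_PASSWORDS = [
    "admin", "password", "welcome", "letmein", "changeme", "qwerty", "123456",
]


def mangle(word: str) -> List[str]:
    """Tiny set of mangling rules; real audit tools apply thousands of these."""
    cap = word.capitalize()
    return [word, cap, word + "1", word + "!", cap + "1", cap + "!"]


# Every mangled form of every common word, lower-cased, for the policy check.
WEAK = {c.lower() for w in COMMON_PASSWORDS for c in mangle(w)}


def check_policy(password: str, username: str, min_len: int = 12) -> List[str]:
    """Enforce the policy at password-change time.

    Returns a list of violation messages; an empty list means the password passes.
    """
    violations = []
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    classes = sum(
        bool(re.search(p, password))
        for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        violations.append("fewer than 3 character classes")
    lowered = password.lower()
    if lowered in WEAK:
        violations.append("on the common/default password list")
    if username and username.lower() in lowered:
        violations.append("contains the username")
    return violations


def hash_password(password: str, salt: bytes, iterations: int = 1000) -> bytes:
    """Assumed storage format: salted PBKDF2-HMAC-SHA256.

    1000 iterations keeps the example fast; production systems use far more,
    or a memory-hard function such as scrypt/Argon2.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Constructed account records: username -> (salt, stored digest).
SAMPLE_RECORDS: Dict[str, Tuple[bytes, bytes]] = {
    "admin": (b"salt-admin", hash_password("admin", b"salt-admin")),
    "jdoe": (b"salt-jdoe", hash_password("Password1", b"salt-jdoe")),
    "alice": (b"salt-alice", hash_password("Tr0ub4dor&3xyz!", b"salt-alice")),
}


def audit_hashes(records: Dict[str, Tuple[bytes, bytes]],
                 wordlist: List[str]) -> Dict[str, str]:
    """Routine offline audit: try every mangled wordlist entry against each hash.

    Returns {username: recovered_password} for every account that fell.
    """
    cracked = {}
    candidates = [c for w in wordlist for c in mangle(w)]
    for user, (salt, digest) in records.items():
        for cand in candidates:
            if hmac.compare_digest(hash_password(cand, salt), digest):
                cracked[user] = cand
                break
    return cracked


if __name__ == "__main__":
    for pw, user in (("admin", "admin"), ("Password1", "jdoe"),
                     ("Tr0ub4dor&3xyz!", "alice")):
        print(f"{user}: {check_policy(pw, user) or 'passes policy'}")
    print("cracked:", audit_hashes(SAMPLE_RECORDS, COMMON_PASSWORDS))
```

Run as-is, the policy check rejects the first two sample passwords and the audit recovers them from their hashes, while alice's password survives both; that is the gap the thread complains about: an external scan sees none of this, so the only way to know is to run it yourself.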