There are dozens of security vulnerability scanning tools. Increasingly, security analysts take great pains to emphasize their hacking skills. Companies pay out great money to find out whether they are 'vulnerable'. And in the middle of this, Traenk wonders what the point of the exercise is.
I remember a fellow consultant telling me that his old company discouraged organizations from commissioning an intrusion study. That seemed wrong to me then. Now, I'm not sure.
I leaf through dozens of security newsletters each week. Intrusion studies seem to be good money. Security analysts increasingly proclaim their 'hacking skills'. Some even list themselves as gray hat intrusion specialists, as if security work is a courageous trip through Mordor with your customer Hobbits following along.
Let me save you some money. I don't know you, haven't seen you, and know nothing about your organization. If you have more than 5 PCs and 3 servers, I'm going to predict that you are vulnerable. If you are using technology glowingly called 'confirmed' rather than 'obsolete', you've got issues. If your ratio of support staff to customers is lagging, you need help.
An intrusion study may or may not confirm this. Let's put GrayHat on your network today and have him work for 3 months. You may pass scrutiny. After all, the next worm that will gut your network comes out 3 months and 1 week later. That's the way it is; risk is in a constant state of flux. One intrusion study, 'passed' or 'failed', proves nothing.
But let's posit the best results from the study. You are vulnerable. Now what? So now you contract for GrayHat to tell you the patches to apply and the technologies to update. And after he leaves, you're back to Vulnerability City within 3 weeks. Risk Flux claims another victim.
Cut to the chase. Skip the intrusion study and focus on reasonably secure baseline configurations for your technologies. Apply the intrusion money towards a patching architecture. Upgrade the licenses for your production software.
I mentioned to one person that some package needs patching or it opens root access. "Prove it!", I was told. Sure, and let me prove the effectiveness of air bags by careening into a telephone pole. Instead, I pointed the guy to some great security articles.
I don't think I've ever run Metasploit. Nessus? Nah. But if you want to know about reasonably secure baseline configurations for Samba or for Windows Server 2003, let's talk.
With less money in the Security coffers for '09, I believe shrewd organizations will want more than security shows. They will want solid analysis and knowledge of sound system security management processes.