RE: CONTENT DECISION: Presence of Services or Applications (SA)
-----BEGIN PGP SIGNED MESSAGE-----
In this case what I would do (hypothetically, and if you are running
the tool yourself you would be making the decisions based on your
requirements) is notify you that finger is running on one or more of
your hosts and advise you of the risks associated with finger. At that
point you, as the owner of the network, need to make a decision based
on that information. If you determine that finger is essential to
your operations, and the threat of someone exploiting finger is low
enough for you to live with, then you make the call to apply the
suggested safeguards, i.e., turn off the service, etc., or not. At that
point you are managing the risk to your network.
I have a feeling we could discuss this to infinity if we wanted to.
I agree with you that scans/audits should check for running services.
You need to be able to determine if the service is running by default
as a part of the install or as part of your network policy. If it is
your policy that finger be allowed, then well and good. If your
policy states that finger should not be running on the network, and
the tool discovers that certain hosts have it running, then you have a
problem that needs to be addressed.
These are my opinions; I am sure that others will be able to add to,
disagree, agree, whatever.
-----Original Message-----
From: Dave Mann [mailto:email@example.com]
Sent: Thursday, August 05, 1999 3:39 PM
To: Prosser, Mike
Subject: Re: CONTENT DECISION: Presence of Services or Applications
"Prosser, Mike" wrote:
> I am not saying don't check for a service running; we do. I believe
> Aleph One says it best when he said it is a risk vice an actual
> vulnerability. A client may not even realize they are running a
> particular "risky" service, or they may be fully aware of it and
> [need] it for their business. All a scanner does by checking for the
> [service] is alert the user to the fact the service is running. Speaking for
> myself, not for other vendors, having a "risky" service running or
> not is a decision that the client has to make based on their needs.
> We try to provide them with all the options to make that decision.
> All part of risk management.
Let's say that I am one of your customers. Let's say my
policy states that finger should not be running on any
of my boundary machines. Let's say your scanner determines
that finger is, in fact, running on one of my boundary machines.
Question: Has your scanner just identified a vulnerability
on my system?
Note, if you say no, it is not a vulnerability on the grounds
that finger is not flawed on its own, then you admit that
vulnerabilities can be understood independent of policy.
That is, you do not need to consider what my policy is to
make the determination of whether finger is a vulnerability
or not. On the other hand, if you say yes according to *my*
restrictive policy it is a vulnerability, then you make the case
for the more inclusive notion of vulnerability -- since the
more inclusive notion of vulnerability will allow us to
describe things that are vulnerabilities on some systems
but not others depending on the respective policies.
David Mann || phone: (781) 271 - 2252
INFOSEC Engineer/Scientist, Sr ||
Enterprise Security Solutions || fax: (781) 271 - 3957
The MITRE Corporation ||
Bedford, Mass 01730 || e-mail: firstname.lastname@example.org
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
-----END PGP SIGNATURE-----
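The check Mike Prosser describes in his reply (report that a service such as finger is running and what risk it carries, then let the network's own policy decide whether that is a finding that must be fixed) written out as an added example. This is not code from the thread, from MITRE or from any vendor's scanner. The hosts, zones, scan results, advisories and policy are constructed for illustration; the "boundary" zone mirrors Dave Mann's scenario, where the same finger observation is a policy violation on a boundary host and merely informational on an internal one.

```python
"""Classify scanner observations against a site's network policy.

Added example, not part of the original mailing-list thread.  All data
below (hosts, zones, ports, advisories, policy) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed scan output: (host, zone, service name, tcp port).
SCAN_RESULTS: List[Tuple[str, str, str, int]] = [
    ("gw1.example.test", "boundary", "finger", 79),
    ("gw1.example.test", "boundary", "ssh", 22),
    ("dev3.example.test", "internal", "finger", 79),
    ("dev3.example.test", "internal", "telnet", 23),
]

# Risk the scanner reports for a service regardless of policy
# (the "advise you of the risks" step in the reply above).
RISK_ADVISORIES: Dict[str, str] = {
    "finger": "discloses user names and login activity to remote hosts",
    "telnet": "carries credentials over the network in the clear",
}

# Constructed site policy: per zone, services that must not be running.
# Zones not listed have no policy statement, so nothing is forbidden.
POLICY: Dict[str, Set[str]] = {
    "boundary": {"finger", "telnet"},
    "internal": {"telnet"},
}


@dataclass(frozen=True)
class Finding:
    host: str
    zone: str
    service: str
    port: int
    severity: str   # "violation" (policy says no) or "informational"
    message: str


def classify(host: str, zone: str, service: str, port: int,
             policy: Dict[str, Set[str]],
             advisories: Dict[str, str]) -> Finding:
    """Decide how one observed service should be reported.

    The inherent risk of the service is reported the same way on every
    host; only the severity depends on what the owner's policy says for
    the zone the host sits in.
    """
    forbidden: Set[str] = policy.get(zone, set())
    advisory: Optional[str] = advisories.get(service)
    risk_text = f" ({advisory})" if advisory else ""
    if service in forbidden:
        return Finding(host, zone, service, port, "violation",
                       f"{service}/{port} running on {zone} host; "
                       f"forbidden by policy{risk_text}")
    if advisory:
        return Finding(host, zone, service, port, "informational",
                       f"{service}/{port} running; permitted by policy "
                       f"for zone {zone}{risk_text}")
    return Finding(host, zone, service, port, "informational",
                   f"{service}/{port} running; no policy statement "
                   f"and no known advisory")


def evaluate_scan(scan_results: List[Tuple[str, str, str, int]],
                  policy: Dict[str, Set[str]],
                  advisories: Dict[str, str]) -> List[Finding]:
    """Classify every observation in a scan against the policy."""
    return [classify(h, z, s, p, policy, advisories)
            for h, z, s, p in scan_results]


def violations(findings: List[Finding]) -> List[Finding]:
    """The subset the owner has to act on under their own policy."""
    return [f for f in findings if f.severity == "violation"]


if __name__ == "__main__":
    for f in evaluate_scan(SCAN_RESULTS, POLICY, RISK_ADVISORIES):
        print(f"[{f.severity:13}] {f.host}: {f.message}")
```

Run stand-alone it prints four findings: finger on the boundary gateway and telnet on the internal host come out as violations, while finger on the internal host is reported with the same advisory text but only as informational, and ssh is informational with no advisory. Changing `POLICY` alone, without touching the scanner's knowledge of finger, changes which findings are violations, which is the policy-dependence Dave Mann's question turns on.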