Manual vs. Automated Scan Tests

What does it mean to say "check my firewall with an automated pentest scan"?

It means testing the firewall with programs such as Nessus or Nikto: the scanner probes the IP address for the vulnerabilities that Nessus or Nikto already knows about.

Nessus:

[Nessus screenshot: Filter Remote]

The screenshot above is a Nessus image from the website of Tenable, the company that develops and maintains Nessus.

Nessus was started in 1998 as a way to provide a vulnerability scanner to the community, and at first it was "free". Here is a good discussion of the history of Nessus: https://www.tenable.com/blog/nessus-mythbusters-edition

At one time many open source projects were very similar and used similar connectivity and programs. But as Nessus' current owner (Tenable) states in that post, to differentiate itself from the past and to show its ability to sell a licensable product, it had to make a break with nmap (network map) and with Nikto as well.

The free (open source) versions of Nessus are Nikto and nmap.

[Nikto logo] Nikto

[Nmap logo] Nmap

Notice the nonstandard icon images that are typical of open source efforts.

So if you are interested in scanning your machines on the Internet, there are a variety of options, but in reality it comes down to a choice between manual and automated. By automated I mean you enter the IP address, hit enter, and wait for the results.

For manual, the commands have to be fashioned one by one, and each response that comes back changes your test parameters; you try various methods until your goal is reached. Mapping the Internet-facing machine has to be done with a goal in mind, either finding the machine's vulnerabilities or some other purpose (like finding a way into the network for a pentest).
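As an added example (not code from the original post, and not nmap or Nessus), here is the "enter the IP address and wait for the results" workflow described above reduced to a few lines of Python. The target is constructed: the script starts its own listener on 127.0.0.1 so it runs offline against a port you control. The point worth noticing when you check your own firewall is that a plain TCP connect gives three different answers, not two: "open" (something is listening), "closed" (the host answered with a reset, so the port is reachable but nothing listens) and "filtered" (no answer at all within the timeout, which is what a firewall that silently drops packets looks like). The manual approach is the analyst reading that output and deciding what to probe next.

```python
import socket
from contextlib import closing

# Added example, not from the original post. Host and ports are constructed:
# a loopback listener stands in for "your machine on the Internet".


def tcp_port_state(host, port, timeout=0.5):
    """Classify one TCP port the way a connect check does.

    'open'     - the TCP handshake completed (something is listening)
    'closed'   - the host answered with a reset (reachable, nothing listening)
    'filtered' - no answer within the timeout (typical of a firewall that drops)
    'error'    - the probe itself failed (no route, permissions, ...)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"
        except OSError:
            return "error"


def automated_scan(host, ports, timeout=0.5):
    """The automated workflow: probe every port in the list and report."""
    return {port: tcp_port_state(host, port, timeout) for port in ports}


def summarize(results):
    """Group per-port results so the firewall's behaviour is easy to read."""
    summary = {"open": [], "closed": [], "filtered": [], "error": []}
    for port, state in sorted(results.items()):
        summary[state].append(port)
    return summary


def demo():
    """Run the scan against a constructed loopback setup.

    One socket listens (expected: 'open'); a second port is bound briefly
    and released so nothing listens there (expected: 'closed', the kernel
    answers the connect with a reset).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]  # released when this block exits

    try:
        results = automated_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()

    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "results": results,
        "summary": summarize(results),
    }


if __name__ == "__main__":
    out = demo()
    for port, state in sorted(out["results"].items()):
        print(f"127.0.0.1:{port} -> {state}")
```

To read your own firewall's behaviour with this, point `automated_scan` at a host you administer with the ports you expect to be reachable: ports you intended to block should come back "filtered" (dropped) or "closed" (rejected), and anything unexpected in the "open" list is the finding.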


When I started this specific effort (Oversitesentry.com), I wanted to help companies, and others in general, by providing information and services aimed primarily at securing computers on the Internet.

I started it in 2013 after an 18-year IT career in many different areas. But the thing I did not understand at the time is that most people do not know how to secure their devices, and they do not want to spend resources doing so.

We expect our computers to be secure; we do not want to spend additional funds securing something that should already be secure. It is a mystery to most people why there are so many security problems.


There is an additional psychological issue with the security industry: it relies on fear to spur action.

The thing is, people in general do not understand their own fears, emotions, or gambling instincts. Given a choice between a low-risk and a high-risk option for a gain, 70% of people will choose the low risk.

BUT when given a choice between a low-risk and a high-risk option for a loss, most people choose the high risk. Most people don't want to pay out a little money and still carry some risk; we all want to come out with no costs (beyond our standard operating costs).

We do not want to make changes and pay more for security. Only after many breaches and problems are companies now spending more on security.

If you dissect the decisions of Sony, they had multiple breaches years ago, but did not spend more money on security, or did not spend it effectively.


We know security is not just technology; it is also process and people.

[Image: PCI compliance vs. security]

Compliance with a given standard is not as thorough as a security framework such as ISO 27001, because the framework includes people and process, whereas a single compliance standard is focused on the specific issue at hand (like protecting credit card data).