Re: security compliance vs. old software versions




John Hinton wrote:
> On 6/30/2010 8:54 PM, John Jasen wrote:
>> Well, I'm a security admin, so of course protection is more important
>> than utility! :)
>>
>> But seriously, the assessment tools provide information on your
>> environment, based on certain standard metrics. It's (HOPEFULLY! PCI
>> compliance notwithstanding ....) up to the people who end up reading
>> them to fix the environment, determine that it's not a problem, or accept
>> the risk that was discovered.
>>
>>    
> Sorry to drag this back out to the front... I've been beyond busy and 
> just now catching up.
> 
> One of the things that is blaring to me in these 'security' scans is 
> that there is no check of passwords. We can jump through every hoop in 
> the world to provide a 'secure' environment, yet without 'verifying' 
> with the client a quality password and password policy, this is simply a 
> moot point. Yes, one would hope... but if they don't check this how do 
> they know? I have had requests for password changes to the most ignorant 
> and guessable things. We don't allow any of our users to set their 
> passwords, but I do wonder about these supposedly 'secure' sites.

Well, security assessment tools should just be a part of your holistic
security posture. Hopefully, if passwords are a concern, you've set
requirements for complex passwords in your authentication system, and are
routinely running password scans against them.

FWIW, Nessus does have a check for stupid default passwords for default
accounts.


-- 
-- John E. Jasen (jjasen@xxxxxxxxxxxxxxxxxx)
-- "Deserve Victory." -- Terry Goodkind, Naked Empire
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

