This content has been updated and moved to its permanent location at the following URL:

http://danielmiessler.com/writing/va_vs_pt/

There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.” —President George W. Bush, Nashville, Tenn., Sept. 17, 2002

Nothing is more lame than trying to pull Windows hashes off a system in order to break the administrator account’s password when you are on the system because the admin password was blank.

Well, that’s actually not true. There’s one thing that’s more lame, and that’s doing it more than once.

Here’s my list of systems that I have admin access to, let me pull the hashes from this one that was wide open…la la la…pullng them….breaking them…admin password? Blank! Blank? Well what the hell does that get me? Ah, shit, I did it again…

Retardo the Destructor.

I’ve been doing some work for a client recently in the realm of vulnerability management. It’s an interesting area of information security because it draws on so many disciplines. The single biggest thing I’ve learned about this problem is the criticality of asset management.

Quite simply, you can’t hope to “manage” what you don’t know about. What I’d specifically like to see is a move toward security scanners that leverage rich data about an organization’s assets. I know of one product doing this (largely unsucessfully), but I’d like to see it become common in the space.

Here are a few things that asset management offers us:

• Show me all Vista systems that are vulnerable to MS08-001 that are in my building.
• Find all Solaris boxes in our Indiana offices that have SSH enabled, as of yesterday.
• Make me a report of all systems running Telnet that Bob Smith manages.

And if we factor in other rich, user-added security data into the database, such as “importance”, “exposure”, or “risk”, we could say:

• Display all high-risk systems in North America that run Windows Vista or XP, but don’t have HIPS installed.
• List all webservers running Apache 1.3.x in our Wyoming offices that are exposed to the Internet but aren’t running SELinux.

Then add to that the ability to run scans off of those queries. An information loop from the asset-management database to the security scanner, and then (potentially) back into the asset-database. This is how I think we should be moving forward — gathering as much information as possible on what you are protecting, and use that information to improve the quality of your security testing.

Thoughts?