Home PC repair has been dead for a long time. I don't think many users use PCs for much anymore. Everything is done on a tablet or smartphone these days. I'd really like to see Android as a mainstream desktop OS in the future. I know remix is out there and I run Remix almost daily on as a VM, but it isn't efficient compared to Chrome OS. I have to give my android VM 3GB of RAM to get decent performance.

@Tim_G said in South Korean Firm Pays Massive Ransom:

@scottalanmiller said in South Korean Firm Pays Massive Ransom:

@Mike-Davis said in South Korean Firm Pays Massive Ransom:

I thought it was interesting that so many linux systems were hit. Has anyone heard of phishing attacks (or others) that went after linux boxes before?

I've heard of a few. they are rare, but Linux system are the much bigger payoff targets. The data, on average, on Linux servers are worth a lot more. but a lot harder to hit.

I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

Sorry, but this is wrong. I work in cyber security department and my focus is server vulnerabilities. Untouched and unpatched linux servers have far less vulnerabilities than Windows servers. It's really a staggering difference. If I take a sample of 100 Windows Servers and 100 Linux Servers. I would venture to guess you'd have at 10x the amount of vulnerabilities on Windows. Keep in mind that generally around 10 or so patches are released each month for Windows. Linux OS updates are much more rare.

@Tim_G said in South Korean Firm Pays Massive Ransom:

Also, you need to consider what it is that's vulnerable. Is it Linux? Is it Windows?... or is it a program running on top of Linux/Windows such as Apache, Office, video driver? Which doesn't mean the OS is vulnerable.

Does it matter from an attackers point of view? Windows software by design is usually less secure than Linux software. I mean we are looking at attack surface here. If you scan two web servers (Linux and Windows) the Windows one will be more vulnerable every day of the week.

I understand what you are saying, and yes alot of Windows vulns come from shitty coded applications. However, we cannot ignore that because it is relevant to protecting servers. Your original statement was

@Tim_G said

I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

No there isn't as many vulnerabilities found, and from an attacker point of view who cares if they get in because of the OS or because of an IIS flaw or Adobe Reader flaw. It is the server admin's fault for having Adobe Reader on a server in this case. Maybe we see this pattern because of the difference in mindset between Windows and Linux admins, but for me it's held true in at least a dozen different organizations where I have done this type of work.

@stacksofplates said in South Korean Firm Pays Massive Ransom:

@IRJ said in South Korean Firm Pays Massive Ransom:

@DustinB3403 said in South Korean Firm Pays Massive Ransom:

@Tim_G Good Vulnerabilities?

I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.

Not exactly. Windows is just more vulnerable by default. There is really no comparison.

Do you guys not do vulnerability scanning on your networks? The proof is in the pudding, I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, It has the same result no matter what the company. Linux is less vulnerable than Windows.

Seriously though, don't take my word for it. Test it yourselves.

Our Nessus scans show much less vulnerabilities for patched Linux than patched Windows.

You also have to look at the real world examples already. Windows makes up around 15-20% of the web. The rest is Linux. I'm pretty sure it's heavily targeted daily.

Yes, I have used Nessus, OpenVAS, and Qualys, and Nexpose. They are all virtually the same, but their results are consistent in showing Linux as more secure than Windows.

@Kelly said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

I am also interested in this @IRJ, so I'll be following your topics with interest even if I don't have specific questions.

@DustinB3403 and I working on setting his up through chat. I will share details in this thread when we are done

OWASP ZAP is the clear winnner for opensource web app scanning. The GUI is good, simple, and the reports are great! You can even brand them for your own company!

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The only negative thing about OWASP ZAP is the fact that you cannot run it from the command line, but it is cross platform and works on Windows and Linux.

https://github.com/zaproxy/zaproxy/wiki/Downloads

@stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

Is OpenVAS intuitive to use and pickup? Does it have built in scans and reporting that are easily assessed (read).

The GUI and reporting are not good. In fact the GUI is one of the ugliest GUIs I have ever seen, but you will get the same data as you would with paid solutions.

You don't like the lady?

Maybe if I had a 4k monitor I could appreciate her more!

@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ As in, you shouldn't be scanning everything on the open internet.

The FBI, NSA and other 3 letter government agency's will come knocking down your door.

No they wont. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.

@NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ As in, you shouldn't be scanning everything on the open internet.

The FBI, NSA and other 3 letter government agency's will come knocking down your door.

They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

I see about 10 scans a minute from all over the world on our external servers on a slow day!

@scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ As in, you shouldn't be scanning everything on the open internet.

The FBI, NSA and other 3 letter government agency's will come knocking down your door.

They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

Execute you?

Yeah I am sure China's focus is to find everyone running nmap scans on American servers so they can execute them.

You never know.

They could always build another ghost city.

Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.

For anyone that wants to test OpenVAS on something that is not remotely production and see OpenVAS light up like a christmas tree, OWASP has a very vulnerable VM you can download.

https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.

A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.

Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a wordpress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and oracle scans. You get the point.

So don't forget to run those type of scans with information you can gather from a non-credentialed scan.

Does OpenVAS do this now? I don't recall that it did before (admittedly, it has been a while since I've used it.

No. Most of those tools are available in Kali, but I prefer to use Ubuntu and install what I need.

Never using a UPS on a laser printer is probably the only useful thing I learned in A+.....

Have you had an assessment before?

Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

Roughly how big is the company?

What is the exact scope of work? Are you really looking for a pen test or a security audit?

All these should factor in to who you choose for you pentest.

@Jimmy9008 said in Pentest - Who would you recommend?:

@IRJ said in Pentest - Who would you recommend?:

Have you had an assessment before?

Are you in an industry that has requirements like HIPAA, SOX, GLBA, etc?

Roughly how big is the company?

What is the exact scope of work? Are you really looking for a pen test or a security audit?

All these should factor in to who you choose for you pentest.

No previous assessment.

No industry requirements.

25 -35 employees. Thousands of customers.

Pentest. You get our company name, that is all. Can you get in? Could you almost get in? What could/did you change? etc.

You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

@Carnival-Boy said in Pentest - Who would you recommend?:

@IRJ said in Pentest - Who would you recommend?:

You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

A Pentester is more focused on actually breaking into your network. They will show you the security holes and vulnerabilities they found while exploiting your network, but their focus is exploitation.

An assessment will take everything into account on your network and interview various people about policies and procedures. There more of a focus on finding security vulnerabilities and how to fix them vs breaking in.

So you should only get a pen test when you consider your organization ready for it. Otherwise it can be a waste if there are holes galore in your network.

@msff-amman-Itofficer said in F***kin WannaCry:

@EddieJennings said in F***kin WannaCry:

Sometimes for malware, you have to nuke and start over.

Maybe its time to format and move to Windows 10, I feel like I am the last of the
Windows 7 folks around here.

But atleast I have the LGBT version of 10, cause I am gay and I get attacked with stupid Viruses, cause I dont like to have realtime AV scanner install slowing down my system and I thought I much smarter to get infected... Oh i meant Windows 10 LTSB version

I would definitely nuke and move on.

I am not sure what you meant by the last part. I am confused?

@scottalanmiller said in Pentest - Who would you recommend?:

@IRJ said in Pentest - Who would you recommend?:

@scottalanmiller said in Pentest - Who would you recommend?:

@Carnival-Boy said in Pentest - Who would you recommend?:

@IRJ said in Pentest - Who would you recommend?:

You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.

Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?

One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.

Example.. which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.

Both are valuable, but one tells you a lot more, typically.

Yes, alot of people use security assessment and pentesting as interchangeable terms but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.

Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.

absolutely, and just like any company trying to sell you something, you will probably get both if you aren't sure what you are asking for

Openvas isn't as an informative as some other tools. Once you get the cve you can research it better using Google.