I am curious how the community handles vulnerabilities found during a scan that are not currently patched?
A side question: If you just accept the vulnerability finding as mitigated or accepted, how do you handle the recurring hit on every report? Do you turn off that scan item, or just keep those hits in the scan report? What if my boss wants a clean report?
I use version 6.7. I've found that when I scan a Windows server, I often see some medium and even an occasional high alert for unpatched issues, some of which have been persisting for quite some time. An example would be 6545: Microsoft Windows GDI+ EMF Stack Overflow Vulnerability.
I can't speak for the community, but as a security professional I wouldn't manipulate what's reported just because there isn't a patch available. That can lead to a false sense of security that doesn't really reflect the reality of your enterprise. If your boss wants a clean report, pressure should be put on the vendor to fix the vulnerability, or the offending software should be removed.
Yeah, I definitely don't want to really disable an alert. From an auditor's perspective, how would he know that I haven't just turned off checks for things I don't want to fix?
Unfortunately, some vulns, especially some of those Windows OS ones, are just not going to be patched, or at least Microsoft has said as much. Of course, that then begs the question of how anyone can pass a Foundstone scan with Windows.
I support Jeffrey's perspective.
If you have a vuln that cannot be patched, you should accept the risk, so it must be reflected in the Foundscore.
You could disable that particular vuln check in your scan by editing the vuln list, but again, that would only deliver a false sense of security.
Regarding your boss requiring a clean report, I remember reading somewhere that Vuln. Management "is 75 percent science and planning and 25 percent the art of persuasion and motivation." Reading a clean report is easy; changing people's perspective is hard.
Message was edited by: epo909 on 11/24/09 3:56 AM
I concur with the others as well; a false sense of security is misleading. You are still vulnerable, and management needs to know that. I do clean the reports to send to management, but the only thing I remove is the "Informational" part, and I leave the "High", "Medium" and "Low". My reports are created using Excel, Access and a connection to the SQL database.
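The reporting approach described in the last reply, as an added Python example that is not from the thread or from Foundstone: it drops only Informational rows, keeps High/Medium/Low, and annotates risk-accepted findings (such as check 6545, which has no patch) instead of suppressing them, flagging any acceptance past its review date so the recurring hit stays visible to management and auditors. The host names, the other check ids, the owner and the dates are constructed for the example.

```python
from datetime import date

# Constructed sample scan rows. Check 6545 is the one mentioned in the thread;
# the hosts and the other check ids/titles are made up for this example.
FINDINGS = [
    {"host": "win-srv-01", "check_id": 6545, "severity": "High",
     "title": "Microsoft Windows GDI+ EMF Stack Overflow Vulnerability"},
    {"host": "win-srv-01", "check_id": 90001, "severity": "Informational",
     "title": "SMB service detected on 445/tcp"},
    {"host": "win-srv-02", "check_id": 90002, "severity": "Medium",
     "title": "Weak TLS cipher suites offered"},
    {"host": "win-srv-02", "check_id": 90003, "severity": "Low",
     "title": "ICMP timestamp response"},
]

# Risk-acceptance register (constructed). An accepted finding is never dropped
# from the report; it is annotated and re-reviewed when the acceptance expires.
ACCEPTED = {
    6545: {"owner": "infra-team", "reason": "no vendor patch available",
           "expires": date(2010, 5, 24)},
}

def build_management_report(findings, accepted, today):
    """Return (rows, expired): rows are all non-Informational findings with a
    status column; expired lists accepted check ids whose review date passed."""
    rows, expired = [], []
    for finding in findings:
        if finding["severity"] == "Informational":
            continue  # the only thing stripped for the management copy
        row = dict(finding, status="open")
        acceptance = accepted.get(finding["check_id"])
        if acceptance is not None:
            if acceptance["expires"] < today:
                row["status"] = "acceptance expired, re-review required"
                expired.append(finding["check_id"])
            else:
                row["status"] = (f"risk accepted by {acceptance['owner']} "
                                 f"until {acceptance['expires']} "
                                 f"({acceptance['reason']})")
        rows.append(row)
    return rows, expired

def severity_counts(rows):
    """Totals per severity for the summary line of the report."""
    counts = {}
    for row in rows:
        counts[row["severity"]] = counts.get(row["severity"], 0) + 1
    return counts
```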