> > A good estimate of time for a "Once Over" breaks down like this:

I can't imagine anyone doing a "once over", but I am sure that there are customers out there willing to pay for such a thing.

> What is the difference between vuln assessment and pen test?

From my experience:

Pen test: conducted from the outside, designed to simulate a sophisticated attacker, but in a compressed time frame. Even with proper contract wording in place, its only real value is to test the reactions of your IR team (assuming you have one), or to see if your sysadmins notice anything.

Vuln assessment: conducted internally, with the full cooperation of the admins. Host information is retrieved, as well as segment, network, and infrastructure data (configs from perimeter devices, RAS devices, etc.). This information is analyzed on a per-host basis, as well as on an infrastructure-level basis, to provide a complete picture. For even more relevance, policies are reviewed and key personnel are interviewed. A tour of the facilities may also be conducted to view the layout, physical and personnel security measures, etc.

> I have not done either but this seems like a highly subjective area to me.

It is.

> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes?

No, of course not. In many cases, code reviews are additional. Otherwise, throw whisker at it and see what you get back.

> It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.

Some folks don't even go that far.

> Even on a workstation it seems like you couldn't get much done in 20
> minutes. I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.

Actually, yes you can. I've written code that will pull the entire configuration from a system... Registry settings, permissions on various objects (Reg keys, files, directories, etc.), network settings, installed software, etc., etc., etc. ...in 20 minutes or less. But that is only the collection of this raw data. Analysis of that data, plus analysis of all of the data from all systems examined, takes much longer than that.

The collection of data will take longer if you want to be completely comprehensive. If you find a FAT file system on an NT/2K system, then your time is reduced dramatically. However, let's say you wish to include searches for alternate data streams, hidden files, and want to dump the EventLogs, as well. All this takes time, and the more data you collect, the more time it takes for analysis.

What I'm referring to above is not running Nessus or (gawd forbid) ISS. It's collecting raw configuration data from systems, and analyzing it. Commercial scanning tools must decide upon an arbitrary level of security...one that doesn't take router and firewall ACLs, NAT'd networks, VLANs, etc., into account. Also, my experience with ISS (5.8 - 6.01) has shown that it will return some false positives that can be very embarrassing to the consultant group, and potentially have an effect on the credibility of the company.

So rather than run one or more commercial tools that are just going to give me a list of vulnerabilities, I prefer to collect the raw data, and conduct the analysis. Most folks are going to say that doing so takes longer, and you're correct. However, taking longer to provide a deliverable that is meaningful to the customer is acceptable. Dumping the ISS report to Word and printing it on company letterhead (and yes, there are companies that still do that) does nothing and adds no value for the customer. With the available commercial tools, and even the freeware ones, the differentiator for consulting businesses is the analysis conducted.
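The raw-data collection the poster describes (installed software, permissions on registry keys and directories, network settings, alternate data streams, hidden files, EventLog dumps) as an added PowerShell example. This is not the poster's tool and not from the original post; it assumes a modern Windows host (Windows 8 / Server 2012 or later, for Get-Volume, Get-NetIPAddress, Get-NetTCPConnection and Get-WinEvent), local administrator rights, and that the output directory and the list of "sensitive" ACL targets below are the collector's own choices. It only gathers data into per-category JSON and .evtx files for offline analysis; it makes no judgement about vulnerabilities, which is the point the post is making. Per the post's remark about FAT, the ADS and hidden-file pass is skipped for non-NTFS volumes.

```powershell
# Added example: collect raw host configuration for later analysis (not the
# poster's code). Assumes Windows 8/Server 2012+ cmdlets and local admin rights.
# $OutDir and the $aclTargets list are assumptions, not anything from the post.
param(
    [string]$OutDir = (Join-Path $env:TEMP ("hostconfig-" + $env:COMPUTERNAME)),
    [int]$EventLogMaxEvents = 5000
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$sw = [System.Diagnostics.Stopwatch]::StartNew()

function Save($Name, $Data) {
    # One JSON file per category; nesting keeps ACL and stream detail intact.
    $Data | ConvertTo-Json -Depth 6 | Set-Content -Path (Join-Path $OutDir "$Name.json")
}

# 1. Installed software: read both the native and WOW6432Node Uninstall keys,
#    which covers more than the Add/Remove Programs view.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$software = Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation
Save 'software' $software

# 2. Permissions on objects commonly abused for persistence or privilege
#    escalation (assumed list; extend per engagement).
$aclTargets = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    "$env:SystemRoot\System32",
    "$env:ProgramFiles"
)
$acls = foreach ($t in $aclTargets) {
    $acl = Get-Acl -Path $t -ErrorAction SilentlyContinue
    if ($acl) {
        [pscustomobject]@{
            Path  = $t
            Owner = $acl.Owner
            Rules = $acl.Access | Select-Object `
                @{n='Identity'; e={ $_.IdentityReference.Value }},
                @{n='Rights';   e={ if ($_.RegistryRights) { "$($_.RegistryRights)" } else { "$($_.FileSystemRights)" } }},
                AccessControlType, IsInherited
        }
    }
}
Save 'acls' $acls

# 3. Network settings: addresses, routes and listening TCP sockets with owning process.
Save 'net' ([pscustomobject]@{
    Addresses = Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, PrefixLength
    Routes    = Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias
    Listeners = Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }}
})

# 4. NTFS-only passes: alternate data streams and hidden files. FAT volumes have
#    neither ADS nor ACLs, so they are skipped and collection finishes sooner.
$ntfsRoots = Get-Volume | Where-Object { $_.FileSystem -eq 'NTFS' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):\" }
$ads = foreach ($root in $ntfsRoots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |     # ':$DATA' is the ordinary file content
            Select-Object FileName, Stream, Length
    }
}
Save 'ads' $ads
$hidden = foreach ($root in $ntfsRoots) {
    Get-ChildItem -Path $root -Recurse -Force -Attributes Hidden -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
Save 'hidden' $hidden

# 5. EventLogs: a full .evtx export for evidence plus a bounded recent slice for quick triage.
foreach ($log in 'Security', 'System', 'Application') {
    wevtutil epl $log (Join-Path $OutDir "$log.evtx") /ow:true
    Save "events-$log" (Get-WinEvent -LogName $log -MaxEvents $EventLogMaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message)
}

Write-Host ("Collected raw configuration into {0} in {1:F1} minutes." -f $OutDir, $sw.Elapsed.TotalMinutes)
```

Run it from an elevated PowerShell session on each host and copy the output directory off for analysis. The recursive ADS and hidden-file walk is the expensive part; as the post says, how much you collect is a trade-off against collection time, and everything here still has to be correlated across hosts and against the perimeter and segment configuration before it becomes a finding.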
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:15:14 PDT