hi2all

From: "JCovington" <jcovingtoat_private>

> It's pretty difficult to break the time down per host. Servers may have
> a bunch of services running and each one needs to be scanned, searches
> done for new vulnerabilities, etc. A workstation on the other hand may
> only have a few services and it becomes a check for
> misconfigurations.

It's really hard to break the time down ... especially because this is a service where the client must invest not to make a profit, but to fight possible losses. More time means more money to spend.

You may have a server with 50 services running, and all without known vulnerabilities ... should the pen-tester skip to the next server, or jump into the unknown?

You may have a workstation with a pretty (m)nice configuration, but it's a laptop and has a modem card ... should the pen-tester skip to the next workstation, or try to find out if this user is accessing the net from a dial-up, or who knows, from home via RAS into work? How will you find his work and home phone numbers to check this?

Now, if I say that I spend one day (8/10 hours of work) just on one server and usually think that is not enough, it's because I'm crazy ...

> It can also depend on the scanning tools used. A big commercial scanner
> could check all machines pretty efficiently. But then good pentesters
> will follow up on what the scanner found and verify so false positives
> are minimized. Also good pentesters will use a toolbag of scripts and
> utilities as a second level of thoroughness.

See ... for vuln scanners a crazy dude can use, let's say, 5 in windoze and another 5 in linux/bsd, then he will test the perl and c scripts, let's say 5 for each service, then he will jump into the unknown and will try to use every skill he has (try new overflows, write 0days, improve/change used stuff, <insert madness here>, ...). At the end he must compile all the information and produce a nice, clear and objective report for a non-security-expert reader.

Is one day enough for one server?

> And as someone stated before...an attacker could spend weeks going over
> everything in fine detail. For a complete assessment with a good, clear,
> concise report at the end I would say 4-5 days.

You know what? I'm changing jobs, and each time I go to an interview somebody asks me "so, tell me, to check a web server what tools do you use first?", to which I usually say "none, or just a browser" ... probably that's why people are choosing fresh kids from college and not me. In the end they are right, because most likely they don't know how to do the job well and clients are not willing to pay for one.

What I must do is open a restaurant to show the public my skillz with pizzas and other tasty things =;o)

[ ]'s
bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:26:17 PDT