RE: Security Audit

From: Dom De Vitto (Domat_private)
Date: Wed Sep 05 2001 - 13:01:13 PDT


    '<whatever> Assessment' implies identifying and proportioning risk.
    (which may involve a pen test, or just a look at your documentation)
    e.g.
    1) Your company lives and breathes through email, so extra care should
    be taken with those systems (Impact:high).
    2) Your web server is just for linux geeks, (impact:none).
    
    '<whatever> testing' implies actually proving security.
    e.g.
    1) SNMP shows that your linux geek web server actually has a second
    interface bypassing the firewall onto your internal network. (Risk: high)
    2) Your email system is bulletproof and invulnerable to anything but
    Uri Geller (risk:low)
    
    You can see that generally, because of limited time/manpower, an assessment
    is generally done first (often in-house) and then pen testing is done,
    focusing on the high impact elements.
    
    How many people have been commissioned to attack a firewall from the
    trusted network? (answer: too few)
    
    Dom
    -----Original Message-----
    From: Todd Ransom [mailto:transomat_private]
    Sent: 05 September 2001 18:12
    To: pen-testat_private
    Subject: Re: Security Audit
    
    
    > A good estimate of time for a "Once Over" breaks down like this:
    >
    > Vulnerability Assessment:
    > 20 minutes per host
    >
    > Penetration Test:
    > 1 Hour per host
    
    What is the difference between vuln assessment and pen test?
    
    I have not done either but this seems like a highly subjective area to me.
    Are you really going to do a vuln assess on a dynamic web site - with all
    its custom scripts and database connectivity and possibly middleware - in 20
    minutes?  It sounds like a vuln assess consists of running Nessus or
    something similar, searching bugtraq archives and possibly throwing in a
    google search for extra credit.
    
    Even on a workstation it seems like you couldn't get much done in 20
    minutes.  I don't even see how you could reliably enumerate all the
    installed software in less than 20 minutes.
    
    TR
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/



    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:35:03 PDT