Re: Security Audit

From: R. DuFresne (dufresneat_private)
Date: Wed Sep 05 2001 - 12:12:05 PDT


    Anyone claiming that their pen test, vuln assessment, or security audit
    consists merely of running nessus and or nmap and producing a report and
    final results is a charlatan, and does the security industry a
    disservice.  Yet, I have seen, in practice, both outside consultants,
    hired guns from the outside and supposedly 'trained' professionals <CISSP!>
    within the corporate sector do merely this and stamp "certified secure"
    across organizations.  A "test, assessment, or audit" is more akin to
    remodeling than new home building, and remodeling, having done lots of it
    over time, I can safely state, is -=dirty work=-.  When you rip open a
    wall, one is sometimes amazed, as well as disheartened, at what they find
    behind the sheetrock and plaster.
    
    Thanks,
    
    Ron DuFresne
    
    On Wed, 5 Sep 2001, Todd Ransom wrote:
    
    > > A good estimate of time for a "Once Over" breaks down like this:
    > >
    > > Vulnerability Assessment:
    > > 20 minutes per host
    > >
    > > Penetration Test:
    > > 1 Hour per host
    > 
    > What is the difference between vuln assessment and pen test?
    > 
    > I have not done either but this seems like a highly subjective area to me.
    > Are you really going to do a vuln assess on a dynamic web site - with all
    > its custom scripts and database connectivity and possibly middleware - in 20
    > minutes?  It sounds like a vuln assess consists of running Nessus or
    > something similar, searching bugtraq archives and possibly throwing in a
    > google search for extra credit.
    > 
    > Even on a workstation it seems like you couldn't get much done in 20
    > minutes.  I don't even see how you could reliably enumerate all the
    > installed software in less than 20 minutes.
    > 
    > TR
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    > 
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior consultant:  darkstar.sysinfo.com
                      http://darkstar.sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
    
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:53:25 PDT