On Thursday 06 September 2001 01:41 am, Wertheimer, Ishai wrote:
> Forrest,
>
> I'm not sure what is considered a pen-test in your eyes, but running
> Nessus for 20 minutes is not any pen-test!

I don't remember hearing Forrest claim that running Nessus qualified as a
pen-test. Actually, the point I got was that he disliked the fact that
some companies do in fact simply run tools such as Nessus against a
network; and after they do that, they do nothing but throw a large
mangled report at upper management. Read the fine print, people.

> Even if you think Nessus can do better than any other tool, by automating
> and covering any possible vulnerability found in the past (which I could
> doubt) - is this a pen-test?

I've been reading all the replies to Forrest's post. Everybody seems to
have strayed a bit from the original topic. His point was never to prove
that running automated tools in order to save time is better than manual
penetration testing. Everybody here should also know that Nessus doesn't
do penetration testing, so it probably wouldn't be wise to imply that it
could be a replacement for a pen-test.

Let's all take sides here and get into a bar-room brawl, eh?

Erik Tayler

> Ishai.
>
> -----Original Message-----
> From: Forrest Rae [mailto:forrest@code-lab.com]
> Sent: Tuesday, September 04, 2001 9:49 PM
> To: pen-testat_private
> Subject: Re: Security Audit
>
>
> Hi Simon,
> Hi pentest-list,
>
> <IMHO>
>
> The time spent is relational to the number of hosts being audited, and
> the security company's defined assessment process. As a customer, I
> would imagine one has the right to review the processes of your
> consultants. You should find out if the companies are going to run any
> automatic vulnerability assessment tools such as Nessus, or an in-house
> product. If they are just going to run Nessus on you, and print out the
> report it generates, do they really need 20+ hours to do that?
> (If you have several hundred hosts, then they probably do need 20+.) If
> they do 100% of the work by hand, then they may require extra time. This
> brings me to question why they are doing assessments by hand when there
> are great tools like Nessus?
>
> A good estimate of time for a "Once Over" breaks down like this:
>
> Vulnerability Assessment:
> 20 minutes per host
>
> Penetration Test:
> 1 hour per host
>
> Internal assessments usually take a little longer because you generally
> have access to more services, network devices, employees, etc...
>
> I am also interested in other people's estimates of time per host. :)
>
> -Forrest
>
> </IMHO>
>
> Simon Wellborne wrote:
> > Hello all,
> >
> > We have a company or two providing quotes on a security audit, including
> > penetration tests.
> >
> > I am a little concerned about the number of hours being quoted for some
> > of these tests.
> >
> > From people's experience (and I would like to hear from professionals who
> > conduct audits), what timeframes are 'normally' used?
> >
> > Our network is relatively small (20-40 users + servers).
> >
> > Appreciate all replies
> >
> > Regards
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
> *****************************************************************************
> The information in this email is confidential and may be legally
> privileged. It is intended solely for the addressee. Access to this email
> by anyone else is unauthorized.
>
> If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken or omitted to be taken in reliance on it,
> is prohibited and may be unlawful. When addressed to our clients any
> opinions or advice contained in this email are subject to the terms and
> conditions expressed in the governing KPMG client engagement letter.
> *****************************************************************************
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 16:05:24 PDT