Re: Security Audit

From: Rob J Meijer (rmeijerat_private)
Date: Fri Sep 07 2001 - 08:41:56 PDT


    On 6 Sep 2001, bluefur0r bluefur0r wrote:
    
    > Here are my experiences although this thread will be put to death soon...
    > When asked by the sales/billing dept., they ask me: "how long will this take?"
    > Here's an for you all. Ask for the audit to be done in two phases.
    > Automated scanning (eg vuln-assessment) nmap, nessus, other automated
    > tools whisker etc. and then the pen-test. The reason for this is once
    > you do the automated scan you know exactly how many boxes are up,
    > what services are running and what might exist on the webservers.
    > This will help you greatly in gauging the time it will take to do the
    > pen-test.
    > Now you have all the information you'd need to start the pen-test.
    > In the past I made a grave error... (when I first started ;P).
    > I did the automated scans then penetrated with JUST the results I had from
    > the automated scans. As I reflect, I realize that was not an audit but
    > just a pen-test. Yeah great, give them the report with how you broke in.
    > But I missed a lot of information! What about the application layer?
    > What about custom cgi's? Audits are meant for one reason. To be thorough
    > and try to find! every single hole you can.
    
    This seems to be a widespread misconception.
    The actual holes are only a small part of security and thus of a security
    audit, but also of the penetration test phase itself.
    Just auditing the 'crunchy outside' by looking for 'every single hole you
    can find' in no way constitutes a complete audit or even a
    complete penetration test.
    
    A major part of the security assessment should be an evaluation of the
    provided containment and consequent risks for all systems that could
    possibly contain holes that are not known at the time of the audit.
    
    Security is not just about bugs, it's 'MOSTLY' about 'CONTAINMENT' and thus
    security assessments and penetration tests, and with them the time needed
    to complete them, should also be mainly about auditing the containment of
    systems with unknown bugs/holes and not just about finding as many
    known and unknown bugs/holes as possible in these systems.
    
    
    
    Rob
    
    
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:55:54 PDT