Plus, no auditing tool can test the social engineering possibilities that are often so easy to pull off in typical corporate environments.. ;-)

Is there anyone out there that performs social engineering as part of their pentests/audits? I feel that it is to be considered a definite part of a pentest/audit, as it's a common tool that can easily be used by smart perpetrators, other than computer tools.

Please excuse me if this is old news on the list, I've just recently subscribed..

/jus

-- 
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jusat_private
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Thu, 6 Sep 2001, Renaud Deraison wrote:

> 
> On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
> > An e-commerce site is supposed to have an application layer or isn't it ?
> > What about auditing the application on top?
> > 
> > Many e-commerce sites have been hacked although you wouldn't find any
> > vulnerability by running Nessus or such !
> 
> 
> <off topic, self promotion>
> Actually, Nessus 1.1.x has some plugins dedicated to the analysis of
> CGIs. This is not as good as a human brain with at least a two-digit
> IQ, but that's better than just doing nothing.
> (it will catch trivial things such as param=../../../../etc/passwd%00
> and such, but not dir=/etc&file=passwd, even though the latter seems
> trivial to any human being).
> </off topic. Sorry for that>
> 
> 
> But I agree with you - no automated tool can do a security _audit_.
> 
> There's more to a security audit than just flashing red lights and
> showing /etc/passwd to the management. Policies have to be read and
> correlated with the real life on the network. Services that do not match
> the policy should be told to be disabled, even if they're not vulnerable
> to anything.
> 
> A security audit is first a matter of checking that kind of thing rather
> than licensing the list of vulnerabilities on a network. Vulnerabilities
> appear and disappear every day. The policy never changes.
> 
> 
> 
> -- Renaud
> 
> -- 
> Renaud Deraison
> The Nessus Project
> http://www.nessus.org
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
> 
> 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
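The point Renaud makes in the quoted reply (a scanner catches the encoded `param=../../../../etc/passwd%00` form but misses `dir=/etc&file=passwd`) is a detection problem on the defender's side too. The following is an added example, not code from this list posting and not part of Nessus: a small Python checker that decodes each CGI parameter, flags NUL truncation and `..` traversal, and additionally joins pairs of parameters so the split directory-plus-filename form resolves to the same sensitive path. The watchlist and the access-log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed watchlist: files a CGI should never be asked to serve.
SENSITIVE_FILES = {"/etc/passwd", "/etc/shadow"}

# Constructed access-log lines (Common Log Format); none are from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Sep/2001:02:41:35 -0400] "GET /cgi-bin/show.cgi?page=home&lang=en HTTP/1.0" 200 512
10.0.0.7 - - [06/Sep/2001:02:42:10 -0400] "GET /cgi-bin/show.cgi?param=../../../../etc/passwd%00 HTTP/1.0" 200 1843
10.0.0.9 - - [06/Sep/2001:02:43:01 -0400] "GET /cgi-bin/view.cgi?dir=/etc&file=passwd HTTP/1.0" 200 1843
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so double-encoded %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if '..' appears as a path segment (backslashes treated as separators)."""
    return ".." in value.replace("\\", "/").split("/")


def resolves_to_sensitive(path):
    """Normalise and compare with the watchlist.

    Relative paths are anchored at '/' on purpose: climbing past the root with
    '../../../../etc/passwd' still lands on /etc/passwd, which is what a CGI
    running in a shallow directory would actually open.
    """
    anchored = path if path.startswith("/") else "/" + path
    return posixpath.normpath(anchored) in SENSITIVE_FILES


def analyze_query(query):
    """Return sorted, de-duplicated (parameter, reason) findings for one query string."""
    findings = set()
    # parse_qsl splits on '&' before decoding, so an encoded %26 does not create a parameter.
    params = [(name, fully_decode(value))
              for name, value in parse_qsl(query, keep_blank_values=True)]

    for name, value in params:
        if "\x00" in value:
            findings.add((name, "nul-byte truncation"))
        clean = value.replace("\x00", "")
        if has_traversal(clean):
            findings.add((name, "directory traversal"))
        if resolves_to_sensitive(clean):
            findings.add((name, "sensitive file path"))

    # Split form: a directory in one parameter and a file name in another.
    # Every ordered pair of distinct parameters is joined and checked.
    for dir_name, dir_value in params:
        for file_name, file_value in params:
            if dir_name == file_name:
                continue
            if resolves_to_sensitive(posixpath.join(dir_value, file_value)):
                findings.add((f"{dir_name}+{file_name}",
                              "sensitive file via split parameters"))
    return sorted(findings)


def scan_log(lines):
    """Run analyze_query over the query string of each request; return (line_no, findings)."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyze_query(urlsplit(match.group(1)).query)
        if findings:
            hits.append((line_no, findings))
    return hits


if __name__ == "__main__":
    for line_no, findings in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {findings}")
```

The pairwise join is what closes the gap Renaud describes: neither `/etc` nor `passwd` looks dangerous on its own, so a per-parameter check never fires, but joining them reproduces what the CGI does with the values. The cost is quadratic in the number of parameters, which is fine for log review and for the handful of parameters a typical CGI takes.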
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 16:12:16 PDT