Security Basics mailing list archives
RE: Conducting vulnerability assessment for the first time
From: "Clayton T. Dillard" <cdillard () securespeed cc>
Date: Fri, 19 Mar 2004 14:02:57 -0500
Bill,

1. There are so many tools available for performing assessments that a list here would take up too much room and time. There are free tools as well as commercial tools. Generally I've experienced that the right Open-Source tools perform really well, but the shortfall with Open-Source assessment tools is their lack of elegant reporting and the ability to combine data (results) from multiple assessment sources. So, it takes more time to produce quality reports that are formatted properly for your customer(s). Tools like Nessus, NMAP, CHEOPS, Etherape, Ethereal, Hping, firewalker, etc. are all free and work very well, and they should be a good start for you to begin working with. There are many, many more tools that you can leverage - search the web. You might find Knoppix-STD to be a great tool to get started with.

2. The answer to this question may be a matter of opinion, and here's mine. A vulnerability assessment is usually less in-depth and time consuming for the auditor and generally consists of some upfront discovery followed by the use of "canned" tools, resulting in one or more basic reports. Penetration testing is usually very time consuming and is a much more in-depth *process* that digs deeper and covers more ground than a security/vulnerability assessment. A penetration test might take weeks to complete and cover internal & external systems and network gear, application security, backend security, physical security, social engineering, modem scans, wireless assessments and so on.

3. There are some best practices, and I like the OSSTMM (Open-Source Security Testing Methodology Manual). You can pay for others, but the OSSTMM is a great work that is highly respected.

------
All the best,
Clayton T. Dillard
SECURESPEED, LLC
Office: 919-557-5126
Mobile: 919-395-9870
Fax: 919-577-0943
http://www.securespeed.cc
"Information Assurance & Security Solutions"
Subscribe to our monthly newsletter at www.securespeed.cc/newsletter.htm
-----Original Message-----
From: Bill Hardstone [mailto:rhardstone () eudoramail com]
Sent: Friday, March 19, 2004 7:09 AM
To: security-basics () securityfocus com
Subject: Conducting vulnerability assessment for the first time

I am tasked to perform network vulnerability assessments for a provider customer. I am searching for:

1. What are the tools out there to perform vulnerability assessments (port scanner, network mapper, etc.)?
2. What is the difference between vulnerability assessment and penetration testing?
3. Are there best practices that can be utilized to perform the assessments and to report their findings?

Any help will be appreciated.

Bill.

Need a new email address that people can remember? Check out the new EudoraMail at http://www.eudoramail.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------