Penetration Testing mailing list archives
Re: Security Audit
From: H Carvey <keydet89 () yahoo com>
Date: 6 Sep 2001 12:08:14 -0000
> A good estimate of time for a "Once Over"
> breaks down like this:

I can't imagine anyone doing a "once over", but I am sure that there are customers out there willing to pay for such a thing.
> What is the difference between vuln assessment
> and pen test?
From my experience:

Pen test: conducted from the outside, designed to simulate a sophisticated attacker, but in a compressed time frame. Even with proper contract wording in place, its only real value is to test the reactions of your IR team (assuming you have one), or to see if your sysadmins notice anything.

Vuln Assessment: Conducted internally, with the full cooperation of the admins. Host information is retrieved, as well as segment, network, and infrastructure data (configs from perimeter devices, RAS devices, etc.). This information is analyzed on a per-host basis, as well as on an infrastructure-level basis, to provide a complete picture. For even more relevance, policies are reviewed and key personnel are interviewed. A tour of the facilities may also be conducted to view the layout, physical and personnel security measures, etc.
> I have not done either but this seems like a
> highly subjective area to me.

It is.
> Are you really going to do a vuln assess on a
> dynamic web site - with all
> its custom scripts and database connectivity and
> possibly middleware - in 20
> minutes?
No, of course not. In many cases, code reviews are additional. Otherwise, throw whisker at it and see what you get back.
> It sounds like a vuln assess consists of running
> Nessus or
> something similar, searching bugtraq archives
> and possibly throwing in a
> google search for extra credit.
Some folks don't even go that far.
> Even on a workstation it seems like you couldn't
> get much done in 20
> minutes. I don't even see how you could
> reliably enumerate all the
> installed software in less than 20 minutes.
Actually, yes you can. I've written code that will pull the entire configuration from a system... Registry settings, permissions on various objects (Reg keys, files, directories, etc.), network settings, installed software, etc, etc, etc... in 20 minutes or less. But that is only the collection of this raw data. Analysis of that data, plus analysis of all of the data from all systems examined, takes much longer than that.

The collection of data will take longer if you want to be completely comprehensive. If you find a FAT file system on an NT/2K system, then your time is reduced dramatically. However, let's say you wish to include searches for alternate data streams, hidden files, and want to dump the EventLogs, as well. All this takes time, and the more data you collect, the more time it takes for analysis.

What I'm referring to above is not running Nessus or (gawd forbid) ISS. It's collecting raw configuration data from systems, and analyzing it. Commercial scanning tools must decide upon an arbitrary level of security... one that doesn't take router and firewall ACLs, NAT'd networks, VLANs, etc., into account. Also, my experience with ISS (5.8 - 6.01) has shown that it will return some false positives that can be very embarrassing to the consultant group, and potentially have an effect on the credibility of the company.

So rather than run one or more commercial tools that are just going to give me a list of vulnerabilities, I prefer to collect the raw data, and conduct the analysis. Most folks are going to say that doing so takes longer, and you're correct. However, taking longer to provide a deliverable that is meaningful to the customer is acceptable. Dumping the ISS report to Word and printing it on company letterhead (and yes, there are companies that still do that) does nothing and adds no value for the customer. With the available commercial tools, and even the freeware ones, the differentiator for consulting businesses is the analysis conducted.
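The raw-configuration collection described in the reply above, as an added example that is not H Carvey's code or part of the original post: a PowerShell script for a modern Windows host, run in an elevated session with the admins' cooperation, that dumps each data class mentioned (file system type, installed software, object permissions, network settings, alternate data streams, hidden files, EventLogs) into a per-host folder for later analysis. `$OutRoot` and the list of objects to ACL-check are assumptions to adjust per engagement.

```powershell
# Added example of raw host-data collection for a vuln assessment (not the
# original poster's code). Assumes PowerShell 5.1+, an elevated session, and
# $OutRoot as the drop folder. Collection only; analysis happens afterwards.
param([string]$OutRoot = 'C:\Assessment')

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. File system per volume: a FAT volume has no ACLs, so the permission data
#    below is meaningless there and the analyst needs to know that up front.
Get-CimInstance Win32_LogicalDisk | Select-Object DeviceID, FileSystem, Size |
    Export-Csv (Join-Path $out 'volumes.csv') -NoTypeInformation

# 2. Installed software, straight from the Uninstall keys (32- and 64-bit views).
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninst -ErrorAction SilentlyContinue | Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Export-Csv (Join-Path $out 'software.csv') -NoTypeInformation

# 3. Permissions on registry keys and directories (assumed starter list).
$objects = 'HKLM:\SYSTEM\CurrentControlSet\Services',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           "$env:SystemRoot\System32", "$env:ProgramFiles"
$perms = foreach ($obj in $objects) {
    $acl = Get-Acl -Path $obj -ErrorAction SilentlyContinue
    if ($acl) { $acl.Access | Select-Object @{n='Object';e={$obj}}, IdentityReference,
                FileSystemRights, RegistryRights, AccessControlType, IsInherited }
}
$perms | Export-Csv (Join-Path $out 'permissions.csv') -NoTypeInformation

# 4. Network settings, services and their run-as accounts.
ipconfig /all  | Out-File (Join-Path $out 'ipconfig.txt')
netstat -ano   | Out-File (Join-Path $out 'netstat.txt')
Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName |
    Export-Csv (Join-Path $out 'services.csv') -NoTypeInformation

# 5. The slow, optional part: alternate data streams and hidden files.
$files = Get-ChildItem "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue
$files | Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } | Select-Object FileName, Stream, Length |
    Export-Csv (Join-Path $out 'ads.csv') -NoTypeInformation
$files | Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object FullName, Length, LastWriteTime |
    Export-Csv (Join-Path $out 'hidden.csv') -NoTypeInformation

# 6. EventLogs, exported intact, plus a hash manifest of everything collected.
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log (Join-Path $out "$log.evtx")
}
Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $out 'manifest.csv') -NoTypeInformation
```

The per-host folders are what the analysis phase reads; keeping the manifest lets a reviewer show the raw data was not altered between collection and reporting.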
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/