Penetration Testing mailing list archives

Re: Security Audit


From: H Carvey <keydet89 () yahoo com>
Date: 6 Sep 2001 12:08:14 -0000

> A good estimate of time for a "Once Over"
> breaks down like this:

I can't imagine anyone doing a "once over", but I
am sure that there are customers out there 
willing to pay for such a thing.

> What is the difference between vuln assessment
> and pen test?

From my experience:

Pen test: conducted from the outside, designed to
simulate a sophisticated attacker, but in 
a compressed time frame.  Even with proper
contract wording in place, its only real value
is to test the reactions of your IR team (assuming
you have one), or to see if your sysadmins
notice anything.

Vuln Assessment:  Conducted internally, with the
full cooperation of the admins.  Host
information is retrieved, as well as segment,
network, and infrastructure data (configs from
perimeter devices, RAS devices, etc.)  This
information is analyzed on a per-host basis,
as well as an infrastructure-level basis, to
provide a complete picture.  For even more
relevance, policies are reviewed and key personnel
are interviewed.  A tour of the facilities 
may also be conducted to view the layout, physical
and personnel security measures, 
etc.

> I have not done either but this seems like a
> highly subjective area to me.

It is.  

> Are you really going to do a vuln assess on a
> dynamic web site - with all
> its custom scripts and database connectivity and
> possibly middleware - in 20
> minutes?

No, of course not.  In many cases, code reviews
are additional.  Otherwise, throw whisker at
it and see what you get back.

> It sounds like a vuln assess consists of running
> Nessus or
> something similar, searching bugtraq archives
> and possibly throwing in a
> google search for extra credit.

Some folks don't even go that far.
 
> Even on a workstation it seems like you couldn't
> get much done in 20
> minutes.  I don't even see how you could
> reliably enumerate all the
> installed software in less than 20 minutes.

Actually, yes you can.  I've written code that
will pull the entire configuration from a system...
Registry settings, permissions on various objects
(Reg keys, files, directories, etc), network
settings, installed software, etc, etc, etc...in
20 minutes or less.  But that is only the
collection of
this raw data.  Analysis of that data, plus
analysis of all of the data from all systems examined,
takes much longer than that.  

The collection of data will take longer if you
want to be completely comprehensive.  If you find
a FAT file system on an NT/2K system, then your
time is reduced dramatically.  However, let's 
say you wish to include searches for alternate
data streams, hidden files, and want to dump the 
EventLogs, as well.  All this takes time, and the
more data you collect, the more time it takes for 
analysis.

What I'm referring to above is not running Nessus
or (gawd forbid) ISS.  It's collecting raw
configuration data from systems, and analyzing it.
 Commercial scanning tools must decide upon
an arbitrary level of security...one that doesn't
take router and firewall ACLs, NAT'd networks, 
VLANs, etc, into account.  Also, my experience
with ISS (5.8 - 6.01) has shown that it will return 
some false positives that can be very embarrassing
to the consultant group, and potentially 
have an effect on the credibility of the company.
 So rather than run one or more commercial 
tools that are just going to give me a list of
vulnerabilities, I prefer to collect the raw data, and
conduct the analysis.  Most folks are going to say
that doing so takes longer, and you're 
correct.  However, taking longer to provide a
deliverable that is meaningful to the customer 
is acceptable.  Dumping the ISS report to Word and
printing it on company letterhead (and
yes, there are companies that still do that) does
nothing and adds no value for the customer.

With the available commercial tools, and even the
freeware ones, the differentiator for 
consulting businesses is the analysis conducted.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

