Penetration Testing mailing list archives

Re: Security Audit


From: "bacano" <bacano () esoterica pt>
Date: Wed, 5 Sep 2001 22:06:39 +0100

hi2all

From: "JCovington" <jcovingto () home com>


It's pretty difficult to break the time down per host. Servers may have
a bunch of services running and each one needs to be scanned, searches
done for new vulnerabilities, etc. A workstation on the other hand may
only have a few services and it becomes a check for
misconfigurations.

It's really hard to break the time down ... especially because this is a service
where the client must invest not to get profit, but to fight possible
losses.
More time means more money to spend.
You may have a server with 50 services running, and all without known
vulnerabilities ... should the pen-tester skip to the next server, or jump
into the unknown?
You may have a workstation with a pretty (m)nice configuration, but it's a
laptop and has a modem card ... should the pen-tester skip to the next
workstation, or try to find out if this user is accessing the net from a
dial-up, or who knows from home to RAS in to work? How will you find his
work and home phone numbers to check this?

Now, if I say that I spend one day (8/10 hours work) just with one server
and usually think that is not enough, it's because I'm crazy ...

It can also depend on the scanning tools used. A big commercial scanner
could check all machines pretty efficiently. But then good pentesters
will follow up on what the scanner found and verify so false positives
are minimized. Also good pentesters will use a toolbag of scripts and
utilities as a second level of thoroughness.

See ... for vuln scanners a crazy dude can use let's say 5 in windoze and
another 5 in linux/bsd, then will test the perl and c scripts, let's say 5 for
each service, then he will jump to the unknown and will try to use every
skill he has (try new overflows, write 0days, improve/change used stuff,
<insert madness here>, ...). At the end he must compile all information and
produce a nice, clear and objective report for a non-security expert reader.
Is one day enough for one server?

And as someone stated before...an attacker could spend weeks going over
everything in fine detail. For a complete assessment with a good, clear,
concise report at the end I would say 4-5 days.

You know what? I'm changing jobs, and each time I go to an interview
somebody asks me "so, tell me, to check a web server what tools do you use
first?" to which I usually say "none, or just a browser" ... probably that's
why people are choosing fresh kids from college and not me. At the end they
are right, because most likely they don't know how to do the job well done
and clients are not available to pay for one.

What I must do is open a restaurant to turn out public my skillz with pizzas
and other tasty things =;o)

[  ]'s bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/