Penetration Testing mailing list archives
RE: Security Audit
From: "Roberts, Kevin S" <KSRobe1 () missi ncsc mil>
Date: Wed, 5 Sep 2001 17:40:36 -0400
Another critical thing to note is that some companies are having both Sr. Auditors and trainees doing the security audit. You need to have the companies provide resumes of the folks doing the audits if possible. To be honest the number of hours is relative to the experience level of the Auditor itself. You may get two mid level auditors that have a decent amount of experience, but require assistance. This of course is taken into account when the companies bill the customer respectively. Not all companies are this way, and I need to make that clear. However, I know from first hand knowledge, that this is an issue.

My 2 cents, for what it is worth,
K

-----Original Message-----
From: bacano [mailto:bacano () esoterica pt]
Sent: Wednesday, September 05, 2001 6:54 AM
To: pen-test () securityfocus com
Subject: Re: Security Audit

hi2all

From: "Simon Wellborne" <simon.wellborne () initiative-technology co nz>
We have a company or two providing quotes on a security audit, including penetration tests.
Get another two quotes from more companies for a start ...
I am a little concerned about the amount of hours being quoted for some of these tests.
How many hours do you think an attacker will spend? At the end this is a matter of how much money you want to spend with this versus how deep the audit should go ... you must find a balance here.
From people's experience (and I would like to hear from Professionals who conduct audits) about what timeframes are 'normally' used. Our network is relatively small (20-40 users + servers).
A professional probably will take 2/3 days plus one to present a report ... an attacker that has nothing more useful to do can have fun for some weeks ... At the end is a matter of how much you can lose versus how much you can spend.

hint = ask for 30% discount against a new audit 6 months from this one ... do they want to get an audit or to get a client? =;o)

[ ]'s
bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/