Penetration Testing mailing list archives

Re: Security Audit

From: Erik Tayler <erik () digitaloffense net>
Date: Thu, 6 Sep 2001 20:18:36 -0500

On Thursday 06 September 2001 01:41 am, Wertheimer, Ishai wrote:

Forrest,

I'm not sure what is considered as pen-test in your eyes, but running
Nessus for 20 minutes is not any pen-test !


I don't remember hearing Forrest claim that running Nessus qualified as a 
pen-test. Actually, the point I got was that he disliked the fact that some 
companies do in fact simply run tools such as Nessus against a network; And 
after they do that, they do nothing but throw a large mangled report at upper 
management. Read the fine print people.

Even if you think Nessus can do better than any other tool, by automating
and covering any possible vulnerability found in the past (which I could
doubt) -  is this a pen-test?


I've been reading all the replies to Forrest's post. Everybody seems to have 
strayed a bit from the original topic. His point was never to prove that 
running automated tools in order to save time > manual penetration testing. 
Everybody here should also know that Nessus doesn't do penetration testing, 
so it probably wouldn't be wise to imply that it could be a replacement for a 
pen-test.

Let's all take sides here and get into a bar-room brawl, eh?

Erik Tayler

Ishai.

-----Original Message-----
From: Forrest Rae [mailto:forrest () code-lab com]
Sent: Tuesday, September 04, 2001 9:49 PM
To: pen-test () securityfocus com
Subject: Re: Security Audit

Hi Simon,
Hi pentest-list,

<IMHO>

The time spent is relational to the number of hosts being audited, and
the security company's defined assessment process.  As a customer, I
would imagine one has the right to review the processes of your
consultants.  You should find out if the companies are going to run any
automatic vulnerability assessment tools such as Nessus, or an in house
product.  If they are just going to run nessus on you, and print out the
report it generates, do they really need 20+ hours to do that?  (If you
have several hundred hosts, then they probably do need 20+)  If they do
100% of the work by hand, then they may require extra time.  This brings
me to question why are they doing assessments by hand when there are
great tools like Nessus?

A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment:
20 minutes per host

Penetration Test:
1 Hour per host

Internal assessments usually take a little longer because you generally
have access to more services, network devices, employees, etc...

I am also interested in other people's estimates of time per host.  :)

-Forrest

</IMHO>

Simon Wellborne wrote:

Hello all,

We have a company or two providing quotes on a security audit, including
penetration tests.

I am a little concerned about the amount of hours being quoted for some
of these tests.

From peoples experience (and I would like to hear from Professionals who


comduct audits) about what timeframes are 'normally' used.

Our network is relatively small (20-40 users + servers).

Appreciate all replies

Regards


---------------------------------------------------------------------------
- This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
***************************************************************************
** The information in this email is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this email
by anyone else is unauthorized.

If you are not the intended recipient, any disclosure, copying,
distribution or any action taken or omitted to be taken in reliance on it,
is prohibited and may be unlawful. When addressed to our clients any
opinions or advice contained in this email are subject to the terms and
conditions expressed in the governing KPMG client engagement letter.
***************************************************************************
**

---------------------------------------------------------------------------
- This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

Re: Security Audit, (continued)
- - - Re: Security Audit Jonathan Rickman (Sep 07)
  - Re: Security Audit Philipp Buehler (Sep 06)
    - Re: Security Audit bacano (Sep 06)
- Re: Security Audit bacano (Sep 05)
- Re: Security Audit JCovington (Sep 05)
  - Re: Security Audit bacano (Sep 06)
- RE: Security Audit PM Systems - Rick Woehler (Sep 05)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
  - Re: Security Audit Erik Tayler (Sep 06)
  - Re: Security Audit Renaud Deraison (Sep 07)
    - Re: Security Audit Justin Stanford (Sep 07)
    - Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)
  - Re: Security Audit Rob J Meijer (Sep 07)
- RE: Security Audit Aleksander Czarnowski (Sep 07)
- RE: Security Audit Ogle Ron (Rennes) (Sep 10)
- Re: Security Audit H Carvey (Sep 10)

(Thread continues...)