Penetration Testing mailing list archives

Re: Security Audit


From: "bacano" <bacano () esoterica pt>
Date: Mon, 10 Sep 2001 19:08:30 +0100

From: "H Carvey" <keydet89 () yahoo com>

Generally (and in order to set the playing field
here) a pen test is done in the blind, or with
very little information.  The more prior knowledge
a pen tester has, the less 'fair' the test is
going to be.  However, the lack of prior knowledge
can extend the time of the pen test, depending on
what was contracted.

This is really important, and I completely agree. A zero-knowledge pen test
should be the starting point of an audit, where the auditor will not know
anything (except a hostname or IP address, because he just has to know which
client it is). The conditions for doing the test MUST be the same as those an
external attacker may have access to or can discover. After that, and now
with the feedback of the first reports (and of course after ALL reported
problems have been fixed), and with a little more knowledge provided by the
client (from interviews, etc...), another audit can be done, where the
external attacker can be a potential dissatisfied and evil ex-employee.

According to studies like the CSI/FBI survey, more or less, the 1st test will
cover about 20-30% of the potential attackers while the 2nd will cover the
other 70-80%.
The 1st test should be much longer in time and resources, and usually the
clients here don't understand quite well where their money goes. So most of
the time clients prefer to contract the 2nd test only, because it takes
less time and money. Also, that's why after that their systems are still
vulnerable.

It is important for the client that a little education is provided, at least
regarding why these different kinds of tests are needed and what they cover
regarding the real-world problems in the security field. And also, why pen
tests should be regular, every month or 2 or 6 or whatever ... An audit will
only cover a specific period of time, so it is in no way a guarantee that in
the (short) future problems will not happen.

On the technical side and on the commercial side, for both parties (consultant
and client), the more audits are made in a period of time, the better the
investment and the results. For example, with 12 audits a year the price for
each will easily be 50%, where the other 50% will be paid with those 2/3
salaries of internal guys that are not needed anymore (those two can even
join the consulting company and after some training they can do the job for
half the price, because they will be in other projects too ... and everybody
will be happy).

One way of doing it is to ask the consulting firm
for references...but they'd be fools to give you
negative references, wouldn't they?  So when
you're talking to them, find out what their model
is, how they go about doing things.

Some security consulting companies will not give away client references,
because keeping confidential other companies' past or present security
problems is part of the contract with a client. What they can give is the
"curricula" of the auditors that would be in some project, or projects made
public by the client on his own. Another problem can also be giving away
models and methods, because there are many smartasses who are just looking
for knowledge to do the job themselves.

[  ]'s bacano


