RE: Conducting vulnerability assessment for the first time

["Bill Hardstone" <rhardstone () eudoramail com>]

Hello All, 

Sorry for a late response...

Thanks to everyone who responded. I ended up deligating this part of the engagement to another resource that will 
report findings to me. 

I realized some of the issues as I was putting together the project plan for this client. The key issue being time 
limitation to ramp up...

Thanks again everyone for their input/ suggestions. 

~Bill
--

--------- Original Message ---------

DATE: Fri, 19 Mar 2004 11:52:02
From: "Rosado, Rafael (Rafael)" <rarosado () lucent com>
To: rhardstone () eudoramail com
Cc: security-basics () securityfocus com

> Bill,
>
> If you have never performed a Vulnerability Assessment, I would suggest that
> you take a course from SANS (or other vendors, although SANS is probably the
> best, Foundstone through GlobalKnowledge is also excellent) before
> performing the work for your customer.  Regarding a Pen Test, these require
> a large amount of knowledge/experience, so you are probably best suited
> contracting a company that has done it extensively and learn from them (and
> taking technically detailed training on these).
>
> When performing these reviews for customers, there is a large amount of
> liability you are exposing yourself to, so you are best suited working with
> other companies and taking in-depth training before attempting to perform
> these types of reviews on your own.
>
> I would be happy to speak with you offline on these topics.
>
> Rafael Rosado, CISSP, CISA
> Network Security Manager
> Lucent Technologies
> IT Infrastructure - Network Design
> 2400 SW 145th Avenue 
> Miramar, Florida 33027 
> Office: 954-885-2176 
> Facsimile: 954-885-3861 
> Email: rarosado () lucent com 
>
> This electronic mail message contains information belonging to Lucent
> Technologies, which may be confidential and/or legal privileged. The
> information is intended only for the use of the individual or entity named
> above. If you are not the intended recipient, you are hereby notified that
> any disclosure, printing, copying, distribution, or the taking of any action
> in reliance on the contents of this electronically mailed information is
> strictly prohibited. If you receive this message in error, please
> immediately notify us by electronic mail and delete this message.
>
> -----Original Message-----
> From: Bill Hardstone [mailto:rhardstone () eudoramail com] 
> Sent: Friday, March 19, 2004 7:09 AM
> To: security-basics () securityfocus com
> Subject: Conducting vulnerability assessment for the first time
>
> I am tasked to perform network vulnerability assessments for a provider
> customer
>
> I am searching for ...
>
> 1.     What are the tools out there to perform vulnerability assessments
> (port scanner, network mapper, etc.)
> 2.     What is the difference between vulnerability assessment and
> penetration testing
> 3.     Are there best practices that can be utilized to perform the
> assessments and to report its findings
>
> Any help will be appreciated.
>
> Bill.
>
>
>
>
> Need a new email address that people can remember Check out the new
> EudoraMail at http://www.eudoramail.com
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
> skills of an Ethical Hacker to better assess the security of your
> organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------



Need a new email address that people can remember
Check out the new EudoraMail at
http://www.eudoramail.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------