RE: Conducting vulnerability assessment for the first time

["Clayton T. Dillard" <cdillard () securespeed cc>]

Bill,

1. There are so many tools available for performing assessments that a list
here would take up too much room and time.  There are free tools as well as
commercial tools.  Generally I've experienced that the right Open-Source
tools perform really well, but the shortfall with Open-Source assessment
tools is their lack of elegant reporting and the ability to combine data
(results) from multiple assessment sources.  So, it takes more time to
produce quality reports that are formatted properly for your customer(s).

Tools like: Nessus, NMAP, CHEOPS, Etherape, Ethereal, Hping, firewalker, etc
are all free and work very well, and they should be a good start for you to
begin working with.  There are many, many more tools that you can leverage -
search the web.  You might find Knoppix-STD to be a great tool to get
started with.

2. The answer to this question may be a matter of opinion and here's mine.
A vulnerability assessment is usually less in-depth and time consuming for
the auditor and generally consists of some upfront discovery and is followed
by the use of "canned" tools resulting in one or more basic reports.
Penetration testing is usually very time consuming and is a much more
in-depth *process* that digs deeper and covers more ground than a
security/vulnerability assessment.  A penetration test might take weeks to
complete and cover internal & external systems and network gear, application
security, backend security, physical security, social engineering, modem
scans, wireless assessments and so on.

3. There are some best practices and I like the OSSTMM (Open-Source Security
Testing Methodology Manual).  You can pay for others but the OSSTMM is a
great work that is highly respected.

------

All the best,

Clayton T. Dillard
SECURESPEED, LLC
Office: 919-557-5126
Mobile: 919-395-9870
Fax: 919-577-0943
http://www.securespeed.cc
"Information Assurance & Security Solutions"

Subscribe to our monthly newsletter at www.securespeed.cc/newsletter.htm ...





 

-----Original Message-----
From: Bill Hardstone [mailto:rhardstone () eudoramail com] 
Sent: Friday, March 19, 2004 7:09 AM
To: security-basics () securityfocus com
Subject: Conducting vulnerability assessment for the first time

I am tasked to perform network vulnerability assessments for a provider
customer

I am searching for 

1.      What are the tools out there to perform vulnerability assessments
(port scanner, network mapper, etc.)
2.      What is the difference between vulnerability assessment and
penetration testing
3.      Are there best practices that can be utilized to perform the
assessments and to report its findings

Any help will be appreciated.

Bill.




Need a new email address that people can remember Check out the new
EudoraMail at http://www.eudoramail.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills of an Ethical Hacker to better assess the security of your
organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------