Penetration Testing mailing list archives

Re: Security Audit


From: Bill Pennington <billp () boarder org>
Date: Thu, 06 Sep 2001 08:31:15 -0700

Todd Ransom wrote:

> What is the difference between vuln assessment and pen test?

The answer is pretty straightforward, but many people in the business
mix the 2 all the time, or maybe I am just wrong. :-)

Pen-Test - the sole purpose of a pen-test is to penetrate the
network/application. The client and the consultant should agree on a set
of goals, like gain access to HR database from outside, gain access to
the credit card database... The end result is a yes we got in and this
is how or no we didn't get in.

Assessment - An assessment aims to find all vulnerabilities on all hosts
(or a representative sample) on the target network. Generally no attempt
is made to exploit the vulnerabilities past identifying them.

An example - On an engagement I find a host vulnerable to the IIS
unicode bug. During an assessment I would note it and move on. During a
pen-test I would tftp netcat, get a shell, escalate to system and start
poking around looking for "good stuff".


> I have not done either but this seems like a highly subjective area to me.
> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes?  It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.

It is heavily dependent on the client's environment. Most security firms
do not have the expertise in house to perform a web application review,
so if your site has a complex web app, it will not be tested during a
pen-test. The sales guys would call that an application
pen-test/assessment and raise the rates :-).

Just a quick note on tools. Everyone uses Nessus/ISS/CyberCop during an
assessment. You have to see HOW your consultant uses them. Do they run
it and give you the report? Do they check for false pos/negs? Do they
use it as a final sweep to make sure they didn't miss anything?


> Even on a workstation it seems like you couldn't get much done in 20
> minutes.  I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.

That depends on what you are doing. I would say you could do an
automated network scan on a workstation in this time. A full vuln. scan
enumerating services and finding vulnerabilities on a single host would
not take that long.


> TR

> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/

-- 
Bill Pennington - CISSP
