Penetration Testing mailing list archives
Re: Security Audit
From: Bill Pennington <billp () boarder org>
Date: Thu, 06 Sep 2001 08:31:15 -0700
Todd Ransom wrote:
> What is the difference between vuln assessment and pen test?
The answer is pretty straightforward, but many people in the business mix the two all the time, or maybe I am just wrong. :-)

Pen-Test - The sole purpose of a pen-test is to penetrate the network/application. The client and the consultant should agree on a set of goals, like gain access to the HR database from outside, gain access to the credit card database... The end result is "yes, we got in and this is how" or "no, we didn't get in."

Assessment - An assessment aims to find all vulnerabilities on all hosts (or a representative sample) on the target network. Generally no attempt is made to exploit the vulnerabilities past identifying them.

An example - On an engagement I find a host vulnerable to the IIS unicode bug. During an assessment I would note it and move on. During a pen-test I would tftp netcat, get a shell, escalate to system and start poking around looking for "good stuff".
> I have not done either but this seems like a highly subjective area to me. Are you really going to do a vuln assess on a dynamic web site - with all its custom scripts and database connectivity and possibly middleware - in 20 minutes? It sounds like a vuln assess consists of running Nessus or something similar, searching bugtraq archives and possibly throwing in a google search for extra credit.
It is heavily dependent on the client's environment. Most security firms do not have the expertise in house to perform a web application review, so if your site has a complex web app, it will not be tested during a pen-test. The sales guys would call that an application pen-test/assessment and raise the rates :-).

Just a quick note on tools. Everyone uses Nessus/IIS/CyberCop during an assessment. You have to see HOW your consultant uses them. Do they run it and give you the report? Do they check for false pos/negs? Do they use it as a final sweep to make sure they didn't miss anything?
> Even on a workstation it seems like you couldn't get much done in 20 minutes. I don't even see how you could reliably enumerate all the installed software in less than 20 minutes.
That depends on what you are doing. I would say you could do an automated network scan on a workstation in this time. A full vuln. scan enumerating services and finding vulnerabilities on a single host would not take that long.
> TR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
--
Bill Pennington - CISSP