Penetration Testing mailing list archives

RE: Security Audit


From: "Filer, Eddie (ZA - Johannesburg)" <efiler () deloitte co za>
Date: Thu, 6 Sep 2001 09:14:30 +0200

Hi

My opinion is that a vulnerability assessment entails far more than a
penetration test.
A penetration test just looks to see if a system has a single weakness that
can be exploited to compromise the system from internally and/or externally.

A vulnerability assessment would entail a detailed analysis of the system,
including, but not limited to, a Nessus scan. We would normally quote
approximately 8 hours for an individual system and this would be scaled down
for additional systems due to the ability to script scans etc.

Our normal vulnerability assessment process would be:
1. Research and Planning (Check latest vulnerabilities and exploits etc)
2. Run tools (not just nessus)
3. Verify findings of tools (eliminate false positives)
4. Write detailed report indicating findings, impact and recommendations.

Hope this helps.

Kind Regards,

Eddie Filer
Senior Consultant

Deloitte & Touche
Enterprise Risk Services 
Information Security Services

PLEASE NOTE:  This e-mail message and its attachments is subject to the
disclaimers as published at: <http://www.deloitte.co.za/disc.htm#emaildisc>

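
The four-step process described above (run tools, verify findings, eliminate false positives, report by impact), as an added example that is not part of the list posting or of any Deloitte tooling: a small Python triage script that merges constructed output from two hypothetical scanners ("tool-a" and "tool-b"), records the analyst's manual verdict on each finding, sets aside false positives, and produces the report grouped by impact. The hosts, ports, finding titles, and verification notes are all constructed sample data.

```python
"""Findings triage for a vulnerability assessment: merge raw tool output,
record verification, drop false positives, and emit a report grouped by impact.
Everything below is constructed sample data, not real scanner results."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output from two hypothetical scanners, one record per line:
# host|port|title|impact
TOOL_A_OUTPUT = """\
192.0.2.10|80|Outdated web server version in banner|Medium
192.0.2.10|21|Anonymous FTP login allowed|High
192.0.2.11|25|Open mail relay|High
"""
TOOL_B_OUTPUT = """\
192.0.2.10|21|Anonymous FTP login allowed|High
192.0.2.11|25|Open mail relay|High
192.0.2.11|443|Weak SSL cipher suites offered|Medium
"""

Key = Tuple[str, int, str]

# Constructed outcome of the manual verification step (step 3), keyed by finding.
# A finding missing from this table has not been checked yet.
VERIFICATION: Dict[Key, Tuple[bool, str]] = {
    ("192.0.2.10", 21, "Anonymous FTP login allowed"): (True, "confirmed; restrict or disable anonymous FTP"),
    ("192.0.2.10", 80, "Outdated web server version in banner"): (True, "version confirmed against vendor advisories; patch"),
    ("192.0.2.11", 25, "Open mail relay"): (False, "relay test rejected; banner-based false positive"),
}

IMPACT_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    host: str
    port: int
    title: str
    impact: str
    sources: Set[str] = field(default_factory=set)   # which tools reported it
    verified: Optional[bool] = None                   # None = not yet checked
    note: str = ""


def parse_tool_output(text: str, source: str) -> List[Finding]:
    """Parse the constructed pipe-delimited format into Finding records."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, title, impact = line.split("|")
        findings.append(Finding(host, int(port), title, impact, {source}))
    return findings


def merge(*finding_lists: List[Finding]) -> Dict[Key, Finding]:
    """Step 2 aggregation: one record per (host, port, title); remember every tool that reported it."""
    merged: Dict[Key, Finding] = {}
    for findings in finding_lists:
        for f in findings:
            key = (f.host, f.port, f.title)
            if key in merged:
                merged[key].sources |= f.sources
            else:
                merged[key] = f
    return merged


def apply_verification(merged: Dict[Key, Finding], results: Dict[Key, Tuple[bool, str]]) -> Dict[Key, Finding]:
    """Step 3: record the analyst's verdict; anything without a verdict stays unverified."""
    for key, (ok, note) in results.items():
        if key in merged:
            merged[key].verified = ok
            merged[key].note = note
    return merged


def report(merged: Dict[Key, Finding]) -> List[str]:
    """Step 4: confirmed findings grouped by impact (High first), followed by the
    eliminated false positives and anything still pending, so nothing is silently lost."""
    by_impact = defaultdict(list)
    for f in merged.values():
        if f.verified is True:
            by_impact[f.impact].append(f)
    lines = []
    for impact in sorted(by_impact, key=lambda i: IMPACT_ORDER.get(i, 99)):
        lines.append(f"== {impact} ==")
        for f in sorted(by_impact[impact], key=lambda x: (x.host, x.port)):
            tools = ", ".join(sorted(f.sources))
            lines.append(f"{f.host}:{f.port} {f.title} [{tools}] - {f.note}")
    for heading, status in (("Eliminated as false positives", False), ("Not yet verified", None)):
        rows = [f for f in merged.values() if f.verified is status]
        if rows:
            lines.append(f"== {heading} ==")
            lines.extend(f"{f.host}:{f.port} {f.title} - {f.note or 'pending'}" for f in rows)
    return lines


def run_assessment():
    """Run steps 2 to 4 over the constructed data; returns (merged findings, report lines)."""
    merged = merge(parse_tool_output(TOOL_A_OUTPUT, "tool-a"),
                   parse_tool_output(TOOL_B_OUTPUT, "tool-b"))
    apply_verification(merged, VERIFICATION)
    return merged, report(merged)


if __name__ == "__main__":
    _, report_lines = run_assessment()
    print("\n".join(report_lines))
```

The point of keeping the "not yet verified" section is that a finding which only one tool produced and nobody has checked should never reach the client as a confirmed result; it stays visibly pending until step 3 is done for it.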
-----Original Message-----
From: Todd Ransom [mailto:transom () extremelogic com]
Sent: 05 September 2001 07:12
To: pen-test () securityfocus com
Subject: Re: Security Audit


A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment:
20 minutes per host

Penetration Test:
1 Hour per host

What is the difference between vuln assessment and pen test?

I have not done either but this seems like a highly subjective area to me.
Are you really going to do a vuln assess on a dynamic web site - with all
its custom scripts and database connectivity and possibly middleware - in 20
minutes?  It sounds like a vuln assess consists of running Nessus or
something similar, searching bugtraq archives and possibly throwing in a
google search for extra credit.

Even on a workstation it seems like you couldn't get much done in 20
minutes.  I don't even see how you could reliably enumerate all the
installed software in less than 20 minutes.

TR


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
