Penetration Testing mailing list archives

Re: Security Audit


From: Philipp Buehler <lists () fips de>
Date: Thu, 6 Sep 2001 10:58:24 +0200

On 05/09/2001, Forrest Rae <forrest () code-lab com> wrote To pen-test () securityfocus com:
> 100% of the work by hand, then they may require extra time.  This brings
> me to question why are they doing assessments by hand when there are
> great tools like Nessus?

Well, something like Nessus should be used in the first place, to give
a fair and realistic offer to the customer.
The tester can see there if the network is "tight" or not.

If not (usual case :>), the customer should be encouraged to fix major/
known bugs before a full test. You would only waste time and money from
the customer w/ a detailed analysis of all holes.
Of course (if "you" can offer that), offer the customer help or full
implementation of the major fixes - this is not always recommended for
obvious reasons.

If the network is somewhat tight, you can start doing detailed analysis
on the services, structures, communication flows, trust relationships, etc.

And this *takes* time, time which can't be easily estimated. As already
mentioned, the first point here is: how valuable is the data and the availability
of the network and its services, and how much money does (and can) the
customer spend on the penetration test.

> I am also interested in other people's estimates of time per host.  :)

"This depends". A user-client (usually offering no services) is something
different than a fully-featured workgroup-server or a DMZ box offering
services to the crowd out there.
How about self-written CGIs for example?
What about indirect vulnerabilities?
What about privilege elevation?
What about social engineering (NEVER underestimate that!)?

Pen-Testing has to be defined by the customer, because the story is about
being endless :>

Pure port-scanning is fast and cheap. And it's somewhat useless.
Pure service scanning for "common" vulnerabilities takes a bit more
time and more or less gives only a picture how aware and skilled the
administrators are.


Btw, some have been mentioning "a hacker could spend weeks".
Well, that's true - if the target is interesting enough.
Most "hackers" (scrippies) are just out for the fast kick/breakin to
install their ircbot or a ddos-drone - remove that noise first :>
Another point in here is: the pen-tester has *one* advantage, he can
ask the customer for an account on a machine, e.g. on a webserver -
just *assume* a CGI is vulnerable (most are anyway :P) and then from the
"start" being the UID which runs the webserver try to elevate your
privileges.
I don't know, somewhat this is "stating the obvious" for aware people, but
I see too many people out there saying "this service has no *known* root
exploit, let's go to the next machine."

Hmm, I stop for now. :>

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ? 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/