Re: Security Audit

[Forrest Rae <forrest () code-lab com>]

Hi Simon, 
Hi pentest-list,

<IMHO>

The time spent is relational to the number of hosts being audited, and
the security company's defined assessment process.  As a customer, I
would imagine one has the right to review the processes of your
consultants.  You should find out if the companies are going to run any
automatic vulnerability assessment tools such as Nessus, or an in house
product.  If they are just going to run nessus on you, and print out the
report it generates, do they really need 20+ hours to do that?  (If you
have several hundred hosts, then they probably do need 20+)  If they do
100% of the work by hand, then they may require extra time.  This brings
me to question why are they doing assessments by hand when there are
great tools like Nessus?  

A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment:
20 minutes per host

Penetration Test:
1 Hour per host

Internal assessments usually take a little longer because you generally
have access to more services, network devices, employees, etc...

I am also interested in other people's estimates of time per host.  :)

-Forrest

</IMHO>

Simon Wellborne wrote:
> Hello all,
>
> We have a company or two providing quotes on a security audit, including
> penetration tests.
>
> I am a little concerned about the amount of hours being quoted for some of
> these tests.
>
> > From peoples experience (and I would like to hear from Professionals who
> comduct audits) about what timeframes are 'normally' used.
>
> Our network is relatively small (20-40 users + servers).
>
> Appreciate all replies
>
> Regards

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/