Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Performing a Security Audit

From: "bacano" <bacano () esoterica pt>
Date: Sat, 8 Sep 2001 17:11:22 +0100
hi2all

take a look at this two pages:
http://www.ideahamster.org/osstmm.htm
ftp://sailor.gutenberg.org/pub/gutenberg/etext94/sunzu10.txt

what you don't find in one, it's on the other =;o)

[  ]'s bacano

----- Original Message -----
From: "Dustin Puryear" <dpuryear () usa net>
To: <pen-test () securityfocus com>
Sent: Friday, September 07, 2001 10:23 PM
Subject: Performing a Security Audit



A client I work for has requested that I perform a security review of a
cluster that I am helping them on. I have experience in hardening
systems, but I do NOT have experience in performing a formal top-down
review.

I scanned the pen-test archives, including the recent "Security Audit"
thread, but didn't find anything that had a subject line that caught my
eye. Also, I tried using the security-focus.com search tool, but it
reports it is not available "at this time." Oh well on that front.

Can anyone provide links to sites or books or just be helpful by
providing information on how a security review is approached? I am not
really looking for information on analyzing a particular system or
trying to exploit a given service--that information is more than readily
available on the net and at the bookstore. Rather, I would like an
overview of how a security audit is performed. Something on the lines
of:

o Create Security Audit Outline
1. List items to be evaluated
o web service
o smtp
...
...
o Review AU, InfoSec, and XYZ Policies
o Perform System Analysis
1. Determine running services
o http
o smtp
o Attempt Exploits
...

Also, how should results be organized? How are reports organized?

And what about checklists?

Etc, etc.

Any help would be appreciated!

Regards, Dustin

--
Dustin Puryear <dpuryear () usa net>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert

(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please

see:

https://alerts.securityfocus.com/





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: