Penetration Testing: Re: Security Audit

Re: Security Audit

From: Bill Pennington <billp_at_boarder.org>
Date: Thu, 06 Sep 2001 08:31:15 -0700

Todd Ransom wrote:

> What is the difference between vuln assessment and pen test?
 
The answer is pretty straightforward but many people in the business
mix the 2 up all the time, or maybe I am just wrong. :-)

Pen-Test - the sole purpose of a pen-test is to penetrate the
network/application. The client and the consultant should agree on a set
of goals, like gain access to HR database from outside, gain access to
the credit card database... The end result is a yes we got in and this
is how or no we didn't get in.

Assessment - An assessment aims to find all vulnerabilities on all hosts
(or a representative sample) on the target network. Generally no attempt
is made to exploit the vulnerabilities past identifying them.

An example - On an engagement I find a host vulnerable to the IIS
unicode bug. During an assessment I would note it and move on. During a
pen-test I would tftp netcat, get a shell, escalate to system and start
poking around looking for "good stuff".

> I have not done either but this seems like a highly subjective area to me.
> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes? It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.

It is heavily dependent on the client's environment. Most security firms
do not have the expertise in house to perform a web application review,
so if your site has a complex web app, it will not be tested during a
pen-test. The sales guys would call that an application
pen-test/assessment and raise the rates :-).

Just a quick note on tools. Everyone uses Nessus/ISS/CyberCop during an
assessment. You have to see HOW your consultant uses them. Do they run
it and give you the report? Do they check for false pos/negs? Do they
use it as a final sweep to make sure they didn't miss anything?

>
> Even on a workstation it seems like you couldn't get much done in 20
> minutes. I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.

That depends on what you are doing. I would say you could do an
automated network scan on a workstation in this time. A full vuln. scan
enumerating services and finding vulnerabilities on a single host would
not take that long.

>
> TR
>

-- 
Bill Pennington - CISSP
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Received on Sep 06 2001