Anyone claiming that their pen test, vuln assessment, or security audit
consists merely of running nessus and/or nmap and producing a report and
final results is a charlatan, and does the security industry a
disservice. Yet, I have seen, in practice, both outside consultants,
hired guns from the outside and supposedly 'trained' professionals <CISSP!>
within the corporate sector do merely this and stamp "certified secure"
across organizations. A "test, assessment, or audit" is more akin to
remodeling than new home building, and remodeling, having done lots of it
over time, I can safely state, is -=dirty work=-. When you rip open a
wall, one is sometimes amazed, as well as disheartened, at what they find
behind the sheetrock and plaster.
Thanks,
Ron DuFresne
On Wed, 5 Sep 2001, Todd Ransom wrote:
> > A good estimate of time for a "Once Over" breaks down like this:
> >
> > Vulnerability Assessment:
> > 20 minutes per host
> >
> > Penetration Test:
> > 1 Hour per host
>
> What is the difference between vuln assessment and pen test?
>
> I have not done either but this seems like a highly subjective area to me.
> Are you really going to do a vuln assess on a dynamic web site - with all
> its custom scripts and database connectivity and possibly middleware - in 20
> minutes? It sounds like a vuln assess consists of running Nessus or
> something similar, searching bugtraq archives and possibly throwing in a
> google search for extra credit.
>
> Even on a workstation it seems like you couldn't get much done in 20
> minutes. I don't even see how you could reliably enumerate all the
> installed software in less than 20 minutes.
>
> TR
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior consultant: darkstar.sysinfo.com
http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart
testing, only testing, and damn good at it too!
Received on Sep 06 2001