On Thursday 06 September 2001 01:41 am, Wertheimer, Ishai wrote:
> Forrest,
>
> I'm not sure what is considered a pen-test in your eyes, but running
> Nessus for 20 minutes is not any pen-test!
I don't remember hearing Forrest claim that running Nessus qualified as a
pen-test. Actually, the point I got was that he disliked the fact that some
companies do in fact simply run tools such as Nessus against a network, and
after they do that, they do nothing but throw a large mangled report at upper
management. Read the fine print, people.
> Even if you think Nessus can do better than any other tool, by automating
> and covering any possible vulnerability found in the past (which I could
> doubt) - is this a pen-test?
I've been reading all the replies to Forrest's post. Everybody seems to have
strayed a bit from the original topic. His point was never to prove that
running automated tools in order to save time > manual penetration testing.
Everybody here should also know that Nessus doesn't do penetration testing,
so it probably wouldn't be wise to imply that it could be a replacement for a
pen-test.
Let's all take sides here and get into a bar-room brawl, eh?
Erik Tayler
> Ishai.
>
> -----Original Message-----
> From: Forrest Rae [mailto:forrest_at_code-lab.com]
> Sent: Tuesday, September 04, 2001 9:49 PM
> To: pen-test_at_securityfocus.com
> Subject: Re: Security Audit
>
>
> Hi Simon,
> Hi pentest-list,
>
> <IMHO>
>
> The time spent is relational to the number of hosts being audited, and
> the security company's defined assessment process. As a customer, I
> would imagine one has the right to review the processes of your
> consultants. You should find out if the companies are going to run any
> automatic vulnerability assessment tools such as Nessus, or an in house
> product. If they are just going to run Nessus on you, and print out the
> report it generates, do they really need 20+ hours to do that? (If you
> have several hundred hosts, then they probably do need 20+) If they do
> 100% of the work by hand, then they may require extra time. This brings
> me to question why they are doing assessments by hand when there are
> great tools like Nessus?
>
> A good estimate of time for a "Once Over" breaks down like this:
>
> Vulnerability Assessment:
> 20 minutes per host
>
> Penetration Test:
> 1 Hour per host
>
> Internal assessments usually take a little longer because you generally
> have access to more services, network devices, employees, etc...
>
> I am also interested in other people's estimates of time per host. :)
>
> -Forrest
>
> </IMHO>
>
> Simon Wellborne wrote:
> > Hello all,
> >
> > We have a company or two providing quotes on a security audit, including
> > penetration tests.
> >
> > I am a little concerned about the amount of hours being quoted for some
> > of these tests.
> >
> > From people's experience (and I would like to hear from Professionals who
> > conduct audits) about what timeframes are 'normally' used.
> >
> > Our network is relatively small (20-40 users + servers).
> >
> > Appreciate all replies
> >
> > Regards
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
Received on Sep 07 2001