Penetration Testing: Re: Security Audit

Re: Security Audit

From: Justin Stanford <jus_at_security.za.net>
Date: Fri, 7 Sep 2001 19:56:32 +0200 (SAST)

Plus, no auditing tool can test the social engineering possibilities that
are often so easy to pull off in typical corporate environments.. ;-)

Is there anyone out there that performs social engineering as part of
their pentests/audits? I feel that it is to be considered a definite part
of a pentest/audit, as it's a common tool that can easily be used by smart
perpetrators, other than computer tools.

Please excuse me if this is old news on the list, I've just recently
subscribed..

/jus

--
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jus_at_security.za.net
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Thu, 6 Sep 2001, Renaud Deraison wrote:
> 
> On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
> > An e-commerce site is supposed to have an application layer or isn't it ?
> > What about auditing the application on top?
> > 
> > Many e-commerce sites have been hacked although you wouldn't find any
> > vulnerability by running Nessus or such !
> 
> 
> <off topic, self promotion>
> Actually, Nessus 1.1.x has some plugins dedicated to the analysis of
> CGIs. This is not as good as a human brain with at least a two-digit
> IQ, but that's better than just doing nothing. 
> (it will catch trivial things such as param=../../../../etc/passwd%00
> and such, but not dir=/etc&file=passwd, even though the latter seems
> trivial to any human being).
> </off topic. Sorry for that>
> 
> 
> But I agree with you - no automated tool can do a security _audit_. 
> 
> There's more to a security audit than just flashing red lights and
> showing /etc/passwd to the management. Policies have to be read and
> correlated with the real life on the network. Services that do not match
> the policy should be told to be disabled, even if they're not vulnerable
> to anything.
> 
> A security audit is first a matter of checking that kind of thing rather
> than licensing the list of vulnerabilities on a network. Vulnerabilities
> appear and disappear every day. The policy never changes.
> 
> 
> 
> 				-- Renaud
> 
> -- 
> Renaud Deraison
> The Nessus Project
> http://www.nessus.org
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
> 
> 
Received on Sep 07 2001