Re: Vulnerability Assessment Checklists?

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <BAY2-F52x8VUkRacUtI000005ed () hotmail com>

Kim,

> Since I've never evaluated the security posture of a company before I could 
> use some resources on how to best get started. They run the gamut from P2P 
> to WANs. Of course, I want to give them some value while gaining valuable 
> experience for my resume.

> From my experience, the best way to "add value" to something like an assessment is to evaluate security based on the 
> their business processes and needs.  Technical information is easy to obtain...it wasn't too long ago that "security 
> consulting firms" simply had their "consultants" run ISS.  Even now, many reputable firms don't do much beyond running 
> a commercial scanning tool.

The real value comes when you can assess the security based on the business needs/processes of the client, and provide 
reasonable recommendations for improvement, if they're called for.  The things you mentioned...P2P, WAN, etc...are all 
part of the picture.  You'll want to look at a variety of areas, including but not limited to WLAN, user acct mgmt, 
host-based security, etc, etc.

Hope that helps.  Contact me off list if you want to discuss this.

Harlan

---------------------------------------------------------------------------
----------------------------------------------------------------------------