Penetration Testing mailing list archives

Re: Security Audit


From: H C <keydet89 () yahoo com>
Date: Thu, 13 Sep 2001 04:43:25 -0700 (PDT)

To all,

From comments I've received via email, I think this
discussion has been very beneficial to a great many
people.  I'd like to thank everyone for contributing
opposing or complimentary views, and I'd like to thank
the moderator for allowing the posts through.

I'd like to progress the discussion a bit by going a
step or two beyond the actual vulnerability
assessment/verification testing engagement.  There are
a limited number of ways to collect the information
necessary for an assessment, so the key business
differentiator for any consulting company is the
analysis done on that information.

Consulting companies and their clients need to
understand that security is never perfect.  Since a
vulnerability assessment is a snapshot of the
infrastructure, the analysis and recommendations
provided by the consulting firm need to follow a
"protect and detect" model...provide recommendations
that are cost-effective and meet the client's business
needs, doing what can be done to protect (ie, patches,
updated apps and configurations, etc) against known
and future vulnerabilities, and then detect (ie,
monitoring) any new, unknown vulnerabilities that may
occur.

The security goal for the client will be to make it
difficult for someone, attacking either externally or
internally, to cause a security incident to come to
fruition without being detected.  Security consulting
firms should have this as their goal, as well, with
respect to their clients.  This being said, what has
been referred to as a "blind pen test" quickly drops
out of the picture altogether as a method of
reaching this goal.  A vulnerability assessment of the
overall infrastructure examines the configurations of
hosts within that infrastructure, the relationship
between the hosts, and the processes and procedures
used by the admins.  The assessment gets into every
nook and cranny and peeks into the deep, dark corners.
Verification testing (ie, "full disclosure pen test")
can be done once recommended changes have been put in
place.

Attempting to break in blindly using no more
information than a domain name is not something that
can be completed in a week or two for larger
infrastructures, and leaves many items unchecked.
However, a "blind pen test" can be used at a later
date to test the effectiveness of detection, as well
as incident response procedures.  At that point,
conducting such a test with full knowledge of the
infrastructure would definitely be very beneficial.

Thanks for your time.  Thoughts/comments appreciated.

Carv



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
