Penetration Testing mailing list archives
Re: Security Audit
From: "bluefur0r bluefur0r" <bluefur0r () drea ms>
Date: 6 Sep 2001 21:26:31 -0000
Here are my experiences, although this thread will be put to death soon... When asked by the sales/billing dept., they ask me: "how long will this take?" Here's one for you all. Ask for the audit to be done in two phases: automated scanning (e.g. vuln-assessment with nmap, nessus, other automated tools, whisker, etc.) and then the pen-test. The reason for this is that once you do the automated scan you know exactly how many boxes are up, what services are running and what might exist on the webservers. This will help you greatly in gauging the time it will take to do the pen-test. Now you have all the information you'd need to start the pen-test.

In the past I made a grave error... (when I first started ;P). I did the automated scans, then penetrated with JUST the results I had from the automated scans. As I reflect, I realize that was not an audit but just a pen-test. Yeah, great, give them the report with how you broke in. But I missed a lot of information! What about the application layer? What about custom CGIs?

Audits are meant for one reason: to be thorough and try to find every single hole you can. Would a financial auditor ever leave out any detail on how a company was doing? Hell no, and if they did you might want to find a new auditor ;). Obviously audits aren't the "cure all", but they should be pretty damn up-to-date and pretty damn complete to give the company the best idea possible of where the risks are and where they are tight.

-blue
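To illustrate the scoping step the post describes (turning phase-one scan output into a host and service inventory that sizes the manual phase), here is an added example, not code from the original post; it parses nmap's greppable (-oG) format and uses a constructed sample scan rather than real data.

```python
import re
from collections import defaultdict

# Constructed sample of nmap greppable (-oG) output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.10 (web01.example.test)\tStatus: Up
Host: 10.0.0.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.11 (mail01.example.test)\tStatus: Up
Host: 10.0.0.11 (mail01.example.test)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
Host: 10.0.0.12 ()\tStatus: Down
# Nmap done (constructed sample)
"""

# -oG port entries look like port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: {"status": str, "ports": [(port, state, proto, service), ...]}}."""
    hosts = defaultdict(lambda: {"status": "Unknown", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and trailer lines
        fields = line.split("\t")
        host = fields[0].split()[1]  # the address after "Host:"
        for field in fields[1:]:
            if field.startswith("Status:"):
                hosts[host]["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    hosts[host]["ports"].append((int(port), state, proto, service))
    return dict(hosts)


def scope_summary(hosts, web_services=("http", "https")):
    """Figures used to gauge the manual phase: live hosts, open services, web hosts."""
    live = [h for h, info in hosts.items() if info["status"] == "Up"]
    open_services = sum(1 for h in live for p in hosts[h]["ports"] if p[1] == "open")
    web_hosts = sorted(
        h for h in live
        if any(p[1] == "open" and p[3] in web_services for p in hosts[h]["ports"])
    )
    return {"live_hosts": len(live), "open_services": open_services, "web_hosts": web_hosts}


if __name__ == "__main__":
    print(scope_summary(parse_gnmap(SAMPLE_GNMAP)))
```

The web host list is the one that matters most for the post's point: each of those needs application-layer and custom CGI review beyond what the scanner reported.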
