Penetration Testing mailing list archives
Re: Security Audit
From: JCovington <jcovingto () home com>
Date: Wed, 05 Sep 2001 10:35:36 -0700
It's pretty difficult to break the time down per host. Servers may have a bunch of services running and each one needs to be scanned, searches done for new vulnerabilities, etc. A workstation on the other hand may have only a few services and it becomes a check for misconfigurations. It can also depend on the scanning tools used. A big commercial scanner could check all machines pretty efficiently. But then good pentesters will follow up on what the scanner found and verify so false positives are minimized. Also good pentesters will use a toolbag of scripts and utilities as a second level of thoroughness. And as someone stated before...an attacker could spend weeks going over everything in fine detail. For a complete assessment with a good, clear, concise report at the end I would say 4-5 days.

-Jim

-----Original Message-----
From: Forrest Rae [mailto:forrest () code-lab com]
Sent: Tuesday, September 04, 2001 12:49 PM
To: pen-test () securityfocus com
Subject: Re: Security Audit

Hi Simon, Hi pentest-list,

<IMHO>
The time spent is relational to the number of hosts being audited, and the security company's defined assessment process. As a customer, I would imagine one has the right to review the processes of your consultants. You should find out if the companies are going to run any automatic vulnerability assessment tools such as Nessus, or an in-house product. If they are just going to run Nessus on you, and print out the report it generates, do they really need 20+ hours to do that? (If you have several hundred hosts, then they probably do need 20+.) If they do 100% of the work by hand, then they may require extra time. This brings me to the question: why are they doing assessments by hand when there are great tools like Nessus?

A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment: 20 minutes per host
Penetration Test: 1 hour per host

Internal assessments usually take a little longer because you generally have access to more services, network devices, employees, etc... I am also interested in other people's estimates of time per host. :)

-Forrest
</IMHO>

Simon Wellborne wrote:
Hello all,

We have a company or two providing quotes on a security audit, including penetration tests. I am a little concerned about the amount of hours being quoted for some of these tests. From people's experience (and I would like to hear from professionals who conduct audits), what timeframes are 'normally' used? Our network is relatively small (20-40 users + servers).

Appreciate all replies

Regards
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
Current thread:
- Re: Security Audit, (continued)
- Re: Security Audit Bill Pennington (Sep 06)
- Re: Security Audit Todd Ransom (Sep 06)
- RE: Security Audit Dom De Vitto (Sep 06)
- Re: Security Audit Forrest Rae (Sep 06)
- Re: Security Audit R. DuFresne (Sep 06)
- Re: Security Audit Dave Wray (Sep 06)
- Re: Security Audit Jonathan Rickman (Sep 07)
- Re: Security Audit Philipp Buehler (Sep 06)
- Re: Security Audit bacano (Sep 06)
- Re: Security Audit bacano (Sep 05)
- Re: Security Audit JCovington (Sep 05)
- Re: Security Audit bacano (Sep 06)
- RE: Security Audit PM Systems - Rick Woehler (Sep 05)
- Re: Security Audit H Carvey (Sep 06)
- RE: Security Audit Filer, Eddie (ZA - Johannesburg) (Sep 06)
- RE: Security Audit Wertheimer, Ishai (Sep 06)
- Re: Security Audit Erik Tayler (Sep 06)
- Re: Security Audit Renaud Deraison (Sep 07)
- Re: Security Audit Justin Stanford (Sep 07)
- Re: Security Audit bacano (Sep 10)