Penetration Testing mailing list archives
RE: Security Audit
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Wed, 5 Sep 2001 21:01:13 +0100
'<whatever> Assessment' implies identifying and proportioning risk (which may involve a pen test, or just a look at your documentation). e.g.

1) Your company lives and breathes through email, so extra care should be taken with those systems (Impact: high).
2) Your web server is just for linux geeks (Impact: none).

'<whatever> testing' implies actually proving security. e.g.

1) SNMP shows that your linux geek web server actually has a second interface bypassing the firewall onto your internal network. (Risk: high)
2) Your email system is bulletproof and invulnerable to anything but Uri Geller. (Risk: low)

You can see that generally, because of limited time/manpower, an assessment is generally done first (often in-house) and then pen testing is done, focusing on the high impact elements.

How many people have been commissioned to attack a firewall from the trusted network? (answer: too few)

Dom

-----Original Message-----
From: Todd Ransom [mailto:transom () extremelogic com]
Sent: 05 September 2001 18:12
To: pen-test () securityfocus com
Subject: Re: Security Audit
A good estimate of time for a "Once Over" breaks down like this:

Vulnerability Assessment: 20 minutes per host
Penetration Test: 1 Hour per host
What is the difference between vuln assessment and pen test? I have not done either but this seems like a highly subjective area to me. Are you really going to do a vuln assess on a dynamic web site - with all its custom scripts and database connectivity and possibly middleware - in 20 minutes? It sounds like a vuln assess consists of running Nessus or something similar, searching bugtraq archives and possibly throwing in a google search for extra credit. Even on a workstation it seems like you couldn't get much done in 20 minutes. I don't even see how you could reliably enumerate all the installed software in less than 20 minutes.

TR

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------