Penetration Testing mailing list archives
Re: Security Audit
From: Justin Stanford <jus () security za net>
Date: Fri, 7 Sep 2001 19:56:32 +0200 (SAST)
Plus, no auditing tool can test the social engineering possibilities that are often so easy to pull off in typical corporate environments.. ;-)

Is there anyone out there that performs social engineering as part of their pentests/audits? I feel that it is to be considered a definite part of a pentest/audit, as it's a common tool that can easily be used by smart perpetrators, other than computer tools.

Please excuse me if this is old news on the list, I've just recently subscribed..

/jus

--
Justin Stanford
Internet/Network Security & Solutions Consultant
4D Digital Security
http://www.4dds.co.za
Cell: (082) 7402741
E-Mail: jus () security za net
PGP Key: http://www.security.za.net/jus-pgp-key.txt

On Thu, 6 Sep 2001, Renaud Deraison wrote:
> On Thu, Sep 06, 2001 at 02:41:35AM -0400, Wertheimer, Ishai wrote:
> > An e-commerce site is supposed to have an application layer or isn't it? What about auditing the application on top? Many e-commerce sites have been hacked although you wouldn't find any vulnerability by running Nessus or such!
>
> <off topic, self promotion>
> Actually, Nessus 1.1.x has some plugins dedicated to the analysis of CGIs. This is not as good as a human brain with at least a two-digit IQ, but that's better than just doing nothing. (it will catch trivial things such as param=../../../../etc/passwd%00 and such, but not dir=/etc&file=passwd, even though the latter seems trivial to any human being).
> </off topic. Sorry for that>
>
> But I agree with you - no automated tool can do a security _audit_. There's more to a security audit than just flashing red lights and showing /etc/passwd to the management. Policies have to be read and correlated with the real life on the network. Services that do not match the policy should be told to be disabled, even if they're not vulnerable to anything.
>
> A security audit is first a matter of checking that kind of thing rather than licensing the list of vulnerabilities on a network. Vulnerabilities appear and disappear every day. The policy never changes.
>
> -- Renaud
>
> --
> Renaud Deraison
> The Nessus Project
> http://www.nessus.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
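Renaud's contrast between the obvious `param=../../../../etc/passwd%00` request and the `dir=/etc&file=passwd` request that looks harmless one parameter at a time is a useful test case for log review. The script below is an added example, not code from this thread or from the Nessus project: it scans Apache-style access-log lines (constructed here, not real traffic), decodes each query parameter, and reports four cheap indicators (embedded null byte, dot-dot traversal, absolute path, and a sensitive file name on its own). The combination check is what lets the second request surface alongside the first, which a signature keyed only on `../` would miss. The log format, parameter names and the `SENSITIVE_NAMES` list are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines for this example (not taken from the thread).
# Two of them carry the exact shapes contrasted in the message: the obvious
# "../" + "%00" form and the parameter-by-parameter innocuous dir=/etc&file=passwd form.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2001:19:56:32 +0200] "GET /cgi-bin/show.cgi?param=../../../../etc/passwd%00 HTTP/1.0" 200 512
10.0.0.6 - - [07/Sep/2001:19:57:01 +0200] "GET /cgi-bin/view.cgi?dir=/etc&file=passwd HTTP/1.0" 200 512
10.0.0.7 - - [07/Sep/2001:19:57:40 +0200] "GET /cgi-bin/view.cgi?dir=docs&file=readme.txt HTTP/1.0" 200 2048
10.0.0.8 - - [07/Sep/2001:19:58:10 +0200] "GET /cgi-bin/show.cgi?param=..%2F..%2Fetc%2Fshadow HTTP/1.0" 403 0
"""

# Request line inside a combined/common log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path component in either slash style, at the start, middle or end of a value.
DOT_DOT_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Unix absolute path or Windows drive-letter path.
ABS_PATH_RE = re.compile(r'^(/|[A-Za-z]:\\)')

# Assumed list of file names worth a second look when they appear as a parameter value.
SENSITIVE_NAMES = {"passwd", "shadow", "group", "boot.ini", "win.ini"}


def classify_params(params):
    """Return (param_name, reason) findings for one query string's decoded parameters."""
    findings = []
    for name, raw in params:
        value = unquote(raw)  # parse_qsl decoded once; decode again to catch double encoding
        if "\x00" in value:
            findings.append((name, "embedded null byte"))
        if DOT_DOT_RE.search(value):
            findings.append((name, "dot-dot traversal"))
        if ABS_PATH_RE.match(value):
            findings.append((name, "absolute path in parameter"))
        # Look at the last path component alone, so file=passwd is caught even when
        # no traversal characters are present and the directory sits in another parameter.
        basename = value.replace("\x00", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in SENSITIVE_NAMES:
            findings.append((name, "sensitive file name"))
    return findings


def scan_log(text):
    """Return [(client_ip, request_target, findings)] for every request with a finding."""
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        findings = classify_params(params)
        if findings:
            results.append((line.split(" ", 1)[0], target, findings))
    return results


if __name__ == "__main__":
    for client, target, findings in scan_log(SAMPLE_LOG):
        print(client, target)
        for name, reason in findings:
            print("   ", name, "->", reason)
```

Run against the embedded sample, three of the four requests are reported: the first with a null byte, a dot-dot sequence and a sensitive file name, the second with an absolute path in `dir` and a sensitive name in `file`, and the fourth (the URL-encoded variant) with dot-dot and a sensitive name; the `readme.txt` request produces nothing. The basename check is deliberately a prioritisation aid rather than a verdict, since a request asking for `passwd` may be legitimate on some applications.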