Penetration Testing mailing list archives
RE: Bank Assessment
From: "Chuck Herrin" <me () chuckherrin com>
Date: Fri, 23 Apr 2004 10:07:02 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That's a great question. I'll be interested to see what everyone else comes back with. <Foundation Definitions> I don't use "Pen Test" and "Vulnerability Assessment" interchangeably, as these are 2 different services and vary in scope. My 2 cents is: it depends 100% on what the client wants. In my experience, many clients want the results of a Pen Test to be a "scare tactic" or "fundraiser" to get Senior Management's attention and get more funding. Many clients want the results of a Vulnerability Assessment to be a "pat on the back", and just want the results of a CyberCop or ISS scan showing that they're OK. Others really want to know how secure they are, and some just want to guard against the Script Kiddies out there. Fewer companies want (or in the case of the small firms, can afford) a true Pen Test, which includes Social Engineering, Wardriving, Physical Access attempts, password cracking, etc. I have found the OSSTMM to be a great tool, but it doesn't quite map to smaller organizations and their budgets. I would suggest that your Salespeople try to (tactfully) ferret out what EXACTLY the clients are looking for, and then pull the relevant tests from the OSSTMM. Of course, you can always follow the standard steps, and charge based on the amount of time the client would like you to spend on each part: Footprinting (2 hours) Gentle scanning (2 hours) Less-gentle scanning (4 hours) ELECTIVES: Going around the firewall: Social Engineering (4 hours) Wardialing (4 hours) Wardriving (1 hour) Exploit research (4 hours) Etc. based on what they want. **Note that these times are SAMPLES that will vary, especially for small clients - NO FLAMES on how lame it is to only spend 2 hours footprinting, etc. please ;-)** Hope this helps, and I look forward to what all you 31337 H4x0rs out there have to say on the subject. Chuck Herrin, CISSP, MCSE, CEH www.chuckherrin.com - -----Original Message----- From: Amit Deshmukh [mailto:amit_deshmukh () bridgepoint com au] Sent: Thursday, April 22, 2004 7:57 PM To: pen-test () securityfocus com Cc: c0d3r () cotse net Subject: RE: Bank Assessment Hi all! I'm new to this list and this is my first post! While we are still on the discussion of standards, would anyone know of a simple risk assessment methodology that could be employed for small to medium businesses? I'm stuck with the problem that its quite expensive to do an extensive risk assessment for small firms to identify their threats and carry out pen tests on the basis of those threats. So we have quoted a fixed number of days based on gut instinct. However, in such a scenario it is difficult to identify the extent to which one pen-test! Any help would be much appreciated. Thanks! Amit - -----Original Message----- From: c0d3r () cotse net [mailto:c0d3r () cotse net] Sent: Thursday, April 22, 2004 11:23 AM To: Blake Wiedman Cc: 'Joe Smith'; pen-test () securityfocus com Subject: RE: Bank Assessment Hi all; Not to cast any dispersions on anything, but IMHO, the FFIEC guidelines are pretty lame. They're OK for "management and operational" type reviews, but they just don't cut it for technical work. I'd look to a more solid technical standard, like nsa.gov, nist.gov, or OSSTMM Ver. 2. Those are the things that I use for (almost exclusively) banks. We've developed custom testing programs using these as standards. c0d3r
You can find the answers to most of your questions including
guidelines
here http://www.ffiec.gov/ My employer uses the guidelines as the basis for all of our banking clients. Blake Wiedman Security Technician Icons Inc. www.iconsinc.com 732.309.6038 -----Original Message----- From: Joe Smith [mailto:joey () r00t66 com] Sent: Monday, April 19, 2004 2:40 PM To: pen-test () securityfocus com Subject: Bank Assessment I'm looking for any good links with regard to Banking Institutions.. Security assessments, pen-testing, special needs etc. I know they
are
big on policies and procedures.
- ---------------------------------------------------------------------- - --
------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your
organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.htm l
- ---------------------------------------------------------------------- - --
-------
- ---------------------------------------------------------------------- - -- - ------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert
instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your
organization.
Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.htm l
- ---------------------------------------------------------------------- - -- - -------
- -- Hacking is a good mixture of technical knowledge, programming knowhow and misuse of trust. - ---------------------------------------------------------------------- - -- - ------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html - ---------------------------------------------------------------------- - -- - ------- - ---------------------------------------------------------------------- - -------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html - ---------------------------------------------------------------------- - --------- -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBQIkjBabL2AcPBTOlEQK0KgCfRzfh/Kn6M4vMs0JKBza055OZtBMAmQEZ 3AOnT+L+VK0iMzptiueUm6AU =TxtA -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- Bank Assessment Joe Smith (Apr 19)
- Re: Bank Assessment Max (Apr 21)
- RE: Bank Assessment Blake Wiedman (Apr 21)
- Re: Bank Assessment Ivan Arce (Apr 22)
- Re: Bank Assessment lists (Apr 23)
- RE: Bank Assessment c0d3r (Apr 22)
- RE: Bank Assessment Amit Deshmukh (Apr 23)
- RE: Bank Assessment Chuck Herrin (Apr 23)
- Re: SME risk assessment (Was: Bank Assessment) fergus (Apr 24)
- RE: Bank Assessment Blake Wiedman (Apr 23)
- Re: Bank Assessment Ivan Arce (Apr 22)
- <Possible follow-ups>
- RE: Bank Assessment James Williams (Apr 23)