From: Chuck Herrin (me@chuckherrin.com)
Date: Fri Apr 23 2004 - 10:07:02 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That's a great question. I'll be interested to see what everyone
else comes back with.
<Foundation Definitions> I don't use "Pen Test" and "Vulnerability
Assessment" interchangeably, as these are 2 different services and
vary in scope.
My 2 cents is: it depends 100% on what the client wants. In my
experience, many clients want the results of a Pen Test to be a
"scare tactic" or "fundraiser" to get Senior Management's attention
and get more funding. Many clients want the results of a
Vulnerability Assessment to be a "pat on the back", and just want the
results of a CyberCop or ISS scan showing that they're OK. Others
really want to know how secure they are, and some just want to guard
against the Script Kiddies out there.
Fewer companies want (or in the case of the small firms, can afford)
a true Pen Test, which includes Social Engineering, Wardriving,
Physical Access attempts, password cracking, etc.
I have found the OSSTMM to be a great tool, but it doesn't quite map
to smaller organizations and their budgets. I would suggest that
your Salespeople try to (tactfully) ferret out what EXACTLY the
clients are looking for, and then pull the relevant tests from the
OSSTMM. Of course, you can always follow the standard steps, and
charge based on the amount of time the client would like you to spend
on each part:
Footprinting (2 hours)
Gentle scanning (2 hours)
Less-gentle scanning (4 hours)
ELECTIVES: Going around the firewall:
Social Engineering (4 hours)
Wardialing (4 hours)
Wardriving (1 hour)
Exploit research (4 hours)
Etc. based on what they want. **Note that these times are SAMPLES
that will vary, especially for small clients - NO FLAMES on how lame
it is to only spend 2 hours footprinting, etc. please ;-)**
Hope this helps, and I look forward to what all you 31337 H4x0rs out
there have to say on the subject.
Chuck Herrin, CISSP, MCSE, CEH
www.chuckherrin.com
- -----Original Message-----
From: Amit Deshmukh [mailto:amit_deshmukh@bridgepoint.com.au]
Sent: Thursday, April 22, 2004 7:57 PM
To: pen-test@securityfocus.com
Cc: c0d3r@cotse.net
Subject: RE: Bank Assessment
Hi all!
I'm new to this list and this is my first post! While we are still on
the discussion of standards, would anyone know of a simple risk
assessment methodology that could be employed for small to medium
businesses?
I'm stuck with the problem that its quite expensive to do an
extensive risk assessment for small firms to identify their threats
and carry out pen tests on the basis of those threats. So we have
quoted a fixed number of days based on gut instinct. However, in such
a scenario it is difficult to identify the extent to which one
pen-test!
Any help would be much appreciated. Thanks!
Amit
- -----Original Message-----
From: c0d3r@cotse.net [mailto:c0d3r@cotse.net]
Sent: Thursday, April 22, 2004 11:23 AM
To: Blake Wiedman
Cc: 'Joe Smith'; pen-test@securityfocus.com
Subject: RE: Bank Assessment
Hi all;
Not to cast any dispersions on anything, but IMHO, the FFIEC
guidelines are pretty lame. They're OK for "management and
operational" type reviews, but they just don't cut it for technical
work. I'd look to a more solid technical standard, like nsa.gov,
nist.gov, or OSSTMM Ver. 2. Those are the things that I use for
(almost
exclusively) banks. We've developed custom testing programs using
these as standards.
c0d3r
> You can find the answers to most of your questions including
guidelines
> here http://www.ffiec.gov/
>
> My employer uses the guidelines as the basis for all of our banking
> clients.
>
>
> Blake Wiedman
> Security Technician
> Icons Inc.
> www.iconsinc.com
> 732.309.6038
>
> -----Original Message-----
> From: Joe Smith [mailto:joey@r00t66.com]
> Sent: Monday, April 19, 2004 2:40 PM
> To: pen-test@securityfocus.com
> Subject: Bank Assessment
>
>
> I'm looking for any good links with regard to Banking
> Institutions.. Security assessments, pen-testing, special needs
> etc. I know they
are
> big on policies and procedures.
>
>
>
- ----------------------------------------------------------------------
- --
> ------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get
> $545 off any course! All of our class sizes are guaranteed to be
> 10
> students or less
> to facilitate one-on-one interaction with one of our expert
instructors.
> Attend a course taught by an expert instructor with years of
> in-the-field pen testing experience in our state of the art hacking
> lab. Master the skills
> of an Ethical Hacker to better assess the security of your
organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
> l
>
- ----------------------------------------------------------------------
- --
> -------
>
>
>
>
- ----------------------------------------------------------------------
- --
- ------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get
> $545
off
> any course! All of our class sizes are guaranteed to be 10 students
> or
less
> to facilitate one-on-one interaction with one of our expert
instructors.
> Attend a course taught by an expert instructor with years of
in-the-field
> pen testing experience in our state of the art hacking lab. Master
> the
skills
> of an Ethical Hacker to better assess the security of your
organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.htm
> l
>
- ----------------------------------------------------------------------
- --
- -------
>
- --
Hacking is a good mixture of technical knowledge, programming knowhow
and misuse of trust.
- ----------------------------------------------------------------------
- --
- ------
Ethical Hacking at the InfoSec Institute. Mention this ad and get
$545 off any course! All of our class sizes are guaranteed to be 10
students or less to facilitate one-on-one interaction with one of our
expert instructors. Attend a course taught by an expert instructor
with years of in-the-field pen testing experience in our state of the
art hacking lab. Master the skills of an Ethical Hacker to better
assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
- ----------------------------------------------------------------------
- --
- -------
- ----------------------------------------------------------------------
- --------
Ethical Hacking at the InfoSec Institute. Mention this ad and get
$545 off any course! All of our class sizes are guaranteed to be 10
students or less to facilitate one-on-one interaction with one of our
expert instructors. Attend a course taught by an expert instructor
with years of in-the-field pen testing experience in our state of the
art hacking lab. Master the skills of an Ethical Hacker to better
assess the security of your organization. Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
- ----------------------------------------------------------------------
- ---------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBQIkjBabL2AcPBTOlEQK0KgCfRzfh/Kn6M4vMs0JKBza055OZtBMAmQEZ
3AOnT+L+VK0iMzptiueUm6AU
=TxtA
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT