RE: Bank Assessment

From: James Williams (jwilliams@itexch.wtamu.edu)
Date: Fri Apr 23 2004 - 10:02:02 EDT

• Next message: Josh Tolley: "Re: Web site testing"
• Previous message: clarke-cummings@columbus.rr.com: "Re: Why eEye Retina (was MBSA scanner)"
• Maybe in reply to: Joe Smith: "Bank Assessment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

My thinking would be to not include pen testing with the risk
assessment. IMHO, the "risk assessment" is more of the political part of
the business. A company either out sources a security consultant to
learn how their business works for a period of time and the security
consultant writes the risk assessment based upon what he/she has learned
or the company has personal internally that create the risk assessment.

To determine "risk" you have to ask yourself a series of questions.

What are the threats?
-inside threats?
-outside threats?
-what are the company "crown jewels"

What are the vulnerabilities?
-social engineering?
-possible vulnerabilities in software?
-physical access? To what? Whom has access?

>From the above you are able to determine your risks. From that point you
work creating a better stance on risk and trying to get the company to
an acceptable risk.

This type of assessments are used to help create policies and to help
create a better understanding of what needs to happen to make the
company more secure.

James Williams
Network Systems Technician
West Texas A&M University
 

-----Original Message-----
From: Amit Deshmukh [mailto:amit_deshmukh@bridgepoint.com.au]
Sent: Thursday, April 22, 2004 6:57 PM
To: pen-test@securityfocus.com
Cc: c0d3r@cotse.net
Subject: RE: Bank Assessment

Hi all!

I'm new to this list and this is my first post! While we are still on
the discussion of standards, would anyone know of a simple risk
assessment methodology that could be employed for small to medium
businesses?

I'm stuck with the problem that its quite expensive to do an extensive
risk assessment for small firms to identify their threats and carry out
pen tests on the basis of those threats. So we have quoted a fixed
number of days based on gut instinct. However, in such a scenario it is
difficult to identify the extent to which one pen-test!

Any help would be much appreciated. Thanks!

Amit
 
-----Original Message-----
From: c0d3r@cotse.net [mailto:c0d3r@cotse.net]
Sent: Thursday, April 22, 2004 11:23 AM
To: Blake Wiedman
Cc: 'Joe Smith'; pen-test@securityfocus.com
Subject: RE: Bank Assessment

Hi all;

Not to cast any dispersions on anything, but IMHO, the FFIEC guidelines
are pretty
lame. They're OK for "management and operational" type reviews, but
they just don't
cut it for technical work. I'd look to a more solid technical standard,
like
nsa.gov, nist.gov, or OSSTMM Ver. 2. Those are the things that I use
for (almost
exclusively) banks. We've developed custom testing programs using these
as
standards.

c0d3r

> You can find the answers to most of your questions including
guidelines
> here http://www.ffiec.gov/
>
> My employer uses the guidelines as the basis for all of our banking
> clients.
>
>
> Blake Wiedman
> Security Technician
> Icons Inc.
> www.iconsinc.com
> 732.309.6038
>
> -----Original Message-----
> From: Joe Smith [mailto:joey@r00t66.com]
> Sent: Monday, April 19, 2004 2:40 PM
> To: pen-test@securityfocus.com
> Subject: Bank Assessment
>
>
> I'm looking for any good links with regard to Banking Institutions..
> Security assessments, pen-testing, special needs etc. I know they
are
> big on policies and procedures.
>
>
>
------------------------------------------------------------------------
> ------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> off
> any course! All of our class sizes are guaranteed to be 10 students or
> less
> to facilitate one-on-one interaction with one of our expert
instructors.
> Attend a course taught by an expert instructor with years of
> in-the-field
> pen testing experience in our state of the art hacking lab. Master the
> skills
> of an Ethical Hacker to better assess the security of your
organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
------------------------------------------------------------------------
> -------
>
>
>
>
------------------------------------------------------------------------
------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert
instructors.
> Attend a course taught by an expert instructor with years of
in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your
organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
------------------------------------------------------------------------
-------
>

-- 
Hacking is a good mixture of technical knowledge, programming knowhow
and misuse of
trust.
------------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------
------------------------------------------------------------------------
------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
-------
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: Josh Tolley: "Re: Web site testing"
• Previous message: clarke-cummings@columbus.rr.com: "Re: Why eEye Retina (was MBSA scanner)"
• Maybe in reply to: Joe Smith: "Bank Assessment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:52 EDT