Thread: Risk & Penetration testing

  1. #1
    HYBR|D
    Guest

    Question Risk & Penetration testing

    Hello all,
    Just wondering if anyone out there can tell me what is involved in a Risk Assessment and a Penetration test. Are there certain techniques? And also, what do they cost, how do they differ, etc.? All the help I get, the better. Thanks in advance.

    Regards HYBR|D

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am assuming you are looking for those services. I would consider risk assessment to be limited to scanning for open ports, server versions, etc., but then writing a report about what risks are out there (what is vulnerable and needs to be patched or the security tightened) and stopping there, leaving the possibility of things like false positives or un-exploitable positives (for example, a bad script might still be there but the permissions won't let the exploit work)...

    Penetration testing would continue past the point of risk assessment by taking it a step further and actually seeing if the detected risk could be used to gain unauthorized access to the system and if so how much...

    The above is how I have always considered things, the 'real' definition is probably slightly different but along those lines.

    Hope this helps,

    Neb
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Risk assessment is actually more about evaluating the security needs vs. acceptable risks vs. costs: going around evaluating the importance of confidentiality, integrity, availability.

    For example, for an e-commerce site, the web services (web server...) would be rated on a scale of 1 to 10 (for example) on each criterion (confidentiality, integrity, availability). The sum of those reflects how much that system needs protection and in what ways...

    For the e-commerce site it would probably be something like: C:5, I:7, A:10
    while someone else's business with a presentation page only could be like: C:1, I:5, A:2
    etc.

    Then you'd go about analysing the layout of the network and re-designing it with your previous evaluation in mind...

    Ammo
    Credit travels up, blame travels down -- The Boss
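    The C/I/A scoring Ammo describes, worked through as a small script. This is an added example, not code from the thread or from any poster; the asset names and ratings are constructed sample values, and the ranking and "dominant criterion" helpers go a step beyond the post by ordering several assets and saying which of the three criteria drives each one's protection need.

```python
# Added example (not from the original thread): rate assets on
# confidentiality, integrity and availability (1..10 each), sum the
# ratings for a "how much protection" figure, and rank the assets.
from dataclasses import dataclass

CRITERIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # 1..10, as in the post's example scale
    integrity: int
    availability: int

    def __post_init__(self):
        # Reject ratings outside the 1..10 scale so a typo cannot
        # silently dominate the ranking.
        for criterion in CRITERIA:
            value = getattr(self, criterion)
            if not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {criterion} rating {value} is outside 1..10")


def protection_score(asset):
    """Sum of the three ratings: the 'how much protection' figure from the post."""
    return asset.confidentiality + asset.integrity + asset.availability


def dominant_criterion(asset):
    """Which of C/I/A is rated highest: the 'in what ways' part of the post."""
    return max(CRITERIA, key=lambda criterion: getattr(asset, criterion))


def rank_assets(assets):
    """Highest protection score first; ties broken by name for a stable report."""
    return sorted(assets, key=lambda asset: (-protection_score(asset), asset.name))


# Constructed sample inventory; the first two mirror the post's own examples.
SAMPLE_ASSETS = [
    Asset("ecommerce-web", 5, 7, 10),
    Asset("brochure-site", 1, 5, 2),
    Asset("customer-db", 10, 9, 6),
]


def report(assets=SAMPLE_ASSETS):
    """One line per asset, most protection-hungry first."""
    lines = []
    for asset in rank_assets(assets):
        lines.append(
            f"{asset.name:14} C:{asset.confidentiality} I:{asset.integrity} "
            f"A:{asset.availability}  score={protection_score(asset):2}  "
            f"focus={dominant_criterion(asset)}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

    The ranking is only as good as the ratings fed in, which is the actual work of a risk assessment; the script just makes the priorities and the dominant concern (availability for the shop front, confidentiality for the customer database) explicit so the network redesign Ammo mentions can be argued from numbers.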

  4. #4
    HYBR|D
    Guest
    Thank you very much, so much help in so little time..

    How much are these services?

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    rather forgetful, aren't we?

    Birthday 0000-00-00

    OS Win 3.x / Win 9x / Win NT / Win 2000 / Linux Mandrake / Redhat / Debian

    Skill Set Risk Assessment \ Penetration Testing \ Most IT related (basic - advanced)

    Work Experience Own Business

    Your Current Box Cel 800 OC'ed 1064mhz 512mb ram Realtek ethernet card 20gig seagate
    and all the other usuals

    Biography err, ummm I s'pose so

    Location Australia
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    No problem!

    As far as cost, can't help you much on that...

    Ammo
    Credit travels up, blame travels down -- The Boss

  7. #7
    You wanna know what I heard your mom likes it when I give her some Penetration and do you know why? Because I have a Bigdick4yourMOM I'M out like a alight cause I'm straight like a gate.

  8. #8
    HYBR|D
    Guest
    Hi, well, thanks again... except for BIGDICK... hmm, what a wanker. Tedob1, sorry, but the skill set was copied and pasted, soz...

  9. #9
    It is best to ignore people like bigdick4yourMOM, all they want is attention and bring valid threads to the toilet. Can everybody say ??

    As for the penetration and risk assessment tests, I am pretty sure you can do that for relatively low cost if you do not hire any outside help. Correct me if I am wrong, but can risk and penetration tests include a port scanner or security assessment software? I have seen free ones that do pretty well...

  10. #10
    Since this is what I do for a living, I have a little insight into how we price out pentests. We charge around 20K for a full-blown external pen test. This includes a CD with all of your known exposures as well as the links to do a hot patch. In my opinion this is a better method than handing someone a phonebook with all of their discovered holes in their network. However, risk assessments and pen tests from other large known companies can differ in pricing on many different factors, including:

    How many ingress points into your network
    Size of your network in nodes
    How in depth you would like the scope to be (executive report, or the 4000-page phone book)

    Be prepared to spend anywhere from 40-80k with these large firms.
    freedom is a road seldom traveled by the multitude

    freedom aint free
