[GLLUG] Penetration Test

Hampton, Rodney rodney.hampton@jnli.com
Fri, 24 Jan 2003 11:54:55 -0500


Suzanne,

Just a recommendation from the trenches... a fairly computer literate person
could run Nessus and Saint from a Linux/Unix box and WebTrends Security
Analyzer + NetIQ's Security Analyzer from a Windows platform.  The Linux
programs (Nessus, Saint, +nmap for good measure) are free and you can get a
trial version of the Windows programs for evaluation.  The trial versions
have all the features and boast a nice set of HTML/PDF reports for
management types.

You'll be able to find and lock down most of the easy vulnerabilities before
the penetration test.  A quick audit of your machines to ensure you've got a
1) personal/corporate virus protection suite
2) backup software
3) personal/corporate firewall
will also take you a step in the right direction.  Finally, if you don't
have a company policy on handling security incidents, nor a procedure for
disaster recovery, focus your efforts here.

In short, don't hire a company until you've done your homework and gotten
the basics out of the way.  Make sure the penetration test you contract is
exposing things that you couldn't have discovered on your own.

My 0.02




Rodney Hampton
(sorry about the HTML mail)
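
The "do your homework first" step Rodney describes, as an added example that is not part of this thread: after scanning your own hosts with nmap (the free tool he mentions), parse its grepable output (the -oG format), compare each host's open TCP ports against a baseline of what that host is supposed to expose, and list the deviations to lock down before the contracted test starts. The sample scan lines, host names, addresses and baseline below are constructed for illustration; nothing here comes from the list posts.

```python
"""Triage a pre-engagement self-scan against an approved-services baseline.

Added example (not from the GLLUG thread). Reads nmap grepable output (-oG),
keeps the ports nmap reported as open/tcp, and diffs them against what each
host is allowed to expose.
"""
import re

# Constructed sample of nmap -oG output for three hypothetical hosts.
# Real -oG lines are tab-separated: "Host: <ip> (<name>)\tPorts: ...\tIgnored State: ..."
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, "
    "139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (www)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "23/open/tcp//telnet///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.30 (printer)\tPorts: 9100/open/tcp//jetdirect///, "
    "21/filtered/tcp//ftp///\tIgnored State: closed (998)\n"
    "# Nmap run completed -- 3 IP addresses (3 hosts up) scanned\n"
)

# Hypothetical baseline: the TCP ports each host is *supposed* to expose.
BASELINE = {
    "192.168.1.10": {22, 445},
    "192.168.1.20": {22, 80},
    "192.168.1.30": {9100},
}

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {port, ...}} for ports nmap reported as open over TCP."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts with no Ports field
        ip, _name, ports = m.groups()
        open_ports = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            # -oG port entry: port/state/proto/owner/service/rpcinfo/version
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[ip] = open_ports
    return hosts


def find_deviations(observed, baseline):
    """Diff observed open ports against the baseline.

    Returns {ip: {"unexpected": set, "missing": set, "unknown": bool}} for
    every host that deviates. Hosts the baseline does not know about are
    flagged with unknown=True and all their open ports listed as unexpected.
    """
    report = {}
    for ip, ports in observed.items():
        allowed = baseline.get(ip)
        if allowed is None:
            report[ip] = {"unexpected": set(ports), "missing": set(), "unknown": True}
            continue
        extra, missing = ports - allowed, allowed - ports
        if extra or missing:
            report[ip] = {"unexpected": extra, "missing": missing, "unknown": False}
    return report


if __name__ == "__main__":
    for ip, dev in sorted(find_deviations(parse_grepable(SAMPLE_GREPABLE), BASELINE).items()):
        tag = " (not in baseline)" if dev["unknown"] else ""
        print(f"{ip}{tag}: unexpected={sorted(dev['unexpected'])} missing={sorted(dev['missing'])}")
```

On the constructed sample this flags NetBIOS on the file server and telnet on the web host, and stays quiet about the printer because the filtered FTP port is not open. A host that appears in the scan but not in the baseline is itself a finding: inventory gaps are exactly what a paid test will otherwise discover for you.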

-----Original Message-----
From: Suzanne Reiner [mailto:sreiner@fnba.com]
Sent: Friday, January 24, 2003 10:39 AM
To: linux-user@egr.msu.edu
Subject: [GLLUG] Penetration Test


We're in the market for penetration testing.  If anyone knows of a reliable
company, I'm all ears.  FYI:  we will need detailed reporting (high-level
for the suits and tech detail for IT) with recommendations.  Familiarity
with banking/OCC procedures a plus but not necessary.

Cheers,

Suzanne

_______________________________________________
linux-user mailing list
linux-user@egr.msu.edu
http://www.egr.msu.edu/mailman/listinfo/linux-user

