Re: honeypot in conjunction with pen test?

From: Mark Tinberg (tinberg@securepipe.com)
Date: Fri Jun 07 2002 - 08:03:10 EDT


On Thu, 6 Jun 2002, Mike Riley wrote:

[snip]

> certainly isn't. It's not about getting in, it's about
> *auditing*.

If I may respectfully disagree, a pen-test *is* about getting in, and is
distinct from an audit. To me (and this may just be a semantic
difference) an audit is a completely different animal where the auditors
spend several weeks/months on-site going over the client's procedures and
network equipment with a fine-toothed comb, as well as interviewing the
admins. The report will contain things that should be tightened up as
well as places where the written policy differs from what is implemented
in the network hardware and where the admins differ from policy. It is
not something that can be done remotely, although it may involve a
pen-test for verification.

I may be confused (it's way past my bedtime 8^) but I think that there is
a general misunderstanding both in the minds of clients and sometimes in
the minds of the consultants about where the difference lies.

-- 
Mark Tinberg <MTinberg@securepipe.com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT