Re: Pen Test success rate

From: Zion (zion.den@gmail.com)
Date: Thu Aug 30 2007 - 07:01:05 EDT

• Next message: Paul Melson: "RE: Penetration tester or Ethical hacker future?"
• Previous message: David Jacoby: "Re: Penetration tester or Ethical hacker future?"
• In reply to: James Kelly: "Pen Test success rate"
• Next in thread: krymson@gmail.com: "Re: Pen Test success rate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi James,

Penetration testing is not about breaking into the systems, but about
seeing if it is possible to break, now said that given time every system
in the world is breakable.

So let us put it that penetration testing is trying to see if it
possible to break into the system/network/application in a given time
frame using the techniques used by an hacker and then the penetration
tester goes a different way that is the penetration tester would
document a report about the findings and mitigation steps. So that the
identified loopholes can be closed.

I would say even if the penetration tester did not break into the
system/network/application it was a success. All that you will have to
see is that you engage a capable penetration testing team and not
someone who would just execute a tool and report the findings.

The time frame given to the team to test/break-in is important, it
should not be too small that they (penetration testers) cannot do
anything nor should it is too big (time is money). Based of how many
IP's you are planning to target i would say make a judgmental call about
the time. I suggest you engage a experienced penetration tester during
the scoping.

Hope that was of help
Zion

James Kelly wrote:
> Given this scenario: Red team pen test from the Internet with no
> information or cooperation from IT staff.
>
> What would be a reasonable success rate of breaking in to say at least
> DMZ machines? Of internal hosts on private network?
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Paul Melson: "RE: Penetration tester or Ethical hacker future?"
• Previous message: David Jacoby: "Re: Penetration tester or Ethical hacker future?"
• In reply to: James Kelly: "Pen Test success rate"
• Next in thread: krymson@gmail.com: "Re: Pen Test success rate"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:04 EDT