RE: Email Pen-testing

From: AJ Butcher, Information Systems and Computing (Alex.Butcher@bristol.ac.uk)
Date: Tue Mar 23 2004 - 11:01:09 EST


--On 23 March 2004 04:50 -0800 James Taylor <james_n_taylor@yahoo.com>
wrote:

> To drift slightly off topic... For me a vulnerability scan has much more
> value to most companies than a pen test. That is, of course, if you
> apply the principle that a vuln scan should be performed at each
> perimeter layer, against all hosts, then assess the risk by taking each
> vulnerability discovered in the context of the network as a whole.
>
> Too often one hears of a pen test, where as soon as the 'testers' find a
> vulnerability, they focus on that one vulnerability and, more likely than
> not, are able to break in to that system. End of pen test. What about
> the rest of the network?

The approach I've taken in the past is to treat vulnerability assessments
as a breadth-first search for vulnerabilities, and penetration testing as a
time-limited depth-first attempt to "capture a/the flag". As far as
allowable techniques go, that's down to the customer - if I'm capable of
using the technique and the customer has explicitly allowed it, it's fair
game, whether it's dumpster diving, or dressing up in a boiler suit and
carrying two cups of tea. ;-)

IMHO, regular vulnerability assessment is usually the most useful approach
as it can identify the critical vulnerabilities that require fixing. Viewed
in such a light, penetration testing is probably only useful for proving a
political point (e.g. that someone is or isn't doing their job competently,
or that their budget is adequate or insufficient).

> Regards
> James Taylor
> CISSP

Best Regards,
Alex.

-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT