Re: Limited vs full blown testing

From: El C0chin0 (mr.nasty@ix.netcom.com)
Date: Thu Jun 24 2004 - 16:59:42 EDT


In-Reply-To: <6.1.1.1.2.20040624125700.03d1cc60@pop3.officemail.easynet.co.uk>

I can only hope the moderator of this forum allows my post. Not much luck in the past.

After reviewing several pen testing contracts I have mixed feelings.

First of all, most people seem to confuse auditing, vulnerability testing and penetration testing. Even within discussions here, there doesn't seem to be a clear definition amongst the tribe as to what does what.

As an ex-Information Systems Security Auditor for a large government agency, a Chief Information Security Officer, a Security Specialist, and a CISSP, CISA and CISM, I think I've seen all three angles.

Auditing systems should analyze gathered information from the inside. This should then create a network topology that you can compare with their network topology. This will also provide you with enough information to compare against their current security policies.

Vulnerability testing is the analysis of the audit information against attack types. Scans/probes against the systems both from the inside and outside. But no penetration.

Penetration testing is the act of penetrating a system. Breaking into it using whatever tools are available. Not some proprietary software. That's bogus.

So, if you run a SYN flood against a system, what are you looking for? Incident response? That's not penetration testing. Are you looking to shut down the firewall and bypass logging? That's penetration testing.

So before you folks eagerly go about your business of using these words interchangeably, stop and think. When I see you across the table trying to sell me on your prowess as an Uber Haxor, you don't impress me when you mix the context of these different tests.

btw, what would running a DoS against the system reveal that a configuration audit wouldn't prevent? Patch and harden the system and chances are you bypass the DoS. Test the application against buffer overflow and you bypass the DoS. So why is running a DoS against an unpatched, unhardened system supposed to make you more points?

Hacking is the easy part. Before you hack you need to know what countermeasures to recommend and first determine if those countermeasures are in place.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT