RE: Limited vs full blown testing

From: Markowsky, Tyler (tmarkowsky@seccuris.com)
Date: Fri Jun 25 2004 - 11:03:45 EDT


I agree with Martin: the object of the analysis is to determine weaknesses
within the environment. However, it is feasible to avoid 'destructive'
scanning with appropriate preliminary network analysis in concert with
predefined procedures and expectations.

**I encourage you to spend a significant amount of time defining these with
the client.**

Regards,
Tyler Markowsky
Principal Economist

Seccuris
http://www.seccuris.com

-----Original Message-----
From: Martin Mačok [mailto:martin.macok@underground.cz]
Sent: Thursday, June 24, 2004 4:02 PM
To: pen-test@securityfocus.com
Subject: Re: Limited vs full blown testing

On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:

> During my many years of pen testing one common thread when dealing
> with customers has been the request to not perform any destructive
> or DOS type testing.

Tell them that the purpose of the test is *to test* (i.e. to try
something) and the only thing you can do to not break anything is to
not try anything at all. Maybe they want an audit instead of
a pen-test and they just don't know the terms and the meanings.

If they are so scared, negotiate the exact time of potentially
destructive/aggressive tests.

Use Nessus with "safe checks" turned on for "polite" scans... You can
also disable all "DoS" family plugins in Nessus.

Martin Mačok
IT Security Consultant


