Re: Why Penetration Test?

From: Amit (amit.deshmukh@security-assessment.com)
Date: Sun Jun 12 2005 - 05:20:37 EDT


Hello all,

Though I'd say the most value I see for my customers comes from option
A, we sometimes are faced with clients that conduct a VA but are
reluctant or hesitant to take remediation actions based on the results.

It is then that we propose a pen-test to demonstrate how easy/hard it is
for an attacker to gain control of critical servers. The results from a
pen-test are then used to perform a "root-cause analysis" to determine
the factors contributing to increased security risk. This is to help
management understand the impact of risks such as inadequate patching
procedures or standards, which could translate into regulatory compliance
issues.

As far as options B and C are concerned... I am of the opinion that
attackers would only be interested in a single exploitable
vulnerability... so 5 or 7 wouldn't make much of a difference... except
probably to demonstrate that the time to "own" the server with more vulns
is much less than for the one with fewer. Having said that, a diligent
security consultant needs to find and report at least all known
exploitable vulnerabilities :)

Regards,

Amit Deshmukh

Senior Security Consultant
Security-Assessment.com
Sydney, Australia

cbc wrote:

>Hi All,
>
>My comments on these are:
>
>A pentest is useful and able to add value to
>the company that pays for the service only if the results
>and findings tally with the goal and expectations
>established during the initiation of the exercise.
>
>It is meaningless to judge which scenario is the best,
>as if my goal of a pentest is to find as many
>vulnerabilities as you can and exploit them, then I will say
>scenario C is the best. But if my goal is to find
>which vulnerabilities would impact my business most,
>then scenario A is a better candidate.
>
>In summary, ensuring a proper goal and expectations are
>established during the planning stage is vital. You
>will find the evaluation and management process more
>manageable by doing so!
>
>
>Regards,
>Boon Chin,
>Senior Security Consultant, Singapore
>

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT