Re: Why Penetration Test?

From: Terry Vernon (tvernon24@comcast.net)
Date: Mon Jun 13 2005 - 10:37:43 EDT


That's a good way to do it. Not only do you find out what
vulnerabilities exist and need to be addressed, you also find out if the
Intrusion Prevention you have spent oodles of money on is doing its job.

tarunthenut@gmail.com wrote:

>Hi,
>Thanks to everyone for brainstorming on this point.
>
>I asked this question because I failed to understand why certain clients are bent on penetration testing, because the results totally depend on the skill set of the person/company performing the penetration testing.
>
>I am of the opinion that companyx should get two vulnerability assessments (not penetration testing) done.
>
>Scan 1: With its preventive and reactive controls switched off (IPS/IDS/HIPS etc). Results ranked not on technical ranking (most tools/VA companies tabulate on tech rankings) but on business impact ranking.
>
>Scan 2: With the preventive and detective controls switched on (IPS/IDS/HIPS etc). Again results ranked on business impact rankings.
>
>The second result will test the effectiveness of security controls in place. Based on the two scans, companyx should go about plugging those vulnerabilities in a phased manner:
>
>Phase I: Plug those which could be "identified" (not necessarily exploited) in spite of security controls switched on and have high business impact.
>
>Phase II: Plug those which could be "identified" (not necessarily exploited) in spite of security controls switched on and have medium or low business impact.
>
>Phase III: Plug those which could be "identified" (not necessarily exploited) when security controls were switched off and have high business impact.
>(To ensure "safety" even when any preventive or detective control fails)
>
>Phase IV: Plug those which could be "identified" (not necessarily exploited) when security controls were switched off and have medium or low business impact. (To ensure "safety" even when any preventive or detective control fails)
>
>What say, people? Does this approach make any sense into the chaos?
>
>Regards
>
>
>
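
The two-scan, four-phase plan quoted above can be expressed as a small triage script. This is an added example, not part of either message: the Finding fields, the (host, issue) matching key, the sample data and the reading that Phases III/IV cover findings seen only with controls off are all assumptions.

```python
from dataclasses import dataclass

IMPACT_ORDER = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    impact: str  # business impact ranking: "high", "medium" or "low"

def _index(findings):
    """Map (host, issue) -> highest business impact reported for it."""
    out = {}
    for f in findings:
        if f.impact not in IMPACT_ORDER:
            raise ValueError(f"unknown impact {f.impact!r} on {f.host}")
        key = (f.host, f.issue)
        if key not in out or IMPACT_ORDER[f.impact] > IMPACT_ORDER[out[key]]:
            out[key] = f.impact
    return out

def plan_phases(controls_off, controls_on):
    """Assign every finding to phase 1-4 of the quoted remediation plan."""
    off, on = _index(controls_off), _index(controls_on)
    phases = {1: [], 2: [], 3: [], 4: []}
    for key in sorted(off.keys() | on.keys()):
        # If the two scans disagree on impact, plan for the higher one.
        impacts = [i for i in (off.get(key), on.get(key)) if i]
        high = max(impacts, key=IMPACT_ORDER.get) == "high"
        if key in on:    # identified in spite of IPS/IDS/HIPS
            phases[1 if high else 2].append(key)
        else:            # identified only with the controls switched off
            phases[3 if high else 4].append(key)
    return phases

def masked_ratio(controls_off, controls_on):
    """Share of scan 1 findings that scan 2 no longer identified."""
    off, on = _index(controls_off), _index(controls_on)
    return len(off.keys() - on.keys()) / len(off) if off else 0.0

# Constructed sample data; hosts and issues are made up for illustration.
SCAN_OFF = [Finding("db01", "default-admin-password", "high"),
            Finding("web01", "outdated-tls", "medium"),
            Finding("web01", "sql-injection", "high"),
            Finding("file01", "open-smb-share", "low")]
SCAN_ON = [Finding("web01", "sql-injection", "high"),
           Finding("file01", "open-smb-share", "low")]

if __name__ == "__main__":
    for phase, keys in plan_phases(SCAN_OFF, SCAN_ON).items():
        print(f"Phase {phase}: {keys}")
    print(f"Masked by controls: {masked_ratio(SCAN_OFF, SCAN_ON):.0%}")
```

The masked ratio is the figure the reply points at: how much of what scan 1 found the controls actually kept scan 2 from identifying.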


