RE: Why Penetration Test?

From: Williamson, Clyde (CWilliamson@Limitedbrands.com)
Date: Tue Jun 21 2005 - 10:28:00 EDT

• Next message: Sbc Global: "RE: wireless WEP crack."
• Previous message: Michael Sierchio: "Re: wireless WEP crack."
• Maybe in reply to: tarunthenut@gmail.com: "Why Penetration Test?"
• Next in thread: Marco Ivaldi: "Re: Why Penetration Test?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I tend to consider it in the terms of a drill. We might have all the fire
exits clearly marked, but a drill would seem to provide a good test as to
the viability of the escape plan.

I would wager that mosbunall companies that kept offices in the WTC run
regular disaster recovery drills, it appears that many of them had disaster
recovery plans... But had never proven the plan.

I think penetration testing works in a similar fashion.

-----Original Message-----
From: Matt Curtin [mailto:cmcurtin@interhack.net]
Sent: Friday, June 17, 2005 9:13 AM
To: tarunthenut@gmail.com
Cc: pen-test@securityfocus.com
Subject: Re: Why Penetration Test?

tarunthenut@gmail.com writes:

> I was wondering the usefulness of a penetration testing against
> vulnerability assessment for a company.

It's a good question, and while there are plenty who disagree with me on
this, I maintain that penetration testing is useful for determining whether
an organization's ability to detect and to respond to attack is in line with
its expectations.

Risk assessment will consider things like threats, vulnerabilities, and
assets, looking at the likelihood and impact of various threats exploiting
vulnerabilities to damage assets. The objective here is to determine which
risks are best accepted as a cost of doing business, which are best
transferred, and which are best mitigated against.

Technical evaluation will perform validation of the controls put in place,
whether they are working as expected. Many people (mistakenly, in my view)
call this "penetration testing").

Penetration testing, understood in this context, is very useful indeed. For
example, if your staff notices and responds to something that your risk
assessment said you're not going to worry about, it shows that you're
spending too much time and money looking at stuff in detail, or that your
risk management policy needs to be updated to reflect what is happening in
reality. On the other hand, if a penetration is attempted, noticed, and
responded to appropriately, that will show whether the policy, technology,
and people are doing all of what they should.

--
Matt Curtin,  author of  Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation  +1 614 545 4225 http://web.interhack.com/
Forensic Computing | Information Assurance | Managed Information Technology

• Next message: Sbc Global: "RE: wireless WEP crack."
• Previous message: Michael Sierchio: "Re: wireless WEP crack."
• Maybe in reply to: tarunthenut@gmail.com: "Why Penetration Test?"
• Next in thread: Marco Ivaldi: "Re: Why Penetration Test?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:26 EDT