Re: Why Penetration Test?

From: Marco Ivaldi (raptor@0xdeadbeef.info)
Date: Wed Jun 29 2005 - 12:34:05 EDT


> I was wondering about the usefulness of penetration testing against
> vulnerability assessment for a company.

Hey pen-testers,

First of all, I apologize for coming so late to the party -- I've been far
from the Internet for a couple of weeks lately...

Just wanted to point out something crucial to me that surprisingly enough
has not been mentioned yet in this discussion: a security professional
must always remember that there are some attack vectors that are hard (if
not impossible) to spot and test thoroughly using automated VA tools.

Yeah, not all attacks come from the IP infrastructure: instead, in my
personal and professional experience I witnessed that the most dangerous
attacks come very often through PBX, RAS connected to a PSTN, backup ISDN
lines connected to routers, good old X.25 networks, etc. Also, not all
attacks can be easily reproduced using automated VA tools: just think
about common technologies such as WLANs and (web) applications in general;
an automated testing approach would definitely miss some attack paths. Not
to mention social engineering, physical intrusions, dumpster diving, and
other popular ways to fool your expensive security measures.

In short, my point is: depending on the complexity of my operational
environment, I'd be very careful before deciding to rely _only_ on the
common IP infrastructure vulnerability assessments done with popular
automated scanning tools to secure my information. There's more outta here
that must be tested to ensure you get a 360-degree vision of your
organization's security posture and IMHO a good consultant should tell you
before selling you yet another superficial VA.

Just my 2 euro-cents;) Cheers,

-- 
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233  0394 EF85 2008 DBFD B707

