RE: Moving from Defense to Offense (or vice versa) to secure your network

From: Erin Carroll (amoeba@amoebazone.com)
Date: Sun Nov 27 2005 - 22:32:45 EST


 
<snip>
> Conducting routine audits (both scheduled and un-scheduled),
> forensics management (break-in attempts, viruses, trojans,
> etc.), policy management (in most cases, this can represent
> almost as much as 70% of the network securification process
> -- without a good policy, nothing will have any significance
> or meaning), and more. Pentesting is just 1-3% of the entire
> securification process.

You won't find me disagreeing with anything in what you said here Bob. One
thing I wanted to mention was how forcing yourself to think outside your
normal comfort level can bring some unexpected benefits. I recently sub'd
out some pen-test work to someone (due to scheduling conflicts) whose
background was all on the defense side of things. A comment he made that
really touched off my initiating this discussion was that he was learning a
hell of a lot from using some of the standard pen-test tools out there
(nessus, nmap etc) in ways that were outside his normal usage. While some
tools were new, others (such as nmap) that he had experience with were
making him use it in different ways than his norm due to the nature of
pen-testing, and opening a new insight into security as a whole as a result.

While I completely agree that a complete security model should incorporate
facets of audits, policy management, forensics, etc. it never occurred to me
that the very nature of pen-testing methodologies would be such an eye
opener for a person whose background in security is rather lengthy and
accomplished. I'm thinking it would beneficial for any security group to
play with pen-testing for a spell just to see what new insights and skill
sets they can glean.

-Erin Carroll
SecurityFocus pen-test list moderator

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.13.8/184 - Release Date: 11/27/2005
 
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:12 EDT