Security Basics mailing list archives
Re: External Pen Test / Manual Exploitation
From: port530 <port530 () yahoo com>
Date: Tue, 23 Sep 2003 07:24:57 -0700 (PDT)
Pen-testing is definitely a way to reduce the number of false positives, however there are other ways as well. If you are uncomfortable with this approach, have the group performing the vulnerability assessment do additional follow-up work to verify tool results. Most tools provide some form of remediation recommendations such as apply this patch or remove that service. Have the auditor talk to the system admins and verify the patch was applied, or the service is not running, or the system is configured in such a way that it is not vulnerable. Also, make sure that the auditor doesn't just take the admin's word for what the system looks like (what's on the system). Admins are usually overworked and may not know exactly what is on each box; even though box A is not running FrontPage, during the last software upgrade some FrontPage extensions were inadvertently copied to the production box, etc.

This will take more time so it will probably cost you more, but you will get the same, if not better, end result without the added risk of bringing a system down. If price is an issue, then have the auditor report everything the vulnerability tools indicated. Then have your IT staff follow up and verify system configuration, but again, is your IT staff already over-worked?
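The follow-up verification the post describes (check each scanner finding against what is actually installed, listening and patched on the box, and do not rely on the admin's inventory alone) can be written down as a small triage routine. The following is an added illustration, not code from the original message or from any scanner: the finding format, the host inventory, the version numbers and the host name are all constructed placeholders.

```python
"""Reconcile vulnerability-scanner findings against observed host state.

Added example; all data here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One line of a scanner report (constructed field names)."""
    host: str
    check: str                      # scanner check name
    service: str                    # package/service the check concerns
    port: Optional[int] = None      # port the scanner probed, if any
    fixed_in: Optional[str] = None  # first version without the issue, if known


@dataclass
class HostState:
    """What the auditor learned about one box."""
    claimed: Dict[str, str]   # admin's inventory: name -> version
    observed: Dict[str, str]  # inventory gathered on the box itself
    listening: Set[int]       # TCP ports actually accepting connections


def _ver(v: str) -> Tuple[int, ...]:
    """Dotted version string -> comparable tuple, e.g. '5.0.3' -> (5, 0, 3)."""
    return tuple(int(p) for p in v.split("."))


def verify(f: Finding, s: HostState) -> Tuple[str, str]:
    """Classify a finding as 'confirmed', 'false_positive' or 'needs_review'.

    Returns (verdict, reason) so the auditor can put the reason in the report.
    """
    # A flagged port that is not open on the box: the tool is mistaken.
    if f.port is not None and f.port not in s.listening:
        return "false_positive", f"port {f.port} is not listening"

    installed = s.observed.get(f.service)
    if installed is None:
        # Neither the admin nor the auditor found it; someone has to look.
        return "needs_review", f"{f.service} not found in inventory"

    # The FrontPage case from the post: software present on the box that the
    # admin did not know about. Still a real finding, and worth calling out.
    note = "" if f.service in s.claimed else " (not in admin's inventory)"

    if f.fixed_in is None:
        return "confirmed", f"{f.service} {installed} present{note}"
    if _ver(installed) >= _ver(f.fixed_in):
        return "false_positive", f"{f.service} {installed} at or past {f.fixed_in}{note}"
    return "confirmed", f"{f.service} {installed} below {f.fixed_in}{note}"


def triage(findings: List[Finding], hosts: Dict[str, HostState]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run verify() over a whole report; keyed by (host, check)."""
    return {(f.host, f.check): verify(f, hosts[f.host]) for f in findings}


# Constructed sample: one web server and a four-line scanner report.
HOSTS = {
    "web-a": HostState(
        claimed={"webserver": "5.0.3", "sshd": "3.7.1"},
        observed={"webserver": "5.0.3", "sshd": "3.7.1", "frontpage-ext": "4.0.2"},
        listening={22, 80, 443},
    ),
}
FINDINGS = [
    Finding("web-a", "ssh-old-version", "sshd", port=22, fixed_in="3.7.1"),
    Finding("web-a", "ftp-anon-login", "ftpd", port=21),
    Finding("web-a", "frontpage-ext-present", "frontpage-ext", port=80),
    Finding("web-a", "webserver-unpatched", "webserver", port=80, fixed_in="5.0.4"),
]

if __name__ == "__main__":
    for (host, check), (verdict, reason) in triage(FINDINGS, HOSTS).items():
        print(f"{host:8} {check:24} {verdict:15} {reason}")
```

On the sample data the SSH finding and the FTP finding come back as false positives (the patch is already at the fixed version; port 21 is not open), the web server finding is confirmed, and the FrontPage extensions are confirmed with a note that they were not in the admin's inventory, which is exactly the case the post warns about.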
Current thread:
- External Pen Test / Manual Exploitation Jason Burzenski (Sep 22)
- Re: External Pen Test / Manual Exploitation Ian Kelly (Sep 22)
- Re: External Pen Test / Manual Exploitation James Fields (Sep 22)
- Re: External Pen Test / Manual Exploitation port530 (Sep 23)
- <Possible follow-ups>
- Re: External Pen Test / Manual Exploitation Muhammad Faisal Rauf Danka (Sep 23)