Security Basics mailing list archives
Re: Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books
From: Adriel Desautels <adriel () netragard com>
Date: Wed, 31 Dec 2008 12:33:09 -0500
Guys,Not sure if anyone is interested but we have a white paper that defines the differences between services very clearly. Its specifically designed to help prospective customers choose the right service for the right reasons. You do need to register to download the paper, but its a good read. The paper contains no marketing junk, just fact.
http://www.netragard.com/landing-page/index.php If you do take a read I'd love to get your input! On Dec 30, 2008, at 9:58 PM, Jon Kibler wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 gmail wrote:Just got done reading Nessus Network Auditing Second Edition. Very goodbook on how to use Nessus for vulnerability testing. Does not go deep into the methodology, but does cover Nessus very well. If you plan on working with Nessus, a good read.A vulnerability scan is NOT a penetration test! The problem is that too many people in the industry that claim to be penetration testers are nothing more than vulnerability scanners. They run, Nessus, Retina, etc. against a network from inside the network,print out a few dozen cases of paper that are the results, and dump the"Pen Test Report" on the client's door step along with their invoice. I don't care what all the wackos and rip-off artists in our industry that call them pen testers claim, a vulnerability scan is NOT a penetration test! Period. End of discussion. That said, I do not consider Nessus to be a penetration testing tool. Nessus is a great tool. It has its proper place in the organization: Vulnerability Assessment. Use the tool for what it is designed for!When a new client first contacts me regarding 'pen test work', the first thing I tell them is "Let's talk, because you probably are not ready for a pen test... So, why waste money on a test, just to fail it?" I usually find that after some basic Q&A that they are not even remotely preparedfor a pen test. The number one clue usually being that they have neverhad a vulnerability assessment. Clearly, you want to fix your known andobvious vulnerabilities before you pay someone to break the obvious! Nessus has its place. This is it.- From the technical standpoint, why is Nessus (or any other vulnerabilityassessment tool for that matter) a lousy pen test tool? A couple of really BIG factors immediately come to mind: 1) When you do a pen test, you want to be sneaky, and you definitely don't want to leave any tracks. Running a vuln assmnt tool should setoff all types of alarms that indicate a system is under attack. This isNOT stealth!2) Most pen tests occur from outside the protected network. Hopefully,even the most lamely deployed firewall will filter the majority of the ports that a vuln assmnt tool would hit on (and hopefully set off all types of alarm bells!), so your tool would not give an accurate portrayal of whether there were actual exploitable vulnerabilities on the network, because the required ports were filtered.Finally, I do concur that the Nessus 2nd Ed. book is a great read -- butNOT as a pen testing book. Jon K. - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-224-2494 s: 843-564-4224 http://www.linkedin.com/in/jonrkibler My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkla39AACgkQUVxQRc85QlMVbQCdFb1OVa4vJQOIVgImWVRTVrrS tNkAnjxJeSe/R1QVFdrijGjWkx/c3S2A =x2ON -----END PGP SIGNATURE----- ================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
-- Regards, Adriel T. Desautels Chief Technology Officer Netragard, LLC. Office : 617-934-0269 Mobile : 617-633-3821 http://www.linkedin.com/pub/1/118/a45 Join the Netragard, LLC. Linked In Group: http://www.linkedin.com/e/gis/48683/0B98E1705142 Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------ Netragard, LLC - "The Specialist in Anti-Hacking"
Current thread:
- Re: Penetration testing books, (continued)
- Re: Penetration testing books Robert Larsen (Dec 23)
- Re: Penetration testing books Jon Kibler (Dec 26)
- Re: Penetration testing books p3dRø (Dec 23)
- RE: Penetration testing books Craig Wright (Dec 30)
- Re: Penetration testing books Taras P. Ivashchenko (Dec 23)
- Re: Penetration testing books Jon Kibler (Dec 24)
- Re: Penetration testing books Vedantam sekhar (Dec 30)
- Re: Penetration testing books gmail (Dec 30)
- Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books Jon Kibler (Dec 31)
- Re: Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books gmail (Dec 31)
- Re: Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books Adriel Desautels (Dec 31)
- Re: Penetration testing books gmail (Dec 30)
- Re: Penetration testing books paavan . shah (Dec 23)
- Re: Penetration testing books krymson (Dec 23)
- Re: Penetration testing books aloha (Dec 23)