Penetration Testing mailing list archives
RE: honeypot in conjunction with pen test?
From: "Woody Weaver" <woody.weaver () callisma com>
Date: Tue, 18 Jun 2002 16:59:01 -0400
On Monday, June 17, 2002 8:33 AM, Javier Fernandez-Sanguino Pena wrote:
(DP = David Polombo, MT = Mark Tinberg)

DP> I tend to separate this into three different categories :

JF> I have a different view myself (see below)

DP> - the pen-test is all about getting in, as Mark said. Indeed, its very
DP> name implies that the main purpose is to find _a_ hole, and not _all_
DP> holes, the point (or one of the points, depending on the particulars)
(...)

JF> A penetration test is not useful for the client if you just report
JF> a single hole and they close it. If you want to do a real penetration test
JF> it should be broad in scope, i.e., detect _all_ holes that could be used
JF> to gain entrance and get in.
(...)

I think it is unfortunate that people don't use the language in RFC2828:

   $ penetration test
      (I) A system test, often part of system certification, in which
      evaluators attempt to circumvent the security features of the
      system. [NCS04]

      (C) Penetration testing may be performed under various constraints
      and conditions. However, for a TCSEC evaluation, testers are
      assumed to have all system design and implementation
      documentation, including source code, manuals, and circuit
      diagrams, and to work under no greater constraints than those
      applied to ordinary users.

Under that definition, which is I think consistent with David Polombo (and
Mark Tinberg), a penetration test is an attempt to violate the security
features of a system. It succeeds if the security policy can be violated;
what it tells the client is that their enforcement mechanisms are not
sufficient (given the resources of the pen test team).

A pen test is of little use to a client, unless they are looking for system
certification. It is not about finding a hole (or multiple holes) -- it
means that you aren't done preparing the system. Marketing often tries to
sell vulnerability assessments (perhaps with some pen test flavors) because
"pen test" is sexy, and people are ignorant.

A vulnerability assessment has no sharp definition (there are some things in
the common criteria). However, I would think it is a comparison against an
existing security policy (aka a security audit) or comparison against "best
practices"; and it would provide a list of non-compliant elements or a list
of known vulnerabilities, together with remediation steps.

--woody
--
Field Practice Lead, Security     pager: 8779583393 () skytel net
Callisma                          email: woody.weaver () callisma com
1320 Old Chain Bridge Road        cell: 301 524 8138
McLean, VA 22101                  office: 301 473 7320

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Current thread:
- RE: honeypot in conjunction with pen test? Aleksander P. Czarnowski (Jun 05)
- <Possible follow-ups>
- RE: honeypot in conjunction with pen test? Javier Fernandez-Sanguino Pena (Jun 06)
- Re: honeypot in conjunction with pen test? Bennett Todd (Jun 06)
- Re: honeypot in conjunction with pen test? Mike Riley (Jun 06)
- Re: honeypot in conjunction with pen test? Mark Tinberg (Jun 07)
- Re: honeypot in conjunction with pen test? Daniel Polombo (Jun 07)
- honeypot in conjunction with pen test? Javier Fernandez-Sanguino Pena (Jun 18)
- Re: honeypot in conjunction with pen test? Alex Russell (Jun 19)
- RE: honeypot in conjunction with pen test? Woody Weaver (Jun 19)