Penetration Testing mailing list archives
RE: Info collection
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 09 Aug 2004 18:56:47 -0500
On Mon, 2004-08-09 at 13:21, Jeff Gercken wrote:
> [...] By starting on the box and working outward you can evaluate the successive layers of security providing for a systematic and comprehensive evaluation.
But isn't that considered a vulnerability assessment? A penetration test seems to be always from the outside in, with or without knowledge of the systems involved. But a host review, network review and such are part of vulnerability assessments, not penetration tests. I see this mixed up in a lot of threads and am wondering why there is still such an amount of confusion between the two. Perhaps this might be a nice topic for an aspiring author, to develop a book that contrasts these two exercises.

Anyway, on a personal note (and not picking on Jeff), I question how much information you really need to gather and present (during a vulnerability assessment, not a pentest ;)). I mean, if you run a bunch of scripts on, say, 50 DMZ servers, you end up with a mountain of data that the client gets lost in. Instead of listing the configuration specifics, I prefer to list an opinion, or an evaluated value of quality. I still list detailed recommendations (and am guilty at times of "over-recommending"), but a qualitative statement about a host is worth more than a bunch of appendices with configuration specs (imho). Especially with systems becoming more complex and having more configuration options, it should be the job of the reviewer to evaluate and summarize the state of security. I argue that a manual review with a good eye often results in more useful information than running a bunch of scripts (to gather Reg settings, file ACLs and such).

We should strive to summarize and qualify, not just collect and deliver.

Regards,
Frank
Current thread:
- Info collection Jeff Gercken (Aug 05)
- RE: Info collection Israel Torres (Aug 09)
- Re: Info collection Ali-Reza Anghaie (Aug 09)
- Re: Info collection H Carvey (Aug 09)
- RE: Info collection Michael Shirk (Aug 09)
- RE: Info collection Petr . Kazil (Aug 10)
- RE: Info collection Jeff Gercken (Aug 09)
- RE: Info collection Frank Knobbe (Aug 10)
- Re: Info collection Martin Mačok (Aug 11)
- RE: Info collection Frank Knobbe (Aug 10)
- Re: Info collection H Carvey (Aug 10)
- RE: Info collection Jack Cullen (Aug 11)
- Re: Info collection H Carvey (Aug 12)