Penetration Testing mailing list archives

Re: Pen Test vs. Health Check


From: "Don Parker" <dparker () rigelksecurity com>
Date: Sun, 25 Jan 2004 21:40:46 -0500 (EST)

Hi Andy, well I have a few thoughts I would like to share here actually. The two (pen 
test and holistic approach) should remain separate as indicated. To that end though the 
pen test should still be done. As we all know there are different attacks that are 
performed as a trusted member of the LAN (physical access) vice that of the pen tester 
which is normally done remotely. 

Doing both of these actually in my mind highlights the various dangers to the client. 
The holistic approach will also show that the client must attempt to safeguard the 
internal LAN from potentially disgruntled employees and the such. This is done through 
hardening the internal LAN in a variety of ways. It is also important though to show the 
normal external threats as well via a pen test. Doing the two gives a far more complete 
picture of the client's security posture. 

Hope this is what you had in mind for feedback :-) 

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 25, "Andy Cuff" <lists () securitywizardry com> wrote:

Hi Folks,
Last week Mark Teicher brought up a valid point regarding ethical
hacking not solving the underlying issue of an insecure network.
Addressing the symptom rather than the cause.

I personally don't like the term ethical hacking when referring to a Pen
Test, however, as you probably noticed, I think the term will remain where
training is concerned that introduces the student to the techniques and
methodology used by a hacker.  I do not think that an ethical hacking
course will make a security tester. OK, no more about training, honest!

A Pen Test is only as good as the testers and is only a snapshot.
However, a network that has been secured from the inside out, with a
solid secure foundation should stand the test of time, even if it is
compromised the attacker may not be able to roam freely and all their
actions should be recorded.

IMHO a more efficient and thorough method to conduct a security test is the
holistic approach, where the tester looks inside the network first from a
privileged account, identifying
problems and offering solutions, if need be, he/she can then attempt to
exploit said vulnerabilities as a demonstration to the client.  This method
greatly cuts down on the time taken to "scope the joint"
externally.

Firstly, what are the members' thoughts on the above, and what are the
downsides in what I have said.  Also, does anyone have any good
analogies to vindicate the holistic approach over the Pen Test?

-andy

Talisker Security Tools Directory
http://www.securitywizardry.com

