Penetration Testing mailing list archives
Re: Pen Test vs. Health Check
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Thu, 29 Jan 2004 16:44:09 -0300
Rob Shein wrote:
A Pen Test is only as good as the testers and is only a snapshot. However, a network that has been secured from the inside out, with a solid secure foundation should stand the test of time, even if it is compromised the attacker may not be able to roam freely and all their actions should be recorded.There's another factor, which is the way that a pen-tester becomes engaged by a weak point. In an assessment, a vulnerability is noted, and the tester moves on, but in a pen-test, they engage that vulnerability, and follow it like the beginning of a path into the network. Later, they can go back to the starting point and find another path, but it's still like trying to map the paths through the woods on foot; it's possible to miss one. On the other hand, an assessment is more like mapping them from a low-flying aircraft.
Right, or in other words, A penetration test gives you depth, you understand how a small set ofvulnerabilities can be linked together into an attack and the implications of that particular attack to your organization, but you dont learn about
ALL possible paths of attack.A vulnerability assement gives you breath, you map and identify ALL (hopefully) vulnerabilities in your network but you do not undersand how they relate to each other and how an attack could link a given subset of
them together in order to achieve a specific goal. Iterating both processes can give you more breath in the first case and more depth in the second. Doing a penetration test constantly is quite expensive today hence the perceived shortcoming of just identifing one or a few attack paths. Doing constant vuln. scanning is, perhaps, not as expensive if you do so from a single or a few attack points in your network topology but will quickly become cumbersome and expensive if you want to achieve the level of depth a pen-test provides. And there is still a need to correlate results and construct possible attack scenerarios out of them. The overall cost of this also increases if you consider (as it should be) a vulnerability assesment something much more comprehensive than just vulnerability scanning. I suspect that the right balance for each organization is unique to its specific needs, skillsets, budget, business practices and core business. -ivan --- To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson Ulysses,1842 Ivan Arce CTO CORE SECURITY TECHNOLOGIES 46 Farnsworth Street Boston, MA 02210 Ph: 617-399-6980 Fax: 617-399-6987 ivan.arce () coresecurity com www.coresecurity.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Pen Test vs. Health Check Andy Cuff (Jan 25)
- Re: Pen Test vs. Health Check Nexus (Jan 25)
- RE: Pen Test vs. Health Check Robert E. Lee (Jan 26)
- Re: Pen Test vs. Health Check Ivan Arce (Jan 29)
- RE: Pen Test vs. Health Check Rob Shein (Jan 26)
- Re: Pen Test vs. Health Check danielrm26 (Jan 27)
- Re: Pen Test vs. Health Check Clint Bodungen (Jan 27)
- Re: Pen Test vs. Health Check danielrm26 (Jan 28)
- Re: Pen Test vs. Health Check Clint Bodungen (Jan 28)
- Re: Pen Test vs. Health Check danielrm26 (Jan 27)
- Re: Pen Test vs. Health Check Ivan Arce (Jan 29)
- <Possible follow-ups>
- Re: Pen Test vs. Health Check Don Parker (Jan 26)
- RE: Pen Test vs. Health Check Yvan Boily (Jan 26)
- RE: Pen Test vs. Health Check Thompson, Jimi (Jan 26)