Penetration Testing mailing list archives
RE: Email Pen-testing
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 01:10:00 -0600
On Tue, 2004-03-23 at 10:01, AJ Butcher, Information Systems and Computing wrote:
> IMHO, regular vulnerability assessment is usually the most useful approach as it can identify the critical vulnerabilities that require fixing. Viewed in such a light, penetration testing is probably only useful for proving a political point (e.g. that someone is or isn't doing their job competently, or that their budget is adequate or insufficient).
Penetration tests not only test the technical defenses, but also the processes and people around it. One variation of a Penetration Test is an Incident Response Exercise to test the response capabilities of a client. You are less concerned about getting root but instead try to operate stealthily or in an otherwise defined pattern, attempting to penetrate, but allowing others to take notes of the response procedures of the client's incident response team.

Pentests do sometimes occur only to prove a point with management. But more often than not, they are a valuable educational exercise, an eye-opener. Less political, but more along the lines of "oh, we didn't think about that". Anything that broadens and increases security awareness of a client is a good thing.

Pentests are valuable, but as you correctly identified, they are useful to uncover things in depth, not in breadth. First-action pentests are almost always for political/funding or regulatory requirement purposes. They should be followed by vulnerability studies, otherwise not much will have been gained. Just like you, I prefer to do a vulnerability assessment first, raise the security posture, but then do a pentest to uncover those "things we haven't thought of" (from a client perspective) and to find weak points in your defenses, and polish up the security posture. Repeat periodically.

Pentests, vuln studies, incident response exercises, security awareness training and exercises, risk assessments, those are pretty much ongoing developments. I mean, a document classification system, or initial IR capability setup, you typically develop once, and then just tweak them over time. But assessments and exercises need to be done periodically. That's all part of the "security is a process" cycle. And the more we can educate and teach our clients along the way, the better.

(I'm gonna shut up now since I'm probably preaching to the choir...)

Regards,
Frank