Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Gareth Davies <gareth.davies () mynetsec com>
Date: Tue, 14 Jun 2005 15:32:50 +0800
Tarun The Nut wrote:
Yes that's correct, the 'onion' approach, any vulnerability discovered must be mitigated against, including any vector which renders the vulnerability exploitable. It's something like risk assessment and business impact analysis, 'pen-test' itself tends to just conjure images of technical testing, 'ethical hacking' or whatever you want to call it.

When I mentioned vulnerabilities that are exploitable, I meant not only being able to "exploit" the vulnerability but also map all the possible paths of attack. Also, plugging a vulnerability does not necessarily mean "patching" but taking all possible steps (patches/tools/processes blah blah) that can help mitigate a possible exploit of the vulnerability.
The VA part would identify the vulnerability, the risks associated and the impact to the business, this can then lead to how to fix the problem, mitigate the risk and if the expenditure required to do this is worth it. Sometimes not only a patch will do it, but that's all that's affordable, and will mitigate the vulnerability to an acceptable level of risk.
The question still remains: Pen Test will always depend on the skill set of the company/individual contracted to do Pen Test and results will vary from person to person (or company to company).
That's a given, for any kind of consultancy, results/methodology/expertise varies from company to company and even consultant to consultant. But they are all trying to achieve the same end result.
A parallel example is Business Continuity Planning, there are guidelines given by the BCI and the DRII, but there are no set standards for say Business Impact Analysis, so exact results and method differ from company to company as they all use proprietary methods, but the end results will generally be the same, and the objective is definitely the same.
Thanks to Pete Herzog for bringing it out. It skipped my mind to include that in my previous mails. Is it not feasible to assume that the real attacker will be able to exploit the vulnerability using any one of the numerous attack paths and go about ensuring the vulnerability is "plugged" based on the phased approach described in one of my mails earlier?
Yes this is reasonable to assume. But your method is very complete, the problem is most companies are not willing to spend enough to engage quality consultants for the time span it would take to complete the project in this manner. Things like this are usually done on a best effort basis.
My approach is generally:
1) Do a technical VA on the segments/servers outlined within the scope
1a) Do a non-technical RA of the premises (staff awareness, physical security, policy state (do they exist, are they good? are they enforced?))
2) Identify all 'critical' vulnerabilities
3) Report on these vulnerabilities with preventative measures
4) Patching and Mitigation stage where we handhold the client through fixing the machines/reconfiguring securely
5) Re-test to establish risk has been reduced to a level acceptable by the client (it can never be eradicated)
6) Suggest further measures to improve the overall architecture (addition of security devices/policies/staff education etc.)
Something along those lines anyway.

Cheers
--
Gareth Davies
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara, Mont' Kiara, 50480 Kuala Lumpur, Malaysia
Phone: +603-6203 5303
www.mynetsec.com