Re: Pen Test success rate

["Serg B." <sergicles () gmail com>]

How long is a piece of string?

Doing a blind test from the outside doesn't really test much. Perhaps
the skills of the tester within the allowed time limit and targets
monetary budget for security. Proper attack can take several month.
What about trojans?  Are they allowed to email those? Perhaps
mail-order some USB keys ;) into the the targets office ;) All through
the internet.

I think that this scenario is really at a mercy of factors such as:

Amount of application the target makes available for public access.
Type of applications publicly accessible.

I don't think this is something that could be easily quantified.

Just my sad AUD$0.2   :(

  Serg


On 30/08/2007, James Kelly <macubergeek () comcast net> wrote:
> Given this scenario: Red team pen test from the Internet with no
> information or cooperation from IT staff.
>
> What would be a reasonable success rate of breaking in to say at
> least DMZ machines? Of internal hosts on private network?
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------


-- 
Serg

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------