Penetration Testing mailing list archives
Re: Pen Testing
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Tue, 21 Oct 2008 08:48:22 -0400
Hi Patrick,

Let me make a few suggestions on list regarding penetration testing and the businesses that offer those services. The first suggestion is that you understand what the terminology means, because a lot of the providers don't.

A Vulnerability Assessment is a service that is designed to identify security flaws in technologies in a non-intrusive manner. Vulnerability Assessments do not make any attempt to compromise targets and as a result can contain false positives and false negatives. A good vulnerability assessment will not be driven by automated scanners, but will be driven by human expertise. Automated scanners are not accurate, period.

Penetration Tests contain many of the same tests as vulnerability assessments; the difference is that penetration tests actually attempt to compromise the target by exploiting an identified vulnerability. Penetration Tests and Vulnerability Assessments are not interchangeable terms! Any vendor that swaps these terms is using them incorrectly. If you catch one that does, find a different/better vendor.

There are different degrees of Penetration Tests and Vulnerability Assessments. The degrees vary based on intensity and methodology. The general purpose of these services is to protect you (the customer) from real-world internet-based threats (malicious hackers). As such, the services should at the very least reproduce the same or similar level of threat as your business will likely face in the real world. Testing at a lesser level will do little to protect you against the threat. It is not always easy to test at that threat level, especially if the threat includes physical capabilities, but in my opinion it is a good practice.

If someone is asking you for your passwords during a penetration test, then find a different vendor because they already have their terminology confused. The purpose of a penetration test (see above) is different from the purpose of a security review/audit/etc. If someone is going to be delivering a different service than a penetration test, then they might need passwords and access to systems, but if they call *that* a penetration test, then tuck and run because you're not getting one.

When you are looking for someone to deliver Penetration Testing, Vulnerability Assessments or other similar professional services, use someone that specializes in those services only. Do not use IT shops that offer security services, because you will not get quality services in most cases. Remember, you want to test your network using the same level of testing as you might face from the threat in the real world.

Red flags are poor use of terminology, weak or "proprietary" methodologies, companies that do not perform and deliver vulnerability research and development (proof of talent), companies that offer prices that are too low, companies that rely on automated scanners and technologies for service delivery, companies that claim that the "low and slow" approach is "stealth", etc. Well, those are red flags if you're not looking for a quick scan to get a check in the box. If that is what you are looking for, then you can use just about any provider. The question is, are you trying to defend against malicious hackers or the auditors?

On Oct 20, 2008, at 11:33 AM, Patrick Fitzgerald wrote:
Does anyone know of a pen testing company named Sklar Technology Partners, whether it be positive or negative? What should we be looking for in a security company? Is it common that a security company would need rights such as domain admin rights to perform an audit on the network? Any resources that you could suggest would be helpful. Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Adriel T. Desautels
ad_lists () netragard com