Security Basics mailing list archives
Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books
From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 30 Dec 2008 21:58:24 -0500
gmail wrote:
> Just got done reading Nessus Network Auditing Second Edition. Very good book on how to use Nessus for vulnerability testing. Does not go deep into the methodology, but does cover Nessus very well. If you plan on working with Nessus, a good read.

A vulnerability scan is NOT a penetration test!

The problem is that too many people in the industry that claim to be penetration testers are nothing more than vulnerability scanners. They run Nessus, Retina, etc. against a network from inside the network, print out a few dozen cases of paper that are the results, and dump the "Pen Test Report" on the client's doorstep along with their invoice.

I don't care what all the wackos and rip-off artists in our industry that call them pen testers claim, a vulnerability scan is NOT a penetration test! Period. End of discussion.

That said, I do not consider Nessus to be a penetration testing tool. Nessus is a great tool. It has its proper place in the organization: Vulnerability Assessment. Use the tool for what it is designed for!

When a new client first contacts me regarding 'pen test work', the first thing I tell them is "Let's talk, because you probably are not ready for a pen test... So, why waste money on a test, just to fail it?" I usually find that after some basic Q&A that they are not even remotely prepared for a pen test. The number one clue usually being that they have never had a vulnerability assessment. Clearly, you want to fix your known and obvious vulnerabilities before you pay someone to break the obvious! Nessus has its place. This is it.

From the technical standpoint, why is Nessus (or any other vulnerability assessment tool for that matter) a lousy pen test tool? A couple of really BIG factors immediately come to mind:

1) When you do a pen test, you want to be sneaky, and you definitely don't want to leave any tracks. Running a vuln assmnt tool should set off all types of alarms that indicate a system is under attack. This is NOT stealth!

2) Most pen tests occur from outside the protected network. Hopefully, even the most lamely deployed firewall will filter the majority of the ports that a vuln assmnt tool would hit on (and hopefully set off all types of alarm bells!), so your tool would not give an accurate portrayal of whether there were actual exploitable vulnerabilities on the network, because the required ports were filtered.

Finally, I do concur that the Nessus 2nd Ed. book is a great read -- but NOT as a pen testing book.

Jon K.

--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253