Firewall Wizards mailing list archives

Re: Penetration testing via shrinkware


From: "Sheila //or// Bob (depends on who's writing)" <shsrms () erols com>
Date: Thu, 03 Sep 1998 19:35:53 -0400

Stout, Bill wrote:

> What are the opinions on the thoroughness of shrinkwrap software
> penetration testing?  Is today's shrinkware more capable for penetration
> testing (a single machine) than a human?

I would like to take a step back.  Your ref to various tools seems to
ignore the basic concept: These are tools.  A good tool can help a less
skilled tool operator do more, faster, and better than that same
operator without the tool.


> I'll take one example of a tool, 
<<SNIP>> sounds like an ad for any tool company.


> Some counter-points I have are:
>   o The human needs to do data collection about the target through
> whois, nslookup, search engines, anonymous or spoofed phone calls, etc.
>   o The human element still needs to select the targets, the connection
> path (dial-up, X.25, Internet, hops via private links, etc), the social
> engineering, the password crackers, etc.
>   o The human also needs to define the D.O.S. threshold of the target,
> and limits on brute force efforts.
>   o The tests won't detect sniffers installed at the target's ISP.

OR: the tool operator should have a selection of tools to choose from,
the skill and knowledge to apply the right tool to the job, and that can
actually come with experience.

This is not like building a house.  This is not like doing body work on
a real steel car.  One tool does not preclude the use of another.


> Say someone wants to do penetration testing and security auditing for a
> company, and use various types of shrinkware to do it.  Any comments?

I recommend using various tools. Much like our language, develop an
idiom of tools that might give you indications that you might need to do
more.
There is no perfect tool.  There are no perfect systems.  Hopefully, the
tool operator will learn what tools to use!
Just my two cents.  Opinions are like armpits; most folks have at least
two.
bob

> Bill Stout

-- 
real address is shsrms at erols dot com
The Herbal Gypsy and the Tinker.
