Full Disclosure mailing list archives

Re: Pentesting an IDP-System


From: Jay Beale <jay () bastille-linux org>
Date: Sun, 30 May 2004 07:36:07 -0400

I think of penetration testing as comprising much more than just an automated test "scan" for vulnerabilities. Automated tools generally fit into the "vulnerability assessment," or VA, category. They run a number of tests designed to generate a list of known vulnerabilities.

A full penetration test goes beyond this.

The full penetration test is basically a full compromise simulation, where one or more "ethical hackers" does everything that a real attacking organization would do, with the following limitations:

1) Time - a real attacker might pursue a target for 6 man-months, while most of us can't afford to pay for that level of effort.

2) Scope - a real attacker can target any computer/network and may use social engineering, wardialing and physical attacks. Most organizations restrict the penetration test in one or more of these areas.

The penetration test serves as a simulation to answer some question, generally similar to "what would happen if a real attacker with skill targeted this application or our organization in general?"

From a services perspective, vulnerability assessment firms generally add value to their VA scanners by prioritizing and, to the extent possible, contextualizing the vulnerabilities. Given enough information about your operation, they can guess what an attacker could do with the vulnerabilities. The penetration test goes deeper, to find out what an attacker (limited by time and scope) could do to you.

Plug: my employer, Intelguardians, provides both services.

  - Jay



evilninja wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Marcin Owsiany schrieb:
| What does "to pentest" mean? I tried 4 dictionaries, without success.
| Is it the same as "to test on paper"?

penetration testing, as in http://www.penetration-testing.com/
(just found it with google...)

- --
BOFH excuse #172:

pseudo-user on a pseudo-terminal
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAuLHEC/PVm5+NVoYRAuT+AJ9er5vZMXs1vj0y8xm7jE3qZXeiNgCcDsVX
Bt+Qn3vz/v9sAyW/c8yaBqk=
=JkGK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

