Penetration Testing mailing list archives

Pen test vs Vulnerability Assessment (was Re: win2k pentest - what can i do?)


From: Alex Butcher <alex () s3 integralis co uk>
Date: Wed, 11 Jul 2001 09:49:42 +0100

Ryan Permeh wrote:
> as a side, it occurs to me to ask the following of this group:
>
> what level of penetration do you perform in an average test?  do you
> penetrate completely?  use this to leverage access across a network?

Depends on the level of service commissioned. Our entry-level service
(Level 1 Interrogate) is purely a vulnerability scan; we enumerate
/possible/ vulnerabilities (taking great care to try to avoid both false
positives and negatives) and report on them and how they may be used to
gain further access. Our premium service (Infiltrate) is (virtually) "no
holds barred" penetration testing. We allow both classes of customers to
rule some actions out of bounds, such as DoS (even though it may be
necessary for spoofing attacks used in Infiltrate).

Essentially, we consider Interrogate to be a "breadth-first" search for
vulnerabilities, whilst Infiltrate is a "depth-first" search and we'll
try to get as deep as we can.

> what "trophy" do you use to prove access?

The minimum necessary. If \BOOT.INI proves our point, that'll do. No
need to drag (potentially) sensitive material unencrypted across the
Internet...

> How do you spell out your level of penetration to your customers?

We charge more for Infiltrate. :)

> do they understand the difference between "vulnerability assessment"
> and penetration analysis?

Hopefully. :)

> just curious how everyone else chooses to do this....
> Signed,
> Ryan Permeh
> eEye Digital Security Team

Best Regards,
Alex.
-- 
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3       B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@ 885BA6CE
