Penetration Testing mailing list archives

Re: Security Audit


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 13 Sep 2001 02:11:03 -0400 (EDT)


Of course, and Paul's later statements on the issues (he was the
individual that Ben was quoting) go further.  Paul's assessment is:

                        [SNIP]
        ben nagy:
need to be perfect - one just needs to know quite accurately how imperfect
they are.

Paul D. Robertson:
I'm not sure you can know that accurately when blind.  That's actually
probably my biggest problem with blind tests- the tester doesn't get to
see the configuration file that could contain the backdoor from hell.
I'll give you an example.  Let's say that a company's administrator is
attending a local university, and to make life easier, allows access to
the administrative ports of his infrastructure (routers, switches and
firewalls) from the university's lab so that when his pager goes off, he
can fix things without missing too much class time.  A blind test won't
find that.  A configuration check can.


The full discussion is quite well done, and a danged good read.  I
recommend others here look at the firewalls list archives of the past few
days.

Thanks,

Ron DuFresne


On Wed, 12 Sep 2001, H C wrote:

For the most part, I agree with Ben's comments.  For
completeness, a system can be as secure as possible if
a vulnerability assessment of that system is
conducted, and that information is then used to launch
a "full disclosure pen-test" or perhaps more
appropriately, a "verification analysis".

However, like anything else, this is only a snapshot
of the system in time.  We then get into the change
control/management process, and where verification
testing fits in such a process.

But any "analysis" process should include external
verification - ie that the box is doing what you told it to do, right?

This is quite distinct from the traditional pen-test
in that it isn't blind.

I think that to create the most secure system
possible, blind pen-testing is a waste of time - 




-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
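Paul's scenario above (management ports of routers, switches and firewalls
permitted from one university lab address) is exactly the kind of rule a
configuration check catches and a blind scan does not.  The following is an
added example written for this archive page, not code from the thread or
from any of the posters.  It assumes Cisco IOS-style extended access-list
syntax, a trusted admin network of 10.0.0.0/24, and a sample configuration
that is constructed for the example; it reports every permit to a
management port whose source is not wholly inside the trusted range, and
then shows what a blind probe from an arbitrary Internet address would see
on the same device.

```python
"""Configuration review vs. blind probe for management-port access.

Added example, not code from the mailing list.  Assumptions: Cisco IOS-style
extended ACL syntax, a trusted admin network of 10.0.0.0/24, and the
constructed SAMPLE_CONFIG below (not a real device configuration)."""
import ipaddress
from typing import Dict, List, Optional

# Ports that mean device management rather than a served application (assumed list).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 830: "netconf"}
PORT_NAMES = {"ssh": 22, "telnet": 23, "snmp": 161, "www": 80, "https": 443}
# The only network administrators are supposed to manage devices from (assumption).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS wildcard (inverted) mask such as 0.0.0.255 to a prefix length."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    # A legal netmask is a run of ones followed by zeros; reject anything else.
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    prefix = wildcard_to_prefix(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acl_line(line: str) -> Optional[Dict]:
    """Parse one extended ACL entry; returns None for comments, remarks and standard ACLs."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        return None
    if tokens[2] not in ("permit", "deny") or tokens[3] not in ("tcp", "udp", "ip"):
        return None
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    port = None
    if i + 1 < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        port = int(tok) if tok.isdigit() else PORT_NAMES.get(tok)
    return {"acl": tokens[1], "action": tokens[2], "proto": tokens[3],
            "src": src, "dst": dst, "port": port, "text": line.strip()}


def audit_management_access(config_lines, trusted_nets=TRUSTED_ADMIN_NETS) -> List[Dict]:
    """Configuration review: any permit to a management port whose source is not
    wholly inside a trusted admin network is a finding, whoever could reach it."""
    findings = []
    for line in config_lines:
        rule = parse_acl_line(line)
        if rule is None or rule["action"] != "permit" or rule["port"] not in MANAGEMENT_PORTS:
            continue
        if any(rule["src"].subnet_of(net) for net in trusted_nets):
            continue
        findings.append({"acl": rule["acl"], "source": str(rule["src"]),
                         "port": rule["port"], "service": MANAGEMENT_PORTS[rule["port"]],
                         "rule": rule["text"]})
    return findings


def simulate_probe(config_lines, src_ip: str, port: int) -> str:
    """What a blind tester at src_ip sees for a TCP probe to `port`: first matching
    rule wins, and an ACL with no matching entry denies implicitly."""
    ip = ipaddress.ip_address(src_ip)
    for line in config_lines:
        rule = parse_acl_line(line)
        if rule is None or rule["proto"] not in ("tcp", "ip") or ip not in rule["src"]:
            continue
        if rule["port"] is None or rule["port"] == port:
            return rule["action"]
    return "deny"


# Constructed sample for this example; the campus host and ranges are documentation addresses.
SAMPLE_CONFIG = """
! constructed sample for this example, not a real device configuration
access-list 101 remark inbound to the management VLAN
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit tcp host 198.51.100.45 any eq 22
access-list 101 permit tcp 203.0.113.0 0.0.0.255 any eq telnet
access-list 101 permit tcp any any eq www
access-list 101 deny ip any any
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit_management_access(SAMPLE_CONFIG):
        print(f"FINDING acl {f['acl']}: {f['service']}/{f['port']} open to {f['source']}  <- {f['rule']}")
    # The same device probed blind from an arbitrary Internet address shows nothing open.
    print("blind probe from 192.0.2.10 ->", simulate_probe(SAMPLE_CONFIG, "192.0.2.10", 22))
    print("probe from the allowed campus host ->", simulate_probe(SAMPLE_CONFIG, "198.51.100.45", 22))
```

The config review reports the single campus host and the /24 with telnet
open, while the simulated blind probe from 192.0.2.10 falls through to the
final deny and reports nothing, which is the asymmetry the thread is
arguing about.  A real review would also parse `line vty` access-classes,
SNMP community ACLs and interface bindings; this only covers numbered
extended ACLs.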



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

