Penetration Testing mailing list archives

Re: honeypot in conjunction with pen test?


From: Alex Russell <alex () netWindows org>
Date: Tue, 18 Jun 2002 14:54:14 -0500

On Monday 17 June 2002 07:33 am, Javier Fernandez-Sanguino Pena wrote:
> A penetration test is not useful for the client if you just report
> a single hole and they close it.

Sure it is. Sometimes all a client needs is ammunition to take to the boss 
to show them that the security budget they have been clamoring for is 
really necessary. What is and isn't "useful" is highly subjective in this 
sense. Not to mention that the end utility of your service is for your 
client to decide.

> If you want to do a real penetration
> test it should be broad in scope, i.e., detect _all_ holes that could be
> used to gain entrance and get in.

That's not a pen-test, that's a full on audit. 2 different beasts. Yes, an 
audit is often significantly more useful, but it is not always appropriate.

> The fact that you exploit the holes and try to get in is the one
> that distinguishes it from a vuln assessment since you are:
>
> 1.- proving that the hole exists, so that false positives are (or should
> be) reduced to 0 in the reports
>
> 2.- prove that it can be exploited and thus determine the overall
> impact to security in the organization. That is you not only say "there is
> a hole here and people can get in" but: "there is a hole here and, due to
> the current security layout I can jump to your internal network and do so
> and so"

goes to your credibility, why would you do any less?

> I like to see penetration tests as both broad (check all the systems
> and all the vulnerabilities) and deep (exploit all the vulnerabilities to
> their maximum extent and determine the real consequences, i.e. _impact_
> of them in the client).

what you'd like to see and what clients are willing to pay for may be 2 
different things.

-- 
Alex Russell
alex () SecurePipe com
alex () netWindows org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/