Penetration Testing mailing list archives
Re: honeypot in conjunction with pen test?
From: Alex Russell <alex () netWindows org>
Date: Tue, 18 Jun 2002 14:54:14 -0500
On Monday 17 June 2002 07:33 am, Javier Fernandez-Sanguino Pena wrote:
> A penetration test is not useful for the client if you just report a single hole and they close it.
Sure it is. Sometimes all a client needs is ammunition to take to the boss to show them that the security budget they have been clamoring for is really necessary. What is and isn't "useful" is highly subjective in this sense. Not to mention that the end utility of your service is for your client to decide.
> If you want to do a real penetration test it should be broad in scope, i.e., detect _all_ holes that could be used to gain entrance and get in.
That's not a pen-test, that's a full on audit. 2 different beasts. Yes, an audit is often significantly more useful, but it is not always appropriate.
> The fact that you exploit the holes and try to get in is the one that distinguishes it from a vuln assessment since you are:
> 1.- proving that the hole exists, so that false positives are (or should be) reduced to 0 in the reports
> 2.- proving that it can be exploited and thus determining the overall impact to security in the organization. That is, you not only say "there is a hole here and people can get in" but: "there is a hole here and, due to the current security layout, I can jump to your internal network and do so and so"
Goes to your credibility; why would you do any less?
> I like to see penetration tests as both broad (check all the systems and all the vulnerabilities) and deep (exploit all the vulnerabilities to their maximum extent and determine the real consequences, i.e. _impact_ of them in the client).
What you'd like to see and what clients are willing to pay for may be 2 different things.

--
Alex Russell
alex () SecurePipe com
alex () netWindows org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- RE: honeypot in conjunction with pen test? Aleksander P. Czarnowski (Jun 05)
- <Possible follow-ups>
- RE: honeypot in conjunction with pen test? Javier Fernandez-Sanguino Pena (Jun 06)
- Re: honeypot in conjunction with pen test? Bennett Todd (Jun 06)
- Re: honeypot in conjunction with pen test? Mike Riley (Jun 06)
- Re: honeypot in conjunction with pen test? Mark Tinberg (Jun 07)
- Re: honeypot in conjunction with pen test? Daniel Polombo (Jun 07)
- honeypot in conjunction with pen test? Javier Fernandez-Sanguino Pena (Jun 18)
- Re: honeypot in conjunction with pen test? Alex Russell (Jun 19)
- RE: honeypot in conjunction with pen test? Woody Weaver (Jun 19)