RE: honeypot in conjunction with pen test?

["Woody Weaver" <woody.weaver () callisma com>]

On Monday, June 17, 2002 8:33 AM, Javier Fernandez-Sanguino Pena wrote:

(DP = David Polombo, MT = Mark Tinberg)

DP>  I tend to separate this into three different categories :

JF>     I have a different view myself (see below)

DP>  - the pen-test is all about getting in, as Mark said. Indeed, its very
DP>  name implies that the main purpose is to find _a_ hole, and not _all_
DP>  holes, the point (or one of the points, depending on the particulars)
(...)

JF>     A penetration test is not useful for the client if you just report
JF>a single hole and they close it. If you want to do a real penetration
test
JF>it should be broad in scope, i.e., detect _all_ holes that could be used
JF>to gain entrance and get in.
(...)

I think it is unfortunate that people don't use the language in RFC2828:

   $ penetration test
      (I) A system test, often part of system certification, in which
      evaluators attempt to circumvent the security features of the
      system. [NCS04]

      (C) Penetration testing may be performed under various constraints
      and conditions. However, for a TCSEC evaluation, testers are
      assumed to have all system design and implementation
      documentation, including source code, manuals, and circuit
      diagrams, and to work under no greater constraints than those
      applied to ordinary users.

Under that definition, which is I think consistent with David Polombo (and
Mark Tinberg), a penetration test is an attempt to violate the security
features of a system. It suceeds if the security policy can be violated;
what it tells the client is that their enforcement mechanisms are not
sufficient (given the resources of the pen test team).

A pen test is of little use to a client, unless they are looking for system
certification. It is not about finding a hole (or multiple holes) -- it
means that you aren't done preparing the system.  Marketing often tries to
sell vulnerability assessments (perhaps with some pen test flavors) because
"pen test" is sexy, and people are ignorant.

A vulnerability assessment has no sharp definition (there are some things in
the common criteria). However, I would think it is a comparison against an
existing security policy (aka a security audit) or comparison against "best
practices"; and it would provide a list of non-compliant elements or a list
of known vulnerabities, together with remediation steps.

--woody

--
Field Practice Lead, Security     pager: 8779583393 () skytel net
Callisma                          email: woody.weaver () callisma com
1320 Old Chain Bridge Road         cell: 301 524 8138
McLean, VA 22101                 office: 301 473 7320


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/