Penetration Testing mailing list archives
Re: Info collection
From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 11 Aug 2004 11:25:48 +0200
On Mon, Aug 09, 2004 at 06:56:47PM -0500, Frank Knobbe wrote:
> But isn't that considered a vulnerability assessment? A penetration test seems to be always from the outside in, with or without knowledge of systems involved. But a host review, network review and such are part of vulnerability assessments, not penetration tests. I see this mixed up in a lot of threads and am wondering why there is still such an amount of confusion between the two.
Because (at least in our local environment) the customers (be it managers or IT security staff) are used to paying for "Penetration Tests" (as a general common name product) and they expect that the final report is comprehensive (every IP & every port & known/common vulnerability is covered, like in VA). They are also expecting that the consultants attempt to exploit some vulnerabilities, escalate privileges through more layers of security, brute-force user/passwords, exploit SQL injections etc. and see how deep they can break and how much info they can gather (like in a pen-test) because they need to get some "real" (demonstrable) results and use them to speed up fixing the issues, upgrading, give reasons for bigger budget for security and to get their vendors/providers under pressure. Shortly, customers pay for "Penetration Tests" (with or without prior knowledge) but actually want VA with pen-test included.

Martin Mačok
IT Security Consultant