Re: Info collection

[Martin Mačok <martin.macok () underground cz>]

On Mon, Aug 09, 2004 at 06:56:47PM -0500, Frank Knobbe wrote:

> But isn't that considered a vulnerability assessment? A penetration
> test seems to be always from the outside in, with or without
> knowledge of systems involved. But a host review, network review and
> such are part of vulnerability assessments, not penetration tests.
>
> I see this mixed up in a lot of threads and am wondering why there
> is still such an amount of confusion between the two.

Because (at least in our local environment) the customers (be it
managers or IT security staff) are used to pay for "Penetration Tests"
(as a general common name product) and they expect that the final report is
comprehensive (every IP & every port & known/common vulnerability is
covered, like in VA).

They are also expecting that the consultants attemtp to exploit some
vulnerabilities, escalate priviledges through more layers of security,
brute-force user/passwords, exploit SQL injections etc. and see how
deep they can break and how much info they can gather (like in
a pen-test) because they need to get some "real" (demonstrable)
results and use them to speed up fixing the issues, upgrading, give
reasons for bigger budget for security and to get their
vendors/providers under pressure.

Shortly, customers pay for "Penetration Tests" (with or without prior
knowledge) but actually want VA with pen-test included.

Martin Mačok
IT Security Consultant