Re: Pen Test vs. Health Check

["Nexus" <nexus () patrol i-way co uk>]

----- Original Message -----
From: "Andy Cuff" <lists () securitywizardry com>
To: <pen-test () securityfocus com>
Sent: Sunday, January 25, 2004 3:38 PM
Subject: Pen Test vs. Health Check

[snip]

> IMHO a more efficient and thorough method to conduct a security test is
the
> holistic approach, where the tester looks inside the network first from a
> privileged account, identifying
> problems and offering solutions, if need be, he/she can then attempt to
> exploit said vulnerabilities as a demonstration to the client.  This
method
> greatly cuts down on the time taken to "scope the joint"
> externally.

True, but the actual test requirement can vary greatly - from the clients
perspective it could be a 'tick in the box' type requirement, specific
threat models (rogue intenal user, internet attacker etc), analysis of a 3rd
party provider / application or a general 'where are the gotcha's ?' test.
An intensive internal audit with priveledges would be time intensive (at
consultancy day rates) and require some fairly major effort to coordinate
everything within the client's organisation.
Internal politics and domains of responsibility will be the main issues
there.

Cheers.


---------------------------------------------------------------------------
----------------------------------------------------------------------------