Penetration Testing mailing list archives
Re: Pen Test vs. Health Check
From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 00:29:14 -0000
----- Original Message -----
From: "Andy Cuff" <lists () securitywizardry com>
To: <pen-test () securityfocus com>
Sent: Sunday, January 25, 2004 3:38 PM
Subject: Pen Test vs. Health Check

[snip]

> IMHO a more efficient and thorough method to conduct a security test is the
> holistic approach, where the tester looks inside the network first from a
> privileged account, identifying problems and offering solutions; if need be,
> he/she can then attempt to exploit said vulnerabilities as a demonstration
> to the client. This method greatly cuts down on the time taken to "scope
> the joint" externally.

True, but the actual test requirement can vary greatly - from the client's perspective it could be a 'tick in the box' type requirement, specific threat models (rogue internal user, internet attacker etc), analysis of a 3rd party provider / application or a general 'where are the gotchas?' test.

An intensive internal audit with privileges would be time intensive (at consultancy day rates) and require some fairly major effort to coordinate everything within the client's organisation. Internal politics and domains of responsibility will be the main issues there.

Cheers.