Penetration Testing mailing list archives
RE: Pen Test vs. Health Check
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Mon, 26 Jan 2004 15:46:54 -0600
<SNIP>
Doing both of these actually, in my mind, highlights the various dangers to the client. The holistic approach will also show that the client must attempt to safeguard the internal LAN from potentially disgruntled employees and such. This is done through hardening the internal LAN in a variety of ways. It is also important, though, to show the normal external threats as well via a pen test. Doing the two gives a far more complete picture of the client's security posture.
</SNIP>

Imagine for a moment that you've built a fabulous car. You've just built it, and it sits in your garage idling. If you never drive it, there's a lot about your car you'll never know. You'll never know what the top speed is. You'll never know what it takes to red-line the engine. You'll never know if you need to adjust the suspension to get it to corner better. You'll never know if you need different rear-end gears to get it to accelerate faster. You'll never know what the gas mileage is like. All you know is that it looks good, the engine sounds good, and you worked really hard to build it.

Never doing a pen test on your network is like never driving the car. You'll never know for sure how much hammering it can take from a hacker and what weak points you need to shore up unless you put it to the test. The rubber has to meet the road somewhere. If it's not me or someone like me who's getting paid to do it, it's going to be some hacker who still lives in his mother's basement. The question boils down to: who would you rather trust? Me - a paid professional with a long history of maintaining client confidentiality - or BlackHat - someone who lives on "owning" you and posting things like the CEO's salary to your company email distribution lists.

On the other hand, doing a pen test without the rest of the audit is rather like going to the doctor for a physical and finding out that he plans to do exploratory surgery so that he can look at your internal organs to see if there's anything wrong with you. It's an invasive procedure that can break things and have unintended consequences. It should not be attempted by the inexperienced or without reason (i.e. someone in management read about it in "Red Herring"/"Fast Company"/"Business 2.0" and has now decided that this "must" be done). It should be part of an overall security initiative.

Just as you must periodically have unpleasant things done at the doctor's behest once you reach a certain age (colonoscopy, mammogram, etc.), networks need the same thing, but only once they reach a certain size. Just as most children don't need those kinds of procedures, many smaller companies don't need pen testing either. A simple security audit will suffice. However, most mid-size companies and larger need this on a regular basis. IMHO, the size of the network and its growth rate should determine the frequency. Think of it as a colonoscopy for your network :) - potentially embarrassing, uncomfortable and perhaps even painful, but necessary for continued good health.

2 cents,
Jimi