Penetration Testing mailing list archives
Re: Pen Test vs. Health Check
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Tue, 27 Jan 2004 14:20:44 -0600
If you leave out the hacker/cracker verbiage, point of view B.S., "professional" vs "non-professional", and focus on logical definitions and apply them to the subject, you have your answer. It's amazing how logical facts can elevate so much objective discussion:

To assess is to put an estimated value to something (qualitative or quantitative) based on given information applied to actuarial statistics. (In this case we are assessing the likelihood of vulnerabilities, exposure, and exploitation on a given system/network by comparing what we know about the network in question to what we know about network security.) Standard statistical analysis.

In order to gather more accurate actuarial data (and improve the accuracy and results of our assessment and future assessments), we perform tests. Therefore, "penetration" testing is (or should be) _part of_ a complete vulnerability assessment.
> I am by no means an expert in this subject, but it seems to me that one major difference between a pen-test and a vulnerability assessment is the pen-test is designed to come from a cracker's perspective, and the tester is encouraged to actually attempt to enter systems using real exploits. In a vulnerability assessment, on the other hand, the touch seems to be lighter -- with the focus being on a report of the various areas that need improvement.
>
> An illustration:
>
> Pen-Test Guy: "Look what I could have done to your network." // more inflammatory
> Vulnerability Assessment Guy: "Here are some areas you need to work on." // more academic
>
> In short, pen-tests are more cutting edge and sexier. They are asked for when the company is *very* serious about their security and have a vested interest in knowing what an attacker could potentially do on their network from the outside.
>
> I should also note that I think that the pen-test requires quite a bit more skill than a vulnerability assessment. I, for example, could probably do a decent vulnerability assessment for a small to medium sized company, but I don't feel my skills are far enough along to do pen-testing yet.
>
> Regards,
> -danielrm26