Penetration Testing mailing list archives

RE: Email Pen-testing


From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Tue, 23 Mar 2004 16:01:09 +0000



--On 23 March 2004 04:50 -0800 James Taylor <james_n_taylor () yahoo com> wrote:

> To drift slightly off topic... For me a vulnerability scan has much more
> value to most companies than a pen test.  That is, of course, if you
> apply the principle that a vuln scan should be performed at each
> perimeter layer, against all hosts, then assess the risk by taking each
> vulnerability discovered in the context of the network as a whole.
>
> Too often one hears of a pen test, where as soon as the 'testers' find a
> vulnerability, they focus on that one vulnerability and, more likely than
> not, are able to break in to that system.  End of pen test.  What about
> the rest of the network?

The approach I've taken in the past is to treat vulnerability assessments as a breadth-first search for vulnerabilities, and penetration testing as a time-limited depth-first attempt to "capture a/the flag". As far as allowable techniques go, that's down to the customer - if I'm capable of using the technique and the customer has explicitly allowed it, it's fair game, whether it's dumpster diving, or dressing up in a boiler suit and carrying two cups of tea. ;-)

IMHO, regular vulnerability assessment is usually the most useful approach as it can identify the critical vulnerabilities that require fixing. Viewed in such a light, penetration testing is probably only useful for proving a political point (e.g. that someone is or isn't doing their job competently, or that their budget is adequate or insufficient).

> Regards
> James Taylor
> CISSP

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9


