Penetration Testing mailing list archives
RE: Email Pen-testing
From: "AJ Butcher, Information Systems and Computing" <Alex.Butcher () bristol ac uk>
Date: Tue, 23 Mar 2004 16:01:09 +0000
--On 23 March 2004 04:50 -0800 James Taylor <james_n_taylor () yahoo com> wrote:
To drift slightly off topic... For me a vulnerability scan has much more value to most companies than a pen test. That is, of course, if you apply the principle that a vuln scan should be performed at each perimeter layer, against all hosts, then assess the risk by taking each vulnerability discovered in the context of the network as a whole. Too often one hears of a pen test, where as soon as the 'testers' find a vulnerability, they focus on that one vulnerability and, more likely than not, are able to break in to that system. End of pen test. What about the rest of the network?
The approach I've taken in the past is to treat vulnerability assessments as a breadth-first search for vulnerabilities, and penetration testing as a time-limited depth-first attempt to "capture a/the flag". As far as allowable techniques go, that's down to the customer - if I'm capable of using the technique and the customer has explicitly allowed it, it's fair game, whether it's dumpster diving, or dressing up in a boiler suit and carrying two cups of tea. ;-)
IMHO, regular vulnerability assessment is usually the most useful approach as it can identify the critical vulnerabilities that require fixing. Viewed in such a light, penetration testing is probably only useful for proving a political point (e.g. that someone is or isn't doing their job competently, or that their budget is adequate or insufficient).
Regards
James Taylor CISSP

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9