Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Tarun The Nut <tarunthenut () gmail com>
Date: Tue, 14 Jun 2005 11:04:20 +0530
when i mentioned vulnerabilities that are exploitable, i meant not only being able to "exploit" the vulnerability but also map all the possible paths of attack. Also by plugging a vulnerability does not necessarily means "patching" but taking all possible steps (patches/tools/processes blah blah) that can help mitigating a possible exploit of the vulnerability. The question still remains: Pen Test will always depend on the skill set of the company/individual contracted to do Pen Test and results will vary from person to person (or company to company). Thankx to Pete Herzog for bringing it out. It skipped my mind to include that in my previous mails. Is it not feasible to assume that the real attacker will be able to exploit the vulnerability using any one of the numerous attack paths and go about ensuring the vulnerability is "plugged" based on the phased approach described in one of my mails earlier? Regards On 6/14/05, Gareth Davies <gareth.davies () mynetsec com> wrote:
tarunthenut () gmail com wrote:hi, thanx to everyone for brain-stroming on this point. i asked this question cause i failed to understand why certain clients are bent on penetration testing cause the results totally depend on the skill set of the person/company performing the penetration testing.Yeah that's pretty much how I see it too. Most clients request a pen test because they don't know what it is, it sounds more exciting. What they actually want is a VA, I've had this issue a few times. When it comes down to it, they don't want you to actually exploit their servers, as the machines are live and they can't face the possibility of downtime. They don't mind snapshots of passive intrusion (through non passworded services, or weak/default u/p combinations, open root shares, unprotected NFS mounts and so on). IMHO a full pen-test consists of a VA but it goes one step further, into the realm of actually confirming the exploits will work (as an example, sendmail is often pegged as being vulnerable, but many OS's update the service without changing the banner, so according to the banner it's vulnerable, in reality it's not). I generally like to strike a balance somewhere in between where possible. Cheers -- Gareth Davies Manager - Security Practice Network Security Solutions MSC Sdn. Bhd. Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara, Mont' Kiara, 50480 Kuala Lumpur, Malaysia Phone: +603-6203 5303 www.mynetsec.com
Current thread:
- Re: Why Penetration Test?, (continued)
- Re: Why Penetration Test? Daniel Reynaud-Plantey (Jun 11)
- Re: Why Penetration Test? Amit (Jun 12)
- Re: Why Penetration Test? Rob Havelt (Jun 11)
- Re: Why Penetration Test? Petr . Kazil (Jun 11)
- Re: Why Penetration Test? Matt Curtin (Jun 20)
- RE: Why Penetration Test? DUBRAWSKY, IDO (CALLISMA) (Jun 10)
- RE: Why Penetration Test? Tony Tulio (Jun 10)
- Re: Re: Why Penetration Test? tarunthenut (Jun 13)
- Re: Why Penetration Test? Terry Vernon (Jun 13)
- Re: Why Penetration Test? Gareth Davies (Jun 13)
- Re: Why Penetration Test? Tarun The Nut (Jun 14)
- Re: Why Penetration Test? Gareth Davies (Jun 14)
- Re: Why Penetration Test? intel96 (Jun 16)
- AW: Why Penetration Test? Jörg Maaß (Jun 16)
- Re: Why Penetration Test? R. DuFresne (Jun 16)
- Re: Why Penetration Test? rmeijer (Jun 17)
- Message not available
- Re: Why Penetration Test? Pete Herzog (Jun 16)
- RE: Why Penetration Test? Erin Carroll (Jun 16)
- Re: Why Penetration Test? Pete Herzog (Jun 13)