Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Matt Curtin <cmcurtin () interhack net>
Date: Fri, 17 Jun 2005 09:12:45 -0400
tarunthenut () gmail com writes:
I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.
It's a good question, and while there are plenty who disagree with me on this, I maintain that penetration testing is useful for determining whether an organization's ability to detect and to respond to attack is in line with its expectations. Risk assessment will consider things like threats, vulnerabilities, and assets, looking at the likelihood and impact of various threats exploiting vulnerabilities to damage assets. The objective here is to determine which risks are best accepted as a cost of doing business, which are best transferred, and which are best mitigated against. Technical evaluation will perform validation of the controls put in place, whether they are working as expected. Many people (mistakenly, in my view) call this "penetration testing"). Penetration testing, understood in this context, is very useful indeed. For example, if your staff notices and responds to something that your risk assessment said you're not going to worry about, it shows that you're spending too much time and money looking at stuff in detail, or that your risk management policy needs to be updated to reflect what is happening in reality. On the other hand, if a penetration is attempted, noticed, and responded to appropriately, that will show whether the policy, technology, and people are doing all of what they should. -- Matt Curtin, author of Brute Force: Cracking the Data Encryption Standard Founder of Interhack Corporation +1 614 545 4225 http://web.interhack.com/ Forensic Computing | Information Assurance | Managed Information Technology
Current thread:
- Why Penetration Test? tarunthenut (Jun 10)
- Re: Why Penetration Test? Terry Vernon (Jun 10)
- RE: Why Penetration Test? Erin Carroll (Jun 10)
- Re: Why Penetration Test? Brahman Thiyagalingham (Jun 10)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Daniel Reynaud-Plantey (Jun 11)
- Re: Why Penetration Test? Amit (Jun 12)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Rob Havelt (Jun 11)
- Re: Why Penetration Test? Petr . Kazil (Jun 11)
- Re: Why Penetration Test? Matt Curtin (Jun 20)
- <Possible follow-ups>
- RE: Why Penetration Test? DUBRAWSKY, IDO (CALLISMA) (Jun 10)
- RE: Why Penetration Test? Tony Tulio (Jun 10)
- Re: Re: Why Penetration Test? tarunthenut (Jun 13)
- Re: Why Penetration Test? Terry Vernon (Jun 13)
- Re: Why Penetration Test? Gareth Davies (Jun 13)
- Re: Why Penetration Test? Tarun The Nut (Jun 14)
- Re: Why Penetration Test? Gareth Davies (Jun 14)
- Re: Why Penetration Test? intel96 (Jun 16)
- AW: Why Penetration Test? Jörg Maaß (Jun 16)
- Re: Why Penetration Test? R. DuFresne (Jun 16)