Penetration Testing mailing list archives
RE: Why Penetration Test?
From: "DUBRAWSKY, IDO (CALLISMA)" <id3878 () sbc com>
Date: Fri, 10 Jun 2005 15:47:08 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you're looking at it from a strict technical perspective, a penetration test is more detailed than a vulnerability assessment. A vulnerability assessment can provide a surface level view of issues within the network but a penetration test can take it further by validating the vulnerability and demonstrating the extent of the potential risk involved by not remediating. In fact a pen-test, many times, includes an initial vulnerability assessment. Consider that a typical VA may identify a vulnerability in an application, but that the exploit used requires a reverse telnet shell to be shoveled to the application. A VA tool may flag the vulnerability as a high risk, but if the customer is also doing outbound filtering and is able to block the reverse telnet back to the attacker's box then this needs to be accounted for in the evaluation of the risk level in the network. A VA typically does not see this...a pen-test should. Additionally a pen-test could be used to look at the data on the systems being attacked to determine the sensitivity of that data. A VA doesn't look at that information. Now, these are very simplistic examples and there are more factors that come into play as well but it kind of exemplifies some of the differences between a VA and a pen-test. It all depends on the customer and what they're comfortable with (an exploit used in a pen-test may well cause a critical service to fail thus causing a denial-of-service that needs to be dealt with -- a VA typically won't cause such a situation -- it may, but it is, in my experience, rare) and how good the consultant is. I believe that scenario C as you describe it is the most useful. Even with a vulnerability assessment, it's value is also tied into the skill and capabilities of the consultant. Ido - -- Ido Dubrawsky, CISSP Senior Security Consultant SBC/Callisma (571) 633-9500 (Office) (202) 213-9029 (Mobile)
-----Original Message----- From: tarunthenut () gmail com [mailto:tarunthenut () gmail com] Sent: Thursday, June 02, 2005 2:30 AM To: pen-test () securityfocus com Subject: Why Penetration Test? I was wondering the usefulness of a penetration testing against vulnerability assessment for a company. Scenario A Cosultant "A is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose. Scenario B Cosultant "B is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities. Scenario C Cosultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities. Which scenario would have more usefulness to the company? it is ovbious that the result of a PT would depend and vary from skill of a consultant to another?
-----BEGIN PGP SIGNATURE----- Version: PGP 8.0.2 iQA/AwUBQqn8TGmsDscGuNcHEQIhXwCgzAAs7+QejMDHyQR2A1X/ikKbelwAnivD +B8YanOqyuw8HjJ0t5pL1gPC =yHV9 -----END PGP SIGNATURE-----
Current thread:
- Why Penetration Test? tarunthenut (Jun 10)
- Re: Why Penetration Test? Terry Vernon (Jun 10)
- RE: Why Penetration Test? Erin Carroll (Jun 10)
- Re: Why Penetration Test? Brahman Thiyagalingham (Jun 10)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Daniel Reynaud-Plantey (Jun 11)
- Re: Why Penetration Test? Amit (Jun 12)
- Re: Why Penetration Test? cbc (Jun 10)
- Re: Why Penetration Test? Rob Havelt (Jun 11)
- Re: Why Penetration Test? Petr . Kazil (Jun 11)
- Re: Why Penetration Test? Matt Curtin (Jun 20)
- <Possible follow-ups>
- RE: Why Penetration Test? DUBRAWSKY, IDO (CALLISMA) (Jun 10)
- RE: Why Penetration Test? Tony Tulio (Jun 10)
- Re: Re: Why Penetration Test? tarunthenut (Jun 13)
- Re: Why Penetration Test? Terry Vernon (Jun 13)
- Re: Why Penetration Test? Gareth Davies (Jun 13)
- Re: Why Penetration Test? Tarun The Nut (Jun 14)
- Re: Why Penetration Test? Gareth Davies (Jun 14)
- Re: Why Penetration Test? intel96 (Jun 16)
- AW: Why Penetration Test? Jörg Maaß (Jun 16)
- Re: Why Penetration Test? R. DuFresne (Jun 16)
- Re: Why Penetration Test? rmeijer (Jun 17)