Penetration Testing mailing list archives

Re: Why Penetration Test?


From: Amit <amit.deshmukh () security-assessment com>
Date: Sun, 12 Jun 2005 19:20:37 +1000

Hello all,

Though I'd say the most value I see for my customers comes from option A, we sometimes are faced with clients that conduct a VA but are reluctant or hesitant to take remediation actions based on the results.

It is then that we propose a pen-test to demonstrate how easy/hard it is for an attacker to gain control of critical servers. The results from a pen-test are then used to perform a "root-cause analysis" to determine the factors contributing to increased security risk. This is to help management understand the impact of risks such as inadequate patching procedures or standards, which could translate into regulatory compliance issues.

As far as options B and C are concerned, I am of the opinion that attackers would only be interested in a single exploitable vulnerability, so 5 or 7 wouldn't make much of a difference, except probably to demonstrate that the time to "own" the server with more vulns is much less than for the one with fewer. Having said that, a diligent security consultant needs to find and report at least all known exploitable vulnerabilities :)

Regards,

Amit Deshmukh

Senior Security Consultant
Security-Assessment.com
Sydney, Australia


cbc wrote:

Hi All,

My comments on these are:

A pentest which is useful and is able to add value to
a company who pays for the service is only one whose results
and findings tally with the goal and expectation
established during the initiation of the exercise.

It is meaningless to judge which scenario is the best,
as if my goal of a pentest is to find as many
vulnerabilities as you can and exploit them, then I will say
scenario C is the best. But if my goal is to find
which vulnerabilities would impact my business most,
then scenario A is a better candidate.

In summary, ensuring a proper goal and expectation is
established during the planning stage is vital. You
will find the evaluation and management process more
manageable by doing so!


Regards,
Boon Chin, Senior Security Consultant, Singapore



