Penetration Testing mailing list archives

Re: Converged Network Assessment


From: lucien Fransman <lucien.fransman () irc2 nl>
Date: Sun, 5 Feb 2006 20:41:54 +0100

On Friday 03 February 2006 20:01, joseph () cibir net wrote:

In answer to your mail:
Reading the list, it seems like a marketing version of what most other
companies would offer. That said, the meaning of the term assessment differs
from company to company (and indeed from person to person).

To make the list more accessible, I would say it amounts to something like:

an external/internal portscan of your network, someone to look over the PBX 
settings, a wardialer scan over your phone numbers, checking your IDS ruleset 
and someone with a wireless/bluetooth sniffer wandering around in your 
company. The pentest looks promising, but beware of quality issues. A pentest 
is worthless if the person conducting the pentest isn't good, and if the 
person doing the pentest isn't able to reach their goal (root account on 
several servers, access to the payroll database, whatever), it just says that 
that person isn't able to breach your defenses.

The SANS assessment is (as far as I can make out) a crosscheck of the 10 or so 
most horrible vulnerabilities as reported by SANS.

IMHO, the worth of something like this isn't so much in the outcome of the 
individual parts as in the resulting collaboration of the results. 

- What does it mean for your company?
- Is there something fundamental lacking?
- Is the outcome what you expected?
and last but not least:
- Can you do something useful with the results?

This depends a lot on the individual(s) doing the testing.

My advice would be to have a talk with these people, and ask them for sample 
(stripped) deliverables, and see if they fit with your expectations.

--
Kind Regards,

Lucien Fransman, 
Information Risk Control
