Re: Internal Penetration Testing

["Adriel T. Desautels" <ad_lists () netragard com>]

Stephen,
	You didn't "raise the ire of a bunch of folks whose mortgage payment  
depends on the perceived value of an internal penetration test."  You  
simply said that you "question the validity of internal penetration  
testing" and I addressed that.  You didn't answer the question that I  
posed in my email either.  I asked you "Do you really think that an  
external penetration test can cover all the bases?  The fact is that  
internal penetration testing can be all inclusive, external testing  
can't.  So you must really see no value what so ever in external  
testing, or am I mistaken?


On Jun 18, 2009, at 2:52 AM, Stephen Mullins wrote:

> Whoa there, I didn't mean to raise the ire of a bunch of folks whose
> mortgage payment depends on the perceived value of internal pen
> testing.
>
> Let's put the focus back on the original question:
>
> Can anybody recommend any good books, or ideally free online  
> references to
> start learning the techniques of internal penetration testing? I.e.  
> getting
> onto (access to) network shares, private network drives,  internal  
> servers,
> systems, from inside the Network that someone is not authorised to  
> do? I
> wont ask for specific pointers just some good online guides so I can  
> begin
> to identify the techniques that give rise to the "threat from  
> within" etc.
>
> On Tue, Jun 16, 2009 at 4:35 PM, Adriel T.
> Desautels<ad_lists () netragard com> wrote:
> > If you question the validity of internal penetration testing then  
> > you are
> > either not doing it right or you don't understand the subject  
> > enough to
> > realize its clear benefits.  Internal penetration tests are a great  
> > way to
> > test the internal technological controls of a company, and its  
> > resistance to
> > things like Distributed Metastasis.  Do you really think that an  
> > external
> > penetration test can cover all the bases?  If anything, an Internal  
> > is far
> > more valuable because it can include external scopes.
> >
> >
> > On Jun 13, 2009, at 10:21 AM, Stephen Mullins wrote:
> >
> > > I question the validity of "internal pen testing."  After all, as an
> > > insider you should have access to all manner of information that an
> > > attacker would not.  If you have the skills to perform a legitimate
> > > "black box" pen test then you should have no problem doing whatever
> > > you want as an inside "pen tester" even if you try to play by a
> > > predetermined set of rules wherein you pretend not to have insider
> > > knowledge (good luck).  I guess I don't understand the purpose.   
> > > If it
> > > is to demonstrate that having someone with a moderate to high amount
> > > of skill "go rogue" inside your network is a "bad thing", that just
> > > seems redundant to me.
> > >
> > > The best use for "internal pen testing" in my opinion would be  
> > > simply
> > > to see if anyone noticed via your IDS/log management solution/etc.
> > >
> > > If nobody is watching then an internal pen test is doubly pointless.
> > >
> > > Steve Mullins
> > >
> > > On Thu, Jun 11, 2009 at 8:10 AM, pma111<pmaneedham () hotmail com>  
> > > wrote:
> > > > Can anybody recommend any good books, or ideally free online  
> > > > references
> > > > to
> > > > start learning the techniques of internal penetration testing? I.e.
> > > > getting
> > > > onto (access to) network shares, private network drives,  internal
> > > > servers,
> > > > systems, from inside the Network that someone is not authorised  
> > > > to do? I
> > > > wont ask for specific pointers just some good online guides so I  
> > > > can
> > > > begin
> > > > to identify the techniques that give rise to the "threat from  
> > > > within"
> > > > etc.
> > > >
> > > > Regards,
> > > > --
> > > > View this message in context:
> > > > http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html
> > > > Sent from the Penetration Testing mailing list archive at  
> > > > Nabble.com.
> > > >
> > > >
> > > > ------------------------------------------------------------------------
> > > > This list is sponsored by: Information Assurance Certification  
> > > > Review
> > > > Board
> > > >
> > > > Prove to peers and potential employers without a doubt that you can
> > > > actually do a proper penetration test. IACRB CPT and CEPT certs  
> > > > require a
> > > > full practical examination in order to become certified.
> > > >
> > > > http://www.iacertification.org
> > > > ------------------------------------------------------------------------
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification  
> > > Review
> > > Board
> > >
> > > Prove to peers and potential employers without a doubt that you can
> > > actually do a proper penetration test. IACRB CPT and CEPT certs  
> > > require a
> > > full practical examination in order to become certified.
> > >
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
> >
> >
> >
> >        Adriel T. Desautels
> >        ad_lists () netragard com
> >        --------------------------------------
> >
> >        Subscribe to our blog
> >        http://snosoft.blogspot.com



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------