Penetration Testing mailing list archives

Re: Is Pentesting Goal Oriented, or Coverage Oriented?


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 06 Oct 2009 11:45:00 +0100

Chris Griffin wrote:
I agree that finding one point in and stopping is an incomplete test.

A lot depends on whether you are taking a depth-first or breadth-first approach.

With automated scans, it is often the default anyhow to let it continue
scanning, and of course you should finish the series (unless you feel
that might cause an IDS/IDP to notice and block your access, including
the already achieved breach).

However, in the real world a hacker would not note a breach, then stop -
he would dive in and try to exploit that, expanding and finding systems
not normally exposed to external traffic but which are reachable via the
breach. Normally I would say that you should ideally try at least to
find out what you can reach via the breach already found, and if that
hole dries up (even if that is because you now own the system) THEN
continue looking for an exploitable breach on the outside.

Far, far too many systems rely on a firewall "Maginot Line", which is
never a good idea - getting them to adopt at least some concept of
defense in depth is (in my opinion of course) a major goal in securing
their systems against future intrusion.

