Penetration Testing mailing list archives
Re: How to Pen Test Crazy
From: MetaJunkie <metajunkie () gmail com>
Date: Wed, 22 Jun 2011 22:02:14 -0400
Pete,

I liked your article. I agree with at least 90% of it. The part that I'm concerned with is regarding comments that could negatively impact patch management. At the risk of making any Buddhist endeavour of slaying the ego more difficult for you - you should understand that you have become a voice that carries weight in the infosec community.

While I can agree that if your entire InfoSec Program is focussed on "security through patchity", you are destined to lose at some point; I find it difficult to reconcile the realities of the necessity to patch systems with the following statement from your article:

... "Furthermore it's also perpetuating security through patchity, a process that's so labor intensive to assure homeostasis that nobody could maintain it indefinitely which is the exact definition of a loser in the cat and mouse game."

I have followed ISECOM since early Idea Hamster days - and I continue to approve of the out-of-the-box thinking that is promoted by you and everyone involved. I don't think you are saying that patches are unimportant - but the quote above might lead someone to think that they might as well not try - because they are a dead mouse anyway.

If what you are saying is that we need more being done to secure information, then I agree with you (and as an InfoSec Professional I do more). But, if you are implying that patching and vulnerability assessment is not required - I think you might be a part of the 'crazy' you have written about here.

Are we in agreement that patching and vulnerability assessment should be a part of the whole machine - but not the machine itself?

-metajunkie

On Mon, Jun 20, 2011 at 3:42 PM, Pete Herzog <lists () isecom org> wrote:
The current security model is crazy. And the current crazy testing methods actually make it look like it's not. I think that's why so many people fail to see how broken the current consumer-ready security model is. Look at the current attacks and how security companies, even HUGE ones with their security measures and countermeasures built on this model are letting the people hang. This is how to pen test that scenario. This is how to pen test crazy.

The whole article is available at:
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete () isecom org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- How to Pen Test Crazy Pete Herzog (Jun 22)
- Re: How to Pen Test Crazy MetaJunkie (Jun 24)
- Re: How to Pen Test Crazy Pete Herzog (Jun 24)
- Re: How to Pen Test Crazy MetaJunkie (Jun 24)