Re: Pen Test vs. Health Check
From: Nexus (nexus_at_patrol.i-way.co.uk)
Date: 01/26/04
- In reply to: Andy Cuff: "Pen Test vs. Health Check"
To: "Andy Cuff" <lists@securitywizardry.com>, <pen-test@securityfocus.com>
Date: Mon, 26 Jan 2004 00:29:14 -0000
----- Original Message -----
From: "Andy Cuff" <lists@securitywizardry.com>
To: <pen-test@securityfocus.com>
Sent: Sunday, January 25, 2004 3:38 PM
Subject: Pen Test vs. Health Check
[snip]
> IMHO a more efficient and thorough method to conduct a security test is the
> holistic approach, where the tester looks inside the network first from a
> privileged account, identifying
> problems and offering solutions, if need be, he/she can then attempt to
> exploit said vulnerabilities as a demonstration to the client. This method
> greatly cuts down on the time taken to "scope the joint"
> externally.
True, but the actual test requirement can vary greatly - from the client's
perspective it could be a 'tick in the box' type requirement, specific
threat models (rogue internal user, internet attacker etc), analysis of a 3rd
party provider / application or a general 'where are the gotchas?' test.
An intensive internal audit with privileges would be time intensive (at
consultancy day rates) and require some fairly major effort to coordinate
everything within the client's organisation.
Internal politics and domains of responsibility will be the main issues
there.
Cheers.