Re: Pen Test vs. Health Check

From: Don Parker (dparker_at_rigelksecurity.com)
Date: 01/26/04

    Date: Sun, 25 Jan 2004 21:40:46 -0500 (EST)
    To: "Andy Cuff" <lists@securitywizardry.com>, <pen-test@securityfocus.com>
    
    

    Hi Andy, well I have a few thoughts I would like to share here actually. The two (pen
    test and holistic approach) should remain separate as indicated. To that end though the
    pen test should still be done. As we all know there are different attacks that are
    performed as a trusted member of the LAN (physical access) vice that of the pen tester
    which is normally done remotely.

    Doing both of these actually in my mind highlights the various dangers to the client.
    The holistic approach will also show that the client must attempt to safeguard the
    internal LAN from potentially disgruntled employees and the such. This is done through
    hardening the internal LAN in a variety of ways. It is also important though to show the
    normal external threats as well via a pen test. Doing the two gives a far more complete
    picture of the client's security posture.

    Hope this is what you had in mind for feedback :-)

    Cheers

    -------------------------------------------
    Don Parker, GCIA
    Intrusion Detection Specialist
    Rigel Kent Security & Advisory Services Inc
    www.rigelksecurity.com
    ph :613.249.8340
    fax:613.249.8319
    --------------------------------------------

    On Jan 25, "Andy Cuff" <lists@securitywizardry.com> wrote:

    Hi Folks,
    Last week Mark Teicher brought up a valid point regarding ethical
    hacking not solving the underlying issue of an insecure network.
    Addressing the symptom rather than the cause.

    I personally don't like the term ethical hacking when referring to a Pen
    Test, however, as you probably noticed, I think the term will remain where
    training is concerned that introduces the student to the techniques and
    methodology used by a hacker. I do not think that an ethical hacking
    course will make a security tester. OK, no more about training, honest!

    A Pen Test is only as good as the testers and is only a snapshot.
    However, a network that has been secured from the inside out, with a
    solid secure foundation should stand the test of time, even if it is
    compromised the attacker may not be able to roam freely and all their
    actions should be recorded.

    IMHO a more efficient and thorough method to conduct a security test is the
    holistic approach, where the tester looks inside the network first from a
    privileged account, identifying problems and offering solutions, if need be,
    he/she can then attempt to exploit said vulnerabilities as a demonstration to
    the client. This method greatly cuts down on the time taken to "scope the
    joint" externally.

    Firstly, what are the members' thoughts on the above, and what are the
    downsides in what I have said. Also, does anyone have any good
    analogies to vindicate the holistic approach over the Pen Test?

    -andy

    Talisker Security Tools Directory
    http://www.securitywizardry.com
