RE: Limited vs full blown testing

From: Markowsky, Tyler (tmarkowsky_at_seccuris.com)
Date: 06/25/04

    To: 'Martin Mačok' <martin.ma***@underground.cz>, <pen-test@securityfocus.com>
    Date: Fri, 25 Jun 2004 10:03:45 -0500
    
    

    I agree with Martin: the object of the analysis is to determine weaknesses
    within the environment. However, it is feasible to avoid 'destructive'
    scanning with appropriate preliminary network analysis in concert with
    predefined procedures and expectations.

    **I encourage you to spend a significant amount of time defining these with
    the client.**

    Regards,
    Tyler Markowsky
    Principal Economist

    Seccuris
    http://www.seccuris.com

    -----Original Message-----
    From: Martin Mačok [mailto:martin.ma***@underground.cz]
    Sent: Thursday, June 24, 2004 4:02 PM
    To: pen-test@securityfocus.com
    Subject: Re: Limited vs full blown testing

    On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:

    > During my many years of pen testing one common thread when dealing
    > with customers has been the request to not perform any destructive
    > or DOS type testing.

    Tell them that the purpose of the test is *to test* (i.e. to try
    something) and the only thing you can do to not break anything is to
    not try anything at all. Maybe they want an audit instead of
    a pen-test and they just don't know the terms and the meanings.

    If they are so scared, negotiate the exact time of potentially
    destructive/aggressive tests.

    Use Nessus with "safe checks" turned on for "polite" scans... You can
    also disable all "DoS" family plugins in Nessus.

    Martin Mačok
    IT Security Consultant

