Re: Pen Test success rate

Hi James,

Penetration testing is not about breaking into the systems, but about
seeing if it is possible to break, now said that given time every system
in the world is breakable.

So let us put it that penetration testing is trying to see if it
possible to break into the system/network/application in a given time
frame using the techniques used by an hacker and then the penetration
tester goes a different way that is the penetration tester would
document a report about the findings and mitigation steps. So that the
identified loopholes can be closed.

I would say even if the penetration tester did not break into the
system/network/application it was a success. All that you will have to
see is that you engage a capable penetration testing team and not
someone who would just execute a tool and report the findings.

The time frame given to the team to test/break-in is important, it
should not be too small that they (penetration testers) cannot do
anything nor should it is too big (time is money). Based of how many
IP's you are planning to target i would say make a judgmental call about
the time. I suggest you engage a experienced penetration tester during
the scoping.

Hope that was of help
Zion


James Kelly wrote:
Given this scenario: Red team pen test from the Internet with no
information or cooperation from IT staff.

What would be a reasonable success rate of breaking in to say at least
DMZ machines? Of internal hosts on private network?



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Relevant Pages

  • RE: Licensed Penetration Tester LPT
    ... Subject: Licensed Penetration Tester LPT ... Concerned about Web Application Security? ... a managed service can ...
    (Pen-Test)
  • Re: External Pen Test / Manual Exploitation
    ... Instead of Penetration Testing, nomatter how ... I am in the process of reviewing a proposal for external penetration ... open source tools. ...
    (Security-Basics)
  • RE: Limited vs full blown testing
    ... First of all, most people seem to confuse auditing, vulnerability ... Penetration testing is the act of penetrating a system. ... actually penetrate is made IT ISN'T A PEN TEST! ...
    (Pen-Test)
  • Re: Some help on methodologies and reports
    ... If you are running windows you can try the OWASP Report Generator. ... penetration testing. ... A friend setup a little lan to mimic an ISP. ...
    (Pen-Test)
  • Some help on methodologies and reports
    ... I would like to ask a few question concerning some aspects of penetration testing. ... A friend setup a little lan to mimic an ISP. ... Now I want to create a legit report, so that it looks like a real one. ...
    (Pen-Test)